From e07569a1f5b2828e3e6bac198f1fa9c7caccc559 Mon Sep 17 00:00:00 2001 From: Arthur Wolf Date: Thu, 30 Apr 2026 23:26:43 +0200 Subject: [PATCH 01/37] =?UTF-8?q?5.24:=20fix=20brig.rabbitmq=20=E2=86=92?= =?UTF-8?q?=20brig.config.rabbitmq=20path,=20split=20secrets?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The previous example put rabbitmq under brig.rabbitmq, which doesn't exist in the brig chart. The correct path is brig.config.rabbitmq. The secrets example also belongs in secrets.yaml, not values.yaml. The redundant 'port: 5672 # default' line is removed since the chart default covers it. Source: confirmed by Mohit while debugging the path during a customer upgrade run. --- .../config-references/wire-server-5.24.0.md | 20 +++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/src/how-to/upgrade/config-references/wire-server-5.24.0.md b/src/how-to/upgrade/config-references/wire-server-5.24.0.md index 27b2cf2..27e5599 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.24.0.md +++ b/src/how-to/upgrade/config-references/wire-server-5.24.0.md @@ -18,17 +18,29 @@ brig: ### `brig` +In `values/wire-server/values.yaml`: + +```yaml +brig: + config: + rabbitmq: + host: rabbitmq-host-or-service +``` + +In `values/wire-server/secrets.yaml`: + ```yaml brig: - rabbitmq: - host: rabbitmq-host-or-service - port: 5672 # default secrets: rabbitmq: username: wire-server - password: verysecurepassword + password: ``` +`port` defaults to `5672`, only set it if the RabbitMQ instance listens somewhere else. + +Why: starting at `5.23`, `rabbitmq` is deployed as an external service instead of in-cluster. `brig` can't rely on the in-cluster default service name anymore, so the hostname has to be set explicitly. + ### `background-worker` ```yaml From 3bd397a741953467c77246d468b421008dc1aabf Mon Sep 17 00:00:00 2001 
From: Arthur Wolf Date: Thu, 30 Apr 2026 23:26:57 +0200 Subject: [PATCH 02/37] 5.24: add artifact URL and fix 'chagelog' typo MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The artifact tarball URL is needed for offline installs and is currently not findable from this page. Also fixes the 'release chagelog' → 'release changelog' typo while editing the same paragraph. --- src/how-to/upgrade/config-references/wire-server-5.24.0.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/how-to/upgrade/config-references/wire-server-5.24.0.md b/src/how-to/upgrade/config-references/wire-server-5.24.0.md index 27e5599..19e063b 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.24.0.md +++ b/src/how-to/upgrade/config-references/wire-server-5.24.0.md @@ -1,8 +1,9 @@ -# Wire-Server 5.24.0 release +# Wire-Server `5.24.0` release -The following reference was written based on the following [`build.json` charts](https://raw.githubusercontent.com/wireapp/wire-builds/79660a72c74c8644fb3717bd147368e4c5848117/build.json). +Reference based on these [`build.json` charts](https://raw.githubusercontent.com/wireapp/wire-builds/79660a72c74c8644fb3717bd147368e4c5848117/build.json), and the [release changelog](https://github.com/wireapp/wire-server/releases/tag/v2025-11-26). -For additional details, you can also read our [release chagelog](https://github.com/wireapp/wire-server/releases/tag/v2025-11-26). +Artifact: +[`wire-server-deploy-static-f88a2db81e763f7376fc0f7ecc40166a3bc37ee8.tgz`](https://s3-eu-west-1.amazonaws.com/public.wire.com/artifacts/wire-server-deploy-static-f88a2db81e763f7376fc0f7ecc40166a3bc37ee8.tgz) ## Known bugs From e153f90d24a536734c9b9a33e01c9208cdb6dc3a Mon Sep 17 00:00:00 2001 
From: Arthur Wolf Date: Thu, 30 Apr 2026 23:27:15 +0200 Subject: [PATCH 03/37] 5.24: add prerequisites section with mandatory migration framing Calls out the two major pieces of work in this upgrade (redis-ephemeral swap, PostgreSQL conversation migration) so readers know what they're in for. Also makes explicit that 'this change restarts pods' phrasing refers to behavior after helm upgrade, not values-file watching, since that caused real confusion during a customer upgrade. --- .../upgrade/config-references/wire-server-5.24.0.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/src/how-to/upgrade/config-references/wire-server-5.24.0.md b/src/how-to/upgrade/config-references/wire-server-5.24.0.md index 19e063b..736a0c2 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.24.0.md +++ b/src/how-to/upgrade/config-references/wire-server-5.24.0.md 
@@ -5,6 +5,17 @@ Reference based on these [`build.json` charts](https://raw.githubusercontent.com Artifact: [`wire-server-deploy-static-f88a2db81e763f7376fc0f7ecc40166a3bc37ee8.tgz`](https://s3-eu-west-1.amazonaws.com/public.wire.com/artifacts/wire-server-deploy-static-f88a2db81e763f7376fc0f7ecc40166a3bc37ee8.tgz) +## Heads up + +`5.24` is one of the heavier upgrades in this series. Two big things going on: + +* `databases-ephemeral` is replaced by `redis-ephemeral`. The hostname `gundeck` uses for Redis changes. +* Conversation data moves from Cassandra to PostgreSQL. **The original docs called this optional. It must be treated as mandatory.** Skipping it here and then upgrading to `5.25` causes conversations to silently disappear from reads, because of a bad chart default at `5.25`. See the post-upgrade migrations section below. + +This page assumes the source version is `5.23.x`. + +One more thing: every value change documented on this page must be followed by an actual `d helm upgrade --install wire-server ...` run for the change to apply. The chart doesn't watch the `values.yaml`. Phrasing like "this change should restart all the `galley` pods" means "after the helm upgrade is re-run, the pods will restart". It doesn't happen by itself. + ## Known bugs There is a bug with our `brig` charts failing to deploy in a non-federated environment. If you are running a non-federated environment, to work around this, set the following configuration in your `brig`: From 6dfa5c1e91fd149e0dd0710f6ce40617e6701e1a Mon Sep 17 00:00:00 2001 
From: Arthur Wolf Date: Thu, 30 Apr 2026 23:27:45 +0200 Subject: [PATCH 04/37] 5.24: add dedicated redis-ephemeral chart section The previous page only mentioned redis-ephemeral as context for the gundeck.config.redis.host change. The chart deployment itself is a required step that must happen before the wire-server helm upgrade, and that wasn't called out anywhere. Adds explicit ordering and the helm command, plus a forward reference to the cleanup section for removing the old databases-ephemeral chart. Renames the section to 'What must change' with numbered ordering so the upgrade flow is clear. --- .../config-references/wire-server-5.24.0.md | 21 +++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/src/how-to/upgrade/config-references/wire-server-5.24.0.md b/src/how-to/upgrade/config-references/wire-server-5.24.0.md index 736a0c2..e24682e 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.24.0.md +++ b/src/how-to/upgrade/config-references/wire-server-5.24.0.md 
@@ -26,9 +26,26 @@ brig: enableFederation: true ``` -## Mandatory (breaking) changes +## What must change -### `brig` +Listed in the order things should be done. + +### 1. Deploy `redis-ephemeral` (replaces `databases-ephemeral`) + +The upstream chart for the in-cluster Redis was swapped. The new chart is `redis-ephemeral` and ships Redis `7.4.6` (the old chart was based on Bitnami). It only supports standalone deployments. + +Deploy it **before** the `wire-server` upgrade. If `wire-server` is upgraded first with `gundeck.config.redis.host` already pointing at `redis-ephemeral`, gundeck won't be able to connect. + +```bash +d helm upgrade --install redis-ephemeral ./charts/redis-ephemeral \ + --values ./values/redis-ephemeral/prod-values.example.yaml +``` + +Defaults are fine. Nothing should be carried over from `databases-ephemeral`, it's a different chart. + +The old `databases-ephemeral` chart isn't auto-removed. Don't uninstall it yet either, wait until everything else is verified. See "Cleanup" at the bottom. + +### 2. Edit `brig.config.rabbitmq` in the wire-server values In `values/wire-server/values.yaml`: From e58f8710ac408a5d547b00c5520d2fd7548743ba Mon Sep 17 00:00:00 2001 
From: Arthur Wolf Date: Thu, 30 Apr 2026 23:28:11 +0200 Subject: [PATCH 05/37] 5.24: expand background-worker mandatory section with required fields The 5.24 background-worker chart needs additional fields that weren't fully called out: postgresql.host in values, pgPassword in secrets. Adds these explicitly with the kubectl command to retrieve the existing password. Pulls the conversation migration section out from under background-worker, it gets its own post-upgrade section in a later commit. Adds an inline warning about the chart's misleading default for postgresMigration.conversation, since it points at PostgreSQL by default but the data is still in Cassandra for non-migrated installs. --- .../config-references/wire-server-5.24.0.md | 37 +++++++++---------- 1 file changed, 18 insertions(+), 19 deletions(-) diff --git a/src/how-to/upgrade/config-references/wire-server-5.24.0.md b/src/how-to/upgrade/config-references/wire-server-5.24.0.md index e24682e..839d96f 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.24.0.md +++ b/src/how-to/upgrade/config-references/wire-server-5.24.0.md 
@@ -70,41 +70,40 @@ brig: Why: starting at `5.23`, `rabbitmq` is deployed as an external service instead of in-cluster. `brig` can't rely on the in-cluster default service name anymore, so the hostname has to be set explicitly. -### `background-worker` +### 3. Add the new `background-worker` config + +`background-worker` needs a few new fields. In `values/wire-server/values.yaml`: ```yaml background-worker: config: - federationDomain: "example.com" # must match federation domain used for the instance in other services (brig etc.) + federationDomain: example.com # match the federation domain used everywhere else (brig, etc.) cassandraBrig: - host: your-cassandra-host-or-service # same as your current cassandra.host value + host: # same value as the existing cassandra.host cassandraGalley: - host: your-cassandra-host-or-service # same as your current cassandra.host value + host: # same value as the existing cassandra.host + postgresql: + host: ``` -#### Conversation Data Migration - -The following configuration is only mandatory if you decide to migrate conversation data to PostgreSQL at this stage. - -Starting this release, migrating conversation data to PostgreSQL from Cassandra is possible. This is only required for channel search and channel management from Team Settings. Follow [this document](../../../developer/reference/config-options.md#using-postgresql-for-storing-conversation-data) for the steps and configuration required. - -If you do so, the following configurations are for `background-worker` are required. 
+In `values/wire-server/secrets.yaml`: ```yaml background-worker: - config: - postgresql: - host: your-postgresql-host-or-service + secrets: + pgPassword: ``` -And for secrets: +To grab the existing PostgreSQL password from a typical deploy: -```yaml -background-worker: - secrets: - pgPassword: "your-postgresql-password" +```bash +d kubectl get secret postgresql-external -o jsonpath='{.data.password}' | base64 -d ``` +Why: `background-worker` now runs jobs that need PostgreSQL access and that talk directly to the Cassandra keyspaces of `brig` and `galley`. The federation domain is needed for federation-related background tasks. + +> **Warning about the `postgresMigration.conversation` default.** At this release the `background-worker` chart defaults `postgresMigration.conversation` to `postgresql`. That default must **not** be left in place when conversations haven't been migrated yet. The data is still in Cassandra, so a `postgresql` setting points the worker at an empty table. See the migration section below. This is the bug that caused conversations to disappear at `5.25` for installs that didn't migrate. + ### `gundeck` Upstream Helm chart for `redis-ephemeral` has been replaced. New Redis service hostname has been changed from `{{ .Release.Name }}-master` to `{{ .Release.Name }}`. Verify your Redis service name with: From 1fa6f590696550db078ec2397c0ef389a6aabe25 Mon Sep 17 00:00:00 2001 
From: Arthur Wolf Date: Thu, 30 Apr 2026 23:28:32 +0200 Subject: [PATCH 06/37] 5.24: expand gundeck redis section with verification and WSD bug note Adds a real-world example of 'kubectl get svc | grep redis' output so readers know what to expect, and explains why both the new and old services may appear during the transition. Calls out the wire-server-deploy prod-values.example.yaml bug where gundeck.config.redis.host is set to the old databases-ephemeral service. Also adds the helm upgrade run as the last numbered step so the sequence ends with the actual upgrade command. Source: known bug confirmed by Veki during a customer upgrade run. --- .../config-references/wire-server-5.24.0.md | 39 ++++++++++++++++--- 1 file changed, 34 insertions(+), 5 deletions(-) diff --git a/src/how-to/upgrade/config-references/wire-server-5.24.0.md b/src/how-to/upgrade/config-references/wire-server-5.24.0.md index 839d96f..e4e6887 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.24.0.md +++ b/src/how-to/upgrade/config-references/wire-server-5.24.0.md 
@@ -104,21 +104,50 @@ Why: `background-worker` now runs jobs that need PostgreSQL access and that talk > **Warning about the `postgresMigration.conversation` default.** At this release the `background-worker` chart defaults `postgresMigration.conversation` to `postgresql`. That default must **not** be left in place when conversations haven't been migrated yet. The data is still in Cassandra, so a `postgresql` setting points the worker at an empty table. See the migration section below. This is the bug that caused conversations to disappear at `5.25` for installs that didn't migrate. -### `gundeck` +### 4. Update `gundeck.config.redis.host` + +The Redis service hostname changed from `{{ .Release.Name }}-master` to `{{ .Release.Name }}`. With the standard `redis-ephemeral` release name, the in-cluster service is just `redis-ephemeral` now (used to be `databases-ephemeral-redis-ephemeral-master`). -Upstream Helm chart for `redis-ephemeral` has been replaced. New Redis service hostname has been changed from `{{ .Release.Name }}-master` to `{{ .Release.Name }}`. Verify your Redis service name with: +Check the cluster: ```bash -kubectl get svc | grep redis +d kubectl get svc | grep redis +``` + +The output looks something like this (the old `databases-ephemeral-*` services will still be there until the old chart is uninstalled, see "Cleanup"): + +``` +databases-ephemeral-redis-ephemeral-headless ClusterIP None 6379/TCP +databases-ephemeral-redis-ephemeral-master ClusterIP 10.x.x.x 6379/TCP +redis-ephemeral ClusterIP 10.x.x.x 6379/TCP +redis-ephemeral-headless ClusterIP None 6379/TCP ``` -Then set accordingly: +The one to use is the plain `redis-ephemeral`. In `values/wire-server/values.yaml`: ```yaml gundeck: config: redis: - host: "your-redis-service" + host: redis-ephemeral +``` + +> **Bug in `wire-server-deploy` `5.24`**: the bundled `values/wire-server/prod-values.example.yaml` ships `gundeck.config.redis.host: databases-ephemeral-redis-ephemeral` (the old service). 
If that file was used as a starting point, override it to `redis-ephemeral` in the local `values.yaml`. + +### 5. Run the wire-server helm upgrade + +Once all the values are in place: + +```bash +d helm upgrade --install wire-server ./charts/wire-server --timeout=15m0s \ + --values ./values/wire-server/values.yaml \ + --values ./values/wire-server/secrets.yaml +``` + +Watch in another terminal: + +```bash +d kubectl get events ``` ## Optional changes From fec8fc189ce3c5e8b2cebc62a055b94db1e34809 Mon Sep 17 00:00:00 2001 From: Arthur Wolf Date: Thu, 30 Apr 2026 23:28:55 +0200 Subject: [PATCH 07/37] 5.24: add inline post-upgrade conversation migration recipe The previous page presented the PostgreSQL conversation migration as optional, with a single sentence linking out to a config-options page. That framing is what caused the cascade of bugs at 5.25 for sites that treated it as truly optional. Promotes the migration to mandatory and inlines the full three-step recipe verbatim from the wire-server CHANGELOG, plus log and metric verification steps. The link to config-options is no longer the only source of truth for the procedure. Source for the procedure wording: wire-server CHANGELOG entry for release 5.24.0. --- .../config-references/wire-server-5.24.0.md | 71 +++++++++++++++++++ 1 file changed, 71 insertions(+) diff --git a/src/how-to/upgrade/config-references/wire-server-5.24.0.md b/src/how-to/upgrade/config-references/wire-server-5.24.0.md index e4e6887..2c26205 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.24.0.md +++ b/src/how-to/upgrade/config-references/wire-server-5.24.0.md 
@@ -150,6 +150,77 @@ Watch in another terminal: d kubectl get events ``` +## Post-upgrade: migrate conversation data to PostgreSQL + +This is the part that's been flaky in the past. Don't skip it. + +It can only be done **after** the `5.24` `wire-server` helm upgrade has succeeded. Some required services don't exist yet on `5.23`, so trying to migrate before the upgrade just fails. + +A Cassandra backup of `galley` should be taken before starting. Seriously. + +The migration runs in three steps. Each step is a values change followed by a `helm upgrade --install wire-server ...`. + +### Step 1: prepare wire-server for migration + +In `values/wire-server/values.yaml`: + +```yaml +galley: + config: + postgresMigration: + conversation: migration-to-postgresql +background-worker: + config: + migrateConversations: false + postgresMigration: + conversation: migration-to-postgresql +``` + +Run the helm upgrade. Once it's set to `migration-to-postgresql`, do not switch back to `cassandra`. New conversations from this point on are written to PostgreSQL, reads still come from Cassandra. + +### Step 2: run the actual migration + +In `values/wire-server/values.yaml`: + +```yaml +background-worker: + config: + migrateConversations: true + postgresMigration: + conversation: migration-to-postgresql +``` + +Run the helm upgrade. The `background-worker` pods restart and start moving data. This can take a long time on a database with a lot of conversations. 
+ +Watch the logs (look for `finished migration`): + +```bash +d kubectl logs deployment/background-worker --tail=2000 | grep migrate-conversations +``` + +Or watch the metrics, both of these should hit `1.0`: + +* `wire_local_convs_migration_finished` +* `wire_user_remote_convs_migration_finished` + +### Step 3: switch reads over to PostgreSQL + +Once the metrics are at `1.0`, in `values/wire-server/values.yaml`: + +```yaml +galley: + config: + postgresMigration: + conversation: postgresql +background-worker: + config: + migrateConversations: false + postgresMigration: + conversation: postgresql +``` + +Run the helm upgrade. From now on reads and writes both go to PostgreSQL. This configuration must be kept on every subsequent upgrade. + ## Optional changes ### `background-worker` From c218b939afbb174a50abb98e38796f8f5dc27c74 Mon Sep 17 00:00:00 2001 From: Arthur Wolf Date: Thu, 30 Apr 2026 23:29:15 +0200 Subject: [PATCH 08/37] 5.24: expand known bugs with cert-manager email and brig fix scope Adds the bin/helm-operations.sh CERT_MASTER_EMAIL bash-syntax bug that affects fresh 5.23.1 starting points. Also clarifies that the brig non-federated workaround is fixed at 5.25 so readers know when to remove it. Source: cert-manager email bug confirmed by Mohit while reproducing a fresh install. --- .../config-references/wire-server-5.24.0.md | 22 ++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/src/how-to/upgrade/config-references/wire-server-5.24.0.md b/src/how-to/upgrade/config-references/wire-server-5.24.0.md index 2c26205..bdd7109 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.24.0.md +++ b/src/how-to/upgrade/config-references/wire-server-5.24.0.md 
@@ -18,7 +18,9 @@ One more thing: every value change documented on this page must be followed by a ## Known bugs -There is a bug with our `brig` charts failing to deploy in a non-federated environment. If you are running a non-federated environment, to work around this, set the following configuration in your `brig`: +### `brig` won't deploy in non-federated environments + +The `5.24` `brig` chart has a bug that breaks deployment when federation is off. Workaround, in `values/wire-server/values.yaml`: ```yaml brig: @@ -26,6 +28,24 @@ brig: enableFederation: true ``` +This is fixed at `5.25`, so once `5.25` is reached the workaround can be taken back out. + +### `bin/helm-operations.sh` has a malformed `CERT_MASTER_EMAIL` default + +Only relevant for fresh installs starting from `5.23.1` (rather than upgrading an existing deployment). The line in `bin/helm-operations.sh` on the `release-5.23.1` branch reads: + +```bash +CERT_MASTER_EMAIL="certmaster@${CERT_MASTER_EMAIL}:-certmaster@${TARGET_SYSTEM}" +``` + +Bash `:-` defaults have to live inside `${}`. The fix that's already on `master`: + +```bash +CERT_MASTER_EMAIL="${CERT_MASTER_EMAIL:-certmaster@example.com}" +``` + +Without this fix, `cert-manager` ACME registration fails with `400 urn:ietf:params:acme:error:invalidContact: Error validating contact(s) :: unable to parse email address` in the `cert-manager-ns` pod logs. Either patch the file or pass `CERT_MASTER_EMAIL` explicitly when invoking `helm-operations.sh`. + ## What must change Listed in the order things should be done. From 21d320034bbf5850a5e8106ce8ca32a6a37c22dd Mon Sep 17 00:00:00 2001 
From: Arthur Wolf Date: Thu, 30 Apr 2026 23:29:47 +0200 Subject: [PATCH 09/37] 5.24: add verification, cleanup, and disk space sections Verification gives concrete grep patterns and expected log lines for brig, background-worker and gundeck after the upgrade, plus a postgres conversation count check. Cleanup documents removing the now-unused databases-ephemeral chart, which is not auto-removed by the upgrade. Disk space footer covers the /opt/assets growth across repeated setup-offline-sources runs and how to recover. The note specifies the assethost (not the adminhost) since the path only exists there. --- .../config-references/wire-server-5.24.0.md | 94 ++++++++++++++++--- 1 file changed, 80 insertions(+), 14 deletions(-) diff --git a/src/how-to/upgrade/config-references/wire-server-5.24.0.md b/src/how-to/upgrade/config-references/wire-server-5.24.0.md index bdd7109..f7fb010 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.24.0.md +++ b/src/how-to/upgrade/config-references/wire-server-5.24.0.md 
@@ -243,25 +243,22 @@ Run the helm upgrade. From now on reads and writes both go to PostgreSQL. This c ## Optional changes -### `background-worker` +### `background-worker` tunables -New settings, change only if required. The following are defaults as they come in charts +These are chart defaults, only set them when an actual change is needed: ```yaml background-worker: postgresql: - host: postgresql # This one is already referenced in the mandatory category + host: postgresql # already referenced as mandatory above port: "5432" user: wire-server dbname: wire-server - # Background jobs consumer configuration + # Background jobs consumer backgroundJobs: - # Maximum number of in-flight jobs per process - concurrency: 8 - # Per-attempt timeout in seconds - jobTimeout: 60s - # Total attempts, including the first try - maxAttempts: 3 + concurrency: 8 # max in-flight jobs per process + jobTimeout: 60s # per-attempt timeout + maxAttempts: 3 # total attempts including the first try postgresqlPool: size: 5 acquisitionTimeout: 10s 
@@ -269,17 +266,86 @@ background-worker: idlenessTimeout: 10m ``` -### `gundeck` +### `gundeck` Redis tunables -New settings, change only if required. The following are defaults as they come in charts +Also chart defaults, don't touch unless necessary: ```yaml gundeck: config: redis: - host: redis-ephemeral # This one is already referenced in the mandatory catefory + host: redis-ephemeral # already referenced as mandatory above port: 6379 connectionMode: "master" # master | cluster enableTls: false insecureSkipVerifyTls: false -``` +``` + +## Verification + +After the helm upgrade is done. + +`brig` should connect to RabbitMQ. The log lines look something like this: + +```bash +d kubectl logs deployment/brig --tail=300 | grep -iE 'rabbit|amqp' +``` + +``` +{"level":"Info","msgs":["Trying to connect to RabbitMQ"]} +{"level":"Info","msgs":["Retrieved connection..."]} +{"level":"Info","msgs":["Opening channel with RabbitMQ"]} +{"level":"Info","msgs":["RabbitMQ channel opened"]} +``` + +`background-worker` does the same and also opens a Cassandra control connection: + +```bash +d kubectl logs deployment/background-worker --tail=300 | grep -iE 'rabbit|cassandra' +``` + +`gundeck` pods should all be `Running`: + +```bash +d kubectl get pods | grep gundeck +``` + +If the conversation migration is already done, the row count in PostgreSQL should be non-zero. SSH into one of the postgres nodes: + +```bash +ssh "sudo -u postgres psql -d wire-server -c 'SELECT COUNT(*) FROM conversation;'" +``` + +And before calling it done, log in on the webapp and on a mobile client, send a message in an existing conversation, confirm conversations are still there. The whole point of the migration is to keep that data, so it must be verified for real. + +## Cleanup + +Once `redis-ephemeral` looks healthy, the old `databases-ephemeral` chart can go. Nothing uninstalls it automatically. 
+ +First confirm nothing still references it: + +```bash +d helm list -A | grep databases-ephemeral +d kubectl get svc | grep databases-ephemeral +grep -r "databases-ephemeral" values/wire-server/values.yaml +``` + +The grep on `values/wire-server/values.yaml` should come back empty. If it doesn't, fix the override first, then come back. + +Then: + +```bash +d helm uninstall databases-ephemeral +``` + +## Disk space note + +Each upgrade in this series re-runs `setup-offline-sources`, which copies the new release's binaries, container images, and debs into `/opt/assets` on the assethost. After a few versions, the assethost runs out of space and the playbook fails with `no space left on device`. + +When that happens, SSH into the **assethost** (not the adminhost) and clear it: + +```bash +sudo rm -rvf /opt/assets +``` + +Then re-run `setup-offline-sources` from the adminhost. From e7dc5e1a59a9db318896326aeb5fba60766e0eb5 Mon Sep 17 00:00:00 2001 From: Arthur Wolf Date: Thu, 30 Apr 2026 23:30:14 +0200 Subject: [PATCH 10/37] 5.25: add artifact URL and prerequisites section Calls out the dependency on having completed the 5.24 conversation migration before reaching this release. The chart-default issue at 5.25 makes that prerequisite load-bearing. --- .../upgrade/config-references/wire-server-5.25.0.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/src/how-to/upgrade/config-references/wire-server-5.25.0.md b/src/how-to/upgrade/config-references/wire-server-5.25.0.md index 767ae44..8498b22 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.25.0.md +++ b/src/how-to/upgrade/config-references/wire-server-5.25.0.md 
@@ -1,8 +1,13 @@ -# Wire-Server 5.25.0 release +# Wire-Server `5.25.0` release -The following reference was written based on the following [`build.json` charts](https://raw.githubusercontent.com/wireapp/wire-builds/5a74084feeb1138925dcb671b333da0c76f88f08/build.json). +Reference based on these [`build.json` charts](https://raw.githubusercontent.com/wireapp/wire-builds/5a74084feeb1138925dcb671b333da0c76f88f08/build.json), and the [release changelog](https://github.com/wireapp/wire-server/releases/tag/v2026-01-13). -For additional details, you can also read our [release changelog](https://github.com/wireapp/wire-server/releases/tag/v2026-01-13). +Artifact: +[`wire-server-deploy-static-1ca0f1beecb9022e9c7cde2d3ab02fc7e90695e0.tgz`](https://s3-eu-west-1.amazonaws.com/public.wire.com/artifacts/wire-server-deploy-static-1ca0f1beecb9022e9c7cde2d3ab02fc7e90695e0.tgz) + +## Heads up + +Coming from `5.24.0`. If the deploy is still at `5.24` and the conversation data migration to PostgreSQL described on the `5.24` page hasn't been done yet, do that first. There's a chart-default bug at `5.25` that silently breaks anything that hasn't migrated, so it really matters. ## Known bugs From 1102cb3aa7779959f1543d48804d412791399034 Mon Sep 17 00:00:00 2001 
From: Arthur Wolf Date: Thu, 30 Apr 2026 23:30:31 +0200 Subject: [PATCH 11/37] 5.25: replace 'no mandatory changes' with postgresMigration warning The previous version of this page said there were no mandatory changes at 5.25. That was wrong. The 5.25 background-worker chart defaults postgresMigration.conversation to postgresql, which breaks deployments that have not completed the conversation migration. The wrong default was the proximate cause of conversation-loss reports during 5.24 to 5.25 upgrades. Replaces the no-changes note with explicit instructions for both the 'have migrated' and 'have not migrated' cases. Notes that the chart default is corrected at 5.26 so readers know when this changes. --- .../config-references/wire-server-5.25.0.md | 28 +++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/src/how-to/upgrade/config-references/wire-server-5.25.0.md b/src/how-to/upgrade/config-references/wire-server-5.25.0.md index 8498b22..0423264 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.25.0.md +++ b/src/how-to/upgrade/config-references/wire-server-5.25.0.md 
@@ -19,9 +19,33 @@ brig: enableFederation: false ``` -## Mandatory (breaking) changes +## What must change -No mandatory changes in comparison to the last release. +### 1. Set `background-worker.config.postgresMigration.conversation` explicitly + +The `5.25` `background-worker` chart ships with `postgresMigration.conversation` defaulting to `postgresql`. That's wrong for any deploy that hasn't migrated conversations to PostgreSQL yet, the data is still in Cassandra and the worker would be reading from an empty postgres table. This is the bug that caused conversations to disappear in real upgrades. + +It has to be set explicitly. Either of these, depending on the actual state of the deploy: + +If conversation data hasn't been migrated to PostgreSQL yet (most installs coming from `5.23`): + +```yaml +background-worker: + config: + postgresMigration: + conversation: cassandra +``` + +If the migration was already done (per the `5.24` page): + +```yaml +background-worker: + config: + postgresMigration: + conversation: postgresql +``` + +Set this before running the wire-server helm upgrade. The default is corrected back to `cassandra` at `5.26`. ## Optional changes From 5ae2a92a40fd5d59d521259312820bfce85a1065 Mon Sep 17 00:00:00 2001 From: Arthur Wolf Date: Thu, 30 Apr 2026 23:30:45 +0200 Subject: [PATCH 12/37] 5.25: document mlsPrivateKeys requirement on Proteus-only backends Webapp builds after November 2025 require mlsPrivateKeys to be set even when MLS is disabled. Existing deployments that originally ran older versions may not have these keys configured and will hit a confusing webapp error. Source: investigation by Mohit while reproducing the issue. --- .../config-references/wire-server-5.25.0.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/src/how-to/upgrade/config-references/wire-server-5.25.0.md b/src/how-to/upgrade/config-references/wire-server-5.25.0.md index 0423264..8dda9dc 100644 
--- a/src/how-to/upgrade/config-references/wire-server-5.25.0.md +++ b/src/how-to/upgrade/config-references/wire-server-5.25.0.md @@ -47,6 +47,25 @@ background-worker: Set this before running the wire-server helm upgrade. The default is corrected back to `cassandra` at `5.26`. +### 2. Make sure `mlsPrivateKeys` is configured (even if MLS is off) + +Webapp builds from after November 2025 need `mlsPrivateKeys` set on the backend, even when MLS is disabled and the deploy is Proteus-only. Without the keys, the endpoint `v13/mls/public-keys` returns `400`, and the webapp throws `MLSService is required to construct ConversationService with MLS capabilities`. + +Check `values/wire-server/secrets.yaml` has something like: + +```yaml +galley: + secrets: + mlsPrivateKeys: + removal: + ed25519: | + -----BEGIN PRIVATE KEY----- + ... + -----END PRIVATE KEY----- +``` + +If it's missing, generate the keys with `bin/offline-secrets.sh`. Environments that were originally deployed from older `wire-server-deploy` versions may not have run that script and won't have the keys. + ## Optional changes ### `nginx-ingress-services` From f69c2e851b422e6087f67f6b4ca1fc71153d1833 Mon Sep 17 00:00:00 2001 From: Arthur Wolf Date: Thu, 30 Apr 2026 23:30:59 +0200 Subject: [PATCH 13/37] 5.25: document cells feature flag schema additions Operators who override galley.settings.featureFlags.cells must add the new required fields (channels/groups/one2one/users/collabora/ publicLinks/storage/metadata) before upgrading. Operators who rely on the chart default are not affected. Also adds the wire-server helm upgrade run as the last numbered step so the sequence ends with the actual upgrade command. Source: wire-server CHANGELOG entry for release 5.25.0. --- .../config-references/wire-server-5.25.0.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) 
diff --git a/src/how-to/upgrade/config-references/wire-server-5.25.0.md b/src/how-to/upgrade/config-references/wire-server-5.25.0.md index 8dda9dc..3d585f2 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.25.0.md +++ b/src/how-to/upgrade/config-references/wire-server-5.25.0.md @@ -66,6 +66,22 @@ galley: If it's missing, generate the keys with `bin/offline-secrets.sh`. Environments that were originally deployed from older `wire-server-deploy` versions may not have run that script and won't have the keys. +### 3. If `galley.settings.featureFlags.cells` is overridden, add the new fields + +The `cells` feature flag schema gained new required fields at this release: `channels`, `groups`, `one2one`, `users`, `collabora`, `publicLinks`, `storage`, `metadata`. Any local override of `cells` in the `values.yaml` has to add them. + +If `cells` isn't overridden and the chart default is in use, no action needed. + +### 4. Run the wire-server helm upgrade + +Once values and secrets are updated: + +```bash +d helm upgrade --install wire-server ./charts/wire-server --timeout=15m0s \ + --values ./values/wire-server/values.yaml \ + --values ./values/wire-server/secrets.yaml +``` + ## Optional changes ### `nginx-ingress-services` From 7a1097b1e2bd04dc1dd514ea8f191bf29be31a95 Mon Sep 17 00:00:00 2001 From: Arthur Wolf Date: Thu, 30 Apr 2026 23:31:11 +0200 Subject: [PATCH 14/37] 5.25: clarify the brig enableFederation note from 5.24 The previous wording showed enableFederation: false in the example yaml, which was the opposite of the workaround it was telling readers to remove. Renames the section to 'Notes from the previous release' and states clearly that the 5.24 workaround can be removed. --- .../upgrade/config-references/wire-server-5.25.0.md | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/src/how-to/upgrade/config-references/wire-server-5.25.0.md b/src/how-to/upgrade/config-references/wire-server-5.25.0.md index 3d585f2..a44f237 100644 
--- a/src/how-to/upgrade/config-references/wire-server-5.25.0.md +++ b/src/how-to/upgrade/config-references/wire-server-5.25.0.md @@ -9,15 +9,9 @@ Artifact: Coming from `5.24.0`. If the deploy is still at `5.24` and the conversation data migration to PostgreSQL described on the `5.24` page hasn't been done yet, do that first. There's a chart-default bug at `5.25` that silently breaks anything that hasn't migrated, so it really matters. -## Known bugs +## Notes from the previous release -Bug in `brig` for non-federated environments in `wire-server-5.24.0` release has been fixed with this release. You can remove (or set to false!) the following config, if it was used as a workaround in the last release: - -```yaml -brig: - config: - enableFederation: false -``` +The `brig` non-federated bug from `5.24` is fixed at `5.25`. If `enableFederation: true` was set in `values/wire-server/values.yaml` as a workaround, it can be removed (so it falls back to the default of `false`). ## What must change From ad037465d71e08b96e90711fe06079065efe1e9f Mon Sep 17 00:00:00 2001 From: Arthur Wolf Date: Thu, 30 Apr 2026 23:31:35 +0200 Subject: [PATCH 15/37] 5.25: refine optional sections and add migration failure metrics, disk footer Tightens the wording on the existing optional sections and notes when each one is relevant. Documents the two new failure metrics (wire_local_convs_migration_failed and wire_user_remote_convs_migration_failed) and what to do when they reach 1. Adds the standard disk space footer. Source for the new metrics: wire-server CHANGELOG entry for 5.25.0. --- .../config-references/wire-server-5.25.0.md | 38 +++++++++++++++---- 1 file changed, 30 insertions(+), 8 deletions(-) diff --git a/src/how-to/upgrade/config-references/wire-server-5.25.0.md b/src/how-to/upgrade/config-references/wire-server-5.25.0.md index a44f237..b1c6281 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.25.0.md +++ b/src/how-to/upgrade/config-references/wire-server-5.25.0.md 
@@ -78,9 +78,9 @@ d helm upgrade --install wire-server ./charts/wire-server --timeout=15m0s \ ## Optional changes -### `nginx-ingress-services` +### `nginx-ingress-services` private key rotation policy -Support for `cert-manager` certificate private key rotation policy has been added in this release. This allows preserving private keys across certificate renewals for client key pinning scenarios in both federator and ingress certificates. The following shown are defaults as they come in charts from referenced `build.json`. +`cert-manager` certificate private key rotation policy is now configurable, both for the ingress and the federator. Useful when client key pinning is in use and keys need to survive renewals. ```yaml nginx-ingress-services: @@ -93,14 +93,14 @@ nginx-ingress-services: rotationPolicy: Always ``` -Options are: +* `Always` (default): regenerate the key on each renewal. +* `Never`: keep the same key across renewals (for key pinning). -* Always (default) - regenerates key on each renewal -* Never - preserves key across renewals (for key pinning) +Edit `values/nginx-ingress-services/values.yaml` during the nginx ingress upgrade step. Only relevant for `cert-manager`-based deploys with a key pinning requirement. -### `background-worker` +### `background-worker` migration tunables -Configuring page size and parallelism for conversation migration to PostgreSQL is now possible. This can be configured like this: +When the conversation migration is being run at `5.25` rather than at `5.24` (please don't, but if it has to happen), page size and parralelism can now be tuned: ```yaml background-worker: 
@@ -109,4 +109,26 @@ background-worker: pageSize: 10000 parallelism: 2 ``` - \ No newline at end of file + +### New migration failure metrics + +Two metrics for tracking migration failures: + +* `wire_local_convs_migration_failed` +* `wire_user_remote_convs_migration_failed` + +If either of these hits `1`, the migration has failed. The actual error will be in the `background-worker` logs. To retry, restart the `background-worker` pods. + +These go alongside the already-existing `wire_local_convs_migration_finished` and `wire_user_remote_convs_migration_finished` ones. + +## Disk space note + +Each upgrade in this series re-runs `setup-offline-sources`, which copies the new release's binaries, container images, and debs into `/opt/assets` on the assethost. After a few versions, the assethost runs out of space and the playbook fails with `no space left on device`. + +When that happens, SSH into the **assethost** (not the adminhost) and clear it: + +```bash +sudo rm -rvf /opt/assets +``` + +Then re-run `setup-offline-sources` from the adminhost. From acb171fac96fd808cf2d8862ef6765e2bcf4e335 Mon Sep 17 00:00:00 2001 From: Arthur Wolf Date: Thu, 30 Apr 2026 23:32:02 +0200 Subject: [PATCH 16/37] 5.26: add skip-for-federated banner, artifact URL, prerequisites The 5.26 helm charts have unresolved issues in federated mode and the release PR was closed without merging. Federated deployments need to go straight from 5.25 to 5.27. Banner makes this visible at the top of the page so readers do not pick this version by accident. Source: confirmed by Veki and Julia during a customer upgrade run. --- .../config-references/wire-server-5.26.0.md | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/src/how-to/upgrade/config-references/wire-server-5.26.0.md b/src/how-to/upgrade/config-references/wire-server-5.26.0.md index a9d8e13..341daf8 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.26.0.md 
+++ b/src/how-to/upgrade/config-references/wire-server-5.26.0.md @@ -1,8 +1,19 @@ -# Wire-Server 5.26.0 release +# Wire-Server `5.26.0` release -The following reference was written based on the following [`build.json` charts](https://raw.githubusercontent.com/wireapp/wire-builds/7023ffdd52f9de2a1eb5ce2e01cefaf16253274b/build.json). +> **Federated environments: skip this version.** +> +> The `5.26` charts have unresolved issues in federated mode. The original release PR was closed without merging. Federated deploys should go straight from `5.25` to `5.27`. +> +> Non-federated deploys can apply `5.26` if they want, but there are no breaking changes between `5.25` and `5.27`, so skipping is also fine. -For additional details, you can also read our [release changelog](https://github.com/wireapp/wire-server/releases/tag/v2026-01-26). +Reference based on these [`build.json` charts](https://raw.githubusercontent.com/wireapp/wire-builds/7023ffdd52f9de2a1eb5ce2e01cefaf16253274b/build.json), and the [release changelog](https://github.com/wireapp/wire-server/releases/tag/v2026-01-26). + +Artifact: +[`wire-server-deploy-static-6ccd1d01db71f30efa1164cf0f9fb6c1f6f5bf64.tgz`](https://s3-eu-west-1.amazonaws.com/public.wire.com/artifacts/wire-server-deploy-static-6ccd1d01db71f30efa1164cf0f9fb6c1f6f5bf64.tgz) + +## Heads up + +Coming from `5.25.0`. For deploys at any earlier version, do the `5.25` page first. ## Known bugs From d461fe58fdc2049d1c74bf0291dd5e974a03f621 Mon Sep 17 00:00:00 2001 
From: Arthur Wolf Date: Thu, 30 Apr 2026 23:32:17 +0200 Subject: [PATCH 17/37] 5.26: reframe postgresMigration default note as a fix not a new bug The previous wording said the previous release 'introduced a bug' that this release fixes, but the wrong default has been in place since 5.24 and the 5.25 page now warns about it. This release just corrects the default. Reframes the note accordingly and explains what action is needed for readers who relied on the default at 5.25. Source: wire-server CHANGELOG entry for release 5.26.0. --- .../upgrade/config-references/wire-server-5.26.0.md | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/src/how-to/upgrade/config-references/wire-server-5.26.0.md b/src/how-to/upgrade/config-references/wire-server-5.26.0.md index 341daf8..23e9607 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.26.0.md +++ b/src/how-to/upgrade/config-references/wire-server-5.26.0.md 
@@ -15,15 +15,19 @@ Artifact: Coming from `5.25.0`. For deploys at any earlier version, do the `5.25` page first. -## Known bugs +## Notes from the previous release -Previous release introduced a bug into `background-worker` default settings for `postgresMigration` and have now been correctly set to Cassandra. If you are relying on default values from our charts, but have migrated your conversations to PostgreSQL, update your config accordingly to keep using PostgreSQL. Specifically, this value: +The `background-worker` chart default for `postgresMigration.conversation` is corrected at this release. It defaults to `cassandra` again, matching the `galley` default. Earlier versions of the chart defaulted to `postgresql`, which is exactly the bug that broke conversations on installs that hadn't migrated. -``` +If `postgresMigration.conversation` was already set explicitly in `values/wire-server/values.yaml` (which `5.25` told operators to do), no action. + +If the chart default at `5.25` was being relied on, **and** the migration was already done, the value has to be set explicitly to `postgresql` now, otherwise the new `cassandra` default flips the worker back to reading from Cassandra: + +```yaml background-worker: config: postgresMigration: - conversation: postgresql | cassandra # default is cassandra, and should be if not migrated to postgresql + conversation: postgresql ``` ## Mandatory (breaking) changes From d469412ea0fdcec814ef6dd48c5375271619a6ef Mon Sep 17 00:00:00 2001 
From: Arthur Wolf Date: Thu, 30 Apr 2026 23:32:35 +0200 Subject: [PATCH 18/37] 5.26: document mandatory K8s 1.27 minimum and elasticsearch reindex Kubernetes versions below 1.27 are no longer supported. Operators on older clusters need to upgrade Kubernetes first. User search results now carry user type information, but only after the elasticsearch index is refilled from Cassandra. Anyone invoking brig-index directly also needs to add PostgreSQL connection parameters. Source: wire-server CHANGELOG entry for release 5.26.0. --- .../config-references/wire-server-5.26.0.md | 22 +++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/src/how-to/upgrade/config-references/wire-server-5.26.0.md b/src/how-to/upgrade/config-references/wire-server-5.26.0.md index 23e9607..6b0f89f 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.26.0.md +++ b/src/how-to/upgrade/config-references/wire-server-5.26.0.md 
@@ -30,10 +30,24 @@ background-worker: conversation: postgresql ``` -## Mandatory (breaking) changes +## What must change -No mandatory changes. +### 1. Make sure the Kubernetes cluster is at `1.27` or newer -## Optional changes +Anything below `1.27` is no longer supported. On older clusters, Kubernetes itself has to be upgraded before touching wire-server. -Conversation codes can now be migrated to PostgreSQL. For details, read our [changelog](https://github.com/wireapp/wire-server/releases/tag/v2026-01-26). +### 2. Re-fill the Elasticsearch index from Cassandra (after the upgrade) + +User search now returns user type info (regular, app, legacy bot). The new fields don't show up in search results until the Elasticsearch index is re-filled from Cassandra. Do this after the wire-server upgrade. + +For deploys that call `brig-index` directly instead of letting the chart run it, the tool needs PostgreSQL access now, on top of its existing settings. The invocation has to be updated accordingly. + +See [Refill ES documents from Cassandra](../../../developer/reference/elastic-search.md) for the actual procedure. + +### 3. Run the wire-server helm upgrade + +```bash +d helm upgrade --install wire-server ./charts/wire-server --timeout=15m0s \ + --values ./values/wire-server/values.yaml \ + --values ./values/wire-server/secrets.yaml +``` From c7be1b5bcf1d956f814ca4f1ee7988134cad9bc3 Mon Sep 17 00:00:00 2001 From: Arthur Wolf Date: Thu, 30 Apr 2026 23:32:56 +0200 Subject: [PATCH 19/37] 5.26: inline conversation codes migration recipe and add disk footer Replaces the vague 'see the changelog' link with the actual three-step procedure. The migration only applies if the 5.24 conversation data migration has already been completed. Adds the standard disk space footer. Source for the procedure: wire-server CHANGELOG entry for 5.26.0. --- .../config-references/wire-server-5.26.0.md | 50 +++++++++++++++++++ 1 file changed, 50 insertions(+) 
diff --git a/src/how-to/upgrade/config-references/wire-server-5.26.0.md b/src/how-to/upgrade/config-references/wire-server-5.26.0.md index 6b0f89f..cc52379 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.26.0.md +++ b/src/how-to/upgrade/config-references/wire-server-5.26.0.md @@ -51,3 +51,53 @@ d helm upgrade --install wire-server ./charts/wire-server --timeout=15m0s \ --values ./values/wire-server/values.yaml \ --values ./values/wire-server/secrets.yaml ``` + +## Post-upgrade: migrate conversation codes to PostgreSQL (optional) + +Same shape as the conversation data migration from `5.24`. Only makes sense when conversation data has already been migrated, otherwise leave it. + +Step 1, in `values/wire-server/values.yaml`: + +```yaml +galley: + config: + postgresMigration: + conversationCodes: migration-to-postgresql +background-worker: + config: + postgresMigration: + conversationCodes: migration-to-postgresql + migrateConversationCodes: false +``` + +Run the helm upgrade. + +Step 2, set `migrateConversationCodes: true` on `background-worker` and run the helm upgrade again. Wait for the `wire_conv_codes_migration_finished` metric to hit `1.0`. + +Step 3, switch reads to PostgreSQL: + +```yaml +galley: + config: + postgresMigration: + conversationCodes: postgresql +background-worker: + config: + postgresMigration: + conversationCodes: postgresql + migrateConversationCodes: false +``` + +Run the helm upgrade. + +## Disk space note + +Each upgrade in this series re-runs `setup-offline-sources`, which copies the new release's binaries, container images, and debs into `/opt/assets` on the assethost. After a few versions, the assethost runs out of space and the playbook fails with `no space left on device`. + +When that happens, SSH into the **assethost** (not the adminhost) and clear it: + +```bash +sudo rm -rvf /opt/assets +``` + +Then re-run `setup-offline-sources` from the adminhost. 
From f6137e6df7a9bb782c2f939f39b8538babd002d4 Mon Sep 17 00:00:00 2001 From: Arthur Wolf Date: Thu, 30 Apr 2026 23:33:36 +0200 Subject: [PATCH 20/37] 5.27: artifact URL, prereqs, team features migration recipe, footer Adds the artifact URL and prerequisites including the supported skip of 5.26 for federated environments. Replaces the vague link-out for the team features migration with the full four-step procedure including the optional Cassandra table drop. Adds a note about webapp, team-settings, and account-pages now being standalone charts so readers do not look for their values inside values/wire-server/values.yaml. Adds the standard disk space footer. Source for the migration procedure: wire-server CHANGELOG entry for release 5.27.0. --- .../config-references/wire-server-5.27.0.md | 73 ++++++++++++++++--- 1 file changed, 64 insertions(+), 9 deletions(-) diff --git a/src/how-to/upgrade/config-references/wire-server-5.27.0.md b/src/how-to/upgrade/config-references/wire-server-5.27.0.md index 8eb335c..1ca3e71 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.27.0.md +++ b/src/how-to/upgrade/config-references/wire-server-5.27.0.md 
@@ -1,17 +1,72 @@ -# Wire-Server 5.27.0 release +# Wire-Server `5.27.0` release -The following reference was written based on the following [`build.json` charts](https://raw.githubusercontent.com/wireapp/wire-builds/d8bdda07fd4c32937a5482711b6e322a32d0c784/build.json). +Reference based on these [`build.json` charts](https://raw.githubusercontent.com/wireapp/wire-builds/d8bdda07fd4c32937a5482711b6e322a32d0c784/build.json), and the [release changelog](https://github.com/wireapp/wire-server/releases/tag/v2026-02-04). -For additional details, you can also read our [release changelog](https://github.com/wireapp/wire-server/releases/tag/v2026-02-04). +Artifact: +[`wire-server-deploy-static-4b7ec1724ffa60fd86c5ffa697f7b41347f64267.tgz`](https://s3-eu-west-1.amazonaws.com/public.wire.com/artifacts/wire-server-deploy-static-4b7ec1724ffa60fd86c5ffa697f7b41347f64267.tgz) -## Known bugs +## Heads up -No known bugs +Coming from `5.26.0`, or from `5.25.0` for deploys that skipped `5.26` because of the federation issues. Either is fine, there are no breaking changes between `5.25` and `5.27`. -## Mandatory (breaking) changes +No mandatory changes at this release. No known bugs. -No mandatory changes +## Things to know -## Optional changes +`webapp`, `team-settings`, and `account-pages` are now their own standalone helm charts. They used to be subcharts of `wire-server`, they aren't anymore. So: -Team features can now be migrated to PostgreSQL. For details, read our [changelog](https://github.com/wireapp/wire-server/releases/tag/v2026-02-04). \ No newline at end of file +* They have their own values directories: `values/webapp/`, `values/team-settings/`, `values/account-pages/`. +* They get their own `helm upgrade --install` invocations, after the `wire-server` upgrade. +* For anyone used to looking for their config under `values/wire-server/values.yaml`, it's not there anymore. 
+ +## Post-upgrade: migrate team features to PostgreSQL (optional) + +Same shape as the conversation data and conversation codes migrations. Only do this when conversation data and conversation codes have already been migrated, otherwise skip it. + +Step 1, in `values/wire-server/values.yaml`: + +```yaml +galley: + config: + postgresMigration: + teamFeatures: migration-to-postgresql +background-worker: + config: + postgresMigration: + teamFeatures: migration-to-postgresql + migrateTeamFeatures: false +``` + +Run the helm upgrade. + +Step 2, set `migrateTeamFeatures: true` on `background-worker` and run the helm upgrade again. Wait for `wire_team_features_migration_finished` to hit `1.0`. + +Step 3, switch reads to PostgreSQL: + +```yaml +galley: + config: + postgresMigration: + teamFeatures: postgresql +background-worker: + config: + postgresMigration: + teamFeatures: postgresql + migrateTeamFeatures: false +``` + +Run the helm upgrade so `galley` and `background-worker` restart and start reading from PostgreSQL. + +Step 4 (optional, only once everything is validated): the Cassandra `team_features_dyn` table can be dropped. + +## Disk space note + +Each upgrade in this series re-runs `setup-offline-sources`, which copies the new release's binaries, container images, and debs into `/opt/assets` on the assethost. After a few versions, the assethost runs out of space and the playbook fails with `no space left on device`. + +When that happens, SSH into the **assethost** (not the adminhost) and clear it: + +```bash +sudo rm -rvf /opt/assets +``` + +Then re-run `setup-offline-sources` from the adminhost. From 86d7c49414735155f6a0d83386a490618904d49e Mon Sep 17 00:00:00 2001 
From: Arthur Wolf Date: Thu, 30 Apr 2026 23:33:44 +0200 Subject: [PATCH 21/37] 5.28: artifact URL, prereqs, expand mandatory changes, recommendations Adds When/Who tags to the existing image-override breaking change and clarifies that the change only affects deployments that override images. Documents the previously-undocumented mandatory action to remove and re-create apps that existed before user-type tracking. Without this, those apps will appear as regular users in search and API responses. Adds the Cassandra 4.1.x recommendation as a non-breaking note. Source for both new sections: wire-server CHANGELOG entry for release 5.28.0. --- .../config-references/wire-server-5.28.0.md | 60 ++++++++++++++----- 1 file changed, 44 insertions(+), 16 deletions(-) diff --git a/src/how-to/upgrade/config-references/wire-server-5.28.0.md b/src/how-to/upgrade/config-references/wire-server-5.28.0.md index 8e42a2e..49275ad 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.28.0.md +++ b/src/how-to/upgrade/config-references/wire-server-5.28.0.md 
@@ -1,31 +1,59 @@ -# Wire-Server 5.28.0 release +# Wire-Server `5.28.0` release -The following reference was written based on the following [`build.json` charts](https://raw.githubusercontent.com/wireapp/wire-builds/93632dd82237c122c93e0e37e02e5f2a1ba84746/build.json). +Reference based on these [`build.json` charts](https://raw.githubusercontent.com/wireapp/wire-builds/93632dd82237c122c93e0e37e02e5f2a1ba84746/build.json), and the [release changelog](https://github.com/wireapp/wire-server/releases/tag/v2026-03-03). -For additional details, you can also read our [release changelog](https://github.com/wireapp/wire-server/releases/tag/v2026-03-03). +Artifact: +[`wire-server-deploy-static-e16cdbfe2b3b42607bb8cddebad1c23c5e16e343.tgz`](https://s3-eu-west-1.amazonaws.com/public.wire.com/artifacts/wire-server-deploy-static-e16cdbfe2b3b42607bb8cddebad1c23c5e16e343.tgz) -## Known bugs +## Heads up -No known bugs +Coming from `5.27.0`. No known bugs at this release. -## Mandatory (breaking) changes +## What must change -The following Helm charts were changed: +### 1. Update image overrides for `demo-smtp`, `fake-aws-ses`, `fake-aws-sns`, `legalhold` -- `demo-smtp` -- `fake-aws-ses` -- `fake-aws-sns` -- `legalhold` +These charts switched from a single `image` string to split `repository` + `tag` fields. The new format: -Image field overrides are now controlled with split values, `repository` + `tag`, unlike a full `image` string like previously, if you were using overrides in these charts, change to this format: - -``` +```yaml affected-chart: image: repository: quay.io/wire/... tag: some-tag ``` -## Optional changes +Only matters for deploys that actually override images for any of these charts. Deploys using the bundled `prod-values.example.yaml` defaults aren't affected. `legalhold` in particular is optional and isn't even installed in standard `wire-server-deploy` setups, so most installs will never see it. 
+ +Edit the values for whichever of these charts is overridden, before running the corresponding helm upgrade. + +### 2. Remove and re-create existing apps + +Cassandra (in `brig.user`) now tracks user types per-user, but only for **newly created** users. For existing users and bots, the type is inferred. That works fine for users and bots, but it can't reliably distinguish apps from regular users. So any app created before `5.28` will show up as a regular user in API responses and search results. + +To get correct app information, the affected apps must be removed from their team and re-created after the upgrade. Only relevant for deploys that created apps before their official support. + +### 3. Run the wire-server helm upgrade + +```bash +d helm upgrade --install wire-server ./charts/wire-server --timeout=15m0s \ + --values ./values/wire-server/values.yaml \ + --values ./values/wire-server/secrets.yaml +``` + +## Recommendations + +### Upgrade Cassandra to `4.1.x` when convenient + +From this release on, wire-server is only tested against Cassandra `4.1.x`. The codebase still works on `3.11`, `4.0`, and `4.1`, but only `4.1` and newer get testing going forward. So a Cassandra upgrade should be planned at some point, no rush. + +## Disk space note + +Each upgrade in this series re-runs `setup-offline-sources`, which copies the new release's binaries, container images, and debs into `/opt/assets` on the assethost. After a few versions, the assethost runs out of space and the playbook fails with `no space left on device`. + +When that happens, SSH into the **assethost** (not the adminhost) and clear it: + +```bash +sudo rm -rvf /opt/assets +``` -No optional changes \ No newline at end of file +Then re-run `setup-offline-sources` from the adminhost. From de6f01ae6463a13dd801825b0f12977809d129f5 Mon Sep 17 00:00:00 2001 
From: Arthur Wolf Date: Thu, 30 Apr 2026 23:34:10 +0200 Subject: [PATCH 22/37] 5.29: add skip-this-version banner, artifact URL, prerequisites The wire-server release notes mark this release as broken and tell readers to upgrade from 5.28 directly to 5.30. Adds a banner at the top of the page making this clear, and a prerequisites note for readers who land here for reference. Source: wire-server CHANGELOG entries for 5.29.0 and 5.30.0. --- .../config-references/wire-server-5.29.0.md | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/src/how-to/upgrade/config-references/wire-server-5.29.0.md b/src/how-to/upgrade/config-references/wire-server-5.29.0.md index 18d1d95..3230cf5 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.29.0.md +++ b/src/how-to/upgrade/config-references/wire-server-5.29.0.md 
@@ -1,8 +1,19 @@ -# Wire-Server 5.29.0 release +# Wire-Server `5.29.0` release -The following reference was written based on the following [`build.json` charts](https://raw.githubusercontent.com/wireapp/wire-builds/eaaec058bd49e392ab8727a02c568782f709c81a/build.json). +> **This release is broken. Skip it. Upgrade from `5.28` directly to `5.30`.** +> +> The `5.29` charts have known issues that prevent reliable deployment. The wire-server release notes themselves recommend skipping this version. The changes documented below are still in effect at `5.30` (some of them tweaked further), and this page exists for reference. Real upgrade instructions are on the `5.30` page. -For additional details, you can also read our [release changelog](https://github.com/wireapp/wire-server/releases/tag/v5.29.0). +Reference based on these [`build.json` charts](https://raw.githubusercontent.com/wireapp/wire-builds/eaaec058bd49e392ab8727a02c568782f709c81a/build.json), and the [release changelog](https://github.com/wireapp/wire-server/releases/tag/v5.29.0). + +Artifact: +[`wire-server-deploy-static-d5295d63b08c43a4983c27e33e5fff75acdb6663.tgz`](https://s3-eu-west-1.amazonaws.com/public.wire.com/artifacts/wire-server-deploy-static-d5295d63b08c43a4983c27e33e5fff75acdb6663.tgz) + +## Heads up + +Skip this version. The content below is reference material for what shipped in `5.29`. The changes are mostly carried into `5.30`, see the `5.30` page for the actual upgrade. + +For reference purposes, the prior version is treated as `5.28.0`. ## Known bugs From 9532598898224ab227e135ab3e96fe889f7f75cf Mon Sep 17 00:00:00 2001 
From: Arthur Wolf Date: Thu, 30 Apr 2026 23:34:35 +0200 Subject: [PATCH 23/37] 5.29: document chart consolidation, tags obsoletion, metallb removal The previous page only mentioned the proxy toggle change. The underlying chart consolidation that motivated it was not documented, and the tags obsoletion list was incomplete. Adds the full list of moved services and obsolete tags. Documents the metallb wrapper chart removal which previously had no mention. Cross-links forward to 5.30 where tags.proxy becomes required again, so readers do not remove a tag that they will need to add back at the next version. Source: wire-server CHANGELOG entry for release 5.29.0. --- .../config-references/wire-server-5.29.0.md | 46 +++++++++++++++---- 1 file changed, 38 insertions(+), 8 deletions(-) diff --git a/src/how-to/upgrade/config-references/wire-server-5.29.0.md b/src/how-to/upgrade/config-references/wire-server-5.29.0.md index 3230cf5..cc5572e 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.29.0.md +++ b/src/how-to/upgrade/config-references/wire-server-5.29.0.md 
@@ -15,21 +15,45 @@ Skip this version. The content below is reference material for what shipped in ` For reference purposes, the prior version is treated as `5.28.0`. -## Known bugs +## What was supposed to change at this release -No known bugs +### Core services moved into the `wire-server` umbrella chart -## Mandatory (breaking) changes +A bunch of services moved from their own subcharts into the umbrella chart templates at `charts/wire-server/templates`: -Wire-server core services were migrated from subcharts into the umbrella chart templates. As a result, dependency tags for these services are now obsolete. Out of these, `proxy` service might be the only breaking change if it was not used previously and is unconfigured. +* `background-worker` +* `brig` +* `cannon` +* `cargohold` +* `galley` +* `gundeck` +* `proxy` +* `spar` -### `proxy` +So the corresponding dependency tags become obsolete and can be removed from `values/wire-server/values.yaml`: -If `proxy` was used previously and is already configured, you have no breaking changes. +* `tags.brig` +* `tags.galley` +* `tags.cannon` +* `tags.cargohold` +* `tags.gundeck` +* `tags.proxy` +* `tags.spar` +* `tags.background-worker` -Since proxy can no longer be "toggled off" the following configuration with dummy secrets is sufficient for deploy. +For standard deploys this isn't a breaking change, the bundled environments don't toggle any of these off. It **is** a breaking change for custom deploys that had `tags.: false` for any of the moved services. -``` +When the upgrade actually runs, rendered manifests will show metadata and source-path diffs (chart labels, template source paths). That's expected, and it may trigger a one-time pod rollout because of checksum annotation changes. + +> Note: this is partially reverted at `5.30`. At `5.30` `tags.proxy` becomes required again. See the `5.30` page. + +### `proxy` can no longer be toggled off + +Side effect of the consolidation. 
`proxy` doesn't have a way to be disabled anymore. Deploys that previously set `tags.proxy: false` now have to provide at least a minimal `proxy` config so the chart renders. + +Placeholder secrets are enough. In `values/wire-server/secrets.yaml`: + +```yaml proxy: secrets: proxy_config: |- @@ -42,6 +66,12 @@ proxy: } ``` +Deploys that already had `proxy` configured at `5.28` don't need to do anything. + +### `metallb` wrapper chart removed + +The `metallb` wrapper chart is gone. It had been unmaintained for a while and the upstream Docker images aren't available anymore. Deploys that depended on this need to switch to a different load balancer setup before upgrading. + ## Optional changes ### `wire-server` From 061b4e7f51177d800057294fa18175d81df5a782 Mon Sep 17 00:00:00 2001 From: Arthur Wolf Date: Thu, 30 Apr 2026 23:35:09 +0200 Subject: [PATCH 24/37] 5.29: clean up optional changes, add rate-limit note and disk footer Drops the redundant 'tags.proxy is now obsolete' section since this is already covered as part of the chart consolidation in mandatory changes. Renames the proxy reference section to make its scope explicit and fixes a typo in the embedded comment. Adds the configurable rate-limit status code as a small optional note from the changelog. Source for the rate-limit configurability: wire-server CHANGELOG entry for release 5.29.0. --- .../config-references/wire-server-5.29.0.md | 35 +++++++++++-------- 1 file changed, 21 insertions(+), 14 deletions(-) diff --git a/src/how-to/upgrade/config-references/wire-server-5.29.0.md b/src/how-to/upgrade/config-references/wire-server-5.29.0.md index cc5572e..c5629a9 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.29.0.md +++ b/src/how-to/upgrade/config-references/wire-server-5.29.0.md 
@@ -74,20 +74,11 @@ The `metallb` wrapper chart is gone. It had been unmaintained for a while and th ## Optional changes -### `wire-server` +### `proxy` full configuration reference -This value in `wire-server` charts is now obsolete and can be removed if used: +Full set of `proxy` chart options at their defaults. These shouldn't be set in a local `values.yaml` unless there's a reason to override them. The `secrets` block was covered above for deploys that previously had `proxy` off. -``` -tags: - proxy: false # or true -``` - -### `proxy` - -The following is full config options for the `proxy` chart and are shown as defaults as they come set in charts. They are not required to be set in your `values.yaml`. Do not change unless necessary. - -``` +```yaml proxy: replicaCount: 3 image: @@ -111,7 +102,7 @@ proxy: logFormat: StructuredJSON logNetStrings: false proxy: {} - # Disable one ore more API versions. Please make sure the configuration value is the same in all these charts: + # Disable one or more API versions. Make sure the configuration value matches in all charts: # brig, cannon, cargohold, galley, gundeck, proxy, spar. disabledAPIVersions: [development] 
@@ -124,4 +115,20 @@ proxy: seccompProfile: type: RuntimeDefault secrets: {} -``` \ No newline at end of file +``` + +### Rate-limit status code is configurable + +The status code returned by `nginz` and `cannon` for rate-limit responses can now be configured in helm values. Default is still `420`, so unless an actaul change is wanted, nothing to do. + +## Disk space note + +Each upgrade in this series re-runs `setup-offline-sources`, which copies the new release's binaries, container images, and debs into `/opt/assets` on the assethost. After a few versions, the assethost runs out of space and the playbook fails with `no space left on device`. + +When that happens, SSH into the **assethost** (not the adminhost) and clear it: + +```bash +sudo rm -rvf /opt/assets +``` + +Then re-run `setup-offline-sources` from the adminhost. From 6c3ab05414e9bae4307f77e015c7445fcf0acde9 Mon Sep 17 00:00:00 2001 From: Arthur Wolf Date: Thu, 30 Apr 2026 23:35:37 +0200 Subject: [PATCH 25/37] 5.30: create config reference page New page documenting the 5.30 release. Covers the three operator- relevant changes from the release notes: tags.proxy must be set explicitly again (reversing the 5.29 obsoletion), the restund chart is no longer shipped (migrate to coturn), and the recommended cleanup of duplicated background-worker overrides now that background-worker reuses galley's configmap and secrets. Also adds entries for 5.26 through 5.30 to mkdocs.yml so the pages appear in the navigation. Previously only 5.24 and 5.25 were listed despite the 5.26 to 5.29 pages already existing. Source for the 5.30 changes: wire-server CHANGELOG entry for release 5.30.0. --- mkdocs.yml | 5 ++ .../config-references/wire-server-5.30.0.md | 69 +++++++++++++++++++ 2 files changed, 74 insertions(+) create mode 100644 src/how-to/upgrade/config-references/wire-server-5.30.0.md diff --git a/mkdocs.yml b/mkdocs.yml index 56bfcfd..d5cdcf4 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -41,6 +41,11 @@ nav: - Overview: how-to/upgrade/05-config-reference.md - Wire Server 5.24: how-to/upgrade/config-references/wire-server-5.24.0.md - Wire Server 5.25: how-to/upgrade/config-references/wire-server-5.25.0.md + - Wire Server 5.26: how-to/upgrade/config-references/wire-server-5.26.0.md + - Wire Server 5.27: how-to/upgrade/config-references/wire-server-5.27.0.md + - Wire Server 5.28: how-to/upgrade/config-references/wire-server-5.28.0.md + - Wire Server 5.29: how-to/upgrade/config-references/wire-server-5.29.0.md + - Wire Server 5.30: how-to/upgrade/config-references/wire-server-5.30.0.md - Administration: - Overview: how-to/administrate/README.md - kubernetes: how-to/administrate/kubernetes/README.md diff --git a/src/how-to/upgrade/config-references/wire-server-5.30.0.md b/src/how-to/upgrade/config-references/wire-server-5.30.0.md new file mode 100644 index 0000000..eb34062 --- /dev/null +++ b/src/how-to/upgrade/config-references/wire-server-5.30.0.md 
@@ -0,0 +1,69 @@ +# Wire-Server `5.30.0` release + +For details, see the [release changelog](https://github.com/wireapp/wire-server/releases) on the wire-server repo. + +Artifact: +[`wire-server-deploy-static-1349f499ee83c3c2a940dd017f71aeb184e3090c.tgz`](https://s3-eu-west-1.amazonaws.com/public.wire.com/artifacts/wire-server-deploy-static-1349f499ee83c3c2a940dd017f71aeb184e3090c.tgz) + +## Heads up + +Coming from `5.29.0`. In practice most deploys will be coming from `5.28` because `5.29` is broken and gets skipped (see the `5.29` page). The changes below cover both paths. + +For deploys that skipped `5.29`, the `5.29` changes are still in effect at `5.30`, so the `5.29` page is worth a look too. The most important one to know about: at `5.29` `tags.proxy` was marked obsolete and a bunch of services were moved into the umbrella chart. The `tags.proxy` part has been undone for this release, see below. + +No known bugs at this release. + +## What must change + +### 1. Set `tags.proxy` explicitly + +At `5.29` `tags.proxy` was marked obsolete because `proxy` got moved into the umbrella chart. At `5.30` it's required again. So for deploys that removed it as part of the `5.29` upgrade, or that never had it (because they came straight from `5.28`), it has to go back into `values/wire-server/values.yaml` before this upgrade: + +```yaml +tags: + proxy: true # deploy the proxy chart +``` + +Or to keep proxy off: + +```yaml +tags: + proxy: false # don't deploy the proxy chart +``` + +### 2. Migrate off Restund (if not already done) + +The `restund` helm chart and the underlying code stopped being shipped. Deploys still on Restund have to migrate to `coturn` before this upgrade. Coturn keeps being supported. + +This is a planning step, not a values edit. + +### 3. 
Run the wire-server helm upgrade + +```bash +d helm upgrade --install wire-server ./charts/wire-server --timeout=15m0s \ + --values ./values/wire-server/values.yaml \ + --values ./values/wire-server/secrets.yaml +``` + +## Recommended cleanup (not strictly required) + +`background-worker` now reuses `galley`'s configmap and secrets for the Cassandra, PostgreSQL, and federation domain settings. So a few `background-worker` overrides in the values files are now duplicated. Removing them is not required, but it's cleaner, and it keeps the two services aligned going forward. + +The duplicates to drop: + +* `background-worker.config.cassandraGalley` +* `background-worker.config.postgresql` +* `background-worker.config.federationDomain` +* `background-worker.secrets.pgPassword` (this one's in `secrets.yaml`) + +## Disk space note + +Each upgrade in this series re-runs `setup-offline-sources`, which copies the new release's binaries, container images, and debs into `/opt/assets` on the assethost. After a few versions, the assethost runs out of space and the playbook fails with `no space left on device`. + +When that happens, SSH into the **assethost** (not the adminhost) and clear it: + +```bash +sudo rm -rvf /opt/assets +``` + +Then re-run `setup-offline-sources` from the adminhost. From 7979431b5f90aac248429f091046fbd2aa832bf4 Mon Sep 17 00:00:00 2001 From: Arthur Wolf Date: Thu, 30 Apr 2026 23:45:04 +0200 Subject: [PATCH 26/37] 5.24: remove the helm-operations.sh CERT_MASTER_EMAIL note Not relevant to the version upgrade flow, this is install-time noise that doesn't belong on a per-version config reference page. --- .../config-references/wire-server-5.24.0.md | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/src/how-to/upgrade/config-references/wire-server-5.24.0.md b/src/how-to/upgrade/config-references/wire-server-5.24.0.md index f7fb010..e73fa12 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.24.0.md 
+++ b/src/how-to/upgrade/config-references/wire-server-5.24.0.md @@ -30,22 +30,6 @@ brig: This is fixed at `5.25`, so once `5.25` is reached the workaround can be taken back out. -### `bin/helm-operations.sh` has a malformed `CERT_MASTER_EMAIL` default - -Only relevant for fresh installs starting from `5.23.1` (rather than upgrading an existing deployment). The line in `bin/helm-operations.sh` on the `release-5.23.1` branch reads: - -```bash -CERT_MASTER_EMAIL="certmaster@${CERT_MASTER_EMAIL}:-certmaster@${TARGET_SYSTEM}" -``` - -Bash `:-` defaults have to live inside `${}`. The fix that's already on `master`: - -```bash -CERT_MASTER_EMAIL="${CERT_MASTER_EMAIL:-certmaster@example.com}" -``` - -Without this fix, `cert-manager` ACME registration fails with `400 urn:ietf:params:acme:error:invalidContact: Error validating contact(s) :: unable to parse email address` in the `cert-manager-ns` pod logs. Either patch the file or pass `CERT_MASTER_EMAIL` explicitly when invoking `helm-operations.sh`. - ## What must change Listed in the order things should be done. From f044a03e913f23271b08863895dd6a6ac693ec72 Mon Sep 17 00:00:00 2001 From: Arthur Wolf Date: Thu, 30 Apr 2026 23:45:33 +0200 Subject: [PATCH 27/37] 5.24: drop meta-note about helm upgrade, inline the command per migration step The Heads up paragraph telling readers that every value change has to be followed by a helm upgrade was redundant. Inlining the actual command at each migration step makes it explicit and unambiguous, and removes the need for the meta-note. --- .../config-references/wire-server-5.24.0.md | 32 ++++++++++++++++--- 1 file changed, 27 insertions(+), 5 deletions(-) diff --git a/src/how-to/upgrade/config-references/wire-server-5.24.0.md b/src/how-to/upgrade/config-references/wire-server-5.24.0.md index e73fa12..0558eea 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.24.0.md +++ b/src/how-to/upgrade/config-references/wire-server-5.24.0.md 
@@ -14,8 +14,6 @@ Artifact: This page assumes the source version is `5.23.x`. -One more thing: every value change documented on this page must be followed by an actual `d helm upgrade --install wire-server ...` run for the change to apply. The chart doesn't watch the `values.yaml`. Phrasing like "this change should restart all the `galley` pods" means "after the helm upgrade is re-run, the pods will restart". It doesn't happen by itself. - ## Known bugs ### `brig` won't deploy in non-federated environments @@ -180,7 +178,15 @@ background-worker: conversation: migration-to-postgresql ``` -Run the helm upgrade. Once it's set to `migration-to-postgresql`, do not switch back to `cassandra`. New conversations from this point on are written to PostgreSQL, reads still come from Cassandra. +Then run: + +```bash +d helm upgrade --install wire-server ./charts/wire-server --timeout=15m0s \ + --values ./values/wire-server/values.yaml \ + --values ./values/wire-server/secrets.yaml +``` + +Once it's set to `migration-to-postgresql`, do not switch back to `cassandra`. New conversations from this point on are written to PostgreSQL, reads still come from Cassandra. ### Step 2: run the actual migration @@ -194,7 +200,15 @@ background-worker: conversation: migration-to-postgresql ``` -Run the helm upgrade. The `background-worker` pods restart and start moving data. This can take a long time on a database with a lot of conversations. +Then run: + +```bash +d helm upgrade --install wire-server ./charts/wire-server --timeout=15m0s \ + --values ./values/wire-server/values.yaml \ + --values ./values/wire-server/secrets.yaml +``` + +The `background-worker` pods restart and start moving data. This can take a long time on a database with a lot of conversations. Watch the logs (look for `finished migration`): 
@@ -223,7 +237,15 @@ background-worker: conversation: postgresql ``` -Run the helm upgrade. From now on reads and writes both go to PostgreSQL. This configuration must be kept on every subsequent upgrade. +Then run: + +```bash +d helm upgrade --install wire-server ./charts/wire-server --timeout=15m0s \ + --values ./values/wire-server/values.yaml \ + --values ./values/wire-server/secrets.yaml +``` + +From now on reads and writes both go to PostgreSQL. This configuration must be kept on every subsequent upgrade. ## Optional changes From 0300fd8bb05c3361decdea9cfa3bc1a150224ec3 Mon Sep 17 00:00:00 2001 From: Arthur Wolf Date: Thu, 30 Apr 2026 23:45:56 +0200 Subject: [PATCH 28/37] 5.24, 5.25: soften 'caused' to 'may have caused' for the conversations bug Causation hasn't been definitively established, several deploys exhibited the symptom but the chain isn't fully proven. Softens the wording on both pages accordingly. --- src/how-to/upgrade/config-references/wire-server-5.24.0.md | 2 +- src/how-to/upgrade/config-references/wire-server-5.25.0.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/how-to/upgrade/config-references/wire-server-5.24.0.md b/src/how-to/upgrade/config-references/wire-server-5.24.0.md index 0558eea..f54a41a 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.24.0.md +++ b/src/how-to/upgrade/config-references/wire-server-5.24.0.md 
@@ -104,7 +104,7 @@ d kubectl get secret postgresql-external -o jsonpath='{.data.password}' | base64 Why: `background-worker` now runs jobs that need PostgreSQL access and that talk directly to the Cassandra keyspaces of `brig` and `galley`. The federation domain is needed for federation-related background tasks. -> **Warning about the `postgresMigration.conversation` default.** At this release the `background-worker` chart defaults `postgresMigration.conversation` to `postgresql`. That default must **not** be left in place when conversations haven't been migrated yet. The data is still in Cassandra, so a `postgresql` setting points the worker at an empty table. See the migration section below. This is the bug that caused conversations to disappear at `5.25` for installs that didn't migrate. +> **Warning about the `postgresMigration.conversation` default.** At this release the `background-worker` chart defaults `postgresMigration.conversation` to `postgresql`. That default must **not** be left in place when conversations haven't been migrated yet. The data is still in Cassandra, so a `postgresql` setting points the worker at an empty table. See the migration section below. This is the bug that may have caused conversations to disappear at `5.25` for installs that didn't migrate. ### 4. Update `gundeck.config.redis.host` diff --git a/src/how-to/upgrade/config-references/wire-server-5.25.0.md b/src/how-to/upgrade/config-references/wire-server-5.25.0.md index b1c6281..2ebe6c7 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.25.0.md +++ b/src/how-to/upgrade/config-references/wire-server-5.25.0.md 
@@ -17,7 +17,7 @@ The `brig` non-federated bug from `5.24` is fixed at `5.25`. If `enableFederatio ### 1. Set `background-worker.config.postgresMigration.conversation` explicitly -The `5.25` `background-worker` chart ships with `postgresMigration.conversation` defaulting to `postgresql`. That's wrong for any deploy that hasn't migrated conversations to PostgreSQL yet, the data is still in Cassandra and the worker would be reading from an empty postgres table. This is the bug that caused conversations to disappear in real upgrades. +The `5.25` `background-worker` chart ships with `postgresMigration.conversation` defaulting to `postgresql`. That's wrong for any deploy that hasn't migrated conversations to PostgreSQL yet, the data is still in Cassandra and the worker would be reading from an empty postgres table. This is the bug that may have caused conversations to disappear in real upgrades. It has to be set explicitly. Either of these, depending on the actual state of the deploy: From ce589ff541927d801d725d03e3e6ca2315610bae Mon Sep 17 00:00:00 2001 From: Arthur Wolf Date: Thu, 30 Apr 2026 23:47:06 +0200 Subject: [PATCH 29/37] 5.24, 5.25, 5.28, 5.29: drop casual asides Removes 'This is the part that's been flaky in the past. Don't skip it.', 'Seriously.', 'please don't, but if it has to happen', and 'no rush' across the affected pages. Also tightens the rate-limit note in 5.29 and fixes a typo in the same paragraph. --- src/how-to/upgrade/config-references/wire-server-5.24.0.md | 4 +--- src/how-to/upgrade/config-references/wire-server-5.25.0.md | 2 +- src/how-to/upgrade/config-references/wire-server-5.28.0.md | 2 +- src/how-to/upgrade/config-references/wire-server-5.29.0.md | 2 +- 4 files changed, 4 insertions(+), 6 deletions(-) diff --git a/src/how-to/upgrade/config-references/wire-server-5.24.0.md b/src/how-to/upgrade/config-references/wire-server-5.24.0.md index f54a41a..5eeab14 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.24.0.md 
+++ b/src/how-to/upgrade/config-references/wire-server-5.24.0.md @@ -154,11 +154,9 @@ d kubectl get events ## Post-upgrade: migrate conversation data to PostgreSQL -This is the part that's been flaky in the past. Don't skip it. - It can only be done **after** the `5.24` `wire-server` helm upgrade has succeeded. Some required services don't exist yet on `5.23`, so trying to migrate before the upgrade just fails. -A Cassandra backup of `galley` should be taken before starting. Seriously. +A Cassandra backup of `galley` should be taken before starting. The migration runs in three steps. Each step is a values change followed by a `helm upgrade --install wire-server ...`. diff --git a/src/how-to/upgrade/config-references/wire-server-5.25.0.md b/src/how-to/upgrade/config-references/wire-server-5.25.0.md index 2ebe6c7..254954b 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.25.0.md +++ b/src/how-to/upgrade/config-references/wire-server-5.25.0.md @@ -100,7 +100,7 @@ Edit `values/nginx-ingress-services/values.yaml` during the nginx ingress upgrad ### `background-worker` migration tunables -When the conversation migration is being run at `5.25` rather than at `5.24` (please don't, but if it has to happen), page size and parralelism can now be tuned: +When the conversation migration is being run at `5.25` rather than at `5.24`, page size and parallelism can now be tuned: ```yaml background-worker: diff --git a/src/how-to/upgrade/config-references/wire-server-5.28.0.md b/src/how-to/upgrade/config-references/wire-server-5.28.0.md index 49275ad..6f59a1d 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.28.0.md +++ b/src/how-to/upgrade/config-references/wire-server-5.28.0.md 
@@ -44,7 +44,7 @@ d helm upgrade --install wire-server ./charts/wire-server --timeout=15m0s \ ### Upgrade Cassandra to `4.1.x` when convenient -From this release on, wire-server is only tested against Cassandra `4.1.x`. The codebase still works on `3.11`, `4.0`, and `4.1`, but only `4.1` and newer get testing going forward. So a Cassandra upgrade should be planned at some point, no rush. +From this release on, wire-server is only tested against Cassandra `4.1.x`. The codebase still works on `3.11`, `4.0`, and `4.1`, but only `4.1` and newer get testing going forward. A Cassandra upgrade should be planned at some point. ## Disk space note diff --git a/src/how-to/upgrade/config-references/wire-server-5.29.0.md b/src/how-to/upgrade/config-references/wire-server-5.29.0.md index c5629a9..aebbfa2 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.29.0.md +++ b/src/how-to/upgrade/config-references/wire-server-5.29.0.md @@ -119,7 +119,7 @@ proxy: ### Rate-limit status code is configurable -The status code returned by `nginz` and `cannon` for rate-limit responses can now be configured in helm values. Default is still `420`, so unless an actaul change is wanted, nothing to do. +The status code returned by `nginz` and `cannon` for rate-limit responses can now be configured in helm values. The default remains `420`, so no action is required unless a different code is desired. ## Disk space note From a9527c463732f4b1983c29eccf5975a49b12c526 Mon Sep 17 00:00:00 2001 From: Arthur Wolf Date: Thu, 30 Apr 2026 23:47:32 +0200 Subject: [PATCH 30/37] 5.25: remove migration-tunables section for off-sequence upgrades The section described how to tune the conversation migration when it is run at 5.25 rather than at 5.24 (where it belongs). The right guidance is to follow the documented sequence, this page should not have content for not following it. --- .../upgrade/config-references/wire-server-5.25.0.md | 12 ------------ 1 file changed, 12 deletions(-) 
diff --git a/src/how-to/upgrade/config-references/wire-server-5.25.0.md b/src/how-to/upgrade/config-references/wire-server-5.25.0.md index 254954b..4a7c44b 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.25.0.md +++ b/src/how-to/upgrade/config-references/wire-server-5.25.0.md @@ -98,18 +98,6 @@ nginx-ingress-services: Edit `values/nginx-ingress-services/values.yaml` during the nginx ingress upgrade step. Only relevant for `cert-manager`-based deploys with a key pinning requirement. -### `background-worker` migration tunables - -When the conversation migration is being run at `5.25` rather than at `5.24`, page size and parallelism can now be tuned: - -```yaml -background-worker: - config: - migrateConversationsOptions: - pageSize: 10000 - parallelism: 2 -``` - ### New migration failure metrics Two metrics for tracking migration failures: From f3936a19595ced05bbbb040bcf90dee7fd5f9ee1 Mon Sep 17 00:00:00 2001 From: Arthur Wolf Date: Thu, 30 Apr 2026 23:59:46 +0200 Subject: [PATCH 31/37] 5.24, 5.26, 5.27: add backup warning at the top of each migration section Each post-upgrade data migration now starts with a callout asking operators to back up the Cassandra galley keyspace and the target PostgreSQL database before running any of the steps. The migrations start writing to PostgreSQL from step 1 onwards, so rolling back without a backup is not straightforward. --- src/how-to/upgrade/config-references/wire-server-5.24.0.md | 4 ++-- src/how-to/upgrade/config-references/wire-server-5.26.0.md | 2 ++ src/how-to/upgrade/config-references/wire-server-5.27.0.md | 2 ++ 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/src/how-to/upgrade/config-references/wire-server-5.24.0.md b/src/how-to/upgrade/config-references/wire-server-5.24.0.md index 5eeab14..327c53b 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.24.0.md +++ b/src/how-to/upgrade/config-references/wire-server-5.24.0.md 
@@ -154,9 +154,9 @@ d kubectl get events ## Post-upgrade: migrate conversation data to PostgreSQL -It can only be done **after** the `5.24` `wire-server` helm upgrade has succeeded. Some required services don't exist yet on `5.23`, so trying to migrate before the upgrade just fails. +> **Back up before starting.** Take a backup of the Cassandra `galley` keyspace and of the target PostgreSQL database before running any of the steps below. The migration is destructive in the sense that data starts being written to PostgreSQL from step 1 onwards, and rolling back without a backup is not straightforward. -A Cassandra backup of `galley` should be taken before starting. +It can only be done **after** the `5.24` `wire-server` helm upgrade has succeeded. Some required services don't exist yet on `5.23`, so trying to migrate before the upgrade just fails. The migration runs in three steps. Each step is a values change followed by a `helm upgrade --install wire-server ...`. diff --git a/src/how-to/upgrade/config-references/wire-server-5.26.0.md b/src/how-to/upgrade/config-references/wire-server-5.26.0.md index cc52379..edda5b1 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.26.0.md +++ b/src/how-to/upgrade/config-references/wire-server-5.26.0.md @@ -54,6 +54,8 @@ d helm upgrade --install wire-server ./charts/wire-server --timeout=15m0s \ ## Post-upgrade: migrate conversation codes to PostgreSQL (optional) +> **Back up before starting.** Take a backup of the Cassandra `galley` keyspace and of the target PostgreSQL database before running any of the steps below. The migration writes to PostgreSQL from step 1 onwards, and rolling back without a backup is not straightforward. + Same shape as the conversation data migration from `5.24`. Only makes sense when conversation data has already been migrated, otherwise leave it. Step 1, in `values/wire-server/values.yaml`: 
diff --git a/src/how-to/upgrade/config-references/wire-server-5.27.0.md b/src/how-to/upgrade/config-references/wire-server-5.27.0.md index 1ca3e71..638d01d 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.27.0.md +++ b/src/how-to/upgrade/config-references/wire-server-5.27.0.md @@ -21,6 +21,8 @@ No mandatory changes at this release. No known bugs. ## Post-upgrade: migrate team features to PostgreSQL (optional) +> **Back up before starting.** Take a backup of the Cassandra `galley` keyspace and of the target PostgreSQL database before running any of the steps below. The migration writes to PostgreSQL from step 1 onwards, and rolling back without a backup is not straightforward. + Same shape as the conversation data and conversation codes migrations. Only do this when conversation data and conversation codes have already been migrated, otherwise skip it. Step 1, in `values/wire-server/values.yaml`: From e0ab02104afc5e9bdc8428507ac7d9d72a408be9 Mon Sep 17 00:00:00 2001 From: Julia Longtin Date: Thu, 30 Apr 2026 22:54:28 +0000 Subject: [PATCH 32/37] Update src/how-to/upgrade/config-references/wire-server-5.24.0.md --- src/how-to/upgrade/config-references/wire-server-5.24.0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/how-to/upgrade/config-references/wire-server-5.24.0.md b/src/how-to/upgrade/config-references/wire-server-5.24.0.md index 327c53b..f2e41fe 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.24.0.md +++ b/src/how-to/upgrade/config-references/wire-server-5.24.0.md 
@@ -344,7 +344,7 @@ d helm uninstall databases-ephemeral ## Disk space note -Each upgrade in this series re-runs `setup-offline-sources`, which copies the new release's binaries, container images, and debs into `/opt/assets` on the assethost. After a few versions, the assethost runs out of space and the playbook fails with `no space left on device`. +For those of you using our ansible based deployment package, each upgrade in this series re-runs `setup-offline-sources`, which copies the new release's binaries, container images, and debs into `/opt/assets` on the assethost. After a few versions, the assethost runs out of space and the playbook fails with `no space left on device`. When that happens, SSH into the **assethost** (not the adminhost) and clear it: From 03d4615cc7623afec3c6e4332c35f3b785b574a8 Mon Sep 17 00:00:00 2001 From: Julia Longtin Date: Thu, 30 Apr 2026 22:54:46 +0000 Subject: [PATCH 33/37] Update src/how-to/upgrade/config-references/wire-server-5.24.0.md --- src/how-to/upgrade/config-references/wire-server-5.24.0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/how-to/upgrade/config-references/wire-server-5.24.0.md b/src/how-to/upgrade/config-references/wire-server-5.24.0.md index f2e41fe..891f546 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.24.0.md +++ b/src/how-to/upgrade/config-references/wire-server-5.24.0.md 
@@ -70,7 +70,7 @@ brig: `port` defaults to `5672`, only set it if the RabbitMQ instance listens somewhere else. -Why: starting at `5.23`, `rabbitmq` is deployed as an external service instead of in-cluster. `brig` can't rely on the in-cluster default service name anymore, so the hostname has to be set explicitly. +Why: for those using our ansible infrastructure package, starting at `5.23`, `rabbitmq` is deployed as an external service instead of in-cluster. `brig` can't rely on the in-cluster default service name anymore, so the hostname has to be set explicitly. ### 3. Add the new `background-worker` config From 1928d11a21d4fe10c49675db3bd72c4971ab50b7 Mon Sep 17 00:00:00 2001 From: Julia Longtin Date: Thu, 30 Apr 2026 22:55:03 +0000 Subject: [PATCH 34/37] Update src/how-to/upgrade/config-references/wire-server-5.24.0.md --- src/how-to/upgrade/config-references/wire-server-5.24.0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/how-to/upgrade/config-references/wire-server-5.24.0.md b/src/how-to/upgrade/config-references/wire-server-5.24.0.md index 891f546..6082758 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.24.0.md +++ b/src/how-to/upgrade/config-references/wire-server-5.24.0.md 
@@ -104,7 +104,7 @@ d kubectl get secret postgresql-external -o jsonpath='{.data.password}' | base64 Why: `background-worker` now runs jobs that need PostgreSQL access and that talk directly to the Cassandra keyspaces of `brig` and `galley`. The federation domain is needed for federation-related background tasks. -> **Warning about the `postgresMigration.conversation` default.** At this release the `background-worker` chart defaults `postgresMigration.conversation` to `postgresql`. That default must **not** be left in place when conversations haven't been migrated yet. The data is still in Cassandra, so a `postgresql` setting points the worker at an empty table. See the migration section below. This is the bug that may have caused conversations to disappear at `5.25` for installs that didn't migrate. +> **Warning about the `postgresMigration.conversation` default.** At this release the `background-worker` chart defaults `postgresMigration.conversation` to `postgresql`. That default must **not** be left in place when conversations haven't been migrated yet. If they have not yet been migrated, the data will still be in Cassandra, so a `postgresql` setting points the worker at an empty table. See the migration section below. This is the bug that may have caused conversations to disappear at `5.25` for installs that didn't migrate. ### 4. Update `gundeck.config.redis.host` From d3d5fbeed6c384b5864b34ec4c7b7dec1f09da4a Mon Sep 17 00:00:00 2001 From: Julia Longtin Date: Thu, 30 Apr 2026 22:55:23 +0000 Subject: [PATCH 35/37] Update src/how-to/upgrade/config-references/wire-server-5.24.0.md --- src/how-to/upgrade/config-references/wire-server-5.24.0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/how-to/upgrade/config-references/wire-server-5.24.0.md b/src/how-to/upgrade/config-references/wire-server-5.24.0.md index 6082758..09a752d 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.24.0.md 
+++ b/src/how-to/upgrade/config-references/wire-server-5.24.0.md @@ -108,7 +108,7 @@ Why: `background-worker` now runs jobs that need PostgreSQL access and that talk ### 4. Update `gundeck.config.redis.host` -The Redis service hostname changed from `{{ .Release.Name }}-master` to `{{ .Release.Name }}`. With the standard `redis-ephemeral` release name, the in-cluster service is just `redis-ephemeral` now (used to be `databases-ephemeral-redis-ephemeral-master`). +For those using the in-cluster Redis service shipped with our bundle, The Redis service hostname has changed from `{{ .Release.Name }}-master` to `{{ .Release.Name }}`. With the standard `redis-ephemeral` release name, the in-cluster service is just `redis-ephemeral` now (used to be `databases-ephemeral-redis-ephemeral-master`). Check the cluster: From 53aabdbedf016be55688d964a91c5b985d02f38a Mon Sep 17 00:00:00 2001 From: Julia Longtin Date: Thu, 30 Apr 2026 22:55:45 +0000 Subject: [PATCH 36/37] Update src/how-to/upgrade/config-references/wire-server-5.24.0.md --- src/how-to/upgrade/config-references/wire-server-5.24.0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/how-to/upgrade/config-references/wire-server-5.24.0.md b/src/how-to/upgrade/config-references/wire-server-5.24.0.md index 09a752d..4567d08 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.24.0.md +++ b/src/how-to/upgrade/config-references/wire-server-5.24.0.md @@ -243,7 +243,7 @@ d helm upgrade --install wire-server ./charts/wire-server --timeout=15m0s \ --values ./values/wire-server/secrets.yaml ``` -From now on reads and writes both go to PostgreSQL. This configuration must be kept on every subsequent upgrade. +From this point forward reads and writes both go to PostgreSQL. This configuration must be kept on every subsequent upgrade. ## Optional changes From 3e3f93fe1b1589135432cf8689b1bccf2cdab2d3 Mon Sep 17 00:00:00 2001 
From: Julia Longtin Date: Thu, 30 Apr 2026 22:56:05 +0000 Subject: [PATCH 37/37] Update src/how-to/upgrade/config-references/wire-server-5.24.0.md --- src/how-to/upgrade/config-references/wire-server-5.24.0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/how-to/upgrade/config-references/wire-server-5.24.0.md b/src/how-to/upgrade/config-references/wire-server-5.24.0.md index 4567d08..ada9dde 100644 --- a/src/how-to/upgrade/config-references/wire-server-5.24.0.md +++ b/src/how-to/upgrade/config-references/wire-server-5.24.0.md @@ -247,7 +247,7 @@ From this point forward reads and writes both go to PostgreSQL. This configurati ## Optional changes -### `background-worker` tunables +### `background-worker` PostGreSQL tunables These are chart defaults, only set them when an actual change is needed:
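Review bot: In the `@@ -15,21 +15,45 @@` hunk of `wire-server-5.29.0.md`, "Placeholder secrets are enough" tells deploys that had `tags.proxy: false` to bring `proxy` up with dummy credentials, but never says that the service will then actually be running in an environment that had deliberately switched it off. Add a sentence stating that the placeholders exist only so the chart renders and must be replaced with real values before `proxy` is relied on. Separately, as shown in this patch the phrase "custom deploys that had `tags.: false`" has nothing after `tags.`; name a key from the list above it or use an explicit placeholder.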
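Review bot: In PATCH 24/37, the disk space note appended by `@@ -124,4 +115,20 @@` pairs the instruction "clear it" with `sudo rm -rvf /opt/assets`, which removes the directory itself and every release's assets, not only stale ones. Please confirm that `setup-offline-sources` recreates `/opt/assets` and say so in the note, or narrow the command to the directory's contents; because it runs as root on the assethost, a line telling the reader to verify the host before running it would be worth adding. The same hunk introduces "actaul", which is only corrected in 29/37; fixing it here keeps each commit clean.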
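Review bot: In PATCH 25/37, the new `wire-server-5.30.0.md` says most deploys arrive from `5.28` because `5.29` is skipped, yet "What must change" does not repeat the `metallb` wrapper chart removal that the `5.29` page lists as requiring a load balancer switch "before upgrading"; an operator following only this page's numbered steps would miss it. Add it as a numbered item or name it explicitly in "Heads up" next to the `tags.proxy` remark. Also, the changelog link points at the generic `https://github.com/wireapp/wire-server/releases` page, while the `5.24` page links a specific release tag; pin this one to the `5.30` tag so the reference does not drift.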
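Review bot: In PATCH 26/37, the removed `CERT_MASTER_EMAIL` section in `wire-server-5.24.0.md` documents a concrete failure (ACME registration rejected with `invalidContact`) and its fix for fresh installs from `release-5.23.1`, and the commit deletes it without moving it anywhere. If it does not belong on a per-version upgrade page, relocate it to the install documentation in the same series or reference where it now lives in the commit message, so the workaround stays findable.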
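Review bot: In PATCH 28/37, both changed lines now read "This is the bug that may have caused conversations to disappear", which still asserts a definite bug while hedging the effect. If causation is unproven, as the commit message says, something like "This default may have caused conversations to disappear" matches the intent better and avoids the mixed signal on both the `5.24` and `5.25` pages.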
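Review bot: In PATCH 31/37, the three "Back up before starting" callouts tell operators to back up the Cassandra `galley` keyspace and the target PostgreSQL database but give no command or link for either, and the `5.24` copy is worded differently ("destructive in the sense that data starts being written") from the `5.26` and `5.27` copies. Link each callout to the backup procedure, or state that none is documented yet, and use one wording across the three pages so later edits do not diverge.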
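Review bot: In PATCH 32/37, the qualifier "For those of you using our ansible based deployment package" is added only to the disk space note in `wire-server-5.24.0.md`, while the identical note on the `5.29` and `5.30` pages in this series still opens with "Each upgrade in this series re-runs `setup-offline-sources`". Apply the qualifier to every copy or to none, and write it as "Ansible-based" to match the product name.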
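Review bot: In PATCH 35/37, the rewritten sentence under "Update `gundeck.config.redis.host`" reads "shipped with our bundle, The Redis service hostname has changed", with a capital "The" left over mid-sentence after the new lead-in was prepended. Lowercase it, or split the qualifier into its own sentence.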
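Review bot: In PATCH 37/37, the new heading "### `background-worker` PostGreSQL tunables" spells the name "PostGreSQL", whereas every other occurrence in this series, including the headings "migrate conversation data to PostgreSQL", uses "PostgreSQL". Use the same spelling so in-page search and generated anchors stay consistent.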