wireapp · fisx · Apr 21, 2026 · Mar 24, 2026 · Mar 25, 2026 · Mar 25, 2026
@@ -1,3 +1,76 @@
+# [2026-04-20] (Chart Release 5.30.0)
+
+## Release notes
+
+
+* `background-worker` now reuses `galley`'s configmap and secrets for cassandra, postgres and federation domain settings. This removes redundant settings and keeps the two services aligned. No operator action is strictly required; however, we advise removing the `background-worker` value overrides for galley's cassandra, postgres, and federation domain settings, as they are duplicated and no longer needed:
+
+    - background-worker.config.cassandraGalley
+    - background-worker.config.postgresql
+    - background-worker.secrets.pgPassword
+    - background-worker.config.federationDomain (#5180)
+
+* Operators upgrading from the previous wire-server chart release, where the service charts were consolidated into the umbrella chart, must now set `tags.proxy` explicitly again.
+
+  If your currently installed values no longer contain a `proxy` tag because of that consolidation, add one before upgrading to this release and set it to the intended state:
+  - `tags.proxy: true` to deploy the `proxy` chart
+  - `tags.proxy: false` to keep the `proxy` chart disabled (#5161)
+
+* The Restund helm chart and code stops being supported and shipped. If you have not already, please migrate to coturn which continues to be supported. (#5162)
+
+
+## Features
+
+
+* Send team.member-join to all apps in team. (#5187)
+
+
+## Bug fixes and other updates
+
+
+* Remove the Server response header value for entire API. (#5179)
+
+* Integration tests for user events when user type is app.  Replace redundant app-created event with team.member-join. (#5139)
+
+* (Un-)suspend apps if en-/disabled in the team. (#5177)
+
+* Apps from outside own team do not appear in contact search. (#5173)
+
+* Fix: apps cannot form connections accross teams.  Integration test for cross-team conversations working with apps as expected. (#5171)
+
+* Prevent password reset for SAML users (#5191)
+
+* Remove apps from conversations when apps are disabled in conversation. (#5176)
+
+* Fix: allow removal of bots from conversation after switching it to MLS. (#5186)
+
+* Hotfix: handle NULL in brig-cassandra:user.user_type. (#5193)
+
+* Fix bug where the mls-users tool would crash for users with null `supported_protocols` (#5190)
+
+
+## Documentation
+
+
+* Make schema-profunctor schema names derived and avoid name clashes between scopes. (#5151)
+
+
+## Internal changes
+
+
+* Propagate error from brig on stern API call `GET i/domain-registration/:domain` (#5179)
+
+* The status code for rate limit responses from nginz and cannon is now configurable and set to 420 per default (#5154)
+
+* Moved code from galley to ClientSubsystem (#5154, #5147, #5157, #5156, #5165, #5168)
+
+* The defaults in k8ssandra-test-cluster should now work for both a fresh cassandra 4.1 pod as well as an upgrade of an existing previous k8ssandra-test-cluster deployment. We assume k8ssandra-operator helm chart version 1.20.2. (#5091)
+
+* Use sbomnix to generate SBOMs for Nix-built Docker images and devShells. Adjust Helm chart values for inlined wire-server chart. (#5167)
+
+* Remove tom-bombadil SBOM creation targets from `Makefile`. There's a better approach to create SBOMs in place (in `Makefile` and CI). (#5181)
+
+
 # [2026-03-24] (Chart Release 5.29.0)
 
 ## Release notes

@@ -7,7 +7,7 @@ DOCKER_TAG            ?= $(USER)
 # default helm chart version must be 0.0.42 for local development (because 42 is the answer to the universe and everything)
 HELM_SEMVER           ?= 0.0.42
 # The list of helm charts needed on internal kubernetes testing environments
-CHARTS_INTEGRATION    := wire-server databases-ephemeral rabbitmq fake-aws ingress-nginx-controller nginx-ingress-services fluent-bit kibana restund k8ssandra-test-cluster wire-server-enterprise
+CHARTS_INTEGRATION    := wire-server databases-ephemeral rabbitmq fake-aws ingress-nginx-controller nginx-ingress-services fluent-bit kibana k8ssandra-test-cluster wire-server-enterprise
 # The list of helm charts to publish on S3
 # FUTUREWORK: after we "inline local subcharts",
 # (e.g. move charts/brig to charts/wire-server/brig)
@@ -17,7 +17,7 @@ CHARTS_RELEASE := wire-server redis-ephemeral rabbitmq rabbitmq-external databas
 fake-aws fake-aws-s3 fake-aws-sqs aws-ingress fluent-bit kibana backoffice		\
 calling-test demo-smtp elasticsearch-curator elasticsearch-external				\
 elasticsearch-ephemeral minio-external cassandra-external						\
-ingress-nginx-controller nginx-ingress-services reaper restund \
+ingress-nginx-controller nginx-ingress-services reaper \
 k8ssandra-test-cluster ldap-scim-bridge wire-server-enterprise
 KIND_CLUSTER_NAME     := wire-server
 HELM_PARALLELISM      ?= 1 # 1 for sequential tests; 6 for all-parallel tests
@@ -699,22 +699,9 @@ diff-live-manifest: clean-charts charts-integration
 	DIFF_OUTPUT_FILE="$(DIFF_OUTPUT_FILE)" ./hack/bin/diff-wire-server-manifests.sh "$(LIVE_MANIFEST_FILE)" /tmp/wire-server.yaml
 
 render-ci-manifest: clean-charts charts-integration
-	VALUES_FILE="$${VALUES_FILE:-$$(mktemp).yaml}"; \
-  ./hack/bin/helm-render-ci-values.sh \
-  ./hack/bin/render-manifest.sh "$$VALUES_FILE"
-
-sbom.json:
-	nix -Lv build '.#wireServer.bomDependencies' && \
-	nix run 'github:wireapp/tom-bombadil#create-sbom' -- --root-package-name "wire-server"
-
-# Ask the security team for the `DEPENDENCY_TRACK_API_KEY` (if you need it)
-.PHONY: upload-bombon
-upload-bombon: sbom.json
-	nix run 'github:wireapp/tom-bombadil#upload-bom' -- \
-		--project-name "wire-server"  \
-		--project-version $(HELM_SEMVER) \
-		--auto-create \
-		--bom-file ./sbom.json
+	VALUES_FILE="$${VALUES_FILE:-$$(mktemp).yaml}"; export VALUES_FILE; \
+	./hack/bin/helm-render-ci-values.sh && \
+	./hack/bin/render-manifest.sh "$$VALUES_FILE"
 
 # SBOM creation and uploading (Helm charts, Helmfile, docker-compose)
 #
@@ -729,9 +716,9 @@ upload-bombon: sbom.json
 # Targets should be independently executable and creating a Nix env in a Nix
 # env doesn't play well.
 
-# Generate all SBOMs (Helm + Docker Compose + Helmfile)
+# Generate all SBOMs (Helm + Docker Compose + Helmfile + Nix Docker Images + Nix DevShell)
 .PHONY: sboms
-sboms: sboms-helm sboms-docker-compose sboms-helmfile
+sboms: sboms-helm sboms-docker-compose sboms-helmfile sboms-nix-docker-images sboms-nix-devshell
 
 # Generate SBOMs for Helm charts
 .PHONY: sboms-helm
@@ -756,6 +743,26 @@ sboms-helmfile: .local/charts
 	fi
 	./hack/bin/create-helmfile-sboms.sh tmp/sboms/helmfile $(HELM_SEMVER)
 
+# Generate SBOMs for Nix-built Docker images using sbomnix
+# This generates SBOMs from the Nix store paths of executables that go into Docker images
+.PHONY: sboms-nix-docker-images
+sboms-nix-docker-images:
+	@if [ "$(HELM_SEMVER)" = "0.0.42" ]; then \
+		echo "Environment variable HELM_SEMVER not set to non-default value. Re-run with HELM_SEMVER=<version>"; \
+		exit 1; \
+	fi
+	./hack/bin/create-nix-docker-image-sboms.sh tmp/sboms/nix-docker-images $(HELM_SEMVER) imagesUnoptimizedNoDocs
+
+# Generate SBOMs for Nix devShells using sbomnix
+# This generates SBOMs from the Nix store paths of packages in the development environments
+.PHONY: sboms-nix-devshell
+sboms-nix-devshell:
+	@if [ "$(HELM_SEMVER)" = "0.0.42" ]; then \
+		echo "Environment variable HELM_SEMVER not set to non-default value. Re-run with HELM_SEMVER=<version>"; \
+		exit 1; \
+	fi
+	./hack/bin/create-nix-devshell-sbom.sh tmp/sboms/nix-devshell $(HELM_SEMVER)
+
 # Validate all SBOM files using cyclonedx
 .PHONY: validate-sboms
 validate-sboms:

@@ -30,7 +30,6 @@ This repository contains the following source code:
    - **cannon**: WebSocket Push Notifications
    - **cargohold**: Asset (image, file, ...) Storage
    - **proxy**: 3rd Party API Integration
-   - **restund**: STUN/TURN server for use in Audio/Video calls
    - **spar**: Single-Sign-On (SSO)
 
 - **tools**

@@ -4,7 +4,6 @@ index-state: 2023-10-03T15:17:00Z
 packages:
     integration
   , libs/bilge/
-  , libs/brig-types/
   , libs/cargohold-types/
   , libs/cassandra-util/
   , libs/extended/
@@ -57,7 +56,6 @@ packages:
   , tools/db/repair-brig-clients-table/
   , tools/db/service-backfill/
   , tools/rabbitmq-consumer
-  , tools/rex/
   , tools/stern/
   , tools/mlsstats/
   , tools/test-stats/

@@ -6,6 +6,10 @@ kind: Job
 metadata:
   name: check-cluster-job
   namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    "helm.sh/hook-weight": "10"
 spec:
   template:
     spec:

@@ -7,6 +7,7 @@ spec:
   auth: false
   cassandra:
     serverVersion: "4.1.10"
+    serverImage: "docker.io/k8ssandra/cass-management-api:4.1.10-ubi"
     telemetry:
       prometheus:
         enabled: {{ .Values.prometheus.enabled }}
@@ -30,6 +31,9 @@ spec:
         client_encryption_options:
           enabled: {{ .Values.client_encryption_options.enabled }}
           optional: {{ .Values.client_encryption_options.optional }}
+        server_encryption_options:
+          internode_encryption: none
+
     datacenters:
         - metadata:
             name: datacenter-1

@@ -16,7 +16,7 @@ storageSize: 10G
 #  https://cassandra.apache.org/doc/stable/cassandra/configuration/cass_yaml_file.html#client_encryption_options
 client_encryption_options:
   enabled: false
-  optional: true
+  optional: false
   # The password could be secured better. However, this chart is meant to be
   # used as test setup. And, protecting a self-signed certificate isn't very
   # useful.

@@ -4,7 +4,7 @@ metadata:
   name: {{ include "nginx-ingress-services.getIngressName" . | quote }}
   {{- if .Values.config.renderCSPInIngress }}
   annotations:
-    {{- if not (contains .Values.config.ingressClass "nginx") }}
+    {{- if not (hasPrefix "nginx" .Values.config.ingressClass) }}
         {{ fail "In ingress CSP header setting only works with a 'nginx' controller. (Rename it to 'nginx-*' if it is one.)" }}
     {{- end }}
     {{/* We need to add CSP headers here for webapp, team-settings and

@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
@@ -0,0 +1,4 @@
+apiVersion: v1
+description: Proxy (part of Wire Server) - 3rd party proxy service
+name: proxy
+version: 0.0.42
@@ -0,0 +1,8 @@
+{{/* Allow KubeVersion to be overridden. */}}
+{{- define "kubeVersion" -}}
+  {{- default .Capabilities.KubeVersion.Version .Values.kubeVersionOverride -}}
+{{- end -}}
+
+{{- define "includeSecurityContext" -}}
+  {{- (semverCompare ">= 1.24-0" (include "kubeVersion" .)) -}}
+{{- end -}}
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: "proxy"
+data:
+  proxy.yaml: |
+    logFormat: {{ .Values.config.logFormat }}
+    logLevel: {{ .Values.config.logLevel }}
+    logNetStrings: {{ .Values.config.logNetStrings }}
+    disabledAPIVersions: {{ toJson .Values.config.disabledAPIVersions }}
+    proxy:
+      host: 0.0.0.0
+      port: {{ .Values.service.internalPort }}
+    httpPoolSize: 1000
+    maxConns: 5000
+    secretsConfig: /etc/wire/proxy/secrets/proxy.config
@@ -8,12 +8,12 @@ metadata:
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
 spec:
-  replicas: {{ .Values.proxy.replicaCount }}
+  replicas: {{ .Values.replicaCount }}
   strategy:
     type: RollingUpdate
     rollingUpdate:
       maxUnavailable: 0
-      maxSurge: {{ .Values.proxy.replicaCount }}
+      maxSurge: {{ .Values.replicaCount }}
   selector:
     matchLabels:
       app: proxy
@@ -24,8 +24,8 @@ spec:
         release: {{ .Release.Name }}
       annotations:
         # An annotation of the configmap checksum ensures changes to the configmap cause a redeployment upon `helm upgrade`
-        checksum/configmap: {{ include (print .Template.BasePath "/proxy/configmap.yaml") . | sha256sum }}
-        checksum/secret: {{ include (print .Template.BasePath "/proxy/secret.yaml") . | sha256sum }}
+        checksum/configmap: {{ include (print .Template.BasePath "/configmap.yaml") . | sha256sum }}
+        checksum/secret: {{ include (print .Template.BasePath "/secret.yaml") . | sha256sum }}
     spec:
       topologySpreadConstraints:
         - maxSkew: 1
@@ -43,19 +43,19 @@ spec:
             secretName: "proxy"
       containers:
         - name: proxy
-          image: "{{ .Values.proxy.image.repository }}:{{ .Values.proxy.image.tag }}"
-          imagePullPolicy: {{ default "" .Values.proxy.imagePullPolicy | quote }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ default "" .Values.imagePullPolicy | quote }}
           {{- if eq (include "includeSecurityContext" .) "true" }}
           securityContext:
-            {{- toYaml .Values.proxy.podSecurityContext | nindent 12 }}
+            {{- toYaml .Values.podSecurityContext | nindent 12 }}
           {{- end }}
           volumeMounts:
           - name: "proxy-secrets"
             mountPath: "/etc/wire/proxy/secrets"
           - name: "proxy-config"
             mountPath: "/etc/wire/proxy/conf"
           env:
-          {{- with .Values.proxy.config.proxy }}
+          {{- with .Values.config.proxy }}
           {{- if .httpProxy }}
           - name: http_proxy
             value: {{ .httpProxy | quote }}
@@ -74,18 +74,18 @@ spec:
           - name: NO_PROXY
             value: {{ join "," .noProxyList | quote }}
           {{- end }}
-          {{- end }} 
+          {{- end }}
           ports:
-            - containerPort: {{ .Values.proxy.service.internalPort }}
+            - containerPort: {{ .Values.service.internalPort }}
           livenessProbe:
             httpGet:
               scheme: HTTP
               path: /i/status
-              port: {{ .Values.proxy.service.internalPort }}
+              port: {{ .Values.service.internalPort }}
           readinessProbe:
             httpGet:
               scheme: HTTP
               path: /i/status
-              port: {{ .Values.proxy.service.internalPort }}
+              port: {{ .Values.service.internalPort }}
           resources:
-{{ toYaml .Values.proxy.resources | indent 12 }}
+{{ toYaml .Values.resources | indent 12 }}
@@ -1,4 +1,4 @@
-{{- if gt (int .Values.proxy.replicaCount) 1 }}
+{{- if gt (int .Values.replicaCount) 1 }}
 apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
@@ -9,7 +9,7 @@ metadata:
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
 spec:
-  maxUnavailable: {{ sub (int .Values.proxy.replicaCount) 1 }}
+  maxUnavailable: {{ sub (int .Values.replicaCount) 1 }}
   selector:
     matchLabels:
       app: proxy

@@ -9,4 +9,4 @@ metadata:
     heritage: "{{ .Release.Service }}"
 type: Opaque
 data:
-  proxy.config: {{ .Values.proxy.secrets.proxy_config | b64enc | quote }}
+  proxy.config: {{ .Values.secrets.proxy_config | b64enc | quote }}
@@ -17,8 +17,8 @@ spec:
   type: ClusterIP
   ports:
     - name: http
-      port: {{ .Values.proxy.service.externalPort }}
-      targetPort: {{ .Values.proxy.service.internalPort }}
+      port: {{ .Values.service.externalPort }}
+      targetPort: {{ .Values.service.internalPort }}
   selector:
     app: proxy
     release: {{ .Release.Name }}
@@ -1,4 +1,4 @@
-{{- if .Values.proxy.metrics.serviceMonitor.enabled }}
+{{- if .Values.metrics.serviceMonitor.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata: