fix: wpb-23988 sync wire-server helm chart secrets for wiab-dev from prod values for 5.25

Author: mohitrajain

values/wire-server/demo-secrets.example.yaml

@@ -1,66 +1,82 @@
-# CHANGEME-DEMO: All values here should be changed/reviewed
+# CHANGEME-DEV: All values here should be changed/reviewed
+# check the ansible playbook ansible/wiab-demo/wire_secrets.yml on how these secrets are being randomly generated and rotated
+# make sure that any secrets related to external services like AWS, giphy, youtube, spotify etc are being updated before running the random secret generation (ansible/wiab-demo/wire_secrets.yml) at demo-secrets.example.yaml and before deploying the helm charts using the playbook (ansible/wiab-demo/helm_install.yml)
+
+# The secrets for services like elasticsearch, postgresql, rabbitmq and AWS (fake) secretID and key are configured in their helm charts. The values passed to these charts can be modified at wire-server-deploy/service-name/demo-[values|secrets].example.yaml
+# postgresql - https://github.com/wireapp/helm-charts/tree/dev/charts/postgresql
+# elasticsearch - https://github.com/wireapp/wire-server/blob/develop/charts/elasticsearch-ephemeral
+# rabbitMQ - https://github.com/wireapp/wire-server/tree/develop/charts/rabbitmq
+# fake-aws - https://github.com/wireapp/wire-server/tree/develop/charts/fake-aws
+# AWS - this needs to be checked with wire support if needs to use real AWS services
+
 elasticsearch-index:
   secrets:
     elasticsearch:
-      username: elastic
-      password: changeme
+      username: "elastic"
+      password: "changeme"
+
 brig:
   secrets:
+    pgPassword: verysecurepassword
     smtpPassword: dummyPassword
     zAuth:
       # generate zauth public/private keys with the 'zauth' executable from wire-server:
-      # ./dist/zauth -m gen-keypair -i 1
+      # sudo docker run $ZAUTH_CONTAINER -m gen-keypair
       publicKeys: "<public key>"
       privateKeys: "<private key>"
     turn:
       # generate a high-entropy random string, e.g. using
-      # openssl rand -base64 64 | env LC_CTYPE=C tr -dc a-zA-Z0-9 | head -c 42
+      # openssl rand -base64 64 | env LC_CTYPE=C tr -dc a-zA-Z0-9 | head -c 64
       secret: CHANGEMEE6KHMJU1uDhhgvsVWoIyzmn3u3GHRoWjTp
-    # these only need to be changed if using real AWS services
     awsKeyId: dummykey
     awsSecretKey: dummysecret
-    # These are only necessary if you wish to support sign up via SMS/calls
-    # And require accounts at twilio.com / nexmo.com
     rabbitmq:
       username: wire-server
       password: verysecurepassword
-    # PostgreSQL password is synced with the wire-postgresql-secret from k8s cluster
-    # To extract the secret from an existing Kubernetes cluster:
-    #   kubectl get secret wire-postgresql-secret -n postgresql -o jsonpath='{.data.password}' | base64 -d
-    pgPassword: dummyPassword # gets replaced by the actual secret
     elasticsearch:
       username: "elastic"
       password: "changeme"
     elasticsearchAdditional:
       username: "elastic"
       password: "changeme"
-cannon:
+
+cargohold:
   secrets:
+    awsKeyId: dummykey
+    awsSecretKey: dummysecret
     rabbitmq:
       username: wire-server
       password: verysecurepassword
 
-cargohold:
+cannon:
   secrets:
-    # these only need to be changed if using real AWS services
-    awsKeyId: dummykey
-    awsSecretKey: dummysecret
     rabbitmq:
       username: wire-server
       password: verysecurepassword
 
 galley:
   secrets:
-    # these only need to be changed if using real AWS services
-    awsKeyId: dummykey
-    awsSecretKey: dummysecret
-    # PostgreSQL password is synced with the wire-postgresql-secret from k8s cluster
-    # To extract the secret from an existing Kubernetes cluster:
-    #   kubectl get secret wire-postgresql-secret -n postgresql -o jsonpath='{.data.password}' | base64 -d
-    pgPassword: dummyPassword # gets replaced by the actual secret
     rabbitmq:
       username: wire-server
       password: verysecurepassword
+    pgPassword: verysecurepassword
+    # these only need to be changed if using real AWS services
+    awsKeyId: dummykey
+    awsSecretKey: dummysecret
+    mlsPrivateKeys:
+      removal:
+        ed25519: |
+          -----BEGIN PRIVATE KEY-----
+          -----END PRIVATE KEY-----
+        ecdsa_secp256r1_sha256: |
+          -----BEGIN PRIVATE KEY-----
+          -----END PRIVATE KEY-----
+        ecdsa_secp384r1_sha384: |
+          -----BEGIN PRIVATE KEY-----
+          -----END PRIVATE KEY-----
+        ecdsa_secp521r1_sha512: |
+          -----BEGIN PRIVATE KEY-----
+          -----END PRIVATE KEY-----
 
 gundeck:
   secrets:
@@ -93,9 +109,11 @@ nginz:
     # only necessary in test environments (env="staging"). See charts/nginz/README.md
     basicAuth: "<username>:<htpasswd-hashed-password>"
 
+
 # RabbitMQ credentials for background-worker.
 background-worker:
   secrets:
+    pgPassword: verysecurepassword
     rabbitmq:
       username: wire-server
       password: verysecurepassword

values/wire-server/demo-values.example.yaml

@@ -1,4 +1,4 @@
-# CHANGEME-PROD: All values here should be changed/reviewed
+# CHANGEME-DEV: All values here should be changed/reviewed
 tags:
   proxy: false # enable if you want/need giphy/youtube/etc proxying
   legalhold: false # Enable if you need legalhold