fix: helm-operations.sh for sonarcloud exceptions and update wiab-staging based on review

Author: mohitrajain

bin/helm-operations.sh

@@ -7,7 +7,7 @@ BASE_DIR="${BASE_DIR:-/wire-server-deploy}"
 TARGET_SYSTEM="${TARGET_SYSTEM:-example.com}"
 CERT_MASTER_EMAIL="certmaster@${CERT_MASTER_EMAIL}:-certmaster@${TARGET_SYSTEM}"
 
-# DEPLOY_CERT_MANAGER env variable to decide to check if cert_manager and nginx-ingress-services charts should get deployed
+# DEPLOY_CERT_MANAGER env variable is used to decide if cert_manager and nginx-ingress-services charts should get deployed
 # default is set to TRUE to deploy it unless changed
 DEPLOY_CERT_MANAGER="${DEPLOY_CERT_MANAGER:-TRUE}"
 
@@ -24,9 +24,11 @@ HOST_IP=$(wget -qO- https://api.ipify.org)
 fi
 
 function dump_debug_logs {
+  local exit_code=$?
   if [[ "$DUMP_LOGS_ON_FAIL" == "TRUE" ]]; then 
     "$BASE_DIR"/bin/debug_logs.sh
   fi
+  return $exit_code
 }
 trap dump_debug_logs ERR
 
@@ -49,6 +51,7 @@ sync_pg_secrets() {
     echo "⚠️  Warning: PostgreSQL secret 'wire-postgresql-secret' not found, skipping secret sync"
     echo "    Make sure databases-ephemeral chart is deployed before wire-server"
   fi
+  return $?
 }
 
 # Creates values.yaml from prod-values.example.yaml and secrets.yaml from prod-secrets.example.yaml

offline/wiab-staging.md

@@ -153,7 +153,7 @@ Since the inventory is ready, please continue with the following steps:
 
 **TLS / certificate behavior (cert-manager vs. Bring Your Own):**
 - By default, `bin/helm-operations.sh` has `DEPLOY_CERT_MANAGER=TRUE`, which installs cert-manager and configures a Let’s Encrypt (HTTP-01) issuer for the ingress charts.
-- If you **do not** want Let’s Encrypt / cert-manager (for example, you are using **[Bring Your Own certificates](docs_ubuntu_22.04.md#acquiring--deploying-ssl-certificates)**), disable this step by passing  env variable `DEPLOY_CERT_MANAGER=FALSE` when running `bin/helm-operations.sh`.
+- If you **do not** want Let’s Encrypt / cert-manager (for example, you are using **[Bring Your Own certificates](docs_ubuntu_22.04.md#acquiring--deploying-ssl-certificates)**), disable this step by passing the environment variable `DEPLOY_CERT_MANAGER=FALSE` when running `bin/helm-operations.sh`.
   - When choosing `DEPLOY_CERT_MANAGER=FALSE`, ensure your ingress is configured with your own TLS secret(s) as described at [Acquiring / Deploying SSL Certificates](docs_ubuntu_22.04.md#acquiring--deploying-ssl-certificates).
   - When choosing `DEPLOY_CERT_MANAGER=TRUE`, ensure if further network configuration is required by following [cert-manager behaviour in NAT / bridge environments](#cert-manager-behaviour-in-nat--bridge-environments).
 
@@ -240,8 +240,8 @@ When cert-manager performs HTTP-01 self-checks inside the cluster, traffic can h
 
 In NAT/bridge setups (for example, using `virbr0` on the host):
 
-- If nftables rules DNAT in `PREROUTING` without a matching SNAT on `virbr0 → virbr0`, return packets may bypass the host and break conntrack, causing HTTP-01 timeouts and certificate verification failures.
-- Strict `rp_filter` can drop asymmetric return packets.
+- If nftables DNAT rules exist in `PREROUTING` without a matching SNAT on `virbr0 → virbr0`, return packets may bypass the host and break conntrack, causing HTTP-01 timeouts and certificate verification failures.
+-  too strict of `rp_filter` settings can drop asymmetric return packets.
 
 Before changing anything, first verify whether certificate issuance is actually failing: