Release 2026-06-12 - (expected chart version 5.33.0)

CHANGELOG.md

@@ -1,10 +1,94 @@
+# [2026-06-12] (Chart Release 5.33.0)
+
+## Release notes
+
+
+* The background-worker migration timeout configuration was renamed from `migrateConversationsOptions` to `migrationOptions`. The old key is no longer read, so update any custom Helm overrides to the new name to avoid unexpected defaults. (#5244)
+
+* Add public `/meetings` endpoints to galley nginz routing (WPB-26338). (#5258)
+
+* Support for the kyber based hybrid post quantum ciphersuite was removed, because it is not supported by wire branch of openmls. (#5224)
+
+
+## API changes
+
+
+* In API version V16 `DELETE /conversations/:domain/:cid/members/:domain/:uid` may return a new error 403 `adminless-conversation` (#5254)
+
+* Remove redundant "get-app" end-point (use `POST /list-users` instead). (#PR_NOT_FOUND)
+
+* Finalize API version v16 and create new dev version v17. (#5257)
+
+
+## Features
+
+
+* Enforced history client invariants for conversation history sharing: enabled requires exactly one history client, disabled requires none. (#5217)
+
+* Prevent adminless groups (#5254, #5256)
+
+* Added a team feature to configure adminless group prevention. (#5233)
+
+* Added a team feature flag for background effects. (#5246)
+
+* nginx-ingress-services: allow a federator-only cert-manager issuer (e.g. AWS Private CA via AWSPCAClusterIssuer) by setting federator.tls.issuer.{name,kind,group} without having to enable the global tls.useCertManager flag. The wildcard-backed federator-certificate-secret is suppressed in that case so cert-manager can own the secret. (#5249)
+
+* Allow storing user data in PostgreSQL.
+
+  This is currently not the default and is experimental. The migration path from Cassandra is yet to be implemented.
+
+  However, new installations can use this by configuring the wire-server Helm chart like this:
+
+  ```yaml
+  galley:
+    config:
+      postgresqlMigration:
+        user: postgresql
+  ```
+
+  (#4951)
+
+
+## Bug fixes and other updates
+
+
+* Reset the MLS group info on conversation reset (#5229)
+
+* Refresh ES index after app update, emit event. (#5231)
+
+* Allow team members with role `Member` to browse collaborators. (#PR_NOT_FOUND)
+
+* Make migration locks release safely on failure (#5238)
+
+* Reduce connection usage and number of SQL queries for checking for pending PostgreSQL migration cleanup. (#5234)
+
+* Reconnect and retry queries when the PostgreSQL server restarts (#5216)
+
+
+## Internal changes
+
+
+* Add meeting cleaner job in `background-worker`. (#5207)
+
+* Integration test comparing different team-search end-points. (#5230)
+
+* Add timeout and duration metrics to Cassandra-to-PostgreSQL migration options (#5244)
+
+* Internal `/i/domain-registration` API made available for testing (#5245)
+
+* Bump wire-server-enterprise submodule (introduces gitignoreSource Nix fix) (#5253)
+
+* Fix SBOM generation scripts: stop merging stderr into stdout, which polluted the devShell and image name lists with nix warnings (#5264)
+
+* wire-ingress chart: Add a ALPN ClienTrafficPolicy (#5228)
+
+
 # [2026-05-12] (Chart Release 5.32.0)
 
 ## Release notes
 
 
 * - `postgresMigration` now has a single source of truth in the Galley chart values. Galley, Brig, and background-worker all read their PostgreSQL migration settings from there.
-  - If your deployment overrides the full `postgresMigration` object, add the new `domainRegistration` field to that override. Otherwise services may fail to start because the config is incomplete.
   - To migrate domain registration data to PostgreSQL, set `postgresMigration.domainRegistration` to `migration-to-postgresql`, run the background-worker migration with `migrateDomainRegistration: true`, and switch the setting to `postgresql` after completion.
   - The domain registration migration covers these Cassandra tables:
     `domain_registration`, `domain_registration_by_team`, and `domain_registration_challenge`. (#5195)

charts/elasticsearch-index/templates/migrate-data.yaml

@@ -71,6 +71,8 @@ spec:
             {{- end }}
             - --pg-settings
             - {{ toJson .Values.postgresql | quote }}
+            - --user-storage-location
+            - {{ .Values.postgresMigration.user }}
           volumeMounts:
           {{- if hasKey .Values.secrets "elasticsearch" }}
             - name: "elasticsearch-index-secrets"

charts/elasticsearch-index/values.yaml

@@ -49,6 +49,9 @@ postgresqlPool:
   agingTimeout: 1d
   idlenessTimeout: 10m
 
+postgresMigration:
+  user: cassandra
+
 galley:
   host: galley
   port: 8080

charts/integration/templates/configmap.yaml

@@ -54,7 +54,7 @@ data:
       port: 8080
 
     backgroundWorker:
-      host: backgroundWorker.{{ .Release.Namespace }}.svc.cluster.local
+      host: background-worker.{{ .Release.Namespace }}.svc.cluster.local
       port: 8080
       # Background jobs defaults for integration tests
       backgroundJobs:
@@ -145,7 +145,7 @@ data:
         port: 8080
 
       backgroundWorker:
-        host: backgroundWorker.{{ .Release.Namespace }}-fed2.svc.cluster.local
+        host: background-worker.{{ .Release.Namespace }}-fed2.svc.cluster.local
         port: 8080
 
       stern:
@@ -212,7 +212,7 @@ data:
         host: proxy.wire-federation-v0.svc.cluster.local
         port: 8080
       backgroundWorker:
-        host: backgroundWorker.wire-federation-v0.svc.cluster.local
+        host: background-worker.wire-federation-v0.svc.cluster.local
         port: 8080
       stern:
         host: stern.wire-federation-v0.svc.cluster.local
@@ -255,7 +255,7 @@ data:
         host: proxy.wire-federation-v1.svc.cluster.local
         port: 8080
       backgroundWorker:
-        host: backgroundWorker.wire-federation-v1.svc.cluster.local
+        host: background-worker.wire-federation-v1.svc.cluster.local
         port: 8080
       stern:
         host: stern.wire-federation-v1.svc.cluster.local
@@ -298,7 +298,7 @@ data:
         host: proxy.wire-federation-v2.svc.cluster.local
         port: 8080
       backgroundWorker:
-        host: backgroundWorker.wire-federation-v2.svc.cluster.local
+        host: background-worker.wire-federation-v2.svc.cluster.local
         port: 8080
       stern:
         host: stern.wire-federation-v2.svc.cluster.local

charts/nginx-ingress-services/templates/certificate_federator.yaml

@@ -4,7 +4,8 @@
 {{- if and .Values.federator.enabled .Values.config.isAdditionalIngress -}}
   {{ fail "Federation and multi-backend-domain (multi-ingress) cannot be configured together." }}
 {{- end -}}
-{{- if and .Values.federator.enabled (and .Values.tls.enabled .Values.tls.useCertManager) }}
+{{- $federatorUsesCertManager := or .Values.tls.useCertManager .Values.federator.tls.issuer.name -}}
+{{- if and .Values.federator.enabled .Values.tls.enabled $federatorUsesCertManager }}
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:

charts/nginx-ingress-services/templates/secret_federator.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.federator.enabled (not .Values.tls.useCertManager) }}
+{{- if and .Values.federator.enabled (not .Values.tls.useCertManager) (not .Values.federator.tls.issuer.name) }}
 {{- if .Values.config.isAdditionalIngress -}}
   {{ fail "Federation and multi-backend-domain (multi-ingress) cannot be configured together." }}
 {{- end -}}

charts/nginz/values.yaml

@@ -551,6 +551,36 @@ nginx_conf:
       envs:
         - all
       disable_zauth: true
+    - path: /i/domain-registration/([^/]*)/lock$
+      envs:
+        - staging
+      disable_zauth: true
+      basic_auth: true
+      versioned: false
+    - path: /i/domain-registration/([^/]*)/unlock$
+      envs:
+        - staging
+      disable_zauth: true
+      basic_auth: true
+      versioned: false
+    - path: /i/domain-registration/([^/]*)/preauthorize$
+      envs:
+        - staging
+      disable_zauth: true
+      basic_auth: true
+      versioned: false
+    - path: /i/domain-registration/([^/]*)/unauthorize$
+      envs:
+        - staging
+      disable_zauth: true
+      basic_auth: true
+      versioned: false
+    - path: /i/domain-registration/([^/]*)$
+      envs:
+        - staging
+      disable_zauth: true
+      basic_auth: true
+      versioned: false
     - path: /domain-verification/([^/]*)/team/challenges/([^/]*)
       envs:
         - all
@@ -746,6 +776,9 @@ nginx_conf:
       disable_zauth: true
       basic_auth: true
       versioned: false
+    - path: /meetings(.*)
+      envs:
+      - all
     gundeck:
     - path: /push
       envs:

charts/wire-ingress/README.md

@@ -80,7 +80,8 @@ name overrides, etc.) can be found in `values.yaml`.
 |---|---|---|
 | `gateway.create` | `true` | If `false`, no `Gateway` resource is created — set `gateway.name` to reference an existing one. Useful when sharing a Gateway across multiple releases. |
 | `gateway.className` | `""` | **Required.** Name of the `GatewayClass` installed by the Envoy Gateway controller (e.g. `envoy`). Must match the `GatewayClass` object whose `spec.controllerName` is `gateway.envoyproxy.io/gatewayclass-controller`. |
-| `gateway.listeners.https.hostname` | `""` | **Required when `federator.enabled: true`.** Restricts the HTTPS listener to a specific hostname (e.g. `*.example.com`). Without this, both the HTTPS and federator listeners are catch-all on the same port, causing Envoy to degrade ALPN to HTTP/1.1-only (`OverlappingTLSConfig`). |
+| `gateway.alpn.enabled` | `true` | Enables ALPN configuration via `ClientTrafficPolicy` to support HTTP/2 despite overlapping certificate SANs across multiple service listeners. When disabled, ALPN defaults to HTTP/1.1 only. |
+| `gateway.alpn.protocols` | `[h2, http/1.1]` | List of ALPN protocols to advertise to clients. Defaults to HTTP/2 with HTTP/1.1 fallback. |
 | `gateway.listeners.http.enabled` | `false` | Enables the HTTP listener on port 80. Required for HTTP01 ACME challenges via cert-manager's `gatewayHTTPRoute` solver — see [HTTP01 certificate challenges](#http01-certificate-challenges). |
 | `gateway.envoyProxy.create` | `true` | If `false`, no `EnvoyProxy` resource is created. Set `gateway.envoyProxy.name` to reference an existing one, or leave it empty to inherit the GatewayClass-level `EnvoyProxy`. |
 | `gateway.envoyProxy.name` | _(derived)_ | When `create: true` — name of the created resource. When `create: false` — name of an existing `EnvoyProxy` to reference via `infrastructure.parametersRef`. |
@@ -285,14 +286,25 @@ federator:
 
 ---
 
+### HTTP/2 support with ALPN ClientTrafficPolicy
+
+The chart creates a `ClientTrafficPolicy` resource that explicitly configures ALPN protocols when `gateway.alpn.enabled: true`. This is necessary because when a single certificate with multiple SANs is used across multiple listeners on the same port, Envoy would otherwise disable HTTP/2 as a safety measure to prevent connection coalescing attacks.
+
+The policy sets `spec.tls.alpnProtocols` to:
+```yaml
+- h2        # HTTP/2
+- http/1.1  # HTTP/1.1 fallback
+```
+
+This allows HTTP/2 to be negotiated while maintaining support for older clients via HTTP/1.1 fallback.
+
 ### Federator mTLS uses Envoy Gateway policies
 
 Federator mTLS is implemented using:
 
 - `ClientTrafficPolicy` to configure TLS settings on the federator `Gateway` listener (client
   certificate validation, verify depth)
-- A separate `Gateway` listener (or dedicated `Gateway`) for the federator so that mTLS settings
-  apply only to that listener
+- A separate `Gateway` listener for the federator so that mTLS settings apply only to that listener
 - `X-SSL-Certificate` header forwarding is handled via an `EnvoyExtensionPolicy` with an inline
   Lua filter that reads the URL-encoded PEM client certificate from the connection and injects it
   as a request header, matching nginx's `$ssl_client_escaped_cert` behaviour

charts/wire-ingress/templates/clienttrafficpolicy-alpn.yaml

@@ -0,0 +1,24 @@
+{{- if .Values.gateway.alpn.enabled }}
+{{/* Envoy Gateway-specific (gateway.envoyproxy.io/v1alpha1).
+     Configures ALPN to allow HTTP/2 despite overlapping certificate SANs
+     when using multiple listeners with the same certificate. */}}
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: ClientTrafficPolicy
+metadata:
+  name: {{ include "wire-ingress.gatewayName" . }}-alpn
+  namespace: {{ .Release.Namespace }}
+  labels:
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+spec:
+  targetRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: {{ include "wire-ingress.gatewayName" . | quote }}
+  tls:
+    alpnProtocols:
+      {{- range .Values.gateway.alpn.protocols }}
+      - {{ . }}
+      {{- end }}
+{{- end }}

charts/wire-ingress/values.yaml

@@ -81,6 +81,15 @@ gateway:
       # Optional hostname restriction for the HTTP listener. Set alongside
       # listeners.https.hostname when using mergeGateways.
       hostname: ""
+  # ALPN configuration for HTTP/2 support with multiple listeners.
+  # When using multiple listeners with overlapping certificate SANs,
+  # Envoy Gateway may downgrade to HTTP/1.1. This ClientTrafficPolicy
+  # explicitly configures ALPN to allow HTTP/2.
+  alpn:
+    enabled: true
+    protocols:
+      - h2        # HTTP/2
+      - http/1.1  # HTTP/1.1 fallback
   # Set to false to skip creating EnvoyPatchPolicy resources.
   # EnvoyPatchPolicy requires extensionApis.enableEnvoyPatchPolicy: true
   # in the EnvoyGateway ConfigMap (see README).

charts/wire-server/templates/background-worker/configmap.yaml

@@ -84,13 +84,17 @@ data:
     migrateConversationCodes: {{ .migrateConversationCodes }}
     migrateTeamFeatures: {{ .migrateTeamFeatures }}
     migrateDomainRegistration: {{ .migrateDomainRegistration }}
-    migrateConversationsOptions:
-{{toYaml .migrateConversationsOptions | indent 6 }}
+    migrationOptions:
+{{toYaml .migrationOptions | indent 6 }}
 
     backendNotificationPusher:
 {{toYaml .backendNotificationPusher | indent 6 }}
     {{- with .backgroundJobs }}
     backgroundJobs:
+{{ toYaml . | indent 6 }}
+    {{- end }}
+    {{- with .meetingsCleanup }}
+    meetingsCleanup:
 {{ toYaml . | indent 6 }}
     {{- end }}
     {{- if $.Values.galley.config.postgresMigration }}