wireapp · mohitrajain · Apr 2, 2026 · Mar 12, 2026 · Mar 12, 2026 · Mar 12, 2026
diff --git a/.github/workflows/changelog-verify.yml b/.github/workflows/changelog-verify.yml
@@ -2,6 +2,8 @@ name: Changelog verification
 on:
   pull_request:
     branches: ["**"]
+  push:
+    branches: ["master"]
 
 permissions:
   contents: read

diff --git a/ansible/files/wiab_server_nftables.conf.j2 b/ansible/files/wiab_server_nftables.conf.j2
@@ -67,7 +67,9 @@ table ip nat {
   chain POSTROUTING {
     type nat hook postrouting priority 100;
     oifname != docker0 ip saddr 172.17.0.0/16 counter masquerade
+{% if not (private_deployment | default(true) | bool) %}
     oifname $INF_WAN counter masquerade comment "{{ wire_comment }} masquerade outgoing traffic"
+{% endif %}
   }
   chain DOCKER {
     iifname docker0 counter return

diff --git a/ansible/inventory/demo/host.yml b/ansible/inventory/demo/host.yml
@@ -57,7 +57,6 @@ wiab:
       - databases-ephemeral
       - postgresql
       - reaper
-      - smallstep-accomp
       - wire-server
       - webapp
       - account-pages

diff --git a/ansible/inventory/demo/wiab-staging.yml b/ansible/inventory/demo/wiab-staging.yml
@@ -6,4 +6,6 @@ wiab-staging:
       ansible_user: 'demo'
       ansible_ssh_private_key_file: "~/.ssh/id_ed25519"
   vars:
-    artifact_hash: 2200257f7a528f3a8157e8878fc7ee1c945594d1
+    artifact_hash: 7da2319729ba792f91d7ccba4e026c21cd3a3691
+    # when enabled, disable WAN SNAT/masquerading for VMs on the private network
+    private_deployment: true
diff --git a/ansible/wiab-staging-provision.yml b/ansible/wiab-staging-provision.yml
@@ -298,9 +298,8 @@
         kubenode2_ip: "{{ kubenode_ip_result.results[1].stdout }}"
         kubenode3_ip: "{{ kubenode_ip_result.results[2].stdout }}"
         wire_comment: "wiab-stag"
-
     tags: always
 
 - name: Configure nftables
   import_playbook: ./wiab-staging-nftables.yaml
-  tags: nftables
+  tags: [never, nftables]
diff --git a/bin/helm-operations.sh b/bin/helm-operations.sh
@@ -5,7 +5,7 @@ set -Eeo pipefail
 # Read values from environment variables with defaults
 BASE_DIR="${BASE_DIR:-/wire-server-deploy}"
 TARGET_SYSTEM="${TARGET_SYSTEM:-example.com}"
-CERT_MASTER_EMAIL="certmaster@${CERT_MASTER_EMAIL}:-certmaster@${TARGET_SYSTEM}"
+CERT_MASTER_EMAIL="${CERT_MASTER_EMAIL:-certmaster@example.com}"
 
 # DEPLOY_CERT_MANAGER env variable is used to decide if cert_manager and nginx-ingress-services charts should get deployed
 # default is set to TRUE to deploy it unless changed
@@ -60,7 +60,7 @@ process_values() {
 
   ENV=$1
   TYPE=$2
-  charts=(fake-aws smtp rabbitmq databases-ephemeral reaper wire-server webapp account-pages team-settings smallstep-accomp ingress-nginx-controller nginx-ingress-services coturn sftd cert-manager)
+  charts=(fake-aws smtp rabbitmq databases-ephemeral reaper wire-server webapp account-pages team-settings ingress-nginx-controller nginx-ingress-services coturn sftd cert-manager)
 
   if [[ "$ENV" != "prod" ]] || [[ -z "$TYPE" ]] ; then
     echo "Error: This function only supports prod deployments with TYPE as values or secrets. ENV must be 'prod', got: '$ENV' and '$TYPE'"
@@ -214,7 +214,7 @@ sync_pg_secrets
 configure_values
 
 # deploying with external datastores, useful for prod setup
-deploy_charts cassandra-external elasticsearch-external minio-external postgresql-external fake-aws smtp rabbitmq-external databases-ephemeral reaper wire-server webapp account-pages team-settings smallstep-accomp ingress-nginx-controller
+deploy_charts cassandra-external elasticsearch-external minio-external postgresql-external fake-aws smtp rabbitmq-external databases-ephemeral reaper wire-server webapp account-pages team-settings ingress-nginx-controller
 
 # deploying cert-manager only when the env var DEPLOY_CERT_MANAGER is set to TRUE 
 if [[ "$DEPLOY_CERT_MANAGER" == "TRUE" ]]; then 

diff --git a/changelog.d/3-deploy-builds/disable-smallstep b/changelog.d/3-deploy-builds/disable-smallstep
@@ -0,0 +1 @@
+Fixed: stop deploying smallstep in wiab-staging and wiab-dev environments
diff --git a/changelog.d/3-deploy-builds/wiab-stag-nftables-snat-fix b/changelog.d/3-deploy-builds/wiab-stag-nftables-snat-fix
@@ -0,0 +1,5 @@
+Added: variable private_deployment with default true to disable SNAT on adminhost
-Added: variable private_deployment with default true to disable SNAT on adminhost
+Added: variable private_deployment (default false) to optionally disable SNAT on adminhost (SNAT enabled by default unless explicitly set)
-Added: variable private_deployment with default true to disable SNAT on adminhost
+Added: variable private_deployment (default false) to optionally disable SNAT on adminhost (SNAT enabled by default unless explicitly set)
+Fixed: cert_master_email env var parsing in helm-operations.sh 
+Fixed: made running wiab-staging-nftables.yaml playbook explicit
+Added: wiab-staging.md documentation to add details about default SNAT access being denied and how to enable it
+Added: wiab-staging.md network flow diagram
diff --git a/offline/wiab-staging.md b/offline/wiab-staging.md
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Fixed: stop deploying smallstep in wiab-staging and wiab-dev environments