From 6e313aa28f4b97d1fabb5a0c5bb6463776928214 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vedran=20Ivankovi=C4=87?= <33936733+Veki301@users.noreply.github.com>
Date: Thu, 10 Jul 2025 13:23:50 +0200
Subject: [PATCH 1/3] add missing postgresql variable to wire-server secrets templates
---
 values/wire-server/demo-secrets.example.yaml | 1 +
 values/wire-server/prod-secrets.example.yaml | 1 +
 2 files changed, 2 insertions(+)
diff --git a/values/wire-server/demo-secrets.example.yaml b/values/wire-server/demo-secrets.example.yaml
index 1c6413d8e..bcc36ecd7 100644
--- a/values/wire-server/demo-secrets.example.yaml
+++ b/values/wire-server/demo-secrets.example.yaml
@@ -6,6 +6,7 @@ elasticsearch-index:
 password: changeme
 brig:
 secrets:
+ pgPassword: verysecurepassword
 smtpPassword: dummyPassword
 zAuth:
 # generate zauth public/private keys with the 'zauth' executable from wire-server:
diff --git a/values/wire-server/prod-secrets.example.yaml b/values/wire-server/prod-secrets.example.yaml
index 051ece86c..1d07694c1 100644
--- a/values/wire-server/prod-secrets.example.yaml
+++ b/values/wire-server/prod-secrets.example.yaml
@@ -1,6 +1,7 @@
 # CHANGEME-PROD: All values here should be changed/reviewed
 brig:
 secrets:
+ pgPassword: verysecurepassword
 smtpPassword: dummyPassword
 zAuth:
 # generate zauth public/private keys with the 'zauth' executable from wire-server:
From d717d7f080ad29ffd9e7d665518eece8f13acc14 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vedran=20Ivankovi=C4=87?= <33936733+Veki301@users.noreply.github.com>
Date: Thu, 10 Jul 2025 13:27:23 +0200
Subject: [PATCH 2/3] fix: add hairpin nat to POSTROUTING chain for cert-manager in nftables template
---
 ansible/files/hetzner_server_nftables.conf.j2 | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/ansible/files/hetzner_server_nftables.conf.j2 b/ansible/files/hetzner_server_nftables.conf.j2
index 19e50b1ad..191d08d77 100644
--- a/ansible/files/hetzner_server_nftables.conf.j2
+++ b/ansible/files/hetzner_server_nftables.conf.j2
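Review bot: The placeholder `verysecurepassword` added under `brig.secrets` in both the demo and the prod example file does not follow the placeholder convention the surrounding lines already use (`changeme`, `dummyPassword`, and the prod file's `# CHANGEME-PROD` header), so it reads like a real credential and is easy to leave unchanged when the template is copied. Using the same marker as the neighbouring keys makes the value stand out to a reviewer and to any grep for `changeme`, e.g. `pgPassword: changeme`. The hunk also gives no hint where the value has to come from; if, as the key name suggests, it is the password of brig's PostgreSQL user, a one-line comment such as `# CHANGEME: must match the password provisioned for brig in PostgreSQL` would prevent a mismatched credential at first deploy. The same applies to the second hunk in prod-secrets.example.yaml.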
@@ -53,6 +53,9 @@ table ip nat {
 }
 chain POSTROUTING {
 type nat hook postrouting priority 100;
+
+ ip saddr 192.168.122.0/24 ip daddr 192.168.122.0/24 oifname virbr0 counter masquerade comment "hairpin NAT for ingress"
+
 oifname != docker0 ip saddr 172.17.0.0/16 counter masquerade
 oifname $INF_WAN counter masquerade comment "masquerade outgoing traffic"
 }
From 2f91543ec16f755255f4edd22365ebff6cf5c32e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vedran=20Ivankovi=C4=87?= <33936733+Veki301@users.noreply.github.com>
Date: Thu, 10 Jul 2025 13:30:35 +0200
Subject: [PATCH 3/3] add temporary solution for cert-manager-crds
---
 offline/docs_ubuntu_22.04.md | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/offline/docs_ubuntu_22.04.md b/offline/docs_ubuntu_22.04.md
index 93c9083d3..29a93e2da 100644
--- a/offline/docs_ubuntu_22.04.md
+++ b/offline/docs_ubuntu_22.04.md
@@ -825,6 +825,12 @@ Set your domain name with sed: sed -i "s/example.com/YOURDOMAINHERE/" values/nginx-ingress-services/values.yaml ``` +TODO: newer cert-manager release no longer installs CRDs with `installCRDs=true`, `crds.enabled=true` is the new standard, but that one is also failing during install. Install CRDs manually with: + ``` +d kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.3/cert-manager.crds.yaml + ``` + Install `cert-manager` into a new namespace `cert-manager-ns`. ``` d kubectl create namespace cert-manager-ns
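Review bot: The new masquerade rule in the POSTROUTING chain rewrites the source of every 192.168.122.0/24 to 192.168.122.0/24 flow that leaves via virbr0, not only the hairpinned connections the comment describes, so the receiving VM and anything logging behind the ingress see the host's virbr0 address instead of the originating VM, and per-source attribution in those logs is lost. If the hairpinned traffic is the result of a DNAT rule in this table's PREROUTING chain (which lies outside the hunk, as does the opening of `table ip nat`), the rule can be scoped to exactly that traffic with a conntrack match: `ip saddr 192.168.122.0/24 ip daddr 192.168.122.0/24 oifname virbr0 ct status dnat counter masquerade comment "hairpin NAT for ingress"`. That keeps the source address intact for all other intra-subnet traffic while still making the DNATed replies return through the host. Whether non-DNATed VM-to-VM traffic actually traverses this chain depends on the bridge-netfilter setup, which is not visible here, so the scoping is worth confirming on the host.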