wireapp · fisx · Jan 28, 2026 · Jan 13, 2026 · Jan 13, 2026 · Jan 14, 2026
@@ -1,3 +1,68 @@
+# [2026-01-26] (Chart Release 5.26.0)
+
+## Release notes
+
+
+* User search provides information about user type (regular, app, legacy bot) now.  Also, Elasticsearch re-indexing requires postgres access now.  If you run `brig-index` directly anywhere, make sure to add the relevant settings.  The Elasticsearch index must be refilled from Cassandra in order for the changes to the search results to take effect.  See https://docs.wire.com/latest/developer/reference/elastic-search.html?h=index#refill-es-documents-from-cassandra (#4913, #4957)
+
+* Conversation codes can now be migrated to PostgreSQL. For existing installations:
+  - Set `postgresMigration.conversationCodes: migration-to-postgresql` in both `galley` and `background-worker`.
+  - Run the backfill with `migrateConversationCodes: true`.
+  - Wait for `wire_conv_codes_migration_finished` to reach `1.0`.
+  - Switch to `postgresMigration.conversationCodes: postgresql` and disable `migrateConversationCodes`. (#4961)
+
+* The background-worker defaults for the postgres migration now match galley and point to cassandra (previously postgres). This currenlty only affects the background job, which is not expected to run before postgres is in use. However, if you relied on the defaults after migrating to postgres, please update your config to keep using postgres. (#4965)
+
+* Drop support for kubernetes versions below 1.27 (#4969)
+
+
+## API changes
+
+
+* New end-point `GET /teams/:tid/apps` listing all team apps. (#4960)
+
+* Add `type` field to search results received from `GET /search/contacts` (#4913)
+
+
+## Features
+
+
+* nginx-ingress-services: Add `federator.tls.issuer` option to use a separate ClusterIssuer for federation mTLS certificates. (#4964)
+
+* Log changes to IdP configurations made via the IdP REST API to syslog. (#4935)
+
+* Allow commit bundles to contain one application message. The message must be for the epoch *after* the commit, and it gets sent after the commit has been accepted. (#4929)
+
+
+## Bug fixes and other updates
+
+
+* `background-worker`'s default settings for `postgresMigration` have been correctly set to `cassandra`. (#4965)
+
+
+## Internal changes
+
+
+* Circumvent potential performance issue with `TVar (Map ...)` (#4948)
+
+* Migration of conversation codes from cassandra to postgres (#4959, #4961)
+
+* - Test for team and user email templates added
+  - Refactoring to make email rendering testable
+  - Removed SMS and call templates (#4699)
+
+* Drop `cryptobox`, handle prekey in pure Haskell. (#4719)
+
+* Move Feature Flags read to `wire-subsystems`. (#4918, #4974)
+
+* Federator: Replace Linux-only hinotify with cross-platform fsnotify library
+  for certificate file monitoring. This enables native file system watching
+  on both Linux and macOS, removing the need for platform-specific stubs. (#4955)
+
+* Simplify and modernize the Nix setup of `rusty-jwt-tools`. This includes
+  updating to version `0.14.0`. (#4952)
+
+
 # [2026-01-13] (Chart Release 5.25.0)
 
 ## Release notes

@@ -21,7 +21,6 @@ ingress-nginx-controller nginx-ingress-services reaper restund \
 k8ssandra-test-cluster ldap-scim-bridge wire-server-enterprise
 KIND_CLUSTER_NAME     := wire-server
 HELM_PARALLELISM      ?= 1 # 1 for sequential tests; 6 for all-parallel tests
-# (run `psql -h localhost -p 5432 -d backendA -U wire-server -w` for the list of options for PSQL_DB)
 PSQL_DB               ?= backendA
 export PSQL_DB
 
@@ -339,7 +338,7 @@ cassandra-schema: db-migrate cassandra-schema-impl
 cassandra-schema-impl:
 	./hack/bin/cassandra_dump_schema > ./cassandra-schema.cql
 
-.PHONY: postgres-reset postgres-schema-impl
+.PHONY: postgres-schema
 postgres-schema: postgres-reset postgres-schema-impl
 
 .PHONY: postgres-schema-impl
@@ -355,8 +354,8 @@ cqlsh:
 .PHONY: psql
 psql:
 	@grep -q wire-server:wire-server ~/.pgpass || \
-	  echo "consider running 'echo localhost:5432:wire-server:wire-server:posty-the-gres > ~/.pgpass ; chmod 600 ~/.pgpass '"
-	pg_dump -h localhost -p 5432 $(PSQL_DB) -U wire-server -w --schema-only || \
+	  echo "consider running 'echo localhost:5432:$(PSQL_DB):wire-server:posty-the-gres > ~/.pgpass ; chmod 600 ~/.pgpass '"
+	psql -h localhost -p 5432 $(PSQL_DB) -U wire-server -w || \
 	  echo 'if the database is missing, consider running "make postgres-reset", or setting $$PSQL_DB to the correct table space.'
 
 .PHONY: db-reset-package
@@ -394,21 +393,43 @@ postgres-reset: c
 	./dist/brig -c ./services/brig/brig.integration.yaml migrate-postgres --reset --dbname dyn-2
 	./dist/brig -c ./services/brig/brig.integration.yaml migrate-postgres --reset --dbname dyn-3
 
+.PHONY: postgres-migrate
+postgres-migrate: c
+	./dist/brig -c ./services/brig/brig.integration.yaml migrate-postgres --dbname backendA
+	./dist/brig -c ./services/brig/brig.integration.yaml migrate-postgres --dbname backendB
+	./dist/brig -c ./services/brig/brig.integration.yaml migrate-postgres --dbname dyn-1
+	./dist/brig -c ./services/brig/brig.integration.yaml migrate-postgres --dbname dyn-2
+	./dist/brig -c ./services/brig/brig.integration.yaml migrate-postgres --dbname dyn-3
+
 .PHONY: es-reset
 es-reset: c
 	./dist/brig-index reset \
 		--elasticsearch-index-prefix directory \
 		--elasticsearch-server https://localhost:9200 \
-	  --elasticsearch-ca-cert ./libs/wire-subsystems/test/resources/elasticsearch-ca.pem \
+		--elasticsearch-ca-cert ./libs/wire-subsystems/test/resources/elasticsearch-ca.pem \
 		--elasticsearch-credentials ./libs/wire-subsystems/test/resources/elasticsearch-credentials.yaml > /dev/null
 	./dist/brig-index reset \
 		--elasticsearch-index-prefix directory2 \
 		--elasticsearch-server https://localhost:9200 \
-	  --elasticsearch-ca-cert ./libs/wire-subsystems/test/resources/elasticsearch-ca.pem \
+		--elasticsearch-ca-cert ./libs/wire-subsystems/test/resources/elasticsearch-ca.pem \
 		--elasticsearch-credentials ./libs/wire-subsystems/test/resources/elasticsearch-credentials.yaml > /dev/null
 	./integration/scripts/integration-dynamic-backends-brig-index.sh \
 		--elasticsearch-server https://localhost:9200 \
-	  --elasticsearch-ca-cert ./libs/wire-subsystems/test/resources/elasticsearch-ca.pem \
+		--elasticsearch-ca-cert ./libs/wire-subsystems/test/resources/elasticsearch-ca.pem \
+		--elasticsearch-credentials ./libs/wire-subsystems/test/resources/elasticsearch-credentials.yaml > /dev/null
+	@echo -e "\n'brig-index reset' only deletes the index and regenerates the mapping, but doesn't generate or populate a new index, so you need to call 'make es-reindex explicitly now!\n"
+
+.PHONY: es-reindex
+es-reindex: c
+	./dist/brig-index reindex \
+		--pg-pool-size 10 \
+		--pg-pool-acquisition-timeout 10s \
+		--pg-pool-aging-timeout 1d \
+		--pg-pool-idleness-timeout 1h \
+		--pg-settings '{"host":"127.0.0.1","port":"5432","user":"wire-server","dbname":"backendA"}' \
+		--pg-password-file ./libs/wire-subsystems/test/resources/postgres-credentials.yaml \
+		--elasticsearch-server https://localhost:9200 \
+		--elasticsearch-ca-cert ./libs/wire-subsystems/test/resources/elasticsearch-ca.pem \
 		--elasticsearch-credentials ./libs/wire-subsystems/test/resources/elasticsearch-credentials.yaml > /dev/null
 
 .PHONY: rabbitmq-reset
@@ -417,7 +438,7 @@ rabbitmq-reset: rabbit-clean
 # Migrate all keyspaces and reset the ES index
 # Does not migrate postgres as brig does that on startup.
 .PHONY: db-migrate
-db-migrate: c
+db-migrate: c postgres-migrate
 	./dist/brig-schema --keyspace brig_test --replication-factor 1 > /dev/null
 	./dist/galley-schema --keyspace galley_test --replication-factor 1 > /dev/null
 	./dist/gundeck-schema --keyspace gundeck_test --replication-factor 1 > /dev/null
@@ -427,20 +448,7 @@ db-migrate: c
 	./dist/gundeck-schema --keyspace gundeck_test2 --replication-factor 1 > /dev/null
 	./dist/spar-schema --keyspace spar_test2 --replication-factor 1 > /dev/null
 	./integration/scripts/integration-dynamic-backends-db-schemas.sh --replication-factor 1 > /dev/null
-	./dist/brig-index reset \
-		--elasticsearch-index-prefix directory \
-		--elasticsearch-server https://localhost:9200 \
-	  --elasticsearch-ca-cert ./libs/wire-subsystems/test/resources/elasticsearch-ca.pem \
-		--elasticsearch-credentials ./libs/wire-subsystems/test/resources/elasticsearch-credentials.yaml > /dev/null
-	./dist/brig-index reset \
-		--elasticsearch-index-prefix directory2 \
-		--elasticsearch-server https://localhost:9200 \
-	  --elasticsearch-ca-cert ./libs/wire-subsystems/test/resources/elasticsearch-ca.pem \
-		--elasticsearch-credentials ./libs/wire-subsystems/test/resources/elasticsearch-credentials.yaml > /dev/null
-	./integration/scripts/integration-dynamic-backends-brig-index.sh \
-		--elasticsearch-server https://localhost:9200 \
-	  --elasticsearch-ca-cert ./libs/wire-subsystems/test/resources/elasticsearch-ca.pem \
-		--elasticsearch-credentials ./libs/wire-subsystems/test/resources/elasticsearch-credentials.yaml > /dev/null
+	make es-reset
 
 #################################
 ## dependencies

@@ -90,6 +90,7 @@ data:
     {{- end }}
 
     migrateConversations: {{ .migrateConversations }}
+    migrateConversationCodes: {{ .migrateConversationCodes }}
     migrateConversationsOptions:
 {{toYaml .migrateConversationsOptions | indent 6 }}
 

@@ -69,6 +69,10 @@ config:
   migrateConversationsOptions:
     pageSize: 10000
     parallelism: 2
+  # This will start the migration of conversation codes.
+  # It's important to set `settings.postgresMigration.conversationCodes` to `migration-to-postgresql`
+  # before starting the migration.
+  migrateConversationCodes: false
 
   backendNotificationPusher:
     pushBackoffMinWait: 10000 # in microseconds, so 10ms
@@ -86,7 +90,8 @@ config:
 
   # Controls where conversation data is stored/accessed
   postgresMigration:
-    conversation: postgresql
+    conversation: cassandra
+    conversationCodes: cassandra
 
 secrets:
   {}

@@ -71,6 +71,7 @@ config:
 
   postgresMigration:
     conversation: cassandra
+    conversationCodes: cassandra
   settings:
     httpPoolSize: 128
     maxTeamSize: 10000

@@ -8,32 +8,6 @@
   {{- (semverCompare ">= 1.24-0" (include "kubeVersion" .)) -}}
 {{- end -}}
 
-{{/* Get Ingress API Version */}}
-{{- define "ingress.apiVersion" -}}
-  {{- if and ($.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare ">= 1.19-0" (include "kubeVersion" .)) -}}
-      {{- print "networking.k8s.io/v1" -}}
-  {{- else if $.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" -}}
-    {{- print "networking.k8s.io/v1beta1" -}}
-  {{- else -}}
-    {{- print "extensions/v1beta1" -}}
-  {{- end -}}
-{{- end -}}
-
-{{/* Check Ingress stability */}}
-{{- define "ingress.isStable" -}}
-  {{- eq (include "ingress.apiVersion" .) "networking.k8s.io/v1" -}}
-{{- end -}}
-
-{{/* Check Ingress supports pathType */}}
-{{/* pathType was added to networking.k8s.io/v1beta1 in Kubernetes 1.18 */}}
-{{- define "ingress.supportsPathType" -}}
-  {{- or (eq (include "ingress.isStable" .) "true") (and (eq (include "ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" (include "kubeVersion" .))) -}}
-{{- end -}}
-
-{{- define "ingress.FieldNotAnnotation" -}}
-  {{- (semverCompare ">= 1.27-0" (include "kubeVersion" .)) -}}
-{{- end -}}
-
 {{- define "integrationTestHelperNewLabels" -}}
   {{- (semverCompare ">= 1.23-0" (include "kubeVersion" .)) -}}
 {{- end -}}

@@ -1,18 +1,10 @@
-{{- $apiIsStable := eq (include "ingress.isStable" .) "true" -}}
-{{- $ingressFieldNotAnnotation := eq (include "ingress.FieldNotAnnotation" .) "true" -}}
-{{- $ingressSupportsPathType := eq (include "ingress.supportsPathType" .) "true" -}}
-{{- $ingressAPIVersion := include "ingress.apiVersion" . }}
-
 {{- range $name, $dynamicBackend := .Values.config.dynamicBackends }}
 ---
-apiVersion: {{ $ingressAPIVersion }}
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: integration-federator-{{ $name }}
   annotations:
-    {{- if not $ingressFieldNotAnnotation }}
-    kubernetes.io/ingress.class: "{{ $.Values.ingress.class }}"
-    {{- end }}
     nginx.ingress.kubernetes.io/ssl-redirect: "true"
     nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
     nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
@@ -21,9 +13,7 @@ metadata:
     nginx.ingress.kubernetes.io/configuration-snippet: |
       proxy_set_header "X-SSL-Certificate" $ssl_client_escaped_cert;
 spec:
-  {{- if $ingressFieldNotAnnotation }}
   ingressClassName: "{{ $.Values.ingress.class }}"
-  {{- end }}
   tls:
   - hosts:
       - {{ $dynamicBackend.federatorExternalHostPrefix }}.{{ $.Release.Namespace }}.svc.cluster.local
@@ -33,17 +23,10 @@ spec:
       http:
         paths:
           - path: /
-            {{- if $ingressSupportsPathType }}
             pathType: Prefix
-            {{- end }}
             backend:
-              {{- if $apiIsStable }}
               service:
                 name: integration
                 port:
                   number: {{ $dynamicBackend.federatorExternalPort }}
-              {{- else }}
-              serviceName: integration
-              servicePort: {{ $dynamicBackend.federatorExternalPort }}
-              {{- end }}
 {{- end }}
@@ -1,12 +1,11 @@
-{{- $apiIsStable := eq (include "ingress.isStable" .) "true" -}}
-{{- $ingressSupportsPathType := eq (include "ingress.supportsPathType" .) "true" -}}
-apiVersion: {{ include "ingress.apiVersion" . }}
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: hold
   annotations:
     kubernetes.io/ingress.class: nginx
 spec:
+  ingressClassName: nginx
   # This assumes you have created the given cert
   # https://github.com/kubernetes/ingress-nginx/blob/master/docs/examples/PREREQUISITES.md#tls-certificates
   tls:
@@ -18,16 +17,9 @@ spec:
       http:
         paths:
           - path: /
-            {{- if $ingressSupportsPathType }}
             pathType: Prefix
-            {{- end }}
             backend:
-              {{- if $apiIsStable }}
               service:
                 name: "{{ .Release.Name }}-hold"
                 port:
                   number: 8080
-              {{- else }}
-              serviceName: "{{ .Release.Name }}-hold"
-              servicePort: 8080
-              {{- end }}
@@ -62,39 +62,13 @@ Returns the Letsencrypt API server URL based on whether testMode is enabled or d
 
 {{/* Allow KubeVersion to be overridden. */}}
 {{- define "kubeVersion" -}}
-  {{- default .Capabilities.KubeVersion.Version .Values.kubeVersionOverride -}}
-{{- end -}}
-
-{{/* Get Ingress API Version */}}
-{{- define "ingress.apiVersion" -}}
-  {{- if and (.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare ">= 1.19-0" (include "kubeVersion" .)) -}}
-      {{- print "networking.k8s.io/v1" -}}
-  {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" -}}
-    {{- print "networking.k8s.io/v1beta1" -}}
-  {{- else -}}
-    {{- print "extensions/v1beta1" -}}
-  {{- end -}}
-{{- end -}}
-
-{{/* Check Ingress stability */}}
-{{- define "ingress.isStable" -}}
-  {{- eq (include "ingress.apiVersion" .) "networking.k8s.io/v1" -}}
-{{- end -}}
-
-{{/* Check Ingress supports pathType */}}
-{{/* pathType was added to networking.k8s.io/v1beta1 in Kubernetes 1.18 */}}
-{{- define "ingress.supportsPathType" -}}
-  {{- or (eq (include "ingress.isStable" .) "true") (and (eq (include "ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" (include "kubeVersion" .))) -}}
+{{- default .Capabilities.KubeVersion.Version .Values.kubeVersionOverride -}}
 {{- end -}}
 
 {{- define "integrationTestHelperNewLabels" -}}
   {{- (semverCompare ">= 1.23-0" (include "kubeVersion" .)) -}}
 {{- end -}}
 
-{{- define "ingress.FieldNotAnnotation" -}}
-  {{- (semverCompare ">= 1.27-0" (include "kubeVersion" .)) -}}
-{{- end -}}
-
 {{/*
 Name of the ingress. Extracted as helper to reduce the complexity in the template
 itself. The default name is 'nginx-ingress' for backwards compatibility (it has