2.15.1

Dockerfile.base

@@ -0,0 +1,84 @@
+# Copyright 2023 New Vector Ltd
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+FROM python:3.11-slim-bookworm AS build
+RUN apt --yes update && apt --yes install git curl libc-bin && \
+    ls -l /usr/lib/locale
+
+FROM build AS base-builder
+ARG TARGETPLATFORM
+
+WORKDIR /workspace
+
+RUN mkdir -p /etc/ansible \
+  && echo "localhost ansible_connection=local" > /etc/ansible/hosts \
+  && echo '[defaults]' > /etc/ansible/ansible.cfg \
+  && echo 'roles_path = /element.io/roles' >> /etc/ansible/ansible.cfg \
+  && echo 'collections_path = /ansible/collections' >> /etc/ansible/ansible.cfg \
+  && echo 'library = /usr/share/ansible/openshift' >> /etc/ansible/ansible.cfg
+
+ENV TINI_VERSION=v0.19.0
+ENV OPERATOR_SDK_VERSION=v1.31.0
+
+RUN curl -L -o /workspace/tini-$( sh -c 'echo ${TARGETPLATFORM#"linux/"}') https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini-$( sh -c 'echo ${TARGETPLATFORM#"linux/"}') && \
+    curl -L -o /workspace/tini-$( sh -c 'echo ${TARGETPLATFORM#"linux/"}').sha256 https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini-$( sh -c 'echo ${TARGETPLATFORM#"linux/"}').sha256sum && \
+    sha256sum --check --status /workspace/tini-$( sh -c 'echo ${TARGETPLATFORM#"linux/"}').sha256 && \
+    mv /workspace/tini-$( sh -c 'echo ${TARGETPLATFORM#"linux/"}') /usr/local/bin/tini
+# We use operator-sdk because the ansible-operator-plugins v1.31.0 has a regression with MarkUnsafe
+# https://github.com/operator-framework/ansible-operator-plugins/issues/41
+RUN curl -L -o /workspace/ansible-operator_linux_$( sh -c 'echo ${TARGETPLATFORM#"linux/"}') https://github.com/operator-framework/operator-sdk/releases/download/${OPERATOR_SDK_VERSION}/ansible-operator_linux_$( sh -c 'echo ${TARGETPLATFORM#"linux/"}') && \
+    curl -L -o /workspace/checksums.txt https://github.com/operator-framework/operator-sdk/releases/download/${OPERATOR_SDK_VERSION}/checksums.txt && \
+    sed -i -n "/ansible-operator_linux_"$( sh -c 'echo ${TARGETPLATFORM#"linux/"}')"/p" /workspace/checksums.txt && \
+    sha256sum --check --status /workspace/checksums.txt && \
+    mv /workspace/ansible-operator_linux_$( sh -c 'echo ${TARGETPLATFORM#"linux/"}') /usr/local/bin/ansible-operator
+
+# Ensure directory permissions are properly set
+RUN chmod +x /usr/local/bin/tini && /usr/local/bin/tini --version && \
+    chmod +x /usr/local/bin/ansible-operator && /usr/local/bin/ansible-operator version
+
+WORKDIR /element.io
+COPY requirements.yml /element.io/requirements.yml
+COPY requirements.txt /tmp/requirements.txt
+
+RUN  pip install -r /tmp/requirements.txt
+
+RUN ansible-galaxy collection install -r /element.io/requirements.yml -p /ansible/collections
+
+
+# We prepare required libs here because we can determine the path using uname -m in RUN
+RUN mkdir /required-libs && \
+    cp /lib/$( sh -c 'uname -m' )-linux-gnu/libselinux.so.1 /required-libs && \
+    cp /lib/$( sh -c 'uname -m' )-linux-gnu/libpcre2-8.so.0 /required-libs
+
+FROM gcr.io/distroless/python3-debian12 as base
+
+# Label this image with the repo and commit that built it, for freshmaking purposes.
+ARG GIT_COMMIT=devel
+LABEL git_commit=$GIT_COMMIT
+
+COPY --from=base-builder /usr/local/lib/python3.11/site-packages /usr/local/lib/python3.11/site-packages
+COPY --from=base-builder /etc/ansible /etc/ansible
+COPY --from=base-builder /ansible /ansible
+COPY --from=base-builder /usr/local/bin /usr/local/bin
+# /bin/sh is required or ansible complains with
+#  failed to find the executable specified /bin/sh. Please verify if the executable exists and re-try
+COPY --from=base-builder /usr/bin/dash /bin/sh
+# Copy required binaries
+COPY --from=base-builder /bin/sleep /bin/sleep
+COPY --from=base-builder /bin/chmod /bin/chmod
+COPY --from=base-builder /bin/mkdir /bin/mkdir
+COPY --from=base-builder /bin/rm /bin/rm
+# Copy shared libraries into distroless image
+COPY --from=base-builder /required-libs /lib/
+COPY --from=base-builder /usr/local/lib /usr/local/lib
+COPY --from=base-builder /usr/lib/locale/C.utf8 /usr/lib/locale/C.utf8
+COPY --from=base-builder --chown=nonroot:nonroot /element.io /element.io
+
+USER nonroot
+
+WORKDIR /element.io
+ENV LC_ALL "C.UTF-8"
+ENV LANG "C.UTF-8"
+ENV PATH "/usr/local/bin:$PATH"
+ENTRYPOINT ["/usr/local/bin/tini", "--", "/usr/local/bin/ansible-operator", "run", "--watches-file=/element.io/watches.yaml"]

Dockerfile.operator

@@ -0,0 +1,42 @@
+# Copyright 2023 New Vector Ltd
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+ARG DISTROLESS_BASE_IMAGE=registry.gitlab.element.io/engineering/ess/operator/element-kubernetes-operator/base:latest
+
+
+# We need to run a first build step to remove elementdeployment role
+FROM python:3.11-slim-bookworm AS build
+ARG TARGETPLATFORM
+ENV HELM_VERSION=v3.12.3
+
+# Install Helm
+RUN apt update && apt install -y wget && \
+  export HELM_ARCH=$( sh -c 'echo ${TARGETPLATFORM#"linux/"}') && \
+  echo https://get.helm.sh/helm-${HELM_VERSION}-linux-$( sh -c 'echo ${TARGETPLATFORM#"linux/"}').tar.gz && \
+  wget https://get.helm.sh/helm-${HELM_VERSION}-linux-$( sh -c 'echo ${TARGETPLATFORM#"linux/"}').tar.gz && \
+  wget https://get.helm.sh/helm-${HELM_VERSION}-linux-$( sh -c 'echo ${TARGETPLATFORM#"linux/"}').tar.gz.sha256sum && \
+  sha256sum --check --status helm-${HELM_VERSION}-linux-$( sh -c 'echo ${TARGETPLATFORM#"linux/"}').tar.gz.sha256sum && \
+  tar xf helm-${HELM_VERSION}-linux-$( sh -c 'echo ${TARGETPLATFORM#"linux/"}').tar.gz && \
+  cp linux-$( sh -c 'echo ${TARGETPLATFORM#"linux/"}')/helm /bin && \
+  rm -rfv linux-$( sh -c 'echo ${TARGETPLATFORM#"linux/"}') helm-${HELM_VERSION}-linux-$( sh -c 'echo ${TARGETPLATFORM#"linux/"}').tar.gz && \
+  apt remove -y wget
+
+COPY LICENSES/operator /element.io/LICENSES
+COPY watches.yaml /element.io/watches.yaml
+
+COPY roles/ /tmp/prepare/roles/
+COPY playbooks/ /tmp/prepare/playbooks/
+# We copy to the target directory using rsync to be able to exclude some files
+RUN apt update && apt install -y rsync && \
+    rsync -av --progress /tmp/prepare/ /element.io/ --exclude roles/elementdeployment --exclude playbooks/elementdeployment.yml && \
+    apt remove -y rsync
+
+FROM $DISTROLESS_BASE_IMAGE as base
+
+# Label this image with the repo and commit that built it, for freshmaking purposes.
+ARG GIT_COMMIT=devel
+LABEL git_commit=$GIT_COMMIT
+
+COPY --from=build /bin/helm /bin/helm
+COPY --from=build --chown=nonroot:nonroot /element.io /element.io

Dockerfile.updater

@@ -2,35 +2,18 @@
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
+ARG DISTROLESS_BASE_IMAGE=registry.gitlab.element.io/engineering/ess/operator/element-kubernetes-operator/base:latest
 
-FROM quay.io/operator-framework/ansible-operator:v1.31.0
-ARG TARGETPLATFORM
-ARG BUILDPLATFORM
+FROM $DISTROLESS_BASE_IMAGE as base
 
-USER root
-RUN yum install -y git
+# Label this image with the repo and commit that built it, for freshmaking purposes.
+ARG GIT_COMMIT=devel
+LABEL git_commit=$GIT_COMMIT
 
-COPY requirements.txt /root/requirements.txt
-RUN pip3 install -r /root/requirements.txt && rm /root/requirements.txt
+COPY --chown=nonroot:nonroot LICENSES/updater ${HOME}/element.io/LICENSES
+COPY --chown=nonroot:nonroot watches.updater.yaml ${HOME}/element.io/watches.yaml
 
-USER ${USER_UID}
-
-RUN mkdir ${HOME}/element.io
-WORKDIR ${HOME}/element.io
-ENV ANSIBLE_ROLES_PATH ${HOME}/element.io/roles
-
-COPY requirements.yml ${HOME}/element.io/requirements.yml
-RUN ansible-galaxy collection install -r ${HOME}/element.io/requirements.yml \
-  && chmod -R ug+rwx ${HOME}/.ansible
-
-USER root
-RUN yum remove -y git
-
-USER ${USER_UID}
-COPY LICENSES/updater ${HOME}/element.io/LICENSES
-COPY watches.updater.yaml ${HOME}/element.io/watches.yaml
-RUN mkdir -p ${HOME}/element.io/roles ${HOME}/element.io/playbooks
-COPY roles/elementdeployment ${HOME}/element.io/roles/elementdeployment/
-COPY roles/teardown ${HOME}/element.io/roles/teardown/
-COPY roles/generic_apply ${HOME}/element.io/roles/generic_apply/
-COPY playbooks/elementdeployment.yml playbooks/any.yml ${HOME}/element.io/playbooks/
+COPY --chown=nonroot:nonroot roles/elementdeployment   ${HOME}/element.io/roles/elementdeployment/
+COPY --chown=nonroot:nonroot roles/teardown   ${HOME}/element.io/roles/teardown/
+COPY --chown=nonroot:nonroot roles/generic_apply   ${HOME}/element.io/roles/generic_apply/
+COPY --chown=nonroot:nonroot playbooks/elementdeployment.yml playbooks/any.yml ${HOME}/element.io/playbooks/

common.mk

@@ -1,4 +1,4 @@
-# Copyright 2023 New Vector Ltd
+# Copyright 2023-2024 New Vector Ltd
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 

config/crd/default-resources/starter-core/default-resources.yaml

@@ -11,62 +11,62 @@ spec:
       limits:
         memory: 200Mi
       requests:
-        cpu: 100m
+        cpu: 50m
         memory: 50Mi
     matrixContentScanner:
       icap:
         limits:
           memory: 1Gi
         requests:
           cpu: 100m
-          memory: 200Mi
+          memory: 100Mi
       clamAntiVirus:
         limits:
           memory: 4Gi
         requests:
           cpu: 100m
-          memory: 200Mi
+          memory: 100Mi
       matrixContentScanner:
         limits:
           memory: 500Mi
         requests:
           cpu: 100m
-          memory: 200Mi
+          memory: 100Mi
     slidingSync:
       api:
         limits:
           memory: 4Gi
         requests:
-          cpu: 200m
-          memory: 2Gi
+          cpu: 100m
+          memory: 200Mi
     synapse:
       haproxy:
         limits:
           memory: 200Mi
         requests:
-          cpu: 1
+          cpu: 100m
           memory: 100Mi
       redis:
         limits:
           memory: 50Mi
         requests:
-          cpu: 200m
+          cpu: 50m
           memory: 50Mi
       synapse:
         limits:
           memory: 4Gi
         requests:
-          cpu: 1
-          memory: 2Gi
+          cpu: 100m
+          memory: 100Mi
       workers:
         limits:
           memory: 4Gi
         requests:
-          cpu: 1
-          memory: 2Gi
+          cpu: 100m
+          memory: 100Mi
     wellKnownDelegation:
       limits:
         memory: 200Mi
       requests:
-        cpu: 100m
+        cpu: 50m
         memory: 50Mi

config/crd/element-deployment/replacements/starter-core/k8s-workloads.yaml

@@ -94,3 +94,30 @@ spec:
           type: string
       resources:
         description: This field will be replaced by kustomize
+      nodeSelector:
+        description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
+        type: object
+        additionalProperties:
+          type: string
+      tolerations:
+        description: "Workload tolerations"
+        type: array
+        items:
+          description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
+          properties:
+            effect:
+              description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+              type: string
+            key:
+              description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+              type: string
+            operator:
+              description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
+              type: string
+            tolerationSeconds:
+              description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
+              type: number
+            value:
+              description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
+              type: string
+          type: object

config/crd/replacements/common/workloads.yaml

@@ -32,3 +32,30 @@ spec:
             value:
               description: Value of the environment variable
               type: string
+      nodeSelector:
+        description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
+        type: object
+        additionalProperties:
+          type: string
+      tolerations:
+        description: "Workload tolerations"
+        type: array
+        items:
+          description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
+          properties:
+            effect:
+              description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+              type: string
+            key:
+              description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+              type: string
+            operator:
+              description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
+              type: string
+            tolerationSeconds:
+              description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
+              type: number
+            value:
+              description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
+              type: string
+          type: object

conversion/Dockerfile.operator

@@ -3,18 +3,20 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
 
-FROM golang:1.21-alpine AS buildstage
-ARG TARGETPLATFORM
-ARG BUILDPLATFORM
+FROM golang:1.21 AS buildstage
 
 WORKDIR /app
 COPY . /app
 RUN go mod download
-RUN go build -o /app/conversion-webhook cmd/operator/main.go
+RUN CGO_ENABLED=0 go build -o /app/conversion-webhook cmd/operator/main.go
 
-FROM alpine:latest
+FROM gcr.io/distroless/static-debian12
+# Label this image with the repo and commit that built it, for freshmaking purposes.
+ARG GIT_COMMIT=devel
+LABEL git_commit=$GIT_COMMIT
+USER nonroot
 WORKDIR /
-COPY --from=buildstage /app/conversion-webhook /usr/bin/conversion-webhook
+
+COPY --from=buildstage --chown=nonroot:nonroot /app/conversion-webhook /
 EXPOSE 8443
-USER 1000:1000
-ENTRYPOINT ["/usr/bin/conversion-webhook"]
+ENTRYPOINT ["/conversion-webhook"]