2.17.24

Dockerfile.updater

@@ -18,5 +18,4 @@ COPY roles/teardown   /element.io/roles/teardown/
 COPY roles/generic_apply  /element.io/roles/generic_apply/
 COPY playbooks/elementdeployment.yml playbooks/any.yml /element.io/playbooks/
 
-
 RUN chmod -R 0755 /element.io

README.md

@@ -37,89 +37,52 @@ This document will walk you through how to get started with our Element Starter
 
 The first step is to start on a machine with helm v3 installed and configured with your kubernetes cluster and pull down the two charts that you will need.
 
+First, let's add the starter edition repository to helm:
 
 ```bash
 helm repo add ess-starter-edition-core https://element-hq.github.io/ess-starter-edition-core
 ```
 
-To install the helm charts and actually deploy the `element-updater` and the `element-operator` with their default configurations, simply run:
+Now that we have the repositories configured, we can verify this by:
 
 ```bash
-helm install element-updater ess-starter-edition-core/element-updater --namespace element-updater --create-namespace
-helm install element-operator ess-starter-edition-core/element-operator --namespace element-operator --create-namespace
+helm repo list
 ```
 
-*N.B. This guide assumes that you are using the `element-updater` and  `element-operator`  namespaces. You can call it whatever you want and if it doesn't exist yet, you can create it with: `kubectl create ns <name>`.*
-
-#### Generating a TLS secret for the webhook
-
-The conversion webhooks need their own self-signed CA and TLS certificate to be integrated into kubernetes.
+and should see the following in that output:
 
-For example using `easy-rsa` : 
 ```
-easyrsa init-pki
-easyrsa --batch "--req-cn=ESS-CA`date +%s`" build-ca nopass
-easyrsa --subject-alt-name="DNS:element-operator-conversion-webhook.element-operator"\
-  --days=10000 \
-  build-server-full element-operator-conversion-webhook nopass
-easyrsa --subject-alt-name="DNS:element-updater-conversion-webhook.element-updater"\
-  --days=10000 \
-  build-server-full element-updater-conversion-webhook nopass
+NAME                                    URL
+ess-starter-edition-core                https://element-hq.github.io/ess-starter-edition-core
 ```
 
-Create a secret for each of these two certificates : 
+#### Creating namespaces for the `element-operator` and `element-updater`
 
-```
-kubectl create secret tls element-operator-conversion-webhook --cert=pki/issued/element-operator-conversion-webhook.crt --key=pki/private/element-operator-conversion-webhook.key  --namespace element-operator
-kubectl create secret tls element-updater-conversion-webhook --cert=pki/issued/element-updater-conversion-webhook.crt --key=pki/private/element-updater-conversion-webhook.key  --namespace element-updater
-```
+To be able to run the helm charts, they will need a namespace to run in. You can make this whatever you would like, but for the sake of this guide, we will create an `element-operator` namespace and an `element-updater` namespace. To do this, please follow this step:
 
-#### Installing the helm chart for the `element-updater` and the `element-operator`
-
-Create the following values file to deploy the controller managers in their namespace :
-
-`values.element-operator.yml` : 
-```
-clusterDeployment: true
-deployCrds: true  # Deploys the CRDs and the Conversion Webhooks
-deployCrdRoles: true  # Deploys roles to give permissions to users to manage specific ESS CRs
-deployManager: true  # Deploys the controller managers
-crds:
-  conversionWebhook:
-    caBundle: # Paste here the content of `base64 pki/ca.crt -w 0`
-    tlsSecretName: element-operator-conversion-webhook
+```bash
+kubectl create ns element-operator
+kubectl create ns element-updater
 ```
 
-`values.element-updater.yml` : 
-```
-clusterDeployment: true
-deployCrds: true  # Deploys the CRDs and the Conversion Webhooks
-deployCrdRoles: true  # Deploys roles to give permissions to users to manage specific ESS CRs
-deployManager: true  # Deploys the controller managers
-crds:
-  conversionWebhook:
-    caBundle: # Paste here the content of `base64 pki/ca.crt -w 0`
-    tlsSecretName: element-updater-conversion-webhook
-```
+#### Installing the helm charts for the `element-updater` and the `element-operator`
 
-Run the helm install command : 
+To install the helm charts and actually deploy the `element-updater` and the `element-operator` with their default configurations, simply run:
 
-```
-helm install element-operator element-operator/element-operator --namespace element-operator -f values.yaml 
-helm install element-updater element-updater/element-updater --namespace element-updater -f values.yaml
+```bash
+helm install element-updater ess-starter-edition-core/element-updater --namespace element-updater
+helm install element-operator ess-starter-edition-core/element-operator --namespace element-operator
 ```
 
-Now at this point, you should have the following 4 containers up and running:
+Now at this point, you should have the following two containers up and running:
 
-```
-[user@helm ~]$ kubectl get pods -n element-operator
-NAMESPACE            NAME                                                   READY   STATUS    RESTARTS        AGE
-element-operator     element-operator-controller-manager-c8fc5c47-nzt2t     2/2     Running   0               6m5s
-element-operator     element-operator-conversion-webhook-7477d98c9b-xc89s   1/1     Running   0               6m5s
+```bash
 [user@helm ~]$ kubectl get pods -n element-updater
-NAMESPACE            NAME                                                   READY   STATUS    RESTARTS        AGE
-element-updater      element-updater-controller-manager-6f8476f6cb-74nx5    2/2     Running   0               106s
-element-updater      element-updater-conversion-webhook-65ddcbb569-qzbfs    1/1     Running   0               81s
+NAME                                                  READY   STATUS    RESTARTS     AGE
+element-updater-controller-manager-5b4f9cc5d4-9krv6   2/2     Running   6 (8h ago)   2d
+[user@helm ~]$ kubectl get pods -n element-operator
+NAME                                                   READY   STATUS    RESTARTS     AGE
+element-operator-controller-manager-778c8bfbcf-4zzpl   2/2     Running   6 (8h ago)   2d
 ```
 
 #### Generating the ElementDeployment CRD to Deploy Element Server Suite

config/crd/bases/starter-core/matrix.element.io_synapses.yaml

@@ -91,7 +91,7 @@ spec:
                       description: Image digest in the repository to use for Synapse's Redis
                       type: string
                     passUserIdToSynapse:
-                      description: Whether to override detection of UID environment flag passed into the synapse docker image
+                      description: Deprecated, ignored. Whether to override detection of UID environment flag passed into the synapse docker image
                       type: string
                       enum:
                         - Always

config/crd/element-deployment/inline-patches/starter-core/kustomization.yaml

@@ -1,4 +1,4 @@
-# Copyright 2023 New Vector Ltd
+# Copyright 2023-2024 New Vector Ltd
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 

config/crd/patches/starter-core/kustomization.yaml

@@ -1,4 +1,4 @@
-# Copyright 2023 New Vector Ltd
+# Copyright 2023-2024 New Vector Ltd
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 

helm/operator/Chart.yaml

@@ -20,9 +20,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.17.21
+version: 2.17.24
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 2.17.21
+appVersion: 2.17.24

helm/operator/build.sh

@@ -37,7 +37,6 @@ for entry in ./*proxy.yaml ./*metrics*.yaml; do
   echo "{{ end }}" >> $entry
 done
 
-# Generate users-facing roles
 yq "$(cat ../yq/resource-editor-role.yq)" ../../../watches.yaml -s '["ClusterRole", .metadata.name] | join("-") | downcase + ".yaml"'
 yq "$(cat ../yq/resource-viewer-role.yq)" ../../../watches.yaml -s '["ClusterRole", .metadata.name] | join("-") | downcase + ".yaml"'
 
@@ -69,7 +68,6 @@ for entry in ./clusterrole*.yaml; do
   }}' $entry
 done
 
-
 cat ../fragments/Operator-Permissions.yaml >> clusterrole-manager.yaml
 
 cp ../fragments/Deployment-element-operator-controller-manager.yaml ./deployment-element-operator-controller-manager.yaml

helm/operator/fragments/Operator-Permissions.yaml

@@ -47,12 +47,3 @@
       - get
       - list
       - watch
-
-  - apiGroups:
-      - project.openshift.io
-    resources:
-      - projects
-    verbs:
-      - get
-      - list
-      - watch

helm/operator/fragments/_helpers.tpl

@@ -31,6 +31,8 @@
 {{ end -}}
 {{- end -}}
 
+
+
 {{- define "__CHART_FUNCTIONS_NAMESPACE__.managerMaxReconciliationProcesses" }}
 {{- $memoryLimit := .Values.__VALUES_MANAGER_PARENT_KEY__.manager.resources.limits.memory -}}
 {{- $value := regexFind "\\d+" $memoryLimit -}}
@@ -42,3 +44,4 @@
 {{- end -}}
 {{ $reconciliationProcesses }}
 {{- end -}}
+

helm/operator/templates/clusterrole-manager.yaml

@@ -125,12 +125,3 @@ rules:
       - get
       - list
       - watch
-
-  - apiGroups:
-      - project.openshift.io
-    resources:
-      - projects
-    verbs:
-      - get
-      - list
-      - watch

helm/operator/templates/customresourcedefinition-synapses.matrix.element.io.yaml

@@ -634,7 +634,7 @@ spec:
                       description: Image tag in the repository to use for Synapse's Haproxy
                       type: string
                     passUserIdToSynapse:
-                      description: Whether to override detection of UID environment flag passed into the synapse docker image
+                      description: Deprecated, ignored. Whether to override detection of UID environment flag passed into the synapse docker image
                       enum:
                         - Always
                         - Never
@@ -1485,7 +1485,7 @@ spec:
                       description: Image tag in the repository to use for Synapse's Haproxy
                       type: string
                     passUserIdToSynapse:
-                      description: Whether to override detection of UID environment flag passed into the synapse docker image
+                      description: Deprecated, ignored. Whether to override detection of UID environment flag passed into the synapse docker image
                       enum:
                         - Always
                         - Never

helm/operator/templates/helpers.tpl

@@ -31,6 +31,8 @@
 {{ end -}}
 {{- end -}}
 
+
+
 {{- define "elementOperator.managerMaxReconciliationProcesses" }}
 {{- $memoryLimit := .Values.operator.manager.resources.limits.memory -}}
 {{- $value := regexFind "\\d+" $memoryLimit -}}
@@ -42,3 +44,4 @@
 {{- end -}}
 {{ $reconciliationProcesses }}
 {{- end -}}
+

helm/operator/values.yaml

@@ -34,7 +34,7 @@ crds:
     imagePullPolicy: Always
     image:
       repository: docker.io/vectorim/ess-core-operator-conversion-webhook
-      tag: 2.17.21
+      tag: 2.17.24
 
 operator:
   extraPodSpec:
@@ -69,7 +69,7 @@ operator:
     imagePullPolicy: Always
     image:
       repository: docker.io/vectorim/ess-core-operator
-      tag: 2.17.21
+      tag: 2.17.24
 
   rbacProxy:
     resources:

helm/updater/Chart.yaml

@@ -20,9 +20,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.17.21
+version: 2.17.24
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 2.17.21
+appVersion: 2.17.24

helm/updater/build.sh

@@ -51,7 +51,6 @@ for entry in ./customresourcedefinition-*; do
   echo "{{ end }}" >> $entry
 done
 
-# Generate the updater main role, which is based on watches.updater.yaml + standard watches.yaml
 yq ". *+ load(\"../../../watches.updater.yaml\") | $(cat ../../operator/yq/main-role.yq)" ../../../watches.yaml  | sed "s/__CHART_FUNCTIONS_NAMESPACE__/$chart_functions_namespace/g" >clusterrole-manager.yaml
 
 # For each clusterrole & clusterrolebinding, we add a conditional namespace field under name:
@@ -60,7 +59,6 @@ for entry in ./clusterrole*.yaml; do
     r ../../operator/fragments/ClusterRole-Namespace.yaml
   }}' $entry
 done
-
 cat ../fragments/Updater-Permissions.yaml >>clusterrole-manager.yaml
 
 cp ../fragments/Deployment-element-updater-controller-manager.yaml ./deployment-element-updater-controller-manager.yaml

helm/updater/templates/_helpers.tpl

@@ -31,6 +31,8 @@
 {{ end -}}
 {{- end -}}
 
+
+
 {{- define "elementUpdater.managerMaxReconciliationProcesses" }}
 {{- $memoryLimit := .Values.updater.manager.resources.limits.memory -}}
 {{- $value := regexFind "\\d+" $memoryLimit -}}
@@ -42,3 +44,4 @@
 {{- end -}}
 {{ $reconciliationProcesses }}
 {{- end -}}
+

helm/updater/values.yaml

@@ -34,7 +34,7 @@ crds:
     imagePullPolicy: Always
     image:
       repository: docker.io/vectorim/ess-core-updater-conversion-webhook
-      tag: 2.17.21
+      tag: 2.17.24
 
 updater:
   extraPodSpec:
@@ -69,7 +69,7 @@ updater:
           - ALL
     image:
       repository: docker.io/vectorim/ess-core-updater
-      tag: 2.17.21
+      tag: 2.17.24
 
   rbacProxy:
     resources:

roles/elementdeployment/templates/synapse/synapse.yaml.j2

@@ -67,11 +67,6 @@ spec:
     | to_nice_yaml(indent=2)
     | indent(4)
     }}
-{% if component_k8s_security_context_force_uid_gid %}
-    passUserIdToSynapse: Always
-{% else %}
-    passUserIdToSynapse: Never
-{% endif %}
   workloads:
     haproxy:
     {{ lookup('template', 'templates/any/k8s-workloads.yaml.j2', template_vars={'_component_item': _component_item, '_subcomponent':'haproxy'})

roles/synapse/defaults/main/main.yml

@@ -14,26 +14,11 @@ image_haproxy_pull_policy: "{{ image_haproxy_has_digest | ternary('IfNotPresent'
 image_redis_has_digest: "{{ (image.redis_digest | default('')) | length > 0 }}"
 image_redis_pull_policy: "{{ image_redis_has_digest | ternary('IfNotPresent', 'Always') }}"
 
-_pass_uid_lookup:
-  Always: true
-  Never: false
-
-_pass_uid_default: 'Always'
-_pass_uid: "{{ is_openshift and _pass_uid_lookup[image.pass_user_id_to_synapse | default(_pass_uid_default)] }}"
-
 env_underrides: []
 env_user: "{{ workloads.synapse.extra_env | default([]) }}"
-env_overrides: "{{ env_default + (_pass_uid | ternary(env_openshift, [])) }}"
-env_default:
-- name: SYNAPSE_WORKER
-  value: "{{ process_app }}"
+env_overrides:
 - name: SSL_CERT_DIR
   value: "/etc/ssl/certs"
-env_openshift:
-- name: UID
-  value: "{{ openshift_uid_base | default(100000) }}"
-- name: GID
-  value: "0"
 
 # We convert all the items to dicts, merge them (removing duplicates), and extract them out to items again
 env: "{{ {} | combine([env_underrides, env_user, env_overrides] | map('items2dict', key_name='name'))

roles/synapse/tasks/main.yml

@@ -4,37 +4,6 @@
 
 
 ---
-- name: "Save whether OpenShift or not"
-  ansible.builtin.set_fact:
-    is_openshift: >-
-      {{
-        ('project.openshift.io/v1' in _cluster_info.apis)
-        and ('Project' in _cluster_info.apis['project.openshift.io/v1'])
-      }}
-
-- name: "Detect OpenShift project metadata"
-  when: is_openshift
-  block:
-  - name: Detect Openshift project
-    ansible.builtin.set_fact:
-      _project: >-
-        {{
-          query('k8s',
-                api_version="project.openshift.io/v1",
-                kind="Project",
-                resource_name=ansible_operator_meta.namespace,
-              )
-        }}
-
-  - name: "Read out flags"
-    ansible.builtin.debug:
-      msg: "Got >{{ _pass_uid }}< from >{{ image.pass_user_id_to_synapse | default('MISSING') }}, maybe look at >{{ image }}<"
-
-  - name: "Save OpenShift UID/GID ranges"
-    ansible.builtin.set_fact:
-      openshift_uid_base: "{{ _project[0].metadata.annotations['openshift.io/sa.scc.uid-range'].split('/')[0] }}"
-      openshift_gid_base: "{{ _project[0].metadata.annotations['openshift.io/sa.scc.supplemental-groups'].split('/')[0] }}"
-
 - name: Validation
   ansible.builtin.import_tasks: validation.yml