From b0ffd2810916ddc06d0b116664ed618e673c6acd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ga=C3=ABl=20Goinvic?=
Date: Wed, 5 Jun 2024 14:26:21 +0000
Subject: [PATCH] 2.17.24
---
 Dockerfile.updater | 1 -
 README.md | 83 +++++--------------
 .../matrix.element.io_synapses.yaml | 2 +-
 .../starter-core/kustomization.yaml | 2 +-
 .../patches/starter-core/kustomization.yaml | 2 +-
 helm/operator/Chart.yaml | 4 +-
 helm/operator/build.sh | 2 -
 .../fragments/Operator-Permissions.yaml | 9 --
 helm/operator/fragments/_helpers.tpl | 3 +
 .../templates/clusterrole-manager.yaml | 9 --
 ...definition-synapses.matrix.element.io.yaml | 4 +-
 helm/operator/templates/helpers.tpl | 3 +
 helm/operator/values.yaml | 4 +-
 helm/updater/Chart.yaml | 4 +-
 helm/updater/build.sh | 2 -
 helm/updater/templates/_helpers.tpl | 3 +
 helm/updater/values.yaml | 4 +-
 .../templates/synapse/synapse.yaml.j2 | 5 --
 roles/synapse/defaults/main/main.yml | 17 +---
 roles/synapse/tasks/main.yml | 31 -------
 .../manifests/synapse_statefulset.yaml.j2 | 3 +-
 roles/synapse/templates/worker.yaml.j2 | 1 +
 22 files changed, 49 insertions(+), 149 deletions(-)
diff --git a/Dockerfile.updater b/Dockerfile.updater
index 382a8eb..47d46cb 100644
--- a/Dockerfile.updater
+++ b/Dockerfile.updater
@@ -18,5 +18,4 @@ COPY roles/teardown /element.io/roles/teardown/
 COPY roles/generic_apply /element.io/roles/generic_apply/
 COPY playbooks/elementdeployment.yml playbooks/any.yml /element.io/playbooks/
-
 RUN chmod -R 0755 /element.io
diff --git a/README.md b/README.md
index e9f1136..bdbfc2e 100644
--- a/README.md
+++ b/README.md
@@ -37,89 +37,52 @@ This document will walk you through how to get started with our Element Starter The first step is to start on a machine with helm v3 installed and configured with your kubernetes cluster and pull down the two charts that you will need. +First, let's add the starter edition repository to helm: ```bash helm repo add ess-starter-edition-core https://element-hq.github.io/ess-starter-edition-core ``` -To install the helm charts and actually deploy the `element-updater` and the `element-operator` with their default configurations, simply run: +Now that we have the repositories configured, we can verify this by: ```bash -helm install element-updater ess-starter-edition-core/element-updater --namespace element-updater --create-namespace -helm install element-operator ess-starter-edition-core/element-operator --namespace element-operator --create-namespace +helm repo list ``` -*N.B. This guide assumes that you are using the `element-updater` and `element-operator` namespaces. You can call it whatever you want and if it doesn't exist yet, you can create it with: `kubectl create ns `.* - -#### Generating a TLS secret for the webhook - -The conversion webhooks need their own self-signed CA and TLS certificate to be integrated into kubernetes. 
+and should see the following in that output: -For example using `easy-rsa` : ``` -easyrsa init-pki -easyrsa --batch "--req-cn=ESS-CA`date +%s`" build-ca nopass -easyrsa --subject-alt-name="DNS:element-operator-conversion-webhook.element-operator"\ - --days=10000 \ - build-server-full element-operator-conversion-webhook nopass -easyrsa --subject-alt-name="DNS:element-updater-conversion-webhook.element-updater"\ - --days=10000 \ - build-server-full element-updater-conversion-webhook nopass +NAME URL +ess-starter-edition-core https://element-hq.github.io/ess-starter-edition-core ``` -Create a secret for each of these two certificates : +#### Creating namespaces for the `element-operator` and `element-updater` -``` -kubectl create secret tls element-operator-conversion-webhook --cert=pki/issued/element-operator-conversion-webhook.crt --key=pki/private/element-operator-conversion-webhook.key --namespace element-operator -kubectl create secret tls element-updater-conversion-webhook --cert=pki/issued/element-updater-conversion-webhook.crt --key=pki/private/element-updater-conversion-webhook.key --namespace element-updater -``` +To be able to run the helm charts, they will need a namespace to run in. You can make this whatever you would like, but for the sake of this guide, we will create an `element-operator` namespace and an `element-updater` namespace. 
To do this, please follow this step: -#### Installing the helm chart for the `element-updater` and the `element-operator` - -Create the following values file to deploy the controller managers in their namespace : - -`values.element-operator.yml` : -``` -clusterDeployment: true -deployCrds: true # Deploys the CRDs and the Conversion Webhooks -deployCrdRoles: true # Deploys roles to give permissions to users to manage specific ESS CRs -deployManager: true # Deploys the controller managers -crds: - conversionWebhook: - caBundle: # Paste here the content of `base64 pki/ca.crt -w 0` - tlsSecretName: element-operator-conversion-webhook +```bash +kubectl create ns element-operator +kubectl create ns element-updater ``` -`values.element-updater.yml` : -``` -clusterDeployment: true -deployCrds: true # Deploys the CRDs and the Conversion Webhooks -deployCrdRoles: true # Deploys roles to give permissions to users to manage specific ESS CRs -deployManager: true # Deploys the controller managers -crds: - conversionWebhook: - caBundle: # Paste here the content of `base64 pki/ca.crt -w 0` - tlsSecretName: element-updater-conversion-webhook -``` +#### Installing the helm charts for the `element-updater` and the `element-operator` -Run the helm install command : +To install the helm charts and actually deploy the `element-updater` and the `element-operator` with their default configurations, simply run: -``` -helm install element-operator element-operator/element-operator --namespace element-operator -f values.yaml -helm install element-updater element-updater/element-updater --namespace element-updater -f values.yaml +```bash +helm install element-updater ess-starter-edition-core/element-updater --namespace element-updater +helm install element-operator ess-starter-edition-core/element-operator --namespace element-operator ``` -Now at this point, you should have the following 4 containers up and running: +Now at this point, you should have the following two containers up and 
running:
-```
-[user@helm ~]$ kubectl get pods -n element-operator
-NAMESPACE NAME READY STATUS RESTARTS AGE
-element-operator element-operator-controller-manager-c8fc5c47-nzt2t 2/2 Running 0 6m5s
-element-operator element-operator-conversion-webhook-7477d98c9b-xc89s 1/1 Running 0 6m5s
+```bash
 [user@helm ~]$ kubectl get pods -n element-updater
-NAMESPACE NAME READY STATUS RESTARTS AGE
-element-updater element-updater-controller-manager-6f8476f6cb-74nx5 2/2 Running 0 106s
-element-updater element-updater-conversion-webhook-65ddcbb569-qzbfs 1/1 Running 0 81s
+NAME READY STATUS RESTARTS AGE
+element-updater-controller-manager-5b4f9cc5d4-9krv6 2/2 Running 6 (8h ago) 2d
+[user@helm ~]$ kubectl get pods -n element-operator
+NAME READY STATUS RESTARTS AGE
+element-operator-controller-manager-778c8bfbcf-4zzpl 2/2 Running 6 (8h ago) 2d
 ```
 #### Generating the ElementDeployment CRD to Deploy Element Server Suite
diff --git a/config/crd/bases/starter-core/matrix.element.io_synapses.yaml b/config/crd/bases/starter-core/matrix.element.io_synapses.yaml
index 6afda12..7dd2710 100644
--- a/config/crd/bases/starter-core/matrix.element.io_synapses.yaml
+++ b/config/crd/bases/starter-core/matrix.element.io_synapses.yaml
@@ -91,7 +91,7 @@ spec:
 description: Image digest in the repository to use for Synapse's Redis
 type: string
 passUserIdToSynapse:
- description: Whether to override detection of UID environment flag passed into the synapse docker image
+ description: Deprecated, ignored. Whether to override detection of UID environment flag passed into the synapse docker image
 type: string
 enum:
 - Always
diff --git a/config/crd/element-deployment/inline-patches/starter-core/kustomization.yaml b/config/crd/element-deployment/inline-patches/starter-core/kustomization.yaml
index 8c0af4e..87c39b5 100644
--- a/config/crd/element-deployment/inline-patches/starter-core/kustomization.yaml
+++ b/config/crd/element-deployment/inline-patches/starter-core/kustomization.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 New Vector Ltd
+# Copyright 2023-2024 New Vector Ltd
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/config/crd/patches/starter-core/kustomization.yaml b/config/crd/patches/starter-core/kustomization.yaml
index 7f73646..1b5d74c 100644
--- a/config/crd/patches/starter-core/kustomization.yaml
+++ b/config/crd/patches/starter-core/kustomization.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 New Vector Ltd
+# Copyright 2023-2024 New Vector Ltd
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/helm/operator/Chart.yaml b/helm/operator/Chart.yaml
index f23f9c6..ebaa81b 100644
--- a/helm/operator/Chart.yaml
+++ b/helm/operator/Chart.yaml
@@ -20,9 +20,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.17.21
+version: 2.17.24
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 2.17.21
+appVersion: 2.17.24
diff --git a/helm/operator/build.sh b/helm/operator/build.sh
index 075a688..39c6988 100644
--- a/helm/operator/build.sh
+++ b/helm/operator/build.sh
@@ -37,7 +37,6 @@ for entry in ./*proxy.yaml ./*metrics*.yaml; do
 echo "{{ end }}" >> $entry
 done
-# Generate users-facing roles
 yq "$(cat ../yq/resource-editor-role.yq)" ../../../watches.yaml -s '["ClusterRole", .metadata.name] | join("-") | downcase + ".yaml"'
 yq "$(cat ../yq/resource-viewer-role.yq)" ../../../watches.yaml -s '["ClusterRole", .metadata.name] | join("-") | downcase + ".yaml"'
@@ -69,7 +68,6 @@ for entry in ./clusterrole*.yaml; do
 }}' $entry
 done
-
 cat ../fragments/Operator-Permissions.yaml >> clusterrole-manager.yaml
 cp ../fragments/Deployment-element-operator-controller-manager.yaml ./deployment-element-operator-controller-manager.yaml
diff --git a/helm/operator/fragments/Operator-Permissions.yaml b/helm/operator/fragments/Operator-Permissions.yaml
index cafbea1..67c6306 100644
--- a/helm/operator/fragments/Operator-Permissions.yaml
+++ b/helm/operator/fragments/Operator-Permissions.yaml
@@ -47,12 +47,3 @@
 - get
 - list
 - watch
-
- - apiGroups:
- - project.openshift.io
- resources:
- - projects
- verbs:
- - get
- - list
- - watch
diff --git a/helm/operator/fragments/_helpers.tpl b/helm/operator/fragments/_helpers.tpl
index 9ee0725..9b3304e 100644
--- a/helm/operator/fragments/_helpers.tpl
+++ b/helm/operator/fragments/_helpers.tpl
@@ -31,6 +31,8 @@
 {{ end -}}
 {{- end -}}
+
+
 {{- define "__CHART_FUNCTIONS_NAMESPACE__.managerMaxReconciliationProcesses" }}
 {{- $memoryLimit := .Values.__VALUES_MANAGER_PARENT_KEY__.manager.resources.limits.memory -}}
 {{- $value := regexFind "\\d+" $memoryLimit -}}
@@ -42,3 +44,4 @@
 {{- end -}}
 {{ $reconciliationProcesses }}
 {{- end -}}
+
diff --git a/helm/operator/templates/clusterrole-manager.yaml b/helm/operator/templates/clusterrole-manager.yaml
index 2915d7c..2cc5aff 100644
--- a/helm/operator/templates/clusterrole-manager.yaml
+++ b/helm/operator/templates/clusterrole-manager.yaml
@@ -125,12 +125,3 @@ rules:
 - get
 - list
 - watch
-
- - apiGroups:
- - project.openshift.io
- resources:
- - projects
- verbs:
- - get
- - list
- - watch
diff --git a/helm/operator/templates/customresourcedefinition-synapses.matrix.element.io.yaml b/helm/operator/templates/customresourcedefinition-synapses.matrix.element.io.yaml
index 480fbc6..f995a44 100644
--- a/helm/operator/templates/customresourcedefinition-synapses.matrix.element.io.yaml
+++ b/helm/operator/templates/customresourcedefinition-synapses.matrix.element.io.yaml
@@ -634,7 +634,7 @@ spec:
 description: Image tag in the repository to use for Synapse's Haproxy
 type: string
 passUserIdToSynapse:
- description: Whether to override detection of UID environment flag passed into the synapse docker image
+ description: Deprecated, ignored. Whether to override detection of UID environment flag passed into the synapse docker image
 enum:
 - Always
 - Never
@@ -1485,7 +1485,7 @@ spec:
 description: Image tag in the repository to use for Synapse's Haproxy
 type: string
 passUserIdToSynapse:
- description: Whether to override detection of UID environment flag passed into the synapse docker image
+ description: Deprecated, ignored. Whether to override detection of UID environment flag passed into the synapse docker image
 enum:
 - Always
 - Never
diff --git a/helm/operator/templates/helpers.tpl b/helm/operator/templates/helpers.tpl
index f4a0200..d1f5a52 100644
--- a/helm/operator/templates/helpers.tpl
+++ b/helm/operator/templates/helpers.tpl
@@ -31,6 +31,8 @@
 {{ end -}}
 {{- end -}}
+
+
 {{- define "elementOperator.managerMaxReconciliationProcesses" }}
 {{- $memoryLimit := .Values.operator.manager.resources.limits.memory -}}
 {{- $value := regexFind "\\d+" $memoryLimit -}}
@@ -42,3 +44,4 @@
 {{- end -}}
 {{ $reconciliationProcesses }}
 {{- end -}}
+
diff --git a/helm/operator/values.yaml b/helm/operator/values.yaml
index 12418c7..33d7df9 100644
--- a/helm/operator/values.yaml
+++ b/helm/operator/values.yaml
@@ -34,7 +34,7 @@ crds:
 imagePullPolicy: Always
 image:
 repository: docker.io/vectorim/ess-core-operator-conversion-webhook
- tag: 2.17.21
+ tag: 2.17.24
 operator:
 extraPodSpec:
@@ -69,7 +69,7 @@ operator:
 imagePullPolicy: Always
 image:
 repository: docker.io/vectorim/ess-core-operator
- tag: 2.17.21
+ tag: 2.17.24
 rbacProxy:
 resources:
diff --git a/helm/updater/Chart.yaml b/helm/updater/Chart.yaml
index 4e8db46..c511661 100644
--- a/helm/updater/Chart.yaml
+++ b/helm/updater/Chart.yaml
@@ -20,9 +20,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.17.21
+version: 2.17.24
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 2.17.21
+appVersion: 2.17.24
diff --git a/helm/updater/build.sh b/helm/updater/build.sh
index 65f0f19..f36895d 100644
--- a/helm/updater/build.sh
+++ b/helm/updater/build.sh
@@ -51,7 +51,6 @@ for entry in ./customresourcedefinition-*; do
 echo "{{ end }}" >> $entry
 done
-# Generate the updater main role, which is based on watches.updater.yaml + standard watches.yaml
 yq ". *+ load(\"../../../watches.updater.yaml\") | $(cat ../../operator/yq/main-role.yq)" ../../../watches.yaml | sed "s/__CHART_FUNCTIONS_NAMESPACE__/$chart_functions_namespace/g" >clusterrole-manager.yaml
 # For each clusterrole & clusterrolebinding, we add a conditional namespace field under name:
@@ -60,7 +59,6 @@ for entry in ./clusterrole*.yaml; do
 r ../../operator/fragments/ClusterRole-Namespace.yaml
 }}' $entry
 done
-
 cat ../fragments/Updater-Permissions.yaml >>clusterrole-manager.yaml
 cp ../fragments/Deployment-element-updater-controller-manager.yaml ./deployment-element-updater-controller-manager.yaml
diff --git a/helm/updater/templates/_helpers.tpl b/helm/updater/templates/_helpers.tpl
index c7ded82..233d0cd 100644
--- a/helm/updater/templates/_helpers.tpl
+++ b/helm/updater/templates/_helpers.tpl
@@ -31,6 +31,8 @@
 {{ end -}}
 {{- end -}}
+
+
 {{- define "elementUpdater.managerMaxReconciliationProcesses" }}
 {{- $memoryLimit := .Values.updater.manager.resources.limits.memory -}}
 {{- $value := regexFind "\\d+" $memoryLimit -}}
@@ -42,3 +44,4 @@
 {{- end -}}
 {{ $reconciliationProcesses }}
 {{- end -}}
+
diff --git a/helm/updater/values.yaml b/helm/updater/values.yaml
index d5cf24a..a2f4c3a 100644
--- a/helm/updater/values.yaml
+++ b/helm/updater/values.yaml
@@ -34,7 +34,7 @@ crds:
 imagePullPolicy: Always
 image:
 repository: docker.io/vectorim/ess-core-updater-conversion-webhook
- tag: 2.17.21
+ tag: 2.17.24
 updater:
 extraPodSpec:
@@ -69,7 +69,7 @@ updater:
 - ALL
 image:
 repository: docker.io/vectorim/ess-core-updater
- tag: 2.17.21
+ tag: 2.17.24
 rbacProxy:
 resources:
diff --git a/roles/elementdeployment/templates/synapse/synapse.yaml.j2 b/roles/elementdeployment/templates/synapse/synapse.yaml.j2
index c1f2484..a6b6ccb 100644
--- a/roles/elementdeployment/templates/synapse/synapse.yaml.j2
+++ b/roles/elementdeployment/templates/synapse/synapse.yaml.j2
@@ -67,11 +67,6 @@ spec:
 | to_nice_yaml(indent=2) | indent(4) }}
-{% if component_k8s_security_context_force_uid_gid %}
- passUserIdToSynapse: Always
-{% else %}
- passUserIdToSynapse: Never
-{% endif %}
 workloads:
 haproxy:
 {{ lookup('template', 'templates/any/k8s-workloads.yaml.j2', template_vars={'_component_item': _component_item, '_subcomponent':'haproxy'})
diff --git a/roles/synapse/defaults/main/main.yml b/roles/synapse/defaults/main/main.yml
index 3e92aa4..adcd0a7 100644
--- a/roles/synapse/defaults/main/main.yml
+++ b/roles/synapse/defaults/main/main.yml
@@ -14,26 +14,11 @@ image_haproxy_pull_policy: "{{ image_haproxy_has_digest | ternary('IfNotPresent'
 image_redis_has_digest: "{{ (image.redis_digest | default('')) | length > 0 }}"
 image_redis_pull_policy: "{{ image_redis_has_digest | ternary('IfNotPresent', 'Always') }}"
-_pass_uid_lookup:
- Always: true
- Never: false
-
-_pass_uid_default: 'Always'
-_pass_uid: "{{ is_openshift and _pass_uid_lookup[image.pass_user_id_to_synapse | default(_pass_uid_default)] }}"
 env_underrides: []
 env_user: "{{ workloads.synapse.extra_env | default([]) }}"
-env_overrides: "{{ env_default + (_pass_uid | ternary(env_openshift, [])) }}"
-env_default:
-- name: SYNAPSE_WORKER
- value: "{{ process_app }}"
+env_overrides:
 - name: SSL_CERT_DIR
 value: "/etc/ssl/certs"
-env_openshift:
-- name: UID
- value: "{{ openshift_uid_base | default(100000) }}"
-- name: GID
- value: "0"
 # We convert all the items to dicts, merge them (removing duplicates), and extract them out to items again
 env: "{{ {} | combine([env_underrides, env_user, env_overrides] | map('items2dict', key_name='name'))
diff --git a/roles/synapse/tasks/main.yml b/roles/synapse/tasks/main.yml
index e4d8876..5ad5ff4 100644
--- a/roles/synapse/tasks/main.yml
+++ b/roles/synapse/tasks/main.yml
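Review bot: The rewritten `env_overrides` keeps only `SSL_CERT_DIR`, and nothing in the hunk records why `SYNAPSE_WORKER` and the OpenShift `UID`/`GID` entries are gone; the reason appears to be the synapse_statefulset.yaml.j2 change in this commit, which runs `python3 -m {{ process_app }}` instead of `/start.py run`. A comment above the key would save the next reader the search, for example `# The statefulset bypasses the image entrypoint (/start.py), so SYNAPSE_WORKER and the OpenShift UID/GID variables are no longer set here`. Any template that still references `env_default` or `env_openshift` would now fail on an undefined variable, which is worth confirming with a search before merging.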
@@ -4,37 +4,6 @@
 ---
-- name: "Save whether OpenShift or not"
- ansible.builtin.set_fact:
- is_openshift: >-
- {{
- ('project.openshift.io/v1' in _cluster_info.apis)
- and ('Project' in _cluster_info.apis['project.openshift.io/v1'])
- }}
-
-- name: "Detect OpenShift project metadata"
- when: is_openshift
- block:
- - name: Detect Openshift project
- ansible.builtin.set_fact:
- _project: >-
- {{
- query('k8s',
- api_version="project.openshift.io/v1",
- kind="Project",
- resource_name=ansible_operator_meta.namespace,
- )
- }}
-
- - name: "Read out flags"
- ansible.builtin.debug:
- msg: "Got >{{ _pass_uid }}< from >{{ image.pass_user_id_to_synapse | default('MISSING') }}, maybe look at >{{ image }}<"
-
- - name: "Save OpenShift UID/GID ranges"
- ansible.builtin.set_fact:
- openshift_uid_base: "{{ _project[0].metadata.annotations['openshift.io/sa.scc.uid-range'].split('/')[0] }}"
- openshift_gid_base: "{{ _project[0].metadata.annotations['openshift.io/sa.scc.supplemental-groups'].split('/')[0] }}"
-
 - name: Validation
 ansible.builtin.import_tasks: validation.yml
diff --git a/roles/synapse/templates/manifests/synapse_statefulset.yaml.j2 b/roles/synapse/templates/manifests/synapse_statefulset.yaml.j2
index 9c5b989..a15f409 100644
--- a/roles/synapse/templates/manifests/synapse_statefulset.yaml.j2
+++ b/roles/synapse/templates/manifests/synapse_statefulset.yaml.j2
@@ -96,7 +96,8 @@ spec:
 - "-cx"
 - >
 sed "s/REPLACE_HOSTNAME/$(hostname -s | sed 's/.*-synapse-//g')/g" /config/instance_template.yaml > /config/rendered/instance.yaml;
- /start.py run --config-path=/config/homeserver.yaml
+ [ -e "/usr/lib/`uname -m`-linux-gnu/libjemalloc.so.2" ] && export LD_PRELOAD="/usr/lib/`uname -m`-linux-gnu/libjemalloc.so.2";
+ python3 -m {{ process_app }} --config-path=/config/homeserver.yaml
 {%- if not (bootstrap | default(false)) and 'shared.yaml' in _fetched_synapse_secrets[0].data -%}
 {% raw %} {% endraw %}--config-path=/secrets/shared.yaml
 {%- endif -%}
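Review bot: The new preload line in synapse_statefulset.yaml.j2 repeats the jemalloc path with two backtick `uname -m` substitutions; storing it once reads better and uses the POSIX `$(...)` form: `JEMALLOC="/usr/lib/$(uname -m)-linux-gnu/libjemalloc.so.2";` followed by `[ -e "$JEMALLOC" ] && export LD_PRELOAD="$JEMALLOC";`. The `[ -e ]` guard means the preload is silently skipped when the library is absent, including on any image whose multiarch directory name does not match `uname -m`; a short comment stating that jemalloc is optional would make that intent explicit. Running `python3 -m {{ process_app }}` directly bypasses the image's `/start.py`, which presumably consumed the `SYNAPSE_WORKER` and `UID`/`GID` variables this commit drops from roles/synapse/defaults/main/main.yml, so a one-line note above the `args` saying the entrypoint is deliberately bypassed would help the next reader. The `args` list and the container spec around it start outside the hunk.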
diff --git a/roles/synapse/templates/worker.yaml.j2 b/roles/synapse/templates/worker.yaml.j2
index 1fc9bcd..72ca6da 100644
--- a/roles/synapse/templates/worker.yaml.j2
+++ b/roles/synapse/templates/worker.yaml.j2
@@ -70,6 +70,7 @@ database:
 keepalives_interval: 10
 keepalives_count: 3
+
 {% if _include_media_storage_providers %}
 media_storage_providers:
 {% if not has_media %}