2.17.19

element-hq · May 23, 2024 · 0032400 · 0032400
1 parent 6a09bf8
commit 0032400
Show file tree

Hide file tree

Showing 14 changed files with 50 additions and 48 deletions.
diff --git a/Dockerfile.base b/Dockerfile.base
@@ -32,7 +32,9 @@ RUN mkdir -p /etc/ansible \
   && echo "internal_poll_interval = 0.05" >> /etc/ansible/ansible.cfg \
   && echo 'roles_path = /element.io/roles' >> /etc/ansible/ansible.cfg \
   && echo 'collections_path = /ansible/collections' >> /etc/ansible/ansible.cfg \
-  && echo 'library = /usr/share/ansible/openshift' >> /etc/ansible/ansible.cfg
+  && echo 'library = /usr/share/ansible/openshift' >> /etc/ansible/ansible.cfg \
+  && echo 'home = /.ansible' >> /etc/ansible/ansible.cfg \
+  && echo 'local_tmp = /.ansible/tmp' >> /etc/ansible/ansible.cfg
 
 ENV TINI_VERSION=v0.19.0
 ENV OPERATOR_SDK_VERSION=1.34.1
@@ -96,9 +98,8 @@ COPY --from=base-builder /bin/helm /bin/helm
 COPY --from=base-builder /required-libs /lib/
 COPY --from=base-builder /usr/local/lib /usr/local/lib
 COPY --from=base-builder /usr/lib/locale/C.utf8 /usr/lib/locale/C.utf8
-COPY --from=base-builder --chown=nonroot:nonroot /element.io /element.io
-
-USER nonroot
+COPY --from=base-builder /element.io /element.io
+RUN chmod -R 0755 /etc/ansible
 
 WORKDIR /element.io
 ENV LC_ALL "C.UTF-8"

diff --git a/Dockerfile.operator b/Dockerfile.operator
@@ -6,7 +6,7 @@ ARG DISTROLESS_BASE_IMAGE=registry.gitlab.element.io/engineering/ess/operator/el
 
 
 # We need to run a first build step to remove elementdeployment role
-FROM python:3.11-slim-bookworm AS build
+FROM python:3.11-slim-bookworm AS build-tmp
 
 COPY LICENSES/operator /element.io/LICENSES
 COPY watches.yaml /element.io/watches.yaml
@@ -26,4 +26,5 @@ FROM $DISTROLESS_BASE_IMAGE as base
 ARG GIT_COMMIT=devel
 LABEL git_commit=$GIT_COMMIT
 
-COPY --from=build --chown=nonroot:nonroot /element.io /element.io
+COPY --from=build-tmp   /element.io /element.io
+RUN chmod -R 0755 /element.io
diff --git a/Dockerfile.updater b/Dockerfile.updater
@@ -10,12 +10,13 @@ FROM $DISTROLESS_BASE_IMAGE as base
 ARG GIT_COMMIT=devel
 LABEL git_commit=$GIT_COMMIT
 
-COPY --chown=nonroot:nonroot LICENSES/updater ${HOME}/element.io/LICENSES
-COPY --chown=nonroot:nonroot watches.updater.yaml ${HOME}/element.io/watches.yaml
+COPY LICENSES/updater /element.io/LICENSES
+COPY watches.updater.yaml /element.io/watches.yaml
 
-COPY --chown=nonroot:nonroot roles/elementdeployment   ${HOME}/element.io/roles/elementdeployment/
-COPY --chown=nonroot:nonroot roles/teardown   ${HOME}/element.io/roles/teardown/
-COPY --chown=nonroot:nonroot roles/generic_apply   ${HOME}/element.io/roles/generic_apply/
-COPY --chown=nonroot:nonroot playbooks/elementdeployment.yml playbooks/any.yml ${HOME}/element.io/playbooks/
+COPY roles/elementdeployment   /element.io/roles/elementdeployment/
+COPY roles/teardown   /element.io/roles/teardown/
+COPY roles/generic_apply  /element.io/roles/generic_apply/
+COPY playbooks/elementdeployment.yml playbooks/any.yml /element.io/playbooks/
 
 
+RUN chmod -R 0755 /element.io
diff --git a/conversion/Dockerfile.operator b/conversion/Dockerfile.operator
@@ -1,4 +1,4 @@
-# Copyright 2023 New Vector Ltd
+# Copyright 2023-2024 New Vector Ltd
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -9,14 +9,14 @@ WORKDIR /app
 COPY . /app
 RUN go mod download
 RUN CGO_ENABLED=0 go build -o /app/conversion-webhook cmd/operator/main.go
+RUN chmod 755 /app/conversion-webhook
 
 FROM gcr.io/distroless/static-debian12
 # Label this image with the repo and commit that built it, for freshmaking purposes.
 ARG GIT_COMMIT=devel
 LABEL git_commit=$GIT_COMMIT
-USER nonroot
 WORKDIR /
 
-COPY --from=buildstage --chown=nonroot:nonroot /app/conversion-webhook /
+COPY --from=buildstage  /app/conversion-webhook /
 EXPOSE 8443
 ENTRYPOINT ["/conversion-webhook"]
diff --git a/conversion/Dockerfile.updater b/conversion/Dockerfile.updater
@@ -1,4 +1,4 @@
-# Copyright 2023 New Vector Ltd
+# Copyright 2023-2024 New Vector Ltd
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -9,16 +9,15 @@ WORKDIR /app
 COPY . /app
 RUN go mod download
 RUN CGO_ENABLED=0 go build -o /app/conversion-webhook cmd/updater/main.go
+RUN chmod 755 /app/conversion-webhook
 
 FROM gcr.io/distroless/static-debian12
 # Label this image with the repo and commit that built it, for freshmaking purposes.
 ARG GIT_COMMIT=devel
 LABEL git_commit=$GIT_COMMIT
-USER nonroot
 WORKDIR /
 
-COPY --from=buildstage --chown=nonroot:nonroot /app/conversion-webhook /
+COPY --from=buildstage  /app/conversion-webhook /
 
 EXPOSE 8443
-USER nonroot
 ENTRYPOINT ["/conversion-webhook"]
diff --git a/helm/operator/Chart.yaml b/helm/operator/Chart.yaml
@@ -20,9 +20,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.17.18
+version: 2.17.19
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 2.17.18
+appVersion: 2.17.19
diff --git a/helm/operator/fragments/Deployment-element-operator-controller-manager.yaml b/helm/operator/fragments/Deployment-element-operator-controller-manager.yaml
@@ -44,7 +44,7 @@ spec:
         - "/bin/sh"
         - "-xc"
         args:
-        - rm -rfv /tmp/* /tmp/.* /home/nonroot/.ansible/tmp/* /home/nonroot/.ansible/tmp/.* || true
+        - rm -rfv /tmp/* /tmp/.* /.ansible/tmp/* /.ansible/tmp/.* || true
         env:
         {{- include "elementOperator.managerEnv" . | nindent 8 }}
         image: '{{ .Values.operator.manager.image.repository }}{{ hasKey .Values.operator.manager.image "digest" | ternary (print "@" .Values.operator.manager.image.digest) (print ":" .Values.operator.manager.image.tag) }}'
@@ -60,7 +60,7 @@ spec:
         volumeMounts:
         - mountPath: /tmp
           name: manager-tmp
-        - mountPath: /home/nonroot/.ansible/tmp/
+        - mountPath: /.ansible/tmp/
           name: ansible-tmp
       containers:
 {{- if $.Values.clusterDeployment }}
@@ -146,7 +146,7 @@ spec:
         volumeMounts:
         - mountPath: /tmp
           name: manager-tmp
-        - mountPath: /home/nonroot/.ansible/tmp/
+        - mountPath: /.ansible/tmp/
           name: ansible-tmp
       serviceAccountName: '{{ include "elementOperator.controllerManagerFullname" . }}'
       terminationGracePeriodSeconds: 10

diff --git a/helm/operator/templates/deployment-element-operator-controller-manager.yaml b/helm/operator/templates/deployment-element-operator-controller-manager.yaml
@@ -45,7 +45,7 @@ spec:
         - "/bin/sh"
         - "-xc"
         args:
-        - rm -rfv /tmp/* /tmp/.* /home/nonroot/.ansible/tmp/* /home/nonroot/.ansible/tmp/.* || true
+        - rm -rfv /tmp/* /tmp/.* /.ansible/tmp/* /.ansible/tmp/.* || true
         env:
         {{- include "elementOperator.managerEnv" . | nindent 8 }}
         image: '{{ .Values.operator.manager.image.repository }}{{ hasKey .Values.operator.manager.image "digest" | ternary (print "@" .Values.operator.manager.image.digest) (print ":" .Values.operator.manager.image.tag) }}'
@@ -61,7 +61,7 @@ spec:
         volumeMounts:
         - mountPath: /tmp
           name: manager-tmp
-        - mountPath: /home/nonroot/.ansible/tmp/
+        - mountPath: /.ansible/tmp/
           name: ansible-tmp
       containers:
 {{- if $.Values.clusterDeployment }}
@@ -147,7 +147,7 @@ spec:
         volumeMounts:
         - mountPath: /tmp
           name: manager-tmp
-        - mountPath: /home/nonroot/.ansible/tmp/
+        - mountPath: /.ansible/tmp/
           name: ansible-tmp
       serviceAccountName: '{{ include "elementOperator.controllerManagerFullname" . }}'
       terminationGracePeriodSeconds: 10

diff --git a/helm/operator/values.yaml b/helm/operator/values.yaml
@@ -15,8 +15,8 @@ crds:
     extraPodSpec:
       securityContext:
         runAsNonRoot: true
-        runAsUser: 65532
-        fsGroup: 65532
+        runAsUser: 65200
+        fsGroup: 65200
     extraContainerSpec:
       securityContext:
         allowPrivilegeEscalation: false
@@ -34,14 +34,14 @@ crds:
     imagePullPolicy: Always
     image:
       repository: docker.io/vectorim/ess-core-operator-conversion-webhook
-      tag: 2.17.18
+      tag: 2.17.19
 
 operator:
   extraPodSpec:
     securityContext:
       runAsNonRoot: true
-      runAsUser: 65532
-      fsGroup: 65532
+      runAsUser: 65200
+      fsGroup: 65200
   manager:
     # maxConcurrentReconciles should be a factor of the memory limit
     # as a rule of thumb, each reconciles need ~256Mi at peak
@@ -69,7 +69,7 @@ operator:
     imagePullPolicy: Always
     image:
       repository: docker.io/vectorim/ess-core-operator
-      tag: 2.17.18
+      tag: 2.17.19
 
   rbacProxy:
     resources:

diff --git a/helm/updater/Chart.yaml b/helm/updater/Chart.yaml
@@ -20,9 +20,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.17.18
+version: 2.17.19
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 2.17.18
+appVersion: 2.17.19
diff --git a/helm/updater/fragments/Deployment-element-updater-controller-manager.yaml b/helm/updater/fragments/Deployment-element-updater-controller-manager.yaml
@@ -45,7 +45,7 @@ spec:
         - "/bin/sh"
         - "-xc"
         args:
-        - rm -rfv /tmp/* /tmp/.* /home/nonroot/.ansible/tmp/* /home/nonroot/.ansible/tmp/.* || true
+        - rm -rfv /tmp/* /tmp/.* /.ansible/tmp/* /.ansible/tmp/.* || true
         env:
         {{- include "elementUpdater.managerEnv" . | nindent 8 }}
         image: '{{ .Values.updater.manager.image.repository }}{{ hasKey .Values.updater.manager.image "digest" | ternary (print "@" .Values.updater.manager.image.digest) (print ":" .Values.updater.manager.image.tag) }}'
@@ -61,7 +61,7 @@ spec:
         volumeMounts:
         - mountPath: /tmp
           name: manager-tmp
-        - mountPath: /home/nonroot/.ansible/tmp/
+        - mountPath: /.ansible/tmp/
           name: ansible-tmp
       containers:
 {{- if $.Values.clusterDeployment }}
@@ -146,9 +146,9 @@ spec:
         volumeMounts:
         - mountPath: /tmp
           name: manager-tmp
-        - mountPath: /home/nonroot/.ansible/tmp/
+        - mountPath: /.ansible/tmp/
           name: ansible-tmp
-        - mountPath: /home/nonroot/.ansible_async
+        - mountPath: /.ansible_async
           name: ansible-async
       serviceAccountName: '{{ include "elementUpdater.controllerManagerFullname" . }}'
       terminationGracePeriodSeconds: 10

diff --git a/helm/updater/templates/deployment-element-updater-controller-manager.yaml b/helm/updater/templates/deployment-element-updater-controller-manager.yaml
@@ -46,7 +46,7 @@ spec:
         - "/bin/sh"
         - "-xc"
         args:
-        - rm -rfv /tmp/* /tmp/.* /home/nonroot/.ansible/tmp/* /home/nonroot/.ansible/tmp/.* || true
+        - rm -rfv /tmp/* /tmp/.* /.ansible/tmp/* /.ansible/tmp/.* || true
         env:
         {{- include "elementUpdater.managerEnv" . | nindent 8 }}
         image: '{{ .Values.updater.manager.image.repository }}{{ hasKey .Values.updater.manager.image "digest" | ternary (print "@" .Values.updater.manager.image.digest) (print ":" .Values.updater.manager.image.tag) }}'
@@ -62,7 +62,7 @@ spec:
         volumeMounts:
         - mountPath: /tmp
           name: manager-tmp
-        - mountPath: /home/nonroot/.ansible/tmp/
+        - mountPath: /.ansible/tmp/
           name: ansible-tmp
       containers:
 {{- if $.Values.clusterDeployment }}
@@ -147,9 +147,9 @@ spec:
         volumeMounts:
         - mountPath: /tmp
           name: manager-tmp
-        - mountPath: /home/nonroot/.ansible/tmp/
+        - mountPath: /.ansible/tmp/
           name: ansible-tmp
-        - mountPath: /home/nonroot/.ansible_async
+        - mountPath: /.ansible_async
           name: ansible-async
       serviceAccountName: '{{ include "elementUpdater.controllerManagerFullname" . }}'
       terminationGracePeriodSeconds: 10

diff --git a/helm/updater/values.yaml b/helm/updater/values.yaml
@@ -34,14 +34,14 @@ crds:
     imagePullPolicy: Always
     image:
       repository: docker.io/vectorim/ess-core-updater-conversion-webhook
-      tag: 2.17.18
+      tag: 2.17.19
 
 updater:
   extraPodSpec:
     securityContext:
       runAsNonRoot: true
-      runAsUser: 65532
-      fsGroup: 65532
+      runAsUser: 65201
+      fsGroup: 65201
   manager:
     # maxConcurrentReconciles should be a factor of the memory limit
     # as a rule of thumb, each reconciles need ~256Mi at peak
@@ -69,7 +69,7 @@ updater:
           - ALL
     image:
       repository: docker.io/vectorim/ess-core-updater
-      tag: 2.17.18
+      tag: 2.17.19
 
   rbacProxy:
     resources:

diff --git a/roles/synapse/tasks/main.yml b/roles/synapse/tasks/main.yml
@@ -20,7 +20,7 @@
       _project: >-
         {{
           query('k8s',
-                api_version="v1",
+                api_version="project.openshift.io/v1",
                 kind="Project",
                 resource_name=ansible_operator_meta.namespace,
               )