chore: Add Traefik persistent volume permissions workaround

.drone.yml

@@ -1,226 +0,0 @@
-kind: pipeline
-type: kubernetes
-name: 'Packer Build'
-
-volumes:
-- name: output
-  claim:
-    name: flexvolsmb-drone-output
-- name: scratch
-  claim:
-    name: flexvolsmb-drone-scratch
-
-trigger:
-  event:
-    exclude:
-    - tag
-
-steps:
-- name: Debugging information
-  image: bv11-cr01.bessems.eu/library/packer-extended
-  pull: always
-  commands:
-  - ansible --version
-  - ovftool --version
-  - packer --version
-  - yamllint --version
-
-- name: Linting
-  image: bv11-cr01.bessems.eu/library/packer-extended
-  pull: always
-  commands:
-  - |
-    yamllint -d "{extends: relaxed, rules: {line-length: disable}}" \
-      ansible \
-      packer/preseed/UbuntuServer22.04/user-data \
-      scripts
-
-- name: Semantic Release (Dry-run)
-  image: bv11-cr01.bessems.eu/proxy/library/node:20-slim
-  pull: always
-  commands:
-  - |
-    apt-get update
-  - |
-    apt-get install -y --no-install-recommends \
-      curl \
-      git-core \
-      jq \
-      ca-certificates
-  - |
-    curl -L https://api.github.com/repos/mikefarah/yq/releases/latest | \
-      jq -r '.assets[] | select(.name | endswith("yq_linux_amd64")) | .browser_download_url' | \
-      xargs -I {} curl -L -o /bin/yq {} && \
-    chmod +x /bin/yq
-  - |
-    npm install \
-      semantic-release \
-      @semantic-release/commit-analyzer \
-      @semantic-release/exec \
-  - |
-    export K8S_VERSION=$(yq '.components.clusterapi.workload.version.k8s' < ./ansible/vars/metacluster.yml)
-    export GIT_CREDENTIALS=$${GIT_USERNAME}:$${GIT_APIKEY}
-  - |
-    npx semantic-release \
-      --package @semantic-release/exec \
-      --package semantic-release \
-      --branches ${DRONE_BRANCH} \
-      --tag-format "K8s_$${K8S_VERSION}-v\$${version}" \
-      --dry-run \
-      --plugins @semantic-release/commit-analyzer,@semantic-release/exec \
-      --analyzeCommits @semantic-release/commit-analyzer \
-      --verifyRelease @semantic-release/exec \
-      --verifyReleaseCmd 'echo "$${nextRelease.version}" > .version'
-  environment:
-    GIT_APIKEY:
-      from_secret: git_apikey
-    GIT_USERNAME: djpbessems
-
-- name: Install Ansible Galaxy collections
-  image: bv11-cr01.bessems.eu/library/packer-extended
-  pull: always
-  commands:
-  - |
-    ansible-galaxy collection install \
-      -r ansible/requirements.yml \
-      -p ./ansible/collections
-
-- name: Kubernetes Bootstrap Appliance
-  image: bv11-cr01.bessems.eu/library/packer-extended
-  pull: always
-  commands:
-  - |
-    sed -i -e "s/<<img-password>>/$${SSH_PASSWORD}/g" \
-      packer/preseed/UbuntuServer22.04/user-data
-  - |
-    export K8S_VERSION=$(yq '.components.clusterapi.workload.version.k8s' < ./ansible/vars/metacluster.yml)
-    export APPLIANCE_VERSION=$(cat .version)
-  - |
-    packer init -upgrade \
-      ./packer
-  - |
-    packer validate \
-      -only=vsphere-iso.bootstrap \
-      -var vm_name=${DRONE_BUILD_NUMBER}-${DRONE_COMMIT_SHA:0:10}-$(openssl rand -hex 3) \
-      -var docker_username=$${DOCKER_USERNAME} \
-      -var docker_password=$${DOCKER_PASSWORD} \
-      -var repo_username=$${REPO_USERNAME} \
-      -var repo_password=$${REPO_PASSWORD} \
-      -var ssh_password=$${SSH_PASSWORD} \
-      -var vsphere_password=$${VSPHERE_PASSWORD} \
-      -var k8s_version=$K8S_VERSION \
-      -var appliance_version=$APPLIANCE_VERSION \
-      ./packer
-  - |
-    packer build \
-      -on-error=cleanup -timestamp-ui \
-      -only=vsphere-iso.bootstrap \
-      -var vm_name=${DRONE_BUILD_NUMBER}-${DRONE_COMMIT_SHA:0:10}-$(openssl rand -hex 3) \
-      -var docker_username=$${DOCKER_USERNAME} \
-      -var docker_password=$${DOCKER_PASSWORD} \
-      -var repo_username=$${REPO_USERNAME} \
-      -var repo_password=$${REPO_PASSWORD} \
-      -var ssh_password=$${SSH_PASSWORD} \
-      -var vsphere_password=$${VSPHERE_PASSWORD} \
-      -var k8s_version=$K8S_VERSION \
-      -var appliance_version=$APPLIANCE_VERSION \
-      ./packer
-  environment:
-    DOCKER_USERNAME:
-      from_secret: docker_username
-    DOCKER_PASSWORD:
-      from_secret: docker_password
-    # PACKER_LOG: 1
-    REPO_USERNAME:
-      from_secret: repo_username
-    REPO_PASSWORD:
-      from_secret: repo_password
-    SSH_PASSWORD:
-      from_secret: ssh_password
-    VSPHERE_PASSWORD:
-      from_secret: vsphere_password
-  volumes:
-  - name: output
-    path: /output
-  - name: scratch
-    path: /scratch
-
-- name: Kubernetes Upgrade Appliance
-  image: bv11-cr01.bessems.eu/library/packer-extended
-  pull: alwaysquery(
-  commands:
-  - |
-    sed -i -e "s/<<img-password>>/$${SSH_PASSWORD}/g" \
-      packer/preseed/UbuntuServer22.04/user-data
-  - |
-    export K8S_VERSION=$(yq '.components.clusterapi.workload.version.k8s' < ./ansible/vars/metacluster.yml)
-    export APPLIANCE_VERSION=$(cat .version)
-  - |
-    packer init -upgrade \
-      ./packer
-  - |
-    packer validate \
-      -only=vsphere-iso.upgrade \
-      -var vm_name=${DRONE_BUILD_NUMBER}-${DRONE_COMMIT_SHA:0:10}-$(openssl rand -hex 3) \
-      -var docker_username=$${DOCKER_USERNAME} \
-      -var docker_password=$${DOCKER_PASSWORD} \
-      -var repo_username=$${REPO_USERNAME} \
-      -var repo_password=$${REPO_PASSWORD} \
-      -var ssh_password=$${SSH_PASSWORD} \
-      -var vsphere_password=$${VSPHERE_PASSWORD} \
-      -var k8s_version=$K8S_VERSION \
-      -var appliance_version=$APPLIANCE_VERSION \
-      ./packer
-  - |
-    packer build \
-      -on-error=cleanup -timestamp-ui \
-      -only=vsphere-iso.upgrade \
-      -var vm_name=${DRONE_BUILD_NUMBER}-${DRONE_COMMIT_SHA:0:10}-$(openssl rand -hex 3) \
-      -var docker_username=$${DOCKER_USERNAME} \
-      -var docker_password=$${DOCKER_PASSWORD} \
-      -var repo_username=$${REPO_USERNAME} \
-      -var repo_password=$${REPO_PASSWORD} \
-      -var ssh_password=$${SSH_PASSWORD} \
-      -var vsphere_password=$${VSPHERE_PASSWORD} \
-      -var k8s_version=$K8S_VERSION \
-      -var appliance_version=$APPLIANCE_VERSION \
-      ./packer
-  environment:
-    DOCKER_USERNAME:
-      from_secret: docker_username
-    DOCKER_PASSWORD:
-      from_secret: docker_password
-    # PACKER_LOG: 1
-    REPO_USERNAME:
-      from_secret: repo_username
-    REPO_PASSWORD:
-      from_secret: repo_password
-    SSH_PASSWORD:
-      from_secret: ssh_password
-    VSPHERE_PASSWORD:
-      from_secret: vsphere_password
-  volumes:
-  - name: output
-    path: /output
-  - name: scratch
-    path: /scratch
-
-- name: Remove temporary resources
-  image: bv11-cr01.bessems.eu/library/packer-extended
-  commands:
-  - |
-    pwsh -file scripts/Remove-Resources.ps1 \
-      -VMName $DRONE_BUILD_NUMBER-${DRONE_COMMIT_SHA:0:10} \
-      -VSphereFQDN 'bv11-vc.bessems.lan' \
-      -VSphereUsername 'administrator@vsphere.local' \
-      -VSpherePassword $${VSPHERE_PASSWORD}
-  environment:
-    VSPHERE_PASSWORD:
-      from_secret: vsphere_password
-  volumes:
-  - name: scratch
-    path: /scratch
-  when:
-    status:
-    - success
-    - failure

.gitea/workflows/actions.yaml

@@ -83,12 +83,9 @@ jobs:
 
           echo "BUILD_COMMIT=$(echo ${{ gitea.sha }} | cut -c 1-10)" >> $GITHUB_ENV
           echo "BUILD_SUFFIX=$(openssl rand -hex 3)" >> $GITHUB_ENV
-      - name: Run `packer validate`
+      - name: Validate packer template files
         id: validate
         run: |
-          # BUILD_COMMIT=$(echo "${{ gitea.sha }}" | cut -c 1-10)
-          # BUILD_SUFFIX=$(openssl rand -hex 3)
-
           packer validate \
             -only=vsphere-iso.bootstrap \
             -var vm_name=${{ gitea.run_number }}-${BUILD_COMMIT}-${BUILD_SUFFIX} \
@@ -101,12 +98,10 @@ jobs:
             -var k8s_version=${{ steps.get_k8sversion.outputs.result }} \
             -var appliance_version=${{ needs.semrel_dryrun.outputs.version }} \
             ./packer
-      - name: Run `packer build`
+      - name: Build packer template
         run: |
-          # BUILD_COMMIT=$(echo "${{ gitea.sha }}" | cut -c 1-10)
-          # BUILD_SUFFIX=$(openssl rand -hex 3)
-
           packer build \
+            -on-error=cleanup -timestamp-ui \
             -only=vsphere-iso.bootstrap \
             -var vm_name=${{ gitea.run_number }}-${BUILD_COMMIT}-${BUILD_SUFFIX} \
             -var docker_username=${{ secrets.DOCKER_USERNAME }} \
@@ -121,7 +116,6 @@ jobs:
         # env:
         #   PACKER_LOG: 1
 
-
   # semrel:
   #   name: Semantic Release
   #   runs-on: dind-rootless

ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/ingress.yml

@@ -6,7 +6,11 @@
             initContainers:
               - name: volume-permissions
                 image: busybox:1
-                command: ["sh", "-c", "touch /data/acme.json && chmod -Rv 600 /data/* && chown 65532:65532 /data/acme.json"]
+                command: ["sh", "-c", "touch /data/acme.json; chown 65532 /data/acme.json; chmod -v 600 /data/acme.json"]
+                securityContext:
+                  runAsNonRoot: false
+                  runAsGroup: 0
+                  runAsUser: 0
                 volumeMounts:
                   - name: data
                     mountPath: /data

packer/source.pkr.hcl

@@ -58,4 +58,6 @@ source "vsphere-iso" "ubuntu" {
   export {
     output_directory             = "/data/scratch"
   }
+
+  destroy                        = true
 }