From 13bd7a86750ea70d2d94cb052bc670801cba65d8 Mon Sep 17 00:00:00 2001 From: ci-bot Date: Tue, 5 Mar 2024 08:38:28 +0000 Subject: [PATCH] update ks-core helm chart --- src/test/ks-core/Chart.yaml | 2 +- ...pplication.kubesphere.io_applications.yaml | 13 ++++++ .../crds/application.kubesphere.io_repos.yaml | 7 +-- .../crds/kubesphere.io_extensionversions.yaml | 2 - .../templates/customresourcefilters.yaml | 45 +++++++++++++++++++ src/test/ks-core/templates/globalroles.yaml | 20 ++++++--- .../ks-core/templates/marketplace-config.yaml | 12 +++-- src/test/ks-core/templates/roletemplates.yaml | 16 +++++++ src/test/ks-core/templates/webhook.yaml | 32 ------------- src/test/ks-core/values.yaml | 14 +++++- 10 files changed, 111 insertions(+), 52 deletions(-) create mode 100644 src/test/ks-core/templates/customresourcefilters.yaml diff --git a/src/test/ks-core/Chart.yaml b/src/test/ks-core/Chart.yaml index b46e0e8e..ca18c2e6 100644 --- a/src/test/ks-core/Chart.yaml +++ b/src/test/ks-core/Chart.yaml @@ -7,7 +7,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.6.6 +version: 0.6.7 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/src/test/ks-core/crds/application.kubesphere.io_applications.yaml b/src/test/ks-core/crds/application.kubesphere.io_applications.yaml index 75fdafda..1cd42508 100644 --- a/src/test/ks-core/crds/application.kubesphere.io_applications.yaml +++ b/src/test/ks-core/crds/application.kubesphere.io_applications.yaml 
@@ -63,6 +63,19 @@ spec: type: array icon: type: string + resources: + items: + properties: + Group: + type: string + Kind: + type: string + Resource: + type: string + Version: + type: string + type: object + type: array type: object status: description: ApplicationStatus defines the observed state of Application diff --git a/src/test/ks-core/crds/application.kubesphere.io_repos.yaml b/src/test/ks-core/crds/application.kubesphere.io_repos.yaml index 36e39144..cf1e6e25 100644 --- a/src/test/ks-core/crds/application.kubesphere.io_repos.yaml +++ b/src/test/ks-core/crds/application.kubesphere.io_repos.yaml @@ -55,7 +55,6 @@ spec: description: RepoSpec defines the desired state of Repo properties: credential: - description: ' repo credential' properties: caFile: description: verify certificates of HTTPS-enabled servers using @@ -80,14 +79,12 @@ spec: type: string type: object description: - description: chart repo description from frontend type: string + global: + type: boolean syncPeriod: - description: sync period in seconds, no sync when SyncPeriod=0, the - minimum SyncPeriod is 180s type: integer url: - description: ' repo url' type: string required: - url diff --git a/src/test/ks-core/crds/kubesphere.io_extensionversions.yaml b/src/test/ks-core/crds/kubesphere.io_extensionversions.yaml index 29493883..1fa7c4c5 100644 --- a/src/test/ks-core/crds/kubesphere.io_extensionversions.yaml +++ b/src/test/ks-core/crds/kubesphere.io_extensionversions.yaml @@ -82,8 +82,6 @@ spec: additionalProperties: type: string type: object - docs: - type: string externalDependencies: description: ExternalDependencies items: diff --git a/src/test/ks-core/templates/customresourcefilters.yaml b/src/test/ks-core/templates/customresourcefilters.yaml new file mode 100644 index 00000000..12f73cfc --- /dev/null +++ b/src/test/ks-core/templates/customresourcefilters.yaml 
@@ -0,0 +1,45 @@ +apiVersion: v1 +stringData: + configuration.yaml: | + resource: + group: "kubesphere.io" + version: "v1alpha1" + kind: "Extension" + regoPolicy: | + package filter + + import rego.v1 + + default match := false + + match if { + not listAvailableExtension + } + + match if { + listAvailableExtension + isSubscribed + } + + match if { + listAvailableExtension + isInstalled + } + + match if { + listAvailableExtension + not hasExtensionID + } + + listAvailableExtension if ["available"][_] == input.filter.field + + isSubscribed if input.object.metadata.labels["marketplace.kubesphere.io/subscribed"] == "true" + + isInstalled if input.object.status.state != "" + + hasExtensionID if input.object.metadata.labels["marketplace.kubesphere.io/extension-id"] != "" +kind: Secret +metadata: + name: extensions.customresourcefilters.kubesphere + namespace: kubesphere-system +type: config.kubesphere.io/custom-resource-filter \ No newline at end of file diff --git a/src/test/ks-core/templates/globalroles.yaml b/src/test/ks-core/templates/globalroles.yaml index aca0109c..f0e36e67 100644 --- a/src/test/ks-core/templates/globalroles.yaml +++ b/src/test/ks-core/templates/globalroles.yaml @@ -129,13 +129,6 @@ rules: verbs: - get - list - - apiGroups: - - license.kubesphere.io - resources: - - licenses - verbs: - - get - - list - apiGroups: - cluster.kubesphere.io resources: 
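Review bot: `isSubscribed` and `hasExtensionID` in the new `regoPolicy` decide visibility from labels on the Extension object itself, and the first `match` rule admits every object whenever `input.filter.field` is not `available`, so this policy is a listing filter rather than an entitlement check. Anyone who can write Extension metadata can presumably set the `marketplace.kubesphere.io/subscribed` label to `"true"`; how those labels are protected is not visible in this patch. I would state the intent at the top of the policy with a Rego comment such as `# Display filter for the "available" listing only; labels are not a trust boundary.` and confirm that write access to Extension labels is limited to the marketplace controller. The manifest also hard-codes `namespace: kubesphere-system` and ends without a trailing newline.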
@@ -155,6 +148,19 @@ metadata: annotations: kubesphere.io/creator: admin kubesphere.io/description: '{"zh": "管理 KubeSphere 平台上的所有资源。", "en": "Manage all resources on the KubeSphere platform."}' + iam.kubesphere.io/rego-override: >- + package authz + default allow = false + allow = true { + allowedScopes := ["Workspace","Namespace","Cluster"] + allowedScopes[_] == input.ResourceScope + allowedVerbs := ["get","list","watch"] + allowedVerbs[_] == input.Verb + } + allow = true { + allowedScopes := ["Workspace","Namespace","Cluster"] + allowedScopes[_] == input.ResourceScope + } labels: iam.kubesphere.io/auto-aggregate: "true" name: platform-admin diff --git a/src/test/ks-core/templates/marketplace-config.yaml b/src/test/ks-core/templates/marketplace-config.yaml index e23f487a..5eefed86 100644 --- a/src/test/ks-core/templates/marketplace-config.yaml +++ b/src/test/ks-core/templates/marketplace-config.yaml @@ -1,8 +1,9 @@ -{{ if eq .Values.role "host" }} +{{- if eq .Values.role "host" }} +{{- if .Values.cloud.enabled }} apiVersion: v1 stringData: configuration.yaml: | -{{- if .Values.devMode }} +{{- if eq .Values.cloud.env "clouddev.kubesphere.io" }} url: https://clouddev.kubesphere.io oauth: clientID: "client-a5cdf64c-7f84-415e-a6b1-8dfbfad493c3" @@ -13,7 +14,7 @@ stringData: url: https://app.clouddev.kubesphere.io repoName: marketplace syncPeriod: 60m -{{- else }} +{{- else if eq .Values.cloud.env "kubesphere.cloud" }} url: https://kubesphere.cloud oauth: clientID: "client-a5cdf64c-7f84-415e-a6b1-8dfbfad493c3" @@ -24,6 +25,8 @@ stringData: url: https://app.kubesphere.cloud repoName: marketplace syncPeriod: 60m +{{- else if .Values.cloud.customEnv }} + {{- toYaml .Values.cloud.customEnv | nindent 4 }} {{- end }} kind: Secret metadata: @@ -32,4 +35,5 @@ metadata: labels: config.kubesphere.io/type: marketplace type: config.kubesphere.io/marketplace -{{ end }} +{{- end }} +{{- end }} \ No newline at end of file 
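Review bot: The `iam.kubesphere.io/rego-override` annotation added to `platform-admin` uses the folded scalar `>-`, while the same kind of policy text in roletemplates.yaml in this patch uses the literal `|-`. Folding joins equally indented lines with spaces, so `package authz`, `default allow = false` and the rule heads would likely arrive on one line and fail to parse as Rego; the indentation is not recoverable from this view, and what the authorizer does with an unparsable override is not shown here. Use `iam.kubesphere.io/rego-override: |-`. The first `allow` rule is also redundant, because the second one admits every verb for the same three scopes.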
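Review bot: In the `@@ -24,6 +25,8 @@` hunk of marketplace-config.yaml the chain `if eq .Values.cloud.env "clouddev.kubesphere.io"` / `else if eq .Values.cloud.env "kubesphere.cloud"` / `else if .Values.cloud.customEnv` has no final branch, so a mistyped `cloud.env` with no `customEnv` renders the Secret with an empty `configuration.yaml`. Failing the render is safer than shipping an empty marketplace config: add `{{- else }}` followed by `{{- fail "cloud.env must be kubesphere.cloud or clouddev.kubesphere.io, or cloud.customEnv must be set" }}` before the closing `{{- end }}`. `customEnv` is also copied verbatim with `toYaml`, so nothing checks that its `url` values are HTTPS endpoints; that deserves at least a comment next to the value. The outer `if` blocks of this template open and close in the other hunks of the file.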
diff --git a/src/test/ks-core/templates/roletemplates.yaml b/src/test/ks-core/templates/roletemplates.yaml index 87b7dcac..7571232e 100644 --- a/src/test/ks-core/templates/roletemplates.yaml +++ b/src/test/ks-core/templates/roletemplates.yaml @@ -195,6 +195,15 @@ kind: RoleTemplate metadata: annotations: iam.kubesphere.io/role-template-rules: '{"clusters": "view"}' + iam.kubesphere.io/rego-override: |- + package authz + default allow = false + allow = true { + allowedScopes := ["Workspace","Namespace","Cluster"] + allowedScopes[_] == input.ResourceScope + allowedVerbs := ["get","list","watch"] + allowedVerbs[_] == input.Verb + } labels: iam.kubesphere.io/category: global-cluster-management iam.kubesphere.io/scope: "global" @@ -266,6 +275,13 @@ metadata: iam.kubesphere.io/dependencies: '["global-view-clusters"]' iam.kubesphere.io/role-template-rules: '{"clusters": "manage"}' kubesphere.io/description: '{"zh":"创建集群、删除集群和管理集群中的所有资源。"}' + iam.kubesphere.io/rego-override: |- + package authz + default allow = false + allow = true { + allowedScopes := ["Workspace","Namespace","Cluster"] + allowedScopes[_] == input.ResourceScope + } labels: iam.kubesphere.io/category: global-cluster-management iam.kubesphere.io/scope: "global" diff --git a/src/test/ks-core/templates/webhook.yaml b/src/test/ks-core/templates/webhook.yaml index 0fd1e180..a9021abd 100644 --- a/src/test/ks-core/templates/webhook.yaml +++ b/src/test/ks-core/templates/webhook.yaml 
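Review bot: The override added in the `@@ -195,6 +195,15 @@` hunk constrains only `input.ResourceScope` and `input.Verb`, so the `{"clusters": "view"}` template allows `get`, `list` and `watch` on every resource kind in Workspace, Namespace and Cluster scope, which would include Secrets if the authorizer evaluates them through this policy. The second hunk (`@@ -266,6 +275,13 @@`) has the same shape with no verb restriction at all. If that breadth is intended, document it beside the annotation, for example `# rego-override: read access to all resources in the listed scopes`; otherwise narrow the rule on whatever resource fields the authorizer input provides, which are not visible here. These policies also use pre-`rego.v1` rule syntax while customresourcefilters.yaml in this patch imports `rego.v1`, so the two styles will not behave the same across OPA upgrades.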
@@ -317,38 +317,6 @@ webhooks: --- apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: license.kubesphere.io -webhooks: - - admissionReviewVersions: - - v1 - clientConfig: - caBundle: {{ b64enc $ca.Cert | quote }} - service: - name: ks-controller-manager - namespace: kubesphere-system - path: /license-cluster-checker - port: 443 - name: license-cluster-checker.kubesphere.io - failurePolicy: Ignore - matchPolicy: Exact - namespaceSelector: {} - objectSelector: {} - rules: - - apiGroups: - - cluster.kubesphere.io - apiVersions: - - v1alpha1 - operations: - - CREATE - resources: - - clusters - scope: '*' - sideEffects: None - timeoutSeconds: 30 ---- -apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: name: defaulter.config.kubesphere.io diff --git a/src/test/ks-core/values.yaml b/src/test/ks-core/values.yaml index acec123c..e25a66dd 100644 --- a/src/test/ks-core/values.yaml +++ b/src/test/ks-core/values.yaml @@ -287,6 +287,18 @@ nodeShell: tag: "3.18.4" pullPolicy: IfNotPresent +cloud: + enabled: true + ## kubesphere.cloud or clouddev.kubesphere.io + env: "kubesphere.cloud" + customEnv: +# url: https://kubesphere.cloud +# subscription: +# syncPeriod: 60m +# repository: +# url: https://app.kubesphere.cloud +# repoName: marketplace +# syncPeriod: 60m extension: imageRegistry: "" @@ -363,7 +375,7 @@ upgrade: - amd64 overrides: k: v - dynamicOptions: { } + dynamicOptions: {} devops: disabled: false priority: 100
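Review bot: The new `cloud` block in values.yaml documents the two accepted `env` values but not how `customEnv` interacts with them: per marketplace-config.yaml in this patch it is used only when `env` matches neither preset. The commented sample also has no `oauth` block, although both presets visible in that template set `oauth.clientID`; whether it is required is not shown here. I would add `## customEnv is used only when env is neither preset; it is copied verbatim into the marketplace Secret` above `customEnv:`.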