From 8a5998e0c0721c873b6d6a345966cdaac8a70423 Mon Sep 17 00:00:00 2001 From: ci-bot Date: Wed, 31 Jan 2024 09:42:30 +0000 Subject: [PATCH 1/2] update ks-core helm chart --- src/test/ks-core/Chart.yaml | 2 +- ...nant.kubesphere.io_workspacetemplates.yaml | 3 + src/test/ks-core/templates/_helpers.tpl | 38 +++++- src/test/ks-core/templates/globalroles.yaml | 8 +- src/test/ks-core/templates/ingress.yaml | 6 +- .../ks-core/templates/ks-console-config.yml | 3 +- .../ks-core/templates/kubesphere-config.yaml | 42 +++---- .../ks-core/templates/serviceaccount.yaml | 2 +- src/test/ks-core/templates/tls-secrets.yaml | 6 +- src/test/ks-core/templates/webhook.yaml | 8 +- src/test/ks-core/values.yaml | 115 ++++++++---------- 11 files changed, 120 insertions(+), 113 deletions(-) diff --git a/src/test/ks-core/Chart.yaml b/src/test/ks-core/Chart.yaml index 82d0a3e60..e686e79f2 100644 --- a/src/test/ks-core/Chart.yaml +++ b/src/test/ks-core/Chart.yaml @@ -7,7 +7,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.5.5 +version: 0.5.7 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/src/test/ks-core/crds/tenant.kubesphere.io_workspacetemplates.yaml b/src/test/ks-core/crds/tenant.kubesphere.io_workspacetemplates.yaml index ba41ba498..0aa5c53a2 100644 --- a/src/test/ks-core/crds/tenant.kubesphere.io_workspacetemplates.yaml +++ b/src/test/ks-core/crds/tenant.kubesphere.io_workspacetemplates.yaml @@ -217,6 +217,9 @@ spec: - name type: object type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map type: object template: properties: 
diff --git a/src/test/ks-core/templates/_helpers.tpl b/src/test/ks-core/templates/_helpers.tpl index 268439810..37c7789fb 100644 --- a/src/test/ks-core/templates/_helpers.tpl +++ b/src/test/ks-core/templates/_helpers.tpl @@ -55,10 +55,42 @@ app.kubernetes.io/instance: {{ .Release.Name }} Create the name of the service account to use */}} {{- define "ks-core.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} - {{- default (include "ks-core.fullname" .) .Values.serviceAccount.name }} +{{- default "kubesphere" .Values.serviceAccount.name }} +{{- end }} + +{{- define "portal.host" -}} +{{- if and .Values.portal.https .Values.portal.https.port }} +{{- if eq (int .Values.portal.https.port) 443 }} +{{- printf "https://%s" .Values.portal.hostname }} +{{- else }} +{{- printf "https://%s:%d" .Values.portal.hostname (int .Values.portal.https.port) }} +{{- end }} +{{- else }} +{{- if eq (int .Values.portal.http.port) 80 }} +{{- printf "http://%s" .Values.portal.hostname }} +{{- else }} +{{- printf "http://%s:%d" .Values.portal.hostname (int .Values.portal.http.port) }} +{{- end }} +{{- end }} +{{- end }} + +{{- define "jwtSecret" -}} +{{- if eq .Values.role "host" }} +{{- with lookup "v1" "ConfigMap" (printf "%s" .Release.Namespace) "kubesphere-config" }} +{{- with (fromYaml (index .data "kubesphere.yaml")) }} +{{- if and .authentication .authentication.issuer .authentication.issuer.jwtSecret }} +{{- .authentication.issuer.jwtSecret }} +{{- else }} +{{- $.Values.authentication.issuer.jwtSecret | default (randAlphaNum 32 ) }} +{{- end }} +{{- else }} +{{- $.Values.authentication.issuer.jwtSecret | default (randAlphaNum 32 ) }} +{{- end }} +{{- else }} +{{- $.Values.authentication.issuer.jwtSecret | default (randAlphaNum 32 ) }} +{{- end }} {{- else }} - {{- default "default" .Values.serviceAccount.name }} +{{- .Values.authentication.issuer.jwtSecret }} {{- end }} {{- end }} 
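Review bot: The new `jwtSecret` helper reuses a stored key only when it finds it at `authentication.issuer.jwtSecret`, but the template removed in kubesphere-config.yaml wrote it to `authentication.jwtSecret`. On upgrade of a host release with no value set, the lookup falls through to `randAlphaNum 32` and the signing key silently changes, which would invalidate issued tokens. Checking the old path before generating would avoid that, e.g. `{{- else if and .authentication .authentication.jwtSecret }}{{- .authentication.jwtSecret }}` ahead of the inner `else`. The last `else` branch (role other than host) emits `.Values.authentication.issuer.jwtSecret` as-is, so an unset value renders an empty signing secret; `required "authentication.issuer.jwtSecret must be set when role is not host" .Values.authentication.issuer.jwtSecret` would fail the render instead. The `and` guards here and in `portal.host` depend on short-circuit evaluation, which text/template only gained in Go 1.18, so a Helm client built with an older Go will likely hit a nil-pointer error when `portal.https` is unset.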
diff --git a/src/test/ks-core/templates/globalroles.yaml b/src/test/ks-core/templates/globalroles.yaml index 41f7646dd..df7ad8e6d 100644 --- a/src/test/ks-core/templates/globalroles.yaml +++ b/src/test/ks-core/templates/globalroles.yaml @@ -4,11 +4,7 @@ metadata: name: anonymous rules: - nonResourceURLs: - - /dist/* - verbs: - - GET - - nonResourceURLs: - - /static/images/* + - '/static/images/*' verbs: - GET @@ -127,7 +123,7 @@ rules: - get - list - nonResourceURLs: - - /static/images/* + - '/static/images/*' verbs: - GET diff --git a/src/test/ks-core/templates/ingress.yaml b/src/test/ks-core/templates/ingress.yaml index 3982ebe5f..84a9ac851 100644 --- a/src/test/ks-core/templates/ingress.yaml +++ b/src/test/ks-core/templates/ingress.yaml @@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: {{ template "ks-core.fullname" . }} + name: ks-console namespace: {{ .Release.Namespace }} annotations: {{- if .Values.internalTLS }} @@ -34,7 +34,7 @@ spec: ingressClassName: {{ .Values.ingress.ingressClassName }} {{- end }} rules: - - host: {{ .Values.hostname }} + - host: {{ .Values.portal.hostname }} http: paths: - backend: @@ -61,7 +61,7 @@ spec: {{- if .Values.ingress.tls.enabled }} tls: - hosts: - - {{ .Values.hostname }} + - {{ .Values.portal.hostname }} secretName: {{ .Values.ingress.tls.secretName }} {{- end }} {{- end }} \ No newline at end of file diff --git a/src/test/ks-core/templates/ks-console-config.yml b/src/test/ks-core/templates/ks-console-config.yml index f1f11b62d..cb8eaccd2 100644 --- a/src/test/ks-core/templates/ks-console-config.yml +++ b/src/test/ks-core/templates/ks-console-config.yml @@ -26,9 +26,8 @@ data: client: version: kubesphere: {{ .Chart.AppVersion }} - kubernetes: {{ .Values.kubeVersion }} + kubernetes: {{ .Capabilities.KubeVersion.Version }} enableKubeConfig: true - defaultClusterName: {{ .Values.console.defaultClusterName }} kind: ConfigMap metadata: name: ks-console-config 
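Review bot: In ingress.yaml the rule host and the `tls.hosts` entry now render `{{ .Values.portal.hostname }}` unquoted and unchecked, while values.yaml documents that the same key may hold an IP address for the non-ingress case. An empty value or an IP literal yields an Ingress that is either rejected or matches differently than intended, and the failure only shows up at apply time. Failing the render is cheaper: `- host: {{ required "portal.hostname must be a DNS name when ingress is enabled" .Values.portal.hostname | quote }}`, with the same expression under `tls.hosts`. The hard-coded `name: ks-console` also means two releases in one namespace would collide, which may be intended but deserves a comment.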
diff --git a/src/test/ks-core/templates/kubesphere-config.yaml b/src/test/ks-core/templates/kubesphere-config.yaml index f2f985ed3..018170c80 100644 --- a/src/test/ks-core/templates/kubesphere-config.yaml +++ b/src/test/ks-core/templates/kubesphere-config.yaml 
@@ -1,30 +1,24 @@ -{{- if .Values.config.create -}} apiVersion: v1 kind: ConfigMap metadata: name: kubesphere-config - namespace: kubesphere-system data: kubesphere.yaml: | authentication: - authenticateRateLimiterMaxTries: {{ .Values.config.authentication.authenticateRateLimiterMaxTries | default 10 }} - authenticateRateLimiterDuration: {{ .Values.config.authentication.authenticationRateLimiterDuration | default "10m0s" }} - loginHistoryRetentionPeriod: {{ .Values.config.authentication.loginHistoryRetentionPeriod | default "168h" }} - maximumClockSkew: {{ .Values.config.authentication.maximumClockSkew | default "10s" }} - multipleLogin: {{ .Values.config.authentication.enableMultiLogin | default true }} -{{- if eq .Values.role "host" }} - {{- with lookup "v1" "ConfigMap" (printf "%s" .Release.Namespace) "kubesphere-config" }} - jwtSecret: "{{ (fromYaml (index .data "kubesphere.yaml")).authentication.jwtSecret }}" - {{- else }} - jwtSecret: "{{ .Values.config.jwtSecret | default (randAlphaNum 32 ) }}" - {{- end }} -{{- else }} - jwtSecret: "{{ .Values.config.jwtSecret }}" -{{- end }} -{{- if eq .Values.role "member" }} - oauthOptions: + authenticateRateLimiterMaxTries: {{ .Values.authentication.authenticateRateLimiterMaxTries | default 10 }} + authenticateRateLimiterDuration: {{ .Values.authentication.authenticationRateLimiterDuration | default "10m0s" }} + loginHistoryRetentionPeriod: {{ .Values.authentication.loginHistoryRetentionPeriod | default "168h" }} + multipleLogin: {{ .Values.authentication.enableMultiLogin | default true }} + issuer: + host: {{ include "portal.host" . | quote }} + jwtSecret: {{ include "jwtSecret" . 
| quote }} + maximumClockSkew: {{ .Values.authentication.issuer.maximumClockSkew | default "10s" }} + {{- if eq .Values.role "member" }} accessTokenMaxAge: 0 -{{- end }} + {{- else }} + accessTokenMaxAge: {{ .Values.authentication.issuer.accessTokenMaxAge }} + {{- end }} + accessTokenInactivityTimeout: {{ .Values.authentication.issuer.accessTokenInactivityTimeout }} multicluster: clusterRole: {{ .Values.role }} terminal: @@ -35,11 +29,11 @@ data: helmExecutor: image: {{ template "helm.image" . }} extension: - imageRegistry: {{- .Values.extension.imageRegistry }} + imageRegistry: {{ default .Values.extension.imageRegistry "" | quote }} + {{- if .Values.extension.nodeSelector }} nodeSelector: {{- toYaml .Values.extension.nodeSelector | nindent 8 }} - -{{- if .Values.devMode }} + {{- end }} + {{- if .Values.devMode }} telemetry: ksCloudURL: "https://clouddev.kubesphere.io" -{{- end }} -{{- end }} + {{- end }} \ No newline at end of file diff --git a/src/test/ks-core/templates/serviceaccount.yaml b/src/test/ks-core/templates/serviceaccount.yaml index 67223275c..35e35be61 100644 --- a/src/test/ks-core/templates/serviceaccount.yaml +++ b/src/test/ks-core/templates/serviceaccount.yaml @@ -10,7 +10,6 @@ metadata: annotations: {{- toYaml . | nindent 4 }} {{- end }} -{{- end }} --- apiVersion: rbac.authorization.k8s.io/v1 @@ -25,3 +24,4 @@ subjects: - kind: ServiceAccount name: {{ include "ks-core.serviceAccountName" . }} namespace: kubesphere-system +{{- end }} diff --git a/src/test/ks-core/templates/tls-secrets.yaml b/src/test/ks-core/templates/tls-secrets.yaml index 63c98b3e0..5c1067d28 100644 --- a/src/test/ks-core/templates/tls-secrets.yaml +++ b/src/test/ks-core/templates/tls-secrets.yaml 
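Review bot: The token signing key is still written into a ConfigMap: `jwtSecret: {{ include "jwtSecret" . | quote }}` lands in `kubesphere-config`, so every subject that can read ConfigMaps in the release namespace can read the key. If ks-apiserver can take the key from a Secret (not visible here), it should move there; otherwise read access to this ConfigMap should be restricted and audited as if it were a Secret. Separately, `accessTokenMaxAge` and `accessTokenInactivityTimeout` are the only fields in this block without `| default`, so a values file that omits them renders an empty value whose meaning the consumer decides. Adding `| default "2h"` and `| default "30m"` would match the defaults in values.yaml.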
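Review bot: The arguments to `default` are reversed in `imageRegistry: {{ default .Values.extension.imageRegistry "" | quote }}`: Sprig's form is `default DEFAULT VALUE`, so this treats the registry as the fallback for a constant empty string. It returns the registry only by accident, and a nil value passes through `quote` as nothing, leaving `imageRegistry:` null rather than `""`. The intended form is `imageRegistry: {{ .Values.extension.imageRegistry | default "" | quote }}`.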
@@ -1,6 +1,6 @@ {{- if ne .Values.ingress.tls.source "letsEncrypt" -}} {{- if and (not (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1")) (not (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2")) (not (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1")) (not (.Capabilities.APIVersions.Has "cert-manager.io/v1")) }} -{{- $ca := genCA .Values.hostname 3650 -}} +{{- $ca := genCA "self-signed-ca" 3650 -}} {{- $cert := genSignedCert "ks-apiserver" nil (list "ks-apiserver" (printf "%s.%s" "ks-apiserver" .Release.Namespace) (printf "%s.%s.%s" "ks-apiserver" .Release.Namespace "svc")) 3650 $ca -}} {{- if .Values.internalTLS }} apiVersion: v1 @@ -16,7 +16,7 @@ data: {{- end }} --- -{{- $consolecert := genSignedCert "ks-console" nil (list "ks-console" (printf "%s.%s" "ks-console" .Release.Namespace) (printf "%s.%s.%s" "ks-console" .Release.Namespace "svc")) 3650 $ca -}} +{{- $consolecert := genSignedCert "ks-console" nil (list "ks-console" (printf "%s.%s" "ks-console" .Release.Namespace) (printf "%s.%s.%s" "ks-console" .Release.Namespace "svc") .Values.portal.hostname) 3650 $ca -}} {{- if .Values.internalTLS }} apiVersion: v1 kind: Secret @@ -31,7 +31,7 @@ data: {{- end }} --- -{{- $ingresscert := genSignedCert .Values.hostname nil (list .Values.hostname) 3650 $ca -}} +{{- $ingresscert := genSignedCert .Values.portal.hostname nil (list .Values.portal.hostname) 3650 $ca -}} {{- if and ( .Values.ingress.enabled ) ( .Values.ingress.tls.enabled ) (eq .Values.ingress.tls.source "generation") }} apiVersion: v1 kind: Secret diff --git a/src/test/ks-core/templates/webhook.yaml b/src/test/ks-core/templates/webhook.yaml index d9aeb0685..a9021abd8 100644 --- a/src/test/ks-core/templates/webhook.yaml +++ b/src/test/ks-core/templates/webhook.yaml 
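Review bot: The console certificate now adds `.Values.portal.hostname` to the DNS-name list of `genSignedCert`, but values.yaml allows that key to be an IP address, and an IP placed in a DNS SAN does not satisfy hostname verification. The second argument of `genSignedCert` (currently `nil`) is the IP SAN list; when the hostname is an IP literal it should be passed there, otherwise clients reaching the console by IP will fail verification and operators tend to respond by turning verification off. The same applies to `$ingresscert` in the last hunk, although the values comment rules out IPs when ingress is enabled. As far as these hunks show, `$ca` comes from `genCA "self-signed-ca" 3650` on every render with no `lookup` of an existing Secret, so each upgrade would issue a fresh ten-year CA and invalidate any pinned trust; that is worth confirming against the rest of the file.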
@@ -1,4 +1,4 @@ -{{- $ca := genCA "ks-controller-manager-ca" 3650 }} +{{- $ca := genCA "self-signed-ca" 3650 }} {{- $cn := printf "%s-admission-webhook" .Release.Name }} {{- $altName1 := printf "ks-controller-manager.%s" .Release.Namespace }} {{- $altName2 := printf "ks-controller-manager.%s.svc" .Release.Namespace }} @@ -30,7 +30,7 @@ webhooks: namespace: kubesphere-system path: /validate-iam-kubesphere-io-v1beta1-user port: 443 - failurePolicy: Fail + failurePolicy: Ignore matchPolicy: Exact name: users.iam.kubesphere.io namespaceSelector: {} @@ -192,7 +192,7 @@ webhooks: namespace: kubesphere-system path: /validate--v1-secret port: 443 - failurePolicy: Fail + failurePolicy: Ignore matchPolicy: Exact name: validator.config.kubesphere.io namespaceSelector: {} @@ -330,7 +330,7 @@ webhooks: namespace: kubesphere-system path: /mutate--v1-secret port: 443 - failurePolicy: Fail + failurePolicy: Ignore matchPolicy: Exact name: defaulter.config.kubesphere.io namespaceSelector: {} diff --git a/src/test/ks-core/values.yaml b/src/test/ks-core/values.yaml index fc0c44c5a..195a0db0a 100644 --- a/src/test/ks-core/values.yaml +++ b/src/test/ks-core/values.yaml @@ -5,12 +5,6 @@ global: tag: ksc imagePullSecrets: [] -## @section Common parameters -## - -## @param kubeVersion Override Kubernetes version -## -kubeVersion: "" ## @param nameOverride String to partially override common.names.fullname ## nameOverride: "" 
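Review bot: Switching `failurePolicy` from `Fail` to `Ignore` makes three admission webhooks fail open: `users.iam.kubesphere.io`, `validator.config.kubesphere.io` and `defaulter.config.kubesphere.io` (hunks at -30, -192 and -330). Whenever ks-controller-manager is unreachable or its certificate is wrong, User objects and Secrets are admitted without validation or defaulting, and nothing records that the check was skipped. If the motive is that a cluster-wide Secret webhook with `namespaceSelector: {}` can block the API when the backend is down, narrowing the selector and keeping `failurePolicy: Fail` at least on the user validator preserves the control. If `Ignore` stays, add a comment stating the trade-off and alert on the apiserver's admission-webhook fail-open and rejection metrics so that skipped checks are visible.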
@@ -24,21 +18,32 @@ commonLabels: {} ## commonAnnotations: {} +## Role represents the role of the current cluster, +## and it can have one of two values: "host" or "member". role: host +portal: + ## The IP address or hostname to access ks-console service. + ## DO NOT use IP address if ingress is enabled. + hostname: "ks-console.kubesphere-system.svc" + http: + port: 30880 +# https: +# port: 30443 + adminPassword: "" -config: - # Specifies whether the kubesphere-config configmap should be created - create: true - authentication: - authenticateRateLimiterMaxTries: 10 - authenticationRateLimiterDuration: 10m0s - loginHistoryRetentionPeriod: 168h +authentication: + authenticateRateLimiterMaxTries: 10 + authenticationRateLimiterDuration: 10m0s + loginHistoryRetentionPeriod: 168h + enableMultiLogin: true + issuer: maximumClockSkew: 10s - enableMultiLogin: true - # Jwt Secret is required by ks-apiserver, a random string would be generated if it's empty - jwtSecret: "" + # Jwt Secret is required by ks-apiserver, a random string would be generated if it's empty + jwtSecret: "" + accessTokenMaxAge: 2h + accessTokenInactivityTimeout: 30m serviceAccount: # Specifies whether a service account should be created @@ -46,22 +51,8 @@ serviceAccount: # Annotations to add to the service account annotations: {} # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template name: "kubesphere" -podAnnotations: {} - -podSecurityContext: {} -# fsGroup: 2000 - -securityContext: {} -# capabilities: -# drop: -# - ALL -# readOnlyRootFilesystem: true -# runAsNonRoot: true -# runAsUser: 1000 - tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule @@ -80,7 +71,8 @@ affinity: {} nodeSelector: {} -## deployment specific configuration +## enable tls communication between all components +internalTLS: false apiserver: replicaCount: 1 
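Review bot: The default `portal` block makes the token issuer URL plain HTTP: with `https` commented out, the `portal.host` helper added in _helpers.tpl renders `http://ks-console.kubesphere-system.svc:30880` into `authentication.issuer.host`. That default also pairs a cluster-internal Service name with 30880, which the `console.nodePort` default suggests is a node port, so it may not be reachable as written. A comment above `http:` would make the expectation explicit, e.g. `## Plain HTTP is intended for evaluation only; set portal.https.port so the issuer URL uses TLS.` The values comment for `jwtSecret` should also state that a generated secret is only stable when the chart can `lookup` the existing ConfigMap.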
@@ -90,10 +82,10 @@ apiserver: tag: "" digest: "" pullPolicy: Always - ## Optionally specify an array of imagePullSecrets. + ## Optionally, specify an array of imagePullSecrets. ## Secrets must be manually created in the namespace. ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## e.g: + ## e.g.: ## pullSecrets: ## - myRegistryKeySecretName ## @@ -104,10 +96,8 @@ apiserver: - protocol: TCP containerPort: 9090 nodePort: 30881 - ## ks-apiserver resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## @param resources.limits The resources limits for the haproxy containers - ## @param resources.requests The requested resources for the haproxy containers + ## @param resources.limits The resource limits for the ks-apiserver containers + ## @param resources.requests The requested resources for the ks-apiserver containers ## resources: limits: @@ -121,17 +111,17 @@ apiserver: command: - ks-apiserver - --logtostderr=true - ## @param extraEnvVars Array with extra environment variables to add to haproxy nodes - ## e.g: + ## @param extraEnvVars Array with extra environment variables to add to ks-apiserver + ## e.g.: ## extraEnvVars: ## - name: FOO ## value: "bar" ## extraEnvVars: [] - ## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for the haproxy container(s) + ## @param extraVolumeMounts Optionally specify an extra list of additional volumeMounts for the ks-apiserver container(s) ## extraVolumeMounts: [] - ## @param extraVolumes Optionally specify extra list of additional volumes for the haproxy pod(s) + ## @param extraVolumes Optionally specify an extra list of additional volumes for the ks-apiserver pod(s) ## extraVolumes: [] 
@@ -143,21 +133,20 @@ console: tag: "" digest: "" pullPolicy: Always - ## Optionally specify an array of imagePullSecrets. + ## Optionally, specify an array of imagePullSecrets. ## Secrets must be manually created in the namespace. ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## e.g: + ## e.g.: ## pullSecrets: ## - myRegistryKeySecretName ## pullSecrets: [] - ## @param containerPorts [array] List of container ports to enable in the ks-apiserver container + ## @param containerPorts [array] List of container ports to enable in the ks-console container ## containerPorts: [] nodePort: 30880 - defaultClusterName: "default" - ## @param resources.limits The resources limits for the haproxy containers - ## @param resources.requests The requested resources for the haproxy containers + ## @param resources.limits The resource limits for the ks-console containers + ## @param resources.requests The requested resources for the ks-console containers ## resources: limits: @@ -169,13 +158,13 @@ console: ## @param command Override default container command (useful when using custom images) ## command: [] - ## @param extraEnvVars Array with extra environment variables to add to haproxy nodes + ## @param extraEnvVars Array with extra environment variables to add to ks-console ## extraEnvVars: [] - ## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for the haproxy container(s) + ## @param extraVolumeMounts Optionally specify an extra list of additional volumeMounts for the ks-console container(s) ## extraVolumeMounts: [] - ## @param extraVolumes Optionally specify extra list of additional volumes for the haproxy pod(s) + ## @param extraVolumes Optionally specify an extra list of additional volumes for the ks-console pod(s) ## extraVolumes: [] 
@@ -187,23 +176,23 @@ controller: tag: "" digest: "" pullPolicy: Always - ## Optionally specify an array of imagePullSecrets. + ## Optionally, specify an array of imagePullSecrets. ## Secrets must be manually created in the namespace. ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## e.g: + ## e.g.: ## pullSecrets: ## - myRegistryKeySecretName ## pullSecrets: [] - ## @param containerPorts [array] List of container ports to enable in the ks-apiserver container + ## @param containerPorts [array] List of container ports to enable in the ks-controller-manager container ## containerPorts: - containerPort: 8080 protocol: TCP - containerPort: 8443 protocol: TCP - ## @param resources.limits The resources limits for the haproxy containers - ## @param resources.requests The requested resources for the haproxy containers + ## @param resources.limits The resource limits for the ks-controller-manager containers + ## @param resources.requests The requested resources for the ks-controller-manager containers ## resources: limits: @@ -219,13 +208,13 @@ controller: - --logtostderr=true - --leader-elect=true - --controllers=* - ## @param extraEnvVars Array with extra environment variables to add to haproxy nodes + ## @param extraEnvVars Array with extra environment variables to add to ks-controller-manager ## extraEnvVars: [] - ## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for the haproxy container(s) + ## @param extraVolumeMounts Optionally specify an extra list of additional volumeMounts for the ks-controller-manager container(s) ## extraVolumeMounts: [] - ## @param extraVolumes Optionally specify extra list of additional volumes for the haproxy pod(s) + ## @param extraVolumes Optionally specify an extra list of additional volumes for the ks-controller-manager pod(s) ## extraVolumes: [] 
@@ -246,13 +235,6 @@ kubectl: tag: "v1.27.4" pullPolicy: IfNotPresent -# Set to enable/disable internal tls -# - false (default) -# - true -internalTLS: false - -hostname: example.com - ingress: # If set to false, ingress will not be created # Defaults to true @@ -286,7 +268,8 @@ nodeShell: extension: imageRegistry: "" - nodeSelector: {} + nodeSelector: + key: value upgrade: disabled: false From f989d2ddc9418319dee80c6234b2deba972f39f7 Mon Sep 17 00:00:00 2001 From: hongming Date: Wed, 31 Jan 2024 18:13:58 +0800 Subject: [PATCH 2/2] upgrade helm version to 3.14.0 --- build.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.sh b/build.sh index 1000fe20c..8c0aff0bc 100755 --- a/build.sh +++ b/build.sh @@ -17,7 +17,7 @@ helm() { "${currentDir}/helm" $@ } -helmVersion=3.6.3 +helmVersion=3.14.0 prepareHelm() { local helmUrl=https://get.helm.sh/helm-v$helmVersion-linux-amd64.tar.gz echo "Downloading Helm Client from '$helmUrl' ..."
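Review bot: The new default `extension.nodeSelector` of `key: value` (hunk at -286) looks like a placeholder, and kubesphere-config.yaml now copies any non-empty selector into the rendered config through `{{- if .Values.extension.nodeSelector }}`. With this default, extension workloads would presumably be constrained to nodes labelled `key=value`, which no cluster has unless someone adds the label. Unless this file under src/test is a deliberate fixture, the default should stay `nodeSelector: {}`, with the example moved into a comment.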