update ks-core helm chart

src/test/ks-core/templates/_helpers.tpl

@@ -96,6 +96,26 @@ Create the name of the service account to use
 {{- end }}
 {{- end }}
 
+{{- define "role" -}}
+{{- if eq .Values.role "" }}
+{{- with lookup "v1" "ConfigMap" (printf "%s" .Release.Namespace) "kubesphere-config" }}
+{{- with (fromYaml (index .data "kubesphere.yaml")) }}
+{{- if and .multicluster (.multicluster).clusterRole }}
+{{- .multicluster.clusterRole }}
+{{- else }}
+{{- $.Values.role | default "host" }}
+{{- end }}
+{{- else }}
+{{- $.Values.role | default "host" }}
+{{- end }}
+{{- else }}
+{{- $.Values.role | default "host" }}
+{{- end }}
+{{- else }}
+{{- .Values.role }}
+{{- end }}
+{{- end }}
+
 {{/*
 Returns user's password or use default
 */}}

src/test/ks-core/templates/builtinroles.yaml

@@ -19,7 +19,6 @@ role:
     annotations:
       kubesphere.io/creator: system
       kubesphere.io/description: '{"zh": "管理项目中的所有资源。", "en": "Manage all resources in the project."}'
-    labels:
       iam.kubesphere.io/auto-aggregate: "true"
     name: admin
   rules:
@@ -53,7 +52,6 @@ role:
     annotations:
       kubesphere.io/creator: system
       kubesphere.io/description: '{"zh": "管理项目中除用户和角色之外的资源。", "en": "Manage resources other than users and roles in the project."}'
-    labels:
       iam.kubesphere.io/auto-aggregate: "true"
     name: operator
   rules:
@@ -107,7 +105,6 @@ role:
     annotations:
       kubesphere.io/creator: system
       kubesphere.io/description: '{"zh": "查看项目中的所有资源。", "en": "View all resources in the project."}'
-    labels:
       iam.kubesphere.io/auto-aggregate: "true"
     name: viewer
   rules:
@@ -150,7 +147,6 @@ role:
     annotations:
       kubesphere.io/creator: system
       kubesphere.io/description: '{"zh": "管理企业空间中的所有资源。", "en": "Manage all resources in the workspace."}'
-    labels:
       iam.kubesphere.io/auto-aggregate: "true"
     name: admin
   rules:
@@ -183,7 +179,6 @@ role:
     annotations:
       kubesphere.io/creator: system
       kubesphere.io/description: '{"zh": "查看企业空间设置。", "en": "View workspace settings."}'
-    labels:
       iam.kubesphere.io/auto-aggregate: "true"
     name: regular
   rules:
@@ -219,7 +214,6 @@ role:
     annotations:
       kubesphere.io/creator: system
       kubesphere.io/description: '{"zh": "查看企业设置、创建项目。", "en": "View workspace settings, create projects."}'
-    labels:
       iam.kubesphere.io/auto-aggregate: "true"
     name: self-provisioner
   rules: []
@@ -249,7 +243,6 @@ role:
     annotations:
       kubesphere.io/creator: system
       kubesphere.io/description: '{"zh": "查看企业空间中的所有资源。", "en": "View all resources in the workspace."}'
-    labels:
       iam.kubesphere.io/auto-aggregate: "true"
     name: viewer
   rules:

src/test/ks-core/templates/clusterroles.yaml

@@ -4,9 +4,8 @@ metadata:
   annotations:
     kubesphere.io/creator: system
     kubesphere.io/description: '{"zh": "管理集群中的所有资源。", "en": "Manage all resources in the cluster."}'
-  name: cluster-admin
-  labels:
     iam.kubesphere.io/auto-aggregate: "true"
+  name: cluster-admin
 aggregationRoleTemplates:
   roleSelector:
     matchLabels:
@@ -31,9 +30,8 @@ metadata:
   annotations:
     kubesphere.io/creator: system
     kubesphere.io/description: '{"zh": "查看集群中的所有资源。", "en": "View all resources in the cluster."}'
-  name: cluster-viewer
-  labels:
     iam.kubesphere.io/auto-aggregate: "true"
+  name: cluster-viewer
 aggregationRoleTemplates:
   roleSelector:
     matchLabels:

src/test/ks-core/templates/extension-categories.yaml

@@ -1,4 +1,4 @@
-{{ if eq .Values.role "host" }}
+{{ if eq (include "role" .) "host" }}
 ---
 apiVersion: kubesphere.io/v1alpha1
 kind: Category

src/test/ks-core/templates/globalroles.yaml

@@ -19,9 +19,8 @@ rules:
 apiVersion: iam.kubesphere.io/v1beta1
 kind: GlobalRole
 metadata:
-  labels:
-    iam.kubesphere.io/auto-aggregate: "true"
   annotations:
+    iam.kubesphere.io/auto-aggregate: "true"
     iam.kubesphere.io/rego-override: |-
       package authz
       default allow = false
@@ -129,13 +128,6 @@ rules:
     verbs:
       - get
       - list
-  - apiGroups:
-      - license.kubesphere.io
-    resources:
-      - licenses
-    verbs:
-      - get
-      - list
   - apiGroups:
       - cluster.kubesphere.io
     resources:
@@ -168,7 +160,6 @@ metadata:
         allowedScopes := ["Workspace","Namespace","Cluster"]
         allowedScopes[_] == input.ResourceScope
       }
-  labels:
     iam.kubesphere.io/auto-aggregate: "true"
   name: platform-admin
 aggregationRoleTemplates:

src/test/ks-core/templates/ks-agent.yml

@@ -1,4 +1,4 @@
-{{ if eq .Values.role "member" }}
+{{ if eq (include "role" .) "member" }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:

src/test/ks-core/templates/ks-apiserver.yml

@@ -1,4 +1,4 @@
-{{ if eq .Values.role "host" }}
+{{ if eq (include "role" .) "host" }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:

src/test/ks-core/templates/ks-console.yml

@@ -1,4 +1,4 @@
-{{ if eq .Values.role "host" }}
+{{ if eq (include "role" .) "host" }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:

src/test/ks-core/templates/ks-controller-manager.yaml

@@ -1,4 +1,4 @@
-{{ if eq .Values.role "host" }}
+{{ if eq (include "role" .) "host" }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:

src/test/ks-core/templates/kubesphere-config.yaml

@@ -13,14 +13,14 @@ data:
         host: {{ include "portal.host" . | quote }}
         jwtSecret: {{ include "jwtSecret" . | quote }}
         maximumClockSkew: {{ .Values.authentication.issuer.maximumClockSkew | default "10s" }}
-        {{- if eq .Values.role "member" }}
+        {{- if eq (include "role" .) "member" }}
         accessTokenMaxAge: 0s
         {{- else }}
         accessTokenMaxAge: {{ .Values.authentication.issuer.accessTokenMaxAge }}
         {{- end }}
         accessTokenInactivityTimeout: {{ .Values.authentication.issuer.accessTokenInactivityTimeout }}
     multicluster:
-      clusterRole: {{ .Values.role }}
+      clusterRole: {{ include "role" . | quote }}
     terminal:
       kubectl:
         image: {{ template "kubectl.image" . }}

src/test/ks-core/templates/marketplace-config.yaml

@@ -1,4 +1,4 @@
-{{- if eq .Values.role "host" }}
+{{- if eq (include "role" .) "host" }}
 {{- if .Values.cloud.enabled }}
 apiVersion: v1
 stringData:

src/test/ks-core/templates/oauthclient-config.yaml

@@ -1,4 +1,4 @@
-{{ if eq .Values.role "host" }}
+{{ if eq (include "role" .) "host" }}
 apiVersion: v1
 stringData:
   configuration.yaml: |

src/test/ks-core/templates/services.yml

@@ -23,7 +23,7 @@ spec:
       {{- toYaml . | nindent 8 }}
     {{- end }}
   selector:
-    {{- if eq .Values.role "host" }}
+    {{- if eq (include "role" .) "host" }}
     app: ks-apiserver
     {{- else }}
     app: ks-agent
@@ -52,7 +52,7 @@ spec:
       protocol: TCP
       targetPort: 8443
   selector:
-    {{- if eq .Values.role "host" }}
+    {{- if eq (include "role" .) "host" }}
     app: ks-controller-manager
     {{- else }}
     app: ks-agent

src/test/ks-core/templates/webhook.yaml

@@ -14,7 +14,7 @@ metadata:
   name: ks-controller-manager-webhook-cert
 type: Opaque
 
-{{ if eq .Values.role "host" }}
+{{ if eq (include "role" .) "host" }}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
@@ -284,41 +284,6 @@ webhooks:
 
 ---
 apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
-  name: license.kubesphere.io
-webhooks:
-  - admissionReviewVersions:
-      - v1
-    clientConfig:
-      caBundle: {{ b64enc $ca.Cert | quote }}
-      service:
-        name: ks-controller-manager
-        namespace: kubesphere-system
-        path: /license-cluster-checker
-        port: 443
-    name: license-cluster-checker.kubesphere.io
-    failurePolicy: Ignore
-    matchPolicy: Exact
-    namespaceSelector: {}
-    objectSelector:
-      matchExpressions:
-        - key: cluster-role.kubesphere.io/host
-          operator: DoesNotExist
-    rules:
-      - apiGroups:
-          - cluster.kubesphere.io
-        apiVersions:
-          - v1alpha1
-        operations:
-          - CREATE
-        resources:
-          - clusters
-        scope: '*'
-    sideEffects: None
-    timeoutSeconds: 30
----
-apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
   name: defaulter.config.kubesphere.io

src/test/ks-core/templates/workspace.yaml

@@ -1,4 +1,4 @@
-{{ if eq .Values.role "host" }}
+{{ if eq (include "role" .) "host" }}
 apiVersion: tenant.kubesphere.io/v1beta1
 kind: WorkspaceTemplate
 metadata:

src/test/ks-core/values.yaml

@@ -20,7 +20,8 @@ commonAnnotations: {}
 
 ## Role represents the role of the current cluster,
 ## and it can have one of two values: "host" or "member".
-role: host
+## Priority: specified in values > get from kubesphere-config > default role (host)
+role: ""
 
 portal:
   ## The IP address or hostname to access ks-console service.
@@ -40,6 +41,7 @@ authentication:
   issuer:
     maximumClockSkew: 10s
     # Jwt Secret is required by ks-apiserver, a random string would be generated if it's empty
+    # Priority: specified in values > get from kubesphere-config > default jwtSecret (a random string)
     jwtSecret: ""
     accessTokenMaxAge: 2h
     accessTokenInactivityTimeout: 30m
@@ -445,7 +447,7 @@ upgrade:
       extensionRef:
         name: "kubefed"
         version: "1.0.0"
-        namespace: "extension-kubefed"
+        namespace: "kube-federation-system"
         configMap: "extension-kubefed-1.0.0-chart"
         configMapKey: "chart.tgz"
         configMapNamespace: "kubesphere-system"