From 9b08c5f9277f506ee917e297de471bebd9f331f1 Mon Sep 17 00:00:00 2001 From: ci-bot Date: Fri, 15 Mar 2024 07:35:26 +0000 Subject: [PATCH] update ks-core helm chart --- src/test/ks-core/templates/_helpers.tpl | 20 ++++++++++ src/test/ks-core/templates/builtinroles.yaml | 7 ---- src/test/ks-core/templates/clusterroles.yaml | 6 +-- .../templates/extension-categories.yaml | 2 +- src/test/ks-core/templates/globalroles.yaml | 11 +----- src/test/ks-core/templates/ks-agent.yml | 2 +- src/test/ks-core/templates/ks-apiserver.yml | 2 +- src/test/ks-core/templates/ks-console.yml | 2 +- .../templates/ks-controller-manager.yaml | 2 +- .../ks-core/templates/kubesphere-config.yaml | 4 +- .../ks-core/templates/marketplace-config.yaml | 2 +- .../ks-core/templates/oauthclient-config.yaml | 2 +- src/test/ks-core/templates/services.yml | 4 +- src/test/ks-core/templates/webhook.yaml | 37 +------------------ src/test/ks-core/templates/workspace.yaml | 2 +- src/test/ks-core/values.yaml | 6 ++- 16 files changed, 40 insertions(+), 71 deletions(-) diff --git a/src/test/ks-core/templates/_helpers.tpl b/src/test/ks-core/templates/_helpers.tpl index 66a8cf117..a012260b7 100644 --- a/src/test/ks-core/templates/_helpers.tpl +++ b/src/test/ks-core/templates/_helpers.tpl @@ -96,6 +96,26 @@ Create the name of the service account to use {{- end }} {{- end }} +{{- define "role" -}} +{{- if eq .Values.role "" }} +{{- with lookup "v1" "ConfigMap" (printf "%s" .Release.Namespace) "kubesphere-config" }} +{{- with (fromYaml (index .data "kubesphere.yaml")) }} +{{- if and .multicluster (.multicluster).clusterRole }} +{{- .multicluster.clusterRole }} +{{- else }} +{{- $.Values.role | default "host" }} +{{- end }} +{{- else }} +{{- $.Values.role | default "host" }} +{{- end }} +{{- else }} +{{- $.Values.role | default "host" }} +{{- end }} +{{- else }} +{{- .Values.role }} +{{- end }} +{{- end }} + {{/* Returns user's password or use default */}} 
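Review bot: The new `role` helper returns whatever string it finds in `.Values.role` or in `multicluster.clusterRole` of the existing `kubesphere-config` ConfigMap, without checking it against the two supported values. Every template touched by this patch then branches on that string, and services.yml sends anything that is not `host` to `app: ks-agent` while ks-agent.yml only deploys for `member`. A typo or a drifted ConfigMap value therefore produces a partially rendered release instead of an error. Resolving the role into a variable and calling `fail` unless it is `host` or `member` makes the chart fail closed; the sketch below keeps the lookup order and the `host` default.

```gotemplate
{{- define "role" -}}
{{- $role := .Values.role | default "" -}}
{{- if eq $role "" -}}
{{- $role = "host" -}}
{{- with lookup "v1" "ConfigMap" .Release.Namespace "kubesphere-config" -}}
{{- with (fromYaml (index .data "kubesphere.yaml")) -}}
{{- if and .multicluster (.multicluster).clusterRole -}}
{{- $role = .multicluster.clusterRole -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if not (has $role (list "host" "member")) -}}
{{- fail (printf "role must be \"host\" or \"member\", got %q" $role) -}}
{{- end -}}
{{- $role -}}
{{- end }}
```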
diff --git a/src/test/ks-core/templates/builtinroles.yaml b/src/test/ks-core/templates/builtinroles.yaml index 2bb48b65b..e14db6a72 100644 --- a/src/test/ks-core/templates/builtinroles.yaml +++ b/src/test/ks-core/templates/builtinroles.yaml @@ -19,7 +19,6 @@ role: annotations: kubesphere.io/creator: system kubesphere.io/description: '{"zh": "管理项目中的所有资源。", "en": "Manage all resources in the project."}' - labels: iam.kubesphere.io/auto-aggregate: "true" name: admin rules: @@ -53,7 +52,6 @@ role: annotations: kubesphere.io/creator: system kubesphere.io/description: '{"zh": "管理项目中除用户和角色之外的资源。", "en": "Manage resources other than users and roles in the project."}' - labels: iam.kubesphere.io/auto-aggregate: "true" name: operator rules: @@ -107,7 +105,6 @@ role: annotations: kubesphere.io/creator: system kubesphere.io/description: '{"zh": "查看项目中的所有资源。", "en": "View all resources in the project."}' - labels: iam.kubesphere.io/auto-aggregate: "true" name: viewer rules: @@ -150,7 +147,6 @@ role: annotations: kubesphere.io/creator: system kubesphere.io/description: '{"zh": "管理企业空间中的所有资源。", "en": "Manage all resources in the workspace."}' - labels: iam.kubesphere.io/auto-aggregate: "true" name: admin rules: @@ -183,7 +179,6 @@ role: annotations: kubesphere.io/creator: system kubesphere.io/description: '{"zh": "查看企业空间设置。", "en": "View workspace settings."}' - labels: iam.kubesphere.io/auto-aggregate: "true" name: regular rules: @@ -219,7 +214,6 @@ role: annotations: kubesphere.io/creator: system kubesphere.io/description: '{"zh": "查看企业设置、创建项目。", "en": "View workspace settings, create projects."}' - labels: iam.kubesphere.io/auto-aggregate: "true" name: self-provisioner rules: [] @@ -249,7 +243,6 @@ role: annotations: kubesphere.io/creator: system kubesphere.io/description: '{"zh": "查看企业空间中的所有资源。", "en": "View all resources in the workspace."}' - labels: iam.kubesphere.io/auto-aggregate: "true" name: viewer rules: 
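Review bot: Each of these seven hunks deletes only the `labels:` line, which leaves `iam.kubesphere.io/auto-aggregate: "true"` as a child of the preceding `annotations:` map, so the marker silently changes from a label to an annotation. This assumes the line keeps its indentation, which the page does not preserve. The same move is made in clusterroles.yaml and, explicitly, in the first globalroles.yaml hunk. If the component that aggregates role templates, or any label selector, still looks for the label, these built-in roles stop being aggregated and their effective permissions change, so confirm that the controller version shipped with this chart reads the annotation. A one-line comment above the key, such as `# auto-aggregate is an annotation in this chart version, not a label`, would make the intent visible in the template.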
diff --git a/src/test/ks-core/templates/clusterroles.yaml b/src/test/ks-core/templates/clusterroles.yaml index 109ddb048..5aa0a707f 100644 --- a/src/test/ks-core/templates/clusterroles.yaml +++ b/src/test/ks-core/templates/clusterroles.yaml @@ -4,9 +4,8 @@ metadata: annotations: kubesphere.io/creator: system kubesphere.io/description: '{"zh": "管理集群中的所有资源。", "en": "Manage all resources in the cluster."}' - name: cluster-admin - labels: iam.kubesphere.io/auto-aggregate: "true" + name: cluster-admin aggregationRoleTemplates: roleSelector: matchLabels: @@ -31,9 +30,8 @@ metadata: annotations: kubesphere.io/creator: system kubesphere.io/description: '{"zh": "查看集群中的所有资源。", "en": "View all resources in the cluster."}' - name: cluster-viewer - labels: iam.kubesphere.io/auto-aggregate: "true" + name: cluster-viewer aggregationRoleTemplates: roleSelector: matchLabels: diff --git a/src/test/ks-core/templates/extension-categories.yaml b/src/test/ks-core/templates/extension-categories.yaml index 517e692c9..f08532039 100644 --- a/src/test/ks-core/templates/extension-categories.yaml +++ b/src/test/ks-core/templates/extension-categories.yaml @@ -1,4 +1,4 @@ -{{ if eq .Values.role "host" }} +{{ if eq (include "role" .) "host" }} --- apiVersion: kubesphere.io/v1alpha1 kind: Category diff --git a/src/test/ks-core/templates/globalroles.yaml b/src/test/ks-core/templates/globalroles.yaml index dff003ae8..2525d82e8 100644 --- a/src/test/ks-core/templates/globalroles.yaml +++ b/src/test/ks-core/templates/globalroles.yaml @@ -19,9 +19,8 @@ rules: apiVersion: iam.kubesphere.io/v1beta1 kind: GlobalRole metadata: - labels: - iam.kubesphere.io/auto-aggregate: "true" annotations: + iam.kubesphere.io/auto-aggregate: "true" iam.kubesphere.io/rego-override: |- package authz default allow = false @@ -129,13 +128,6 @@ rules: verbs: - get - list - - apiGroups: - - license.kubesphere.io - resources: - - licenses - verbs: - - get - - list - apiGroups: - cluster.kubesphere.io resources: 
@@ -168,7 +160,6 @@ metadata: allowedScopes := ["Workspace","Namespace","Cluster"] allowedScopes[_] == input.ResourceScope } - labels: iam.kubesphere.io/auto-aggregate: "true" name: platform-admin aggregationRoleTemplates: diff --git a/src/test/ks-core/templates/ks-agent.yml b/src/test/ks-core/templates/ks-agent.yml index 0bb0efe92..1b5a3fc54 100644 --- a/src/test/ks-core/templates/ks-agent.yml +++ b/src/test/ks-core/templates/ks-agent.yml @@ -1,4 +1,4 @@ -{{ if eq .Values.role "member" }} +{{ if eq (include "role" .) "member" }} apiVersion: apps/v1 kind: Deployment metadata: diff --git a/src/test/ks-core/templates/ks-apiserver.yml b/src/test/ks-core/templates/ks-apiserver.yml index e2276f2b5..33a3d232d 100644 --- a/src/test/ks-core/templates/ks-apiserver.yml +++ b/src/test/ks-core/templates/ks-apiserver.yml @@ -1,4 +1,4 @@ -{{ if eq .Values.role "host" }} +{{ if eq (include "role" .) "host" }} apiVersion: apps/v1 kind: Deployment metadata: diff --git a/src/test/ks-core/templates/ks-console.yml b/src/test/ks-core/templates/ks-console.yml index 252f08382..24b480490 100644 --- a/src/test/ks-core/templates/ks-console.yml +++ b/src/test/ks-core/templates/ks-console.yml @@ -1,4 +1,4 @@ -{{ if eq .Values.role "host" }} +{{ if eq (include "role" .) "host" }} apiVersion: apps/v1 kind: Deployment metadata: diff --git a/src/test/ks-core/templates/ks-controller-manager.yaml b/src/test/ks-core/templates/ks-controller-manager.yaml index 3e22659e7..f47042205 100644 --- a/src/test/ks-core/templates/ks-controller-manager.yaml +++ b/src/test/ks-core/templates/ks-controller-manager.yaml @@ -1,4 +1,4 @@ -{{ if eq .Values.role "host" }} +{{ if eq (include "role" .) "host" }} apiVersion: apps/v1 kind: Deployment metadata: diff --git a/src/test/ks-core/templates/kubesphere-config.yaml b/src/test/ks-core/templates/kubesphere-config.yaml index de02155ba..75206391f 100644 --- a/src/test/ks-core/templates/kubesphere-config.yaml +++ b/src/test/ks-core/templates/kubesphere-config.yaml 
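Review bot: In the `platform-admin` hunk of globalroles.yaml, `iam.kubesphere.io/auto-aggregate: "true"` now directly follows the body of what appears to be the `rego-override` block scalar, so only its indentation separates a metadata key from the text of the authorization policy. The first GlobalRole hunk in this file places the same key above `iam.kubesphere.io/rego-override: |-`. Doing the same here, `annotations:` followed by `iam.kubesphere.io/auto-aggregate: "true"` and then the `rego-override` entry, keeps the two roles consistent and stops a later re-indent from folding the key into the Rego source. The metadata block starts outside the hunk and the page has lost the original indentation, so the current nesting should be checked on the rendered manifest.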
@@ -13,14 +13,14 @@ data: host: {{ include "portal.host" . | quote }} jwtSecret: {{ include "jwtSecret" . | quote }} maximumClockSkew: {{ .Values.authentication.issuer.maximumClockSkew | default "10s" }} - {{- if eq .Values.role "member" }} + {{- if eq (include "role" .) "member" }} accessTokenMaxAge: 0s {{- else }} accessTokenMaxAge: {{ .Values.authentication.issuer.accessTokenMaxAge }} {{- end }} accessTokenInactivityTimeout: {{ .Values.authentication.issuer.accessTokenInactivityTimeout }} multicluster: - clusterRole: {{ .Values.role }} + clusterRole: {{ include "role" . | quote }} terminal: kubectl: image: {{ template "kubectl.image" . }} diff --git a/src/test/ks-core/templates/marketplace-config.yaml b/src/test/ks-core/templates/marketplace-config.yaml index 5eefed86e..751fc49a6 100644 --- a/src/test/ks-core/templates/marketplace-config.yaml +++ b/src/test/ks-core/templates/marketplace-config.yaml @@ -1,4 +1,4 @@ -{{- if eq .Values.role "host" }} +{{- if eq (include "role" .) "host" }} {{- if .Values.cloud.enabled }} apiVersion: v1 stringData: diff --git a/src/test/ks-core/templates/oauthclient-config.yaml b/src/test/ks-core/templates/oauthclient-config.yaml index 98bfebcba..a97f84779 100644 --- a/src/test/ks-core/templates/oauthclient-config.yaml +++ b/src/test/ks-core/templates/oauthclient-config.yaml @@ -1,4 +1,4 @@ -{{ if eq .Values.role "host" }} +{{ if eq (include "role" .) "host" }} apiVersion: v1 stringData: configuration.yaml: | diff --git a/src/test/ks-core/templates/services.yml b/src/test/ks-core/templates/services.yml index 1c19df1c5..94654c80b 100644 --- a/src/test/ks-core/templates/services.yml +++ b/src/test/ks-core/templates/services.yml @@ -23,7 +23,7 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} selector: - {{- if eq .Values.role "host" }} + {{- if eq (include "role" .) "host" }} app: ks-apiserver {{- else }} app: ks-agent 
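Review bot: In the kubesphere-config.yaml hunk, `multicluster.clusterRole` is now written from `include "role" .`, and with `role: ""` that helper reads the same key back from the existing `kubesphere-config` ConfigMap, so the chart carries the live value forward rather than resetting it on upgrade. The `member` branch just above renders `accessTokenMaxAge: 0s`, which means drift in that one key also changes the issuer's token lifetime at the next upgrade. I would add a template comment above the `clusterRole` line, for example `{{- /* with role unset, this value is read back from the live kubesphere-config; set .Values.role to pin it */}}`, and pin `role` in the values of managed deployments. The surrounding `data:` block starts and ends outside the hunk.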
@@ -52,7 +52,7 @@ spec: protocol: TCP targetPort: 8443 selector: - {{- if eq .Values.role "host" }} + {{- if eq (include "role" .) "host" }} app: ks-controller-manager {{- else }} app: ks-agent diff --git a/src/test/ks-core/templates/webhook.yaml b/src/test/ks-core/templates/webhook.yaml index 0c3d05113..c7a465654 100644 --- a/src/test/ks-core/templates/webhook.yaml +++ b/src/test/ks-core/templates/webhook.yaml @@ -14,7 +14,7 @@ metadata: name: ks-controller-manager-webhook-cert type: Opaque -{{ if eq .Values.role "host" }} +{{ if eq (include "role" .) "host" }} --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration @@ -284,41 +284,6 @@ webhooks: --- apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: license.kubesphere.io -webhooks: - - admissionReviewVersions: - - v1 - clientConfig: - caBundle: {{ b64enc $ca.Cert | quote }} - service: - name: ks-controller-manager - namespace: kubesphere-system - path: /license-cluster-checker - port: 443 - name: license-cluster-checker.kubesphere.io - failurePolicy: Ignore - matchPolicy: Exact - namespaceSelector: {} - objectSelector: - matchExpressions: - - key: cluster-role.kubesphere.io/host - operator: DoesNotExist - rules: - - apiGroups: - - cluster.kubesphere.io - apiVersions: - - v1alpha1 - operations: - - CREATE - resources: - - clusters - scope: '*' - sideEffects: None - timeoutSeconds: 30 ---- -apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: name: defaulter.config.kubesphere.io diff --git a/src/test/ks-core/templates/workspace.yaml b/src/test/ks-core/templates/workspace.yaml index 40ec9a335..521252180 100644 --- a/src/test/ks-core/templates/workspace.yaml +++ b/src/test/ks-core/templates/workspace.yaml @@ -1,4 +1,4 @@ -{{ if eq .Values.role "host" }} +{{ if eq (include "role" .) "host" }} apiVersion: tenant.kubesphere.io/v1beta1 kind: WorkspaceTemplate metadata: 
diff --git a/src/test/ks-core/values.yaml b/src/test/ks-core/values.yaml index d3dcee6c7..a755f507c 100644 --- a/src/test/ks-core/values.yaml +++ b/src/test/ks-core/values.yaml @@ -20,7 +20,8 @@ commonAnnotations: {} ## Role represents the role of the current cluster, ## and it can have one of two values: "host" or "member". -role: host +## Priority: specified in values > get from kubesphere-config > default role (host) +role: "" portal: ## The IP address or hostname to access ks-console service. @@ -40,6 +41,7 @@ authentication: issuer: maximumClockSkew: 10s # Jwt Secret is required by ks-apiserver, a random string would be generated if it's empty + # Priority: specified in values > get from kubesphere-config > default jwtSecret (a random string) jwtSecret: "" accessTokenMaxAge: 2h accessTokenInactivityTimeout: 30m @@ -445,7 +447,7 @@ upgrade: extensionRef: name: "kubefed" version: "1.0.0" - namespace: "extension-kubefed" + namespace: "kube-federation-system" configMap: "extension-kubefed-1.0.0-chart" configMapKey: "chart.tgz" configMapNamespace: "kubesphere-system"
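Review bot: The new `Priority` comment on `role` leaves out that the "get from kubesphere-config" step relies on Helm's `lookup`, which returns nothing under `helm template` and client-side `--dry-run`. In those render paths an empty `role` falls through to `host`, so a member cluster would get the host-only templates gated in this patch (ks-apiserver, ks-console, the webhook configurations) instead of ks-agent. I would extend the comment with a line such as `## The kubesphere-config lookup needs a live cluster; under "helm template" or client-side dry-run an empty role renders as "host", so set it explicitly on member clusters.` The `jwtSecret` priority comment may need the same caveat, but its helper is not part of this page.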