From 0afa5f11cda30681fb07f56a845e07152a36736d Mon Sep 17 00:00:00 2001 From: ci-bot Date: Tue, 5 Mar 2024 17:13:01 +0000 Subject: [PATCH] update ks-core helm chart --- src/test/ks-core/Chart.yaml | 2 +- ...pplication.kubesphere.io_applications.yaml | 13 ++++++ .../crds/application.kubesphere.io_repos.yaml | 7 +-- .../crds/cluster.kubesphere.io_clusters.yaml | 5 +++ .../templates/customresourcefilters.yaml | 45 +++++++++++++++++++ src/test/ks-core/templates/globalroles.yaml | 13 ++++++ .../ks-core/templates/marketplace-config.yaml | 12 +++-- src/test/ks-core/templates/roletemplates.yaml | 16 +++++++ src/test/ks-core/templates/user.yaml | 1 + src/test/ks-core/values.yaml | 14 +++++- 10 files changed, 117 insertions(+), 11 deletions(-) create mode 100644 src/test/ks-core/templates/customresourcefilters.yaml diff --git a/src/test/ks-core/Chart.yaml b/src/test/ks-core/Chart.yaml index b46e0e8ea..ca18c2e6a 100644 --- a/src/test/ks-core/Chart.yaml +++ b/src/test/ks-core/Chart.yaml @@ -7,7 +7,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.6.6 +version: 0.6.7 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/src/test/ks-core/crds/application.kubesphere.io_applications.yaml b/src/test/ks-core/crds/application.kubesphere.io_applications.yaml index 75fdafda2..1cd425082 100644 --- a/src/test/ks-core/crds/application.kubesphere.io_applications.yaml +++ b/src/test/ks-core/crds/application.kubesphere.io_applications.yaml 
@@ -63,6 +63,19 @@ spec: type: array icon: type: string + resources: + items: + properties: + Group: + type: string + Kind: + type: string + Resource: + type: string + Version: + type: string + type: object + type: array type: object status: description: ApplicationStatus defines the observed state of Application diff --git a/src/test/ks-core/crds/application.kubesphere.io_repos.yaml b/src/test/ks-core/crds/application.kubesphere.io_repos.yaml index 36e39144a..cf1e6e252 100644 --- a/src/test/ks-core/crds/application.kubesphere.io_repos.yaml +++ b/src/test/ks-core/crds/application.kubesphere.io_repos.yaml @@ -55,7 +55,6 @@ spec: description: RepoSpec defines the desired state of Repo properties: credential: - description: ' repo credential' properties: caFile: description: verify certificates of HTTPS-enabled servers using @@ -80,14 +79,12 @@ spec: type: string type: object description: - description: chart repo description from frontend type: string + global: + type: boolean syncPeriod: - description: sync period in seconds, no sync when SyncPeriod=0, the - minimum SyncPeriod is 180s type: integer url: - description: ' repo url' type: string required: - url diff --git a/src/test/ks-core/crds/cluster.kubesphere.io_clusters.yaml b/src/test/ks-core/crds/cluster.kubesphere.io_clusters.yaml index 9181979f6..65f608e5a 100644 --- a/src/test/ks-core/crds/cluster.kubesphere.io_clusters.yaml +++ b/src/test/ks-core/crds/cluster.kubesphere.io_clusters.yaml @@ -45,6 +45,11 @@ spec: type: object spec: properties: + config: + description: Config represents the custom helm chart values used when + installing the cluster + format: byte + type: string connection: description: Connection holds info to connect to the member cluster properties: diff --git a/src/test/ks-core/templates/customresourcefilters.yaml b/src/test/ks-core/templates/customresourcefilters.yaml new file mode 100644 index 000000000..12f73cfc1 --- /dev/null +++ b/src/test/ks-core/templates/customresourcefilters.yaml 
@@ -0,0 +1,45 @@ +apiVersion: v1 +stringData: + configuration.yaml: | + resource: + group: "kubesphere.io" + version: "v1alpha1" + kind: "Extension" + regoPolicy: | + package filter + + import rego.v1 + + default match := false + + match if { + not listAvailableExtension + } + + match if { + listAvailableExtension + isSubscribed + } + + match if { + listAvailableExtension + isInstalled + } + + match if { + listAvailableExtension + not hasExtensionID + } + + listAvailableExtension if ["available"][_] == input.filter.field + + isSubscribed if input.object.metadata.labels["marketplace.kubesphere.io/subscribed"] == "true" + + isInstalled if input.object.status.state != "" + + hasExtensionID if input.object.metadata.labels["marketplace.kubesphere.io/extension-id"] != "" +kind: Secret +metadata: + name: extensions.customresourcefilters.kubesphere + namespace: kubesphere-system +type: config.kubesphere.io/custom-resource-filter \ No newline at end of file diff --git a/src/test/ks-core/templates/globalroles.yaml b/src/test/ks-core/templates/globalroles.yaml index aca0109cc..dff003ae8 100644 --- a/src/test/ks-core/templates/globalroles.yaml +++ b/src/test/ks-core/templates/globalroles.yaml @@ -155,6 +155,19 @@ metadata: annotations: kubesphere.io/creator: admin kubesphere.io/description: '{"zh": "管理 KubeSphere 平台上的所有资源。", "en": "Manage all resources on the KubeSphere platform."}' + iam.kubesphere.io/rego-override: >- + package authz + default allow = false + allow = true { + allowedScopes := ["Workspace","Namespace","Cluster"] + allowedScopes[_] == input.ResourceScope + allowedVerbs := ["get","list","watch"] + allowedVerbs[_] == input.Verb + } + allow = true { + allowedScopes := ["Workspace","Namespace","Cluster"] + allowedScopes[_] == input.ResourceScope + } labels: iam.kubesphere.io/auto-aggregate: "true" name: platform-admin 
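Review bot: The `regoPolicy` filter lets every Extension through whenever `input.filter.field` is anything other than `available`, including when the field is absent, because the first `match` rule only tests `not listAvailableExtension`; nothing in the file records that this is intended. A Rego comment above `default match := false` would state it, for example `# Only the "available" listing is narrowed; every other query returns all Extensions.` The manifest also hard-codes `namespace: kubesphere-system` and has no role guard like the one in marketplace-config.yaml, so it is rendered on every install. If the chart is meant to be installable into another namespace, `namespace: {{ .Release.Namespace }}` would follow the release.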
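Review bot: The `iam.kubesphere.io/rego-override` annotation on `platform-admin` is a folded scalar (`>-`), while the two overrides added in roletemplates.yaml use `|-`. Folding joins lines of equal indentation with spaces, so `package authz`, `default allow = false` and the first rule head would likely reach the Rego parser as one line; `iam.kubesphere.io/rego-override: |-` keeps the policy as written. Indentation is not visible in this view, so the effect should be confirmed on the rendered manifest. Separately, the first `allow` rule (scope plus `get`/`list`/`watch`) is fully covered by the second rule, which checks scope only, so it can be dropped, or the second rule given a comment saying that all verbs are intended.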
diff --git a/src/test/ks-core/templates/marketplace-config.yaml b/src/test/ks-core/templates/marketplace-config.yaml index e23f487ac..5eefed86e 100644 --- a/src/test/ks-core/templates/marketplace-config.yaml +++ b/src/test/ks-core/templates/marketplace-config.yaml @@ -1,8 +1,9 @@ -{{ if eq .Values.role "host" }} +{{- if eq .Values.role "host" }} +{{- if .Values.cloud.enabled }} apiVersion: v1 stringData: configuration.yaml: | -{{- if .Values.devMode }} +{{- if eq .Values.cloud.env "clouddev.kubesphere.io" }} url: https://clouddev.kubesphere.io oauth: clientID: "client-a5cdf64c-7f84-415e-a6b1-8dfbfad493c3" @@ -13,7 +14,7 @@ stringData: url: https://app.clouddev.kubesphere.io repoName: marketplace syncPeriod: 60m -{{- else }} +{{- else if eq .Values.cloud.env "kubesphere.cloud" }} url: https://kubesphere.cloud oauth: clientID: "client-a5cdf64c-7f84-415e-a6b1-8dfbfad493c3" @@ -24,6 +25,8 @@ stringData: url: https://app.kubesphere.cloud repoName: marketplace syncPeriod: 60m +{{- else if .Values.cloud.customEnv }} + {{- toYaml .Values.cloud.customEnv | nindent 4 }} {{- end }} kind: Secret metadata: @@ -32,4 +35,5 @@ metadata: labels: config.kubesphere.io/type: marketplace type: config.kubesphere.io/marketplace -{{ end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/src/test/ks-core/templates/roletemplates.yaml b/src/test/ks-core/templates/roletemplates.yaml index 87b7dcac2..7571232e6 100644 --- a/src/test/ks-core/templates/roletemplates.yaml +++ b/src/test/ks-core/templates/roletemplates.yaml 
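Review bot: The new `if` / `else if` / `else if` chain in the `-24,6 +25,8` hunk has no final branch. With `cloud.enabled: true`, a `cloud.env` that matches neither known host and no `cloud.customEnv`, the Secret is still rendered, with an empty `configuration.yaml`. Adding `{{- else }}` followed by `{{- fail "cloud.env must be kubesphere.cloud or clouddev.kubesphere.io, or cloud.customEnv must be set" }}` before the `{{- end }}` would turn a typo in `cloud.env` into an install-time error instead of a silently empty marketplace config. The `customEnv` branch is also reached only when `cloud.env` matches neither built-in value, so a custom environment is ignored while `env` keeps its default; the comment in values.yaml does not mention this.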
@@ -195,6 +195,15 @@ kind: RoleTemplate metadata: annotations: iam.kubesphere.io/role-template-rules: '{"clusters": "view"}' + iam.kubesphere.io/rego-override: |- + package authz + default allow = false + allow = true { + allowedScopes := ["Workspace","Namespace","Cluster"] + allowedScopes[_] == input.ResourceScope + allowedVerbs := ["get","list","watch"] + allowedVerbs[_] == input.Verb + } labels: iam.kubesphere.io/category: global-cluster-management iam.kubesphere.io/scope: "global" @@ -266,6 +275,13 @@ metadata: iam.kubesphere.io/dependencies: '["global-view-clusters"]' iam.kubesphere.io/role-template-rules: '{"clusters": "manage"}' kubesphere.io/description: '{"zh":"创建集群、删除集群和管理集群中的所有资源。"}' + iam.kubesphere.io/rego-override: |- + package authz + default allow = false + allow = true { + allowedScopes := ["Workspace","Namespace","Cluster"] + allowedScopes[_] == input.ResourceScope + } labels: iam.kubesphere.io/category: global-cluster-management iam.kubesphere.io/scope: "global" diff --git a/src/test/ks-core/templates/user.yaml b/src/test/ks-core/templates/user.yaml index d19386b0e..10fabef94 100644 --- a/src/test/ks-core/templates/user.yaml +++ b/src/test/ks-core/templates/user.yaml @@ -5,6 +5,7 @@ metadata: annotations: iam.kubesphere.io/uninitialized: "true" iam.kubesphere.io/globalrole: "platform-admin" + kubesphere.io/creator: "system" spec: email: admin@kubesphere.io password: {{ include "getOrDefaultPass" . | quote }} diff --git a/src/test/ks-core/values.yaml b/src/test/ks-core/values.yaml index acec123ca..e25a66dd1 100644 --- a/src/test/ks-core/values.yaml +++ b/src/test/ks-core/values.yaml 
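Review bot: The override added in the `-195,6 +195,15` hunk allows `get`, `list` and `watch` for any request whose `input.ResourceScope` is Workspace, Namespace or Cluster, with no condition on the resource type. If the override replaces the `{"clusters": "view"}` rules rather than adding to them, which is not visible here, this view template can read every resource in those scopes, Secrets included. A YAML comment above the annotation such as `# rego-override: read-only on ALL resource types in workspace/namespace/cluster scope` would make the intended breadth explicit, and a resource condition is worth considering if that breadth is not wanted. The same scope check is repeated in the `-266,6 +275,13` hunk and in globalroles.yaml, all in the older `allow = true {` form, while customresourcefilters.yaml in this commit uses `import rego.v1`. Using one Rego dialect across the chart would keep the policies easier to audit.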
@@ -287,6 +287,18 @@ nodeShell: tag: "3.18.4" pullPolicy: IfNotPresent +cloud: + enabled: true + ## kubesphere.cloud or clouddev.kubesphere.io + env: "kubesphere.cloud" + customEnv: +# url: https://kubesphere.cloud +# subscription: +# syncPeriod: 60m +# repository: +# url: https://app.kubesphere.cloud +# repoName: marketplace +# syncPeriod: 60m extension: imageRegistry: "" @@ -363,7 +375,7 @@ upgrade: - amd64 overrides: k: v - dynamicOptions: { } + dynamicOptions: {} devops: disabled: false priority: 100
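Review bot: `cloud.enabled` defaults to `true`, so a host-role install renders the marketplace Secret for `https://kubesphere.cloud` with `syncPeriod: 60m` unless the operator opts out. For restricted-egress or air-gapped clusters, `enabled: false` as the default, or at least a comment naming the outbound dependency, would be the safer choice. `customEnv:` is a bare key and parses as null; `customEnv: {}` states the empty default explicitly. The commented example starts at column 0 and leaves out the `oauth` block that both built-in environments carry in marketplace-config.yaml, so a line listing the keys a custom environment must supply would help.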