Update ks-core helm chart

src/test/ks-core/Chart.yaml

@@ -7,7 +7,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.6.12
+version: 0.6.13
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

src/test/ks-core/crds/kubesphere.io_extensions.yaml

@@ -156,6 +156,8 @@ spec:
                         - type
                         type: object
                       type: array
+                    configHash:
+                      type: string
                     jobName:
                       type: string
                     releaseName:

src/test/ks-core/crds/kubesphere.io_installplans.yaml

@@ -204,6 +204,8 @@ spec:
                         - type
                         type: object
                       type: array
+                    configHash:
+                      type: string
                     jobName:
                       type: string
                     releaseName:
@@ -300,6 +302,8 @@ spec:
                   - type
                   type: object
                 type: array
+              configHash:
+                type: string
               enabled:
                 type: boolean
               jobName:

src/test/ks-core/templates/_helpers.tpl

@@ -96,6 +96,30 @@ Create the name of the service account to use
 {{- end }}
 {{- end }}
 
+{{- define "role" -}}
+{{- if eq .Values.role "" }}
+{{- with lookup "v1" "ConfigMap" (printf "%s" .Release.Namespace) "kubesphere-config" }}
+{{- with (fromYaml (index .data "kubesphere.yaml")) }}
+{{- if and .multicluster (.multicluster).clusterRole }}
+{{- if eq .multicluster.clusterRole "none" }}
+{{- "host" }}
+{{- else }}
+{{- .multicluster.clusterRole }}
+{{- end }}
+{{- else }}
+{{- $.Values.role | default "host" }}
+{{- end }}
+{{- else }}
+{{- $.Values.role | default "host" }}
+{{- end }}
+{{- else }}
+{{- $.Values.role | default "host" }}
+{{- end }}
+{{- else }}
+{{- .Values.role }}
+{{- end }}
+{{- end }}
+
 {{/*
 Returns user's password or use default
 */}}

src/test/ks-core/templates/builtinroles.yaml

@@ -19,7 +19,6 @@ role:
     annotations:
       kubesphere.io/creator: system
       kubesphere.io/description: '{"zh": "管理项目中的所有资源。", "en": "Manage all resources in the project."}'
-    labels:
       iam.kubesphere.io/auto-aggregate: "true"
     name: admin
   rules:
@@ -53,7 +52,6 @@ role:
     annotations:
       kubesphere.io/creator: system
       kubesphere.io/description: '{"zh": "管理项目中除用户和角色之外的资源。", "en": "Manage resources other than users and roles in the project."}'
-    labels:
       iam.kubesphere.io/auto-aggregate: "true"
     name: operator
   rules:
@@ -107,7 +105,6 @@ role:
     annotations:
       kubesphere.io/creator: system
       kubesphere.io/description: '{"zh": "查看项目中的所有资源。", "en": "View all resources in the project."}'
-    labels:
       iam.kubesphere.io/auto-aggregate: "true"
     name: viewer
   rules:
@@ -150,7 +147,6 @@ role:
     annotations:
       kubesphere.io/creator: system
       kubesphere.io/description: '{"zh": "管理企业空间中的所有资源。", "en": "Manage all resources in the workspace."}'
-    labels:
       iam.kubesphere.io/auto-aggregate: "true"
     name: admin
   rules:
@@ -183,7 +179,6 @@ role:
     annotations:
       kubesphere.io/creator: system
       kubesphere.io/description: '{"zh": "查看企业空间设置。", "en": "View workspace settings."}'
-    labels:
       iam.kubesphere.io/auto-aggregate: "true"
     name: regular
   rules:
@@ -219,7 +214,6 @@ role:
     annotations:
       kubesphere.io/creator: system
       kubesphere.io/description: '{"zh": "查看企业设置、创建项目。", "en": "View workspace settings, create projects."}'
-    labels:
       iam.kubesphere.io/auto-aggregate: "true"
     name: self-provisioner
   rules: []
@@ -249,7 +243,6 @@ role:
     annotations:
       kubesphere.io/creator: system
       kubesphere.io/description: '{"zh": "查看企业空间中的所有资源。", "en": "View all resources in the workspace."}'
-    labels:
       iam.kubesphere.io/auto-aggregate: "true"
     name: viewer
   rules:

src/test/ks-core/templates/clusterroles.yaml

@@ -4,9 +4,8 @@ metadata:
   annotations:
     kubesphere.io/creator: system
     kubesphere.io/description: '{"zh": "管理集群中的所有资源。", "en": "Manage all resources in the cluster."}'
-  name: cluster-admin
-  labels:
     iam.kubesphere.io/auto-aggregate: "true"
+  name: cluster-admin
 aggregationRoleTemplates:
   roleSelector:
     matchLabels:
@@ -31,9 +30,8 @@ metadata:
   annotations:
     kubesphere.io/creator: system
     kubesphere.io/description: '{"zh": "查看集群中的所有资源。", "en": "View all resources in the cluster."}'
-  name: cluster-viewer
-  labels:
     iam.kubesphere.io/auto-aggregate: "true"
+  name: cluster-viewer
 aggregationRoleTemplates:
   roleSelector:
     matchLabels:

src/test/ks-core/templates/extension-categories.yaml

@@ -1,4 +1,4 @@
-{{ if eq .Values.role "host" }}
+{{ if eq (include "role" .) "host" }}
 ---
 apiVersion: kubesphere.io/v1alpha1
 kind: Category

src/test/ks-core/templates/globalroles.yaml

@@ -19,9 +19,8 @@ rules:
 apiVersion: iam.kubesphere.io/v1beta1
 kind: GlobalRole
 metadata:
-  labels:
-    iam.kubesphere.io/auto-aggregate: "true"
   annotations:
+    iam.kubesphere.io/auto-aggregate: "true"
     iam.kubesphere.io/rego-override: |-
       package authz
       default allow = false
@@ -168,7 +167,6 @@ metadata:
         allowedScopes := ["Workspace","Namespace","Cluster"]
         allowedScopes[_] == input.ResourceScope
       }
-  labels:
     iam.kubesphere.io/auto-aggregate: "true"
   name: platform-admin
 aggregationRoleTemplates:

src/test/ks-core/templates/ks-agent.yml

@@ -1,4 +1,4 @@
-{{ if eq .Values.role "member" }}
+{{ if eq (include "role" .) "member" }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:

src/test/ks-core/templates/ks-apiserver.yml

@@ -1,4 +1,4 @@
-{{ if eq .Values.role "host" }}
+{{ if eq (include "role" .) "host" }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:

src/test/ks-core/templates/ks-console.yml

@@ -1,4 +1,4 @@
-{{ if eq .Values.role "host" }}
+{{ if eq (include "role" .) "host" }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:

src/test/ks-core/templates/ks-controller-manager.yaml

@@ -1,4 +1,4 @@
-{{ if eq .Values.role "host" }}
+{{ if eq (include "role" .) "host" }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:

src/test/ks-core/templates/kubesphere-config.yaml

@@ -13,14 +13,25 @@ data:
         host: {{ include "portal.host" . | quote }}
         jwtSecret: {{ include "jwtSecret" . | quote }}
         maximumClockSkew: {{ .Values.authentication.issuer.maximumClockSkew | default "10s" }}
-        {{- if eq .Values.role "member" }}
+        {{- if eq (include "role" .) "member" }}
         accessTokenMaxAge: 0s
         {{- else }}
         accessTokenMaxAge: {{ .Values.authentication.issuer.accessTokenMaxAge }}
         {{- end }}
         accessTokenInactivityTimeout: {{ .Values.authentication.issuer.accessTokenInactivityTimeout }}
+    {{- if .Values.s3 }}
+    s3:
+      endpoint: {{ .Values.s3.endpoint | default ""  }}
+      region: {{ .Values.s3.region | default "us-east-1"  }}
+      disableSSL: {{ .Values.s3.disableSSL | default true  }}
+      forcePathStyle: {{ .Values.s3.forcePathStyle | default true  }}
+      accessKeyID: {{ .Values.s3.accessKeyID | default "admin"  }}
+      secretAccessKey: {{ .Values.s3.secretAccessKey | default "admin"  }}
+      bucket: {{ .Values.s3.bucket | default "uploads"  }}
+      {{- end }}
+
     multicluster:
-      clusterRole: {{ .Values.role }}
+      clusterRole: {{ include "role" . | quote }}
     terminal:
       kubectl:
         image: {{ template "kubectl.image" . }}

src/test/ks-core/templates/marketplace-config.yaml

@@ -1,4 +1,4 @@
-{{- if eq .Values.role "host" }}
+{{- if eq (include "role" .) "host" }}
 {{- if .Values.cloud.enabled }}
 apiVersion: v1
 stringData:

src/test/ks-core/templates/oauthclient-config.yaml

@@ -1,4 +1,4 @@
-{{ if eq .Values.role "host" }}
+{{ if eq (include "role" .) "host" }}
 apiVersion: v1
 stringData:
   configuration.yaml: |

src/test/ks-core/templates/prepare-upgrade-job.yaml

@@ -0,0 +1,46 @@
+{{- if .Values.upgrade.prepare }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ks-upgrade-prepare-config
+  namespace: {{ .Release.Namespace }}
+data:
+  ks-upgrade.yaml: |
+    storage:
+      {{- if .Values.upgrade.storage.s3.endpoint  }}
+      s3: {{- toYaml .Values.upgrade.storage.s3 | nindent 8 }}
+      {{- else }}
+      local:
+        path: {{ .Values.upgrade.storage.local.path }}
+      {{- end }}
+    jobs: {{- toYaml .Values.upgrade.jobs | nindent 6 }}
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: prepare-upgrade
+  namespace: {{ .Release.Namespace }}
+spec:
+  template:
+    spec:
+      restartPolicy: Never
+      serviceAccountName: {{ include "ks-core.serviceAccountName" . }}
+      containers:
+        - name: prepare-upgrade-job
+          image: {{ template "upgrade.image" . }}
+          imagePullPolicy: {{ .Values.upgrade.image.pullPolicy }}
+          command:
+            - ks-upgrade
+            - prepare-upgrade
+            - --logtostderr=true
+            - --config=/etc/kubesphere/ks-upgrade.yaml
+          volumeMounts:
+            - mountPath: /etc/kubesphere/
+              name: config
+      volumes:
+        - name: config
+          configMap:
+            name: ks-upgrade-prepare-config
+            defaultMode: 420
+{{- end }}

src/test/ks-core/templates/services.yml

@@ -23,7 +23,7 @@ spec:
       {{- toYaml . | nindent 8 }}
     {{- end }}
   selector:
-    {{- if eq .Values.role "host" }}
+    {{- if eq (include "role" .) "host" }}
     app: ks-apiserver
     {{- else }}
     app: ks-agent
@@ -52,7 +52,7 @@ spec:
       protocol: TCP
       targetPort: 8443
   selector:
-    {{- if eq .Values.role "host" }}
+    {{- if eq (include "role" .) "host" }}
     app: ks-controller-manager
     {{- else }}
     app: ks-agent

src/test/ks-core/templates/webhook.yaml

@@ -14,7 +14,7 @@ metadata:
   name: ks-controller-manager-webhook-cert
 type: Opaque
 
-{{ if eq .Values.role "host" }}
+{{ if eq (include "role" .) "host" }}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration

src/test/ks-core/templates/workspace.yaml

@@ -1,4 +1,4 @@
-{{ if eq .Values.role "host" }}
+{{ if eq (include "role" .) "host" }}
 apiVersion: tenant.kubesphere.io/v1beta1
 kind: WorkspaceTemplate
 metadata:

src/test/ks-core/values.yaml

@@ -20,7 +20,8 @@ commonAnnotations: {}
 
 ## Role represents the role of the current cluster,
 ## and it can have one of two values: "host" or "member".
-role: host
+## Priority: specified in values > get from kubesphere-config > default role (host)
+role: ""
 
 portal:
   ## The IP address or hostname to access ks-console service.
@@ -31,6 +32,16 @@ portal:
 #  https:
 #    port: 30443
 
+s3:
+#  If endpoint is empty, disable s3 storage
+  endpoint: ""
+  region: "us-east-1"
+  disableSSL: true
+  forcePathStyle: true
+  accessKeyID: "admin"
+  secretAccessKey: "admin"
+  bucket: "uploads"
+
 authentication:
   authenticateRateLimiterMaxTries: 10
   authenticationRateLimiterDuration: 10m0s
@@ -40,6 +51,7 @@ authentication:
   issuer:
     maximumClockSkew: 10s
     # Jwt Secret is required by ks-apiserver, a random string would be generated if it's empty
+    # Priority: specified in values > get from kubesphere-config > default jwtSecret (a random string)
     jwtSecret: ""
     accessTokenMaxAge: 2h
     accessTokenInactivityTimeout: 30m
@@ -445,7 +457,7 @@ upgrade:
       extensionRef:
         name: "kubefed"
         version: "1.0.0"
-        namespace: "extension-kubefed"
+        namespace: "kube-federation-system"
         configMap: "extension-kubefed-1.0.0-chart"
         configMapKey: "chart.tgz"
         configMapNamespace: "kubesphere-system"