From 2a258c453055347c181ce4b442531a7d67ca61c4 Mon Sep 17 00:00:00 2001 From: "Roland.Ma" Date: Wed, 19 May 2021 07:10:04 +0000 Subject: [PATCH 1/6] create helm chart for ks-core Signed-off-by: Roland.Ma --- Makefile | 7 + config/ks-core/.helmignore | 23 ++ config/ks-core/Chart.yaml | 15 + config/ks-core/crds/.gitkeep | 0 config/ks-core/templates/NOTES.txt | 0 config/ks-core/templates/_helpers.tpl | 63 +++ config/ks-core/templates/ks-apiserver.yml | 129 ++++++ .../ks-core/templates/ks-console-config.yml | 28 ++ config/ks-core/templates/ks-console.yml | 118 ++++++ .../templates/ks-controller-manager.yaml | 129 ++++++ config/ks-core/templates/ks-router-cm.yaml | 10 + config/ks-core/templates/ks-router-config.tpl | 96 +++++ .../ks-core/templates/kubesphere-config.yaml | 34 ++ .../templates/kubesphere-controls-system.yaml | 238 +++++++++++ .../templates/sample-bookinfo-configmap.yaml | 378 ++++++++++++++++++ config/ks-core/templates/serviceaccount.yaml | 26 ++ config/ks-core/templates/webhook.yaml | 123 ++++++ config/ks-core/values.yaml | 118 ++++++ 18 files changed, 1535 insertions(+) create mode 100644 config/ks-core/.helmignore create mode 100644 config/ks-core/Chart.yaml create mode 100644 config/ks-core/crds/.gitkeep create mode 100644 config/ks-core/templates/NOTES.txt create mode 100644 config/ks-core/templates/_helpers.tpl create mode 100644 config/ks-core/templates/ks-apiserver.yml create mode 100644 config/ks-core/templates/ks-console-config.yml create mode 100644 config/ks-core/templates/ks-console.yml create mode 100644 config/ks-core/templates/ks-controller-manager.yaml create mode 100644 config/ks-core/templates/ks-router-cm.yaml create mode 100644 config/ks-core/templates/ks-router-config.tpl create mode 100644 config/ks-core/templates/kubesphere-config.yaml create mode 100644 config/ks-core/templates/kubesphere-controls-system.yaml create mode 100644 config/ks-core/templates/sample-bookinfo-configmap.yaml create mode 100644 config/ks-core/templates/serviceaccount.yaml create mode 100644 config/ks-core/templates/webhook.yaml create mode 100644 config/ks-core/values.yaml diff --git a/Makefile b/Makefile index 1eee027f3..f85298d15 100644 --- a/Makefile +++ b/Makefile @@ -90,6 +90,13 @@ docker-build: all docker-build-no-test: ks-apiserver ks-controller-manager hack/docker_build.sh +helm-package: + ls config/crds/ | grep -v types.kubefed.io | xargs -i cp -r config/crds/{} config/ks-core/crds/ + helm package config/ks-core --app-version=v3.1.0 --version=0.1.0 -d ./bin + +helm-deploy: + helm upgrade --install ks-core ./config/ks-core -n kubesphere-system --create-namespace + # Run tests test: fmt vet export KUBEBUILDER_CONTROLPLANE_START_TIMEOUT=2m; go test ./pkg/... ./cmd/... -covermode=atomic -coverprofile=coverage.txt diff --git a/config/ks-core/.helmignore b/config/ks-core/.helmignore new file mode 100644 index 000000000..0e8a0eb36 --- /dev/null +++ b/config/ks-core/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/config/ks-core/Chart.yaml b/config/ks-core/Chart.yaml new file mode 100644 index 000000000..5912b54c3 --- /dev/null +++ b/config/ks-core/Chart.yaml @@ -0,0 +1,15 @@ +apiVersion: v2 +name: ks-core +description: A Helm chart for KubeSphere Core components + +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +appVersion: "v3.1.0" diff --git a/config/ks-core/crds/.gitkeep b/config/ks-core/crds/.gitkeep new file mode 100644 index 000000000..e69de29bb diff --git a/config/ks-core/templates/NOTES.txt b/config/ks-core/templates/NOTES.txt new file mode 100644 index 000000000..e69de29bb diff --git a/config/ks-core/templates/_helpers.tpl b/config/ks-core/templates/_helpers.tpl new file mode 100644 index 000000000..66b9a2d0a --- /dev/null +++ b/config/ks-core/templates/_helpers.tpl @@ -0,0 +1,63 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "ks-core.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "ks-core.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "ks-core.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "ks-core.labels" -}} +helm.sh/chart: {{ include "ks-core.chart" . }} +{{ include "ks-core.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "ks-core.selectorLabels" -}} +app.kubernetes.io/name: {{ include "ks-core.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "ks-core.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "ks-core.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/config/ks-core/templates/ks-apiserver.yml b/config/ks-core/templates/ks-apiserver.yml new file mode 100644 index 000000000..9e1d589b8 --- /dev/null +++ b/config/ks-core/templates/ks-apiserver.yml @@ -0,0 +1,129 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: ks-apiserver + tier: backend + version: {{ .Chart.AppVersion }} + name: ks-apiserver + namespace: kubesphere-system +spec: + strategy: + rollingUpdate: + maxSurge: 0 + type: RollingUpdate + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app: ks-apiserver + tier: backend + # version: {{ .Chart.AppVersion }} + template: + metadata: + labels: + app: ks-apiserver + tier: backend + # version: {{ .Chart.AppVersion }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - command: + - ks-apiserver + - --logtostderr=true + image: {{ .Values.image.ks_apiserver_repo }}:{{ .Values.image.ks_apiserver_tag | default .Chart.AppVersion }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: ks-apiserver + ports: + - containerPort: 9090 + protocol: TCP + resources: + {{- toYaml .Values.apiserverResources | nindent 12 }} + volumeMounts: + - mountPath: /var/run/docker.sock + name: docker-sock + - mountPath: /etc/kubesphere/ingress-controller + name: ks-router-config + - mountPath: /etc/kubesphere/ + name: kubesphere-config + - mountPath: /etc/localtime + name: host-time + livenessProbe: + failureThreshold: 8 + httpGet: + path: /kapis/version + port: 9090 + scheme: HTTP + initialDelaySeconds: 15 + timeoutSeconds: 15 + serviceAccountName: {{ include "ks-core.serviceAccountName" . }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/master + operator: In + values: + - "" +{{- if gt .Values.replicaCount 1.0 }} + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: kubernetes.io/hostname + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - ks-apiserver + namespaces: + - kubesphere-system +{{- end }} + volumes: + - hostPath: + path: /var/run/docker.sock + type: "" + name: docker-sock + - configMap: + defaultMode: 420 + name: ks-router-config + name: ks-router-config + - configMap: + defaultMode: 420 + name: kubesphere-config + name: kubesphere-config + - hostPath: + path: /etc/localtime + type: "" + name: host-time + +--- + +apiVersion: v1 +kind: Service +metadata: + annotations: + kubernetes.io/created-by: kubesphere.io/ks-apiserver + labels: + app: ks-apiserver + tier: backend + version: {{ .Chart.AppVersion }} + name: ks-apiserver + namespace: kubesphere-system +spec: + ports: + - port: 80 + protocol: TCP + targetPort: 9090 + selector: + app: ks-apiserver + tier: backend + # version: {{ .Chart.AppVersion }} + type: ClusterIP diff --git a/config/ks-core/templates/ks-console-config.yml b/config/ks-core/templates/ks-console-config.yml new file mode 100644 index 000000000..2c3ea8736 --- /dev/null +++ b/config/ks-core/templates/ks-console-config.yml @@ -0,0 +1,28 @@ + +apiVersion: v1 +data: + local_config.yaml: | + server: + http: + hostname: localhost + port: 8000 + static: + production: + /public: server/public + /assets: dist/assets + /dist: dist + redis: + port: 6379 + host: redis.kubesphere-system.svc + redisTimeout: 5000 + sessionTimeout: 7200000 + client: + version: + kubesphere: {{ .Chart.AppVersion }} + kubernetes: {{ .Values.kube_version }} + openpitrix: {{ .Chart.AppVersion }} + enableKubeConfig: true +kind: ConfigMap +metadata: + name: ks-console-config + namespace: kubesphere-system diff --git a/config/ks-core/templates/ks-console.yml b/config/ks-core/templates/ks-console.yml new file mode 100644 index 000000000..e5fd2b4d1 --- /dev/null +++ b/config/ks-core/templates/ks-console.yml @@ -0,0 +1,118 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: ks-console + tier: frontend + version: {{ .Chart.AppVersion }} + name: ks-console + namespace: kubesphere-system +spec: + strategy: + rollingUpdate: + maxSurge: 0 + type: RollingUpdate + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app: ks-console + tier: frontend + template: + metadata: + labels: + app: ks-console + tier: frontend + spec: + containers: + - image: {{ .Values.image.ks_console_repo }}:{{ .Values.image.ks_console_tag | default .Chart.AppVersion }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: ks-console + resources: + {{- toYaml .Values.consoleResources | nindent 12 }} + volumeMounts: + - mountPath: /opt/kubesphere/console/server/local_config.yaml + name: ks-console-config + subPath: local_config.yaml + - mountPath: /opt/kubesphere/console/server/sample + name: sample-bookinfo + - mountPath: /etc/localtime + name: host-time + livenessProbe: + tcpSocket: + port: 8000 + initialDelaySeconds: 15 + timeoutSeconds: 15 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 8 + serviceAccount: kubesphere + serviceAccountName: kubesphere + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/master + operator: In + values: + - "" +{{- if gt .Values.replicaCount 1.0 }} + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: kubernetes.io/hostname + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - ks-console + namespaces: + - kubesphere-system +{{- end }} + volumes: + - configMap: + defaultMode: 420 + name: ks-console-config + items: + - key: local_config.yaml + path: local_config.yaml + name: ks-console-config + - configMap: + defaultMode: 420 + name: sample-bookinfo + name: sample-bookinfo + - hostPath: + path: /etc/localtime + type: "" + name: host-time + +--- + +apiVersion: v1 +kind: Service +metadata: + labels: + app: ks-console + tier: frontend + version: {{ .Chart.AppVersion }} + name: ks-console + namespace: kubesphere-system +spec: + ports: + - name: nginx + port: 80 + protocol: TCP + targetPort: 8000 + {{- with .Values.console.port }} + nodePort: + {{- toYaml . | nindent 6 }} + {{- end }} + selector: + app: ks-console + tier: frontend + type: {{ .Values.console.type }} \ No newline at end of file diff --git a/config/ks-core/templates/ks-controller-manager.yaml b/config/ks-core/templates/ks-controller-manager.yaml new file mode 100644 index 000000000..e9234f91d --- /dev/null +++ b/config/ks-core/templates/ks-controller-manager.yaml @@ -0,0 +1,129 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: ks-controller-manager + tier: backend + version: {{ .Chart.AppVersion }} + name: ks-controller-manager + namespace: kubesphere-system +spec: + strategy: + rollingUpdate: + maxSurge: 0 + type: RollingUpdate + progressDeadlineSeconds: 600 + replicas: {{ .Values.replicaCount }} + revisionHistoryLimit: 10 + selector: + matchLabels: + app: ks-controller-manager + tier: backend + # version: {{ .Chart.AppVersion }} + template: + metadata: + labels: + app: ks-controller-manager + tier: backend + # version: {{ .Chart.AppVersion }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - command: + - controller-manager + - --logtostderr=true + - --leader-elect=true + image: {{ .Values.image.ks_controller_manager_repo }}:{{ .Values.image.ks_controller_manager_tag | default .Chart.AppVersion }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: ks-controller-manager + ports: + - containerPort: 8080 + protocol: TCP + - containerPort: 8443 + protocol: TCP + resources: + {{- toYaml .Values.controllerManagerResources | nindent 12 }} + volumeMounts: + - mountPath: /etc/kubesphere/ + name: kubesphere-config + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: webhook-secret + - mountPath: /var/lib/kubelet/plugins/ + name: kubelet-plugin + - mountPath: /etc/localtime + name: host-time + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + serviceAccountName: {{ include "ks-core.serviceAccountName" . }} + terminationGracePeriodSeconds: 30 + volumes: + - name: kubesphere-config + configMap: + name: kubesphere-config + defaultMode: 420 + - name: webhook-secret + secret: + defaultMode: 420 + secretName: ks-controller-manager-webhook-cert + - name: kubelet-plugin + hostPath: + path: /var/lib/kubelet/plugins/ + type: DirectoryOrCreate + - hostPath: + path: /etc/localtime + type: "" + name: host-time + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/master + operator: In + values: + - "" +{{- if gt .Values.replicaCount 1.0 }} + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: kubernetes.io/hostname + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - ks-controller-manager + namespaces: + - kubesphere-system +{{- end }} + +--- + +apiVersion: v1 +kind: Service +metadata: + labels: + app: ks-controller-manager + tier: backend + version: {{ .Chart.AppVersion }} + name: ks-controller-manager + namespace: kubesphere-system +spec: + ports: + - port: 443 + protocol: TCP + targetPort: 8443 + selector: + app: ks-controller-manager + tier: backend + # version: {{ .Chart.AppVersion }} + sessionAffinity: None + type: ClusterIP diff --git a/config/ks-core/templates/ks-router-cm.yaml b/config/ks-core/templates/ks-router-cm.yaml new file mode 100644 index 000000000..c61622ce5 --- /dev/null +++ b/config/ks-core/templates/ks-router-cm.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: ks-router-config + namespace: kubesphere-system +data: + ingress-controller-svc.yaml: |+ +{{- include "ingress-controller-svc.yaml" . }} + ingress-controller.yaml: | +{{- include "ingress-controller.yaml" . }} \ No newline at end of file diff --git a/config/ks-core/templates/ks-router-config.tpl b/config/ks-core/templates/ks-router-config.tpl new file mode 100644 index 000000000..68b5c059a --- /dev/null +++ b/config/ks-core/templates/ks-router-config.tpl @@ -0,0 +1,96 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "ingress-controller.yaml" }} + apiVersion: apps/v1 + kind: Deployment + metadata: + name: ks-router + spec: + replicas: 1 + selector: + matchLabels: + app: kubesphere + component: ks-router + tier: backend + template: + metadata: + labels: + app: kubesphere + component: ks-router + tier: backend + annotations: + prometheus.io/port: '10254' + prometheus.io/scrape: 'true' + spec: + serviceAccountName: kubesphere-router-serviceaccount + containers: + - name: nginx-ingress-controller + image: {{ .Values.image.nginx_ingress_controller_repo }}:{{ .Values.image.nginx_ingress_controller_tag | default .Chart.AppVersion}} + args: + - /nginx-ingress-controller + - --default-backend-service=$(POD_NAMESPACE)/default-http-backend + - --annotations-prefix=nginx.ingress.kubernetes.io + - --update-status + - --update-status-on-shutdown + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + ports: + - name: http + containerPort: 80 + - name: https + containerPort: 443 + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + securityContext: + runAsNonRoot: false +{{- end }} + +{{- define "ingress-controller-svc.yaml" }} + apiVersion: v1 + kind: Service + metadata: + name: kubesphere-router-gateway + labels: + app: kubesphere + component: ks-router + tier: backend + spec: + selector: + app: kubesphere + component: ks-router + tier: backend + type: LoadBalancer + ports: + - name: http + protocol: TCP + port: 80 + targetPort: 80 + - name: https + protocol: TCP + port: 443 + targetPort: 443 +{{- end }} \ No newline at end of file diff --git a/config/ks-core/templates/kubesphere-config.yaml b/config/ks-core/templates/kubesphere-config.yaml new file mode 100644 index 000000000..f8468869b --- /dev/null +++ b/config/ks-core/templates/kubesphere-config.yaml @@ -0,0 +1,34 @@ +{{- if .Values.config.create -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: kubesphere-config + namespace: kubesphere-system +data: + kubesphere.yaml: | + authentication: + authenticateRateLimiterMaxTries: {{ .Values.config.authentication.authenticateRateLimiterMaxTries | default 10 }} + authenticateRateLimiterDuration: {{ .Values.config.authentication.authenticationRateLimiterDuration | default "10m0s" }} + loginHistoryRetentionPeriod: {{ .Values.config.authentication.loginHistoryRetentionPeriod | default "168h" }} + maximumClockSkew: {{ .Values.config.authentication.maximumClockSkew | default "10s" }} + multipleLogin: {{ .Values.console.enableMultiLogin | default true }} + kubectlImage: {{ .Values.image.ks_kubectl_repo }}:{{ .Values.image.ks_kubectl_tag | default "latest" }} + jwtSecret: "{{ .Values.jwtSecret }}" +{{- if .Values.config.authentication.oauthOptions }} + {{- with .Values.config.authentication.oauthOptions }} + oauthOptions: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- else if eq (default .Values.config.multicluster.clusterRole "none") "member" }} + oauthOptions: + accessTokenMaxAge: 0 +{{- end }} + monitoring: + endpoint: {{ .Values.config.monitoring.endpoint | default "http://prometheus-operated.kubesphere-monitoring-system.svc:9090" }} + + {{- with .Values.config.servicemesh }} + servicemesh: + {{- toYaml . | nindent 6 }} + {{- end }} + +{{- end }} diff --git a/config/ks-core/templates/kubesphere-controls-system.yaml b/config/ks-core/templates/kubesphere-controls-system.yaml new file mode 100644 index 000000000..aaf34b017 --- /dev/null +++ b/config/ks-core/templates/kubesphere-controls-system.yaml @@ -0,0 +1,238 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: system:kubesphere-router-clusterrole + annotations: + kubernetes.io/created-by: kubesphere.io/ks-router +rules: + - apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - secrets + - namespaces + verbs: + - list + - watch + - get + - update + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - "extensions" + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - "networking.k8s.io" + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - "extensions" + resources: + - ingresses/status + verbs: + - update + - apiGroups: + - "networking.k8s.io" + resources: + - ingresses/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: system:kubesphere-router-role + annotations: + kubernetes.io/created-by: kubesphere.io/ks-router +rules: + - apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - namespaces + verbs: + - get + - apiGroups: + - "" + resources: + - configmaps + resourceNames: + # Defaults to "-" + # Here: "-" + # This has to be adapted if you change either parameter + # when launching the nginx-ingress-controller. + - "ingress-controller-leader-nginx" + verbs: + - get + - update + - apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - apiGroups: + - "" + resources: + - endpoints + verbs: + - get +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kubesphere-router-serviceaccount + annotations: + kubernetes.io/created-by: kubesphere.io/ks-router +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: system:nginx-ingress-clusterrole-nisa-binding + annotations: + kubernetes.io/created-by: kubesphere.io/ks-router +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:kubesphere-router-clusterrole +subjects: + - kind: ServiceAccount + name: kubesphere-router-serviceaccount + namespace: kubesphere-controls-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: nginx-ingress-role-nisa-binding + annotations: + kubernetes.io/created-by: kubesphere.io/ks-router +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: system:kubesphere-router-role +subjects: + - kind: ServiceAccount + name: kubesphere-router-serviceaccount + namespace: kubesphere-controls-system +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: default-http-backend + labels: + app: kubesphere + component: kubesphere-router + version: express-1.0.alpha + annotations: + kubernetes.io/created-by: kubesphere.io/ks-router +spec: + replicas: 1 + selector: + matchLabels: + app: kubesphere + component: kubesphere-router + template: + metadata: + labels: + app: kubesphere + component: kubesphere-router + spec: + terminationGracePeriodSeconds: 60 + containers: + - name: default-http-backend + # Any image is permissible as long as: + # 1. It serves a 404 page at / + # 2. It serves 200 on a /healthz endpoint + image: {{ .Values.image.defaultbackend_repo }}:{{ .Values.image.defaultbackend_tag | default "latest" }} + livenessProbe: + httpGet: + path: /healthz + port: 8080 + scheme: HTTP + initialDelaySeconds: 30 + timeoutSeconds: 5 + ports: + - containerPort: 8080 + resources: + limits: + cpu: 10m + memory: 20Mi + requests: + cpu: 10m + memory: 20Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: default-http-backend + labels: + app: kubesphere + component: kubesphere-router + annotations: + kubernetes.io/created-by: kubesphere.io/ks-router +spec: + ports: + - port: 80 + targetPort: 8080 + selector: + app: kubesphere + component: kubesphere-router + +--- +# create a seviceaccount for kubectl pod +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kubesphere-cluster-admin + namespace: kubesphere-controls-system + annotations: + kubernetes.io/created-by: kubesphere.io/kubectl +--- +# bind kubesphere-cluster-admin sa to clusterrole cluster-admin +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: system:kubesphere-cluster-admin + annotations: + kubernetes.io/created-by: kubesphere.io/kubectl +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: + - kind: ServiceAccount + name: kubesphere-cluster-admin + namespace: kubesphere-controls-system diff --git a/config/ks-core/templates/sample-bookinfo-configmap.yaml b/config/ks-core/templates/sample-bookinfo-configmap.yaml new file mode 100644 index 000000000..bbfc3c1ab --- /dev/null +++ b/config/ks-core/templates/sample-bookinfo-configmap.yaml @@ -0,0 +1,378 @@ +apiVersion: v1 +data: + bookinfo.yaml: | + apiVersion: app.k8s.io/v1beta1 + kind: Application + metadata: + name: bookinfo + namespace: servicemesh + labels: + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + annotations: + servicemesh.kubesphere.io/enabled: 'true' + spec: + selector: + matchLabels: + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + addOwnerRef: true + descriptor: + icons: + - src: '/assets/bookinfo.svg' + componentKinds: + - group: '' + kind: Service + - group: apps + kind: Deployment + - group: apps + kind: StatefulSet + - group: extensions + kind: Ingress + - group: servicemesh.kubesphere.io + kind: Strategy + - group: servicemesh.kubesphere.io + kind: ServicePolicy + + --- + apiVersion: apps/v1 + kind: Deployment + metadata: + namespace: servicemesh + annotations: + kubesphere.io/isElasticReplicas: 'false' + servicemesh.kubesphere.io/enabled: 'true' + labels: + app: productpage + version: v1 + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + name: productpage-v1 + spec: + replicas: 1 + selector: + matchLabels: + app: productpage + version: v1 + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + template: + metadata: + labels: + app: productpage + version: v1 + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + annotations: + sidecar.istio.io/inject: 'true' + spec: + containers: + - name: productpage + resources: + requests: + cpu: 10m + memory: 10Mi + limits: + cpu: '1' + memory: 1000Mi + imagePullPolicy: IfNotPresent + image: {{- .Values.image.bookinfo_productpage_v1_repo }}:{{- .Values.image.bookinfo_productpage_v1_tag }} + ports: + - name: http-web + protocol: TCP + containerPort: 9080 + servicePort: 9080 + serviceAccount: default + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 25% + maxSurge: 25% + --- + apiVersion: v1 + kind: Service + metadata: + namespace: servicemesh + labels: + app: productpage + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + annotations: + kubesphere.io/workloadType: Deployment + servicemesh.kubesphere.io/enabled: 'true' + name: productpage + spec: + type: ClusterIP + sessionAffinity: None + selector: + app: productpage + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + ports: + - name: http-web + protocol: TCP + port: 9080 + targetPort: 9080 + + --- + apiVersion: apps/v1 + kind: Deployment + metadata: + namespace: servicemesh + annotations: + kubesphere.io/isElasticReplicas: 'false' + servicemesh.kubesphere.io/enabled: 'true' + labels: + app: reviews + version: v1 + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + name: reviews-v1 + spec: + replicas: 1 + selector: + matchLabels: + app: reviews + version: v1 + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + template: + metadata: + labels: + app: reviews + version: v1 + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + annotations: + sidecar.istio.io/inject: 'true' + spec: + containers: + - name: reviews + resources: + requests: + cpu: 10m + memory: 10Mi + limits: + cpu: '1' + memory: 1000Mi + imagePullPolicy: IfNotPresent + image: {{- .Values.image.bookinfo_reviews_v1_repo }}:{{- .Values.image.bookinfo_reviews_v1_tag }} + ports: + - name: http-web + protocol: TCP + containerPort: 9080 + servicePort: 9080 + serviceAccount: default + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 25% + maxSurge: 25% + --- + apiVersion: v1 + kind: Service + metadata: + namespace: servicemesh + labels: + app: reviews + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + annotations: + kubesphere.io/workloadType: Deployment + servicemesh.kubesphere.io/enabled: 'true' + name: reviews + spec: + type: ClusterIP + sessionAffinity: None + selector: + app: reviews + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + ports: + - name: http-web + protocol: TCP + port: 9080 + targetPort: 9080 + + --- + apiVersion: apps/v1 + kind: Deployment + metadata: + namespace: servicemesh + annotations: + kubesphere.io/isElasticReplicas: 'false' + servicemesh.kubesphere.io/enabled: 'true' + labels: + app: details + version: v1 + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + name: details-v1 + spec: + replicas: 1 + selector: + matchLabels: + app: details + version: v1 + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + template: + metadata: + labels: + app: details + version: v1 + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + annotations: + sidecar.istio.io/inject: 'true' + spec: + containers: + - name: details + resources: + requests: + cpu: 10m + memory: 10Mi + limits: + cpu: '1' + memory: 1000Mi + imagePullPolicy: IfNotPresent + image: {{- .Values.image.bookinfo_details_v1_repo }}:{{- .Values.image.bookinfo_details_v1_tag }} + ports: + - name: http-web + protocol: TCP + containerPort: 9080 + servicePort: 9080 + serviceAccount: default + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 25% + maxSurge: 25% + --- + apiVersion: v1 + kind: Service + metadata: + namespace: servicemesh + labels: + app: details + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + annotations: + kubesphere.io/workloadType: Deployment + servicemesh.kubesphere.io/enabled: 'true' + name: details + spec: + type: ClusterIP + sessionAffinity: None + selector: + app: details + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + ports: + - name: http-web + protocol: TCP + port: 9080 + targetPort: 9080 + + --- + apiVersion: apps/v1 + kind: Deployment + metadata: + namespace: servicemesh + annotations: + kubesphere.io/isElasticReplicas: 'false' + servicemesh.kubesphere.io/enabled: 'true' + labels: + app: ratings + version: v1 + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + name: ratings-v1 + spec: + replicas: 1 + selector: + matchLabels: + app: ratings + version: v1 + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + template: + metadata: + labels: + app: ratings + version: v1 + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + annotations: + sidecar.istio.io/inject: 'true' + spec: + containers: + - name: ratings + resources: + requests: + cpu: 10m + memory: 10Mi + limits: + cpu: '1' + memory: 1000Mi + imagePullPolicy: IfNotPresent + image: {{- .Values.image.bookinfo_ratings_v1_repo }}:{{- .Values.image.bookinfo_ratings_v1_tag }} + ports: + - name: http-web + protocol: TCP + containerPort: 9080 + servicePort: 9080 + serviceAccount: default + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 25% + maxSurge: 25% + --- + apiVersion: v1 + kind: Service + metadata: + namespace: servicemesh + labels: + app: ratings + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + annotations: + kubesphere.io/workloadType: Deployment + servicemesh.kubesphere.io/enabled: 'true' + name: ratings + spec: + type: ClusterIP + sessionAffinity: None + selector: + app: ratings + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + ports: + - name: http-web + protocol: TCP + port: 9080 + targetPort: 9080 + + --- + apiVersion: extensions/v1beta1 + kind: Ingress + metadata: + namespace: servicemesh + labels: + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + name: bookinfo-ingress + spec: + rules: + - http: + paths: + - path: / + backend: + serviceName: productpage + servicePort: 9080 + host: productpage.servicemesh.139.198.121.92.nip.io +kind: ConfigMap +metadata: + name: sample-bookinfo + namespace: kubesphere-system diff --git a/config/ks-core/templates/serviceaccount.yaml b/config/ks-core/templates/serviceaccount.yaml new file mode 100644 index 000000000..4627bf3a3 --- /dev/null +++ b/config/ks-core/templates/serviceaccount.yaml @@ -0,0 +1,26 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "ks-core.serviceAccountName" . }} + labels: + {{- include "ks-core.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kubesphere +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: + - kind: ServiceAccount + name: kubesphere + namespace: kubesphere-system diff --git a/config/ks-core/templates/webhook.yaml b/config/ks-core/templates/webhook.yaml new file mode 100644 index 000000000..f98c513dc --- /dev/null +++ b/config/ks-core/templates/webhook.yaml @@ -0,0 +1,123 @@ +{{- $ca := genCA "ks-controller-manager-ca" 3650 }} +{{- $cn := printf "%s-admission-webhook" .Release.Name }} +{{- $altName1 := printf "ks-controller-manager.kubesphere-system" }} +{{- $altName2 := printf "ks-controller-manager.kubesphere-system.svc" }} +{{- $cert := genSignedCert $cn nil (list $altName1 $altName2) 3650 $ca }} + +apiVersion: v1 +data: + ca.crt: {{ b64enc $ca.Cert | quote }} + tls.crt: {{ b64enc $cert.Cert | quote }} + tls.key: {{ b64enc $cert.Key | quote }} +kind: Secret +metadata: + name: ks-controller-manager-webhook-cert + namespace: kubesphere-system +type: Opaque +--- +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + name: users.iam.kubesphere.io +webhooks: +- admissionReviewVersions: + - v1beta1 + clientConfig: + caBundle: {{ b64enc $ca.Cert | quote }} + service: + name: ks-controller-manager + namespace: kubesphere-system + path: /validate-email-iam-kubesphere-io-v1alpha2 + port: 443 + failurePolicy: Fail + matchPolicy: Exact + name: users.iam.kubesphere.io + namespaceSelector: + matchExpressions: + - key: control-plane + operator: DoesNotExist + objectSelector: {} + rules: + - apiGroups: + - iam.kubesphere.io + apiVersions: + - v1alpha2 + operations: + - CREATE + - UPDATE + resources: + - users + scope: '*' + sideEffects: None + timeoutSeconds: 30 + +--- + +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: network.kubesphere.io +webhooks: + - admissionReviewVersions: + - v1beta1 + clientConfig: + caBundle: {{ b64enc $ca.Cert | quote }} + service: + name: ks-controller-manager + namespace: kubesphere-system + path: /validate-network-kubesphere-io-v1alpha1 + port: 443 + failurePolicy: Fail + matchPolicy: Exact + name: validating-network.kubesphere.io + namespaceSelector: + matchExpressions: + - key: control-plane + operator: DoesNotExist + objectSelector: {} + rules: + - apiGroups: + - network.kubesphere.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - ippools + scope: '*' + sideEffects: None + timeoutSeconds: 30 + +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: resourcesquotas.quota.kubesphere.io +webhooks: + - admissionReviewVersions: + - v1beta1 + clientConfig: + caBundle: {{ b64enc $ca.Cert | quote }} + service: + name: ks-controller-manager + namespace: kubesphere-system + path: /validate-quota-kubesphere-io-v1alpha2 + port: 443 + failurePolicy: Ignore + matchPolicy: Exact + name: resourcesquotas.quota.kubesphere.io + namespaceSelector: {} + objectSelector: {} + rules: + - apiGroups: + - '*' + apiVersions: + - '*' + operations: + - CREATE + resources: + - pods + scope: '*' + sideEffects: None diff --git a/config/ks-core/values.yaml b/config/ks-core/values.yaml new file mode 100644 index 000000000..b66fa517d --- /dev/null +++ b/config/ks-core/values.yaml @@ -0,0 +1,118 @@ +# Default values for ks-core. + +replicaCount: 1 + +image: + # Overrides the image tag whose default is the chart appVersion. + ks_controller_manager_repo: kubesphere/ks-controller-manager + ks_controller_manager_tag: "" + + ks_apiserver_repo: kubesphere/ks-apiserver + ks_apiserver_tag: "" + ks_console_repo: "kubesphere/ks-console" + ks_console_tag: "" + + ks_kubectl_repo: kubesphere/kubectl + ks_kubectl_tag: "" + + nginx_ingress_controller_repo: kubesphere/nginx-ingress-controller + nginx_ingress_controller_tag: "v0.35.0" + defaultbackend_repo: "mirrorgooglecontainers/defaultbackend-amd64" + defaultbackend_tag: "1.4" + + bookinfo_productpage_v1_repo: kubesphere/examples-bookinfo-productpage-v1 + bookinfo_productpage_v1_tag: "1.16.2" + + bookinfo_reviews_v1_repo: kubesphere/examples-bookinfo-reviews-v1 + bookinfo_reviews_v1_tag: "1.16.2" + + bookinfo_details_v1_repo: kubesphere/examples-bookinfo-details-v1 + bookinfo_details_v1_tag: "1.16.2" + + bookinfo_ratings_v1_repo: kubesphere/examples-bookinfo-ratings-v1 + bookinfo_ratings_v1_tag: "1.16.3" + + pullPolicy: IfNotPresent + + +config: + # Specifies whether the kubesphere-config configmap should be created + create: true + authentication: {} + # Jwt Secret is required + jwtSecret: "" + multicluster: {} + monitoring: {} + +console: + port: 30880 + type: NodePort + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "kubesphere" + +podAnnotations: {} + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +apiserverResources: + limits: + cpu: 1 + memory: 1024Mi + requests: + cpu: 20m + memory: 100Mi + +consoleResources: + limits: + cpu: 1 + memory: 1024Mi + requests: + cpu: 20m + memory: 100Mi + +controllerManagerResources: + limits: + cpu: 1 + memory: 1000Mi + requests: + cpu: 30m + memory: 50Mi + +# Kubernetes Version shows in KubeSphere console +kube_version: "v1.19.4" + +tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + key: node.kubernetes.io/not-ready + operator: Exists + tolerationSeconds: 60 + - effect: NoExecute + key: node.kubernetes.io/unreachable + operator: Exists + tolerationSeconds: 60 + +affinity: {} From 7b565e241274620c94c82172589aebc56cb32863 Mon Sep 17 00:00:00 2001 From: "Roland.Ma" Date: Thu, 20 May 2021 02:42:15 +0000 Subject: [PATCH 2/6] generate random jwtSecret Signed-off-by: Roland.Ma --- config/ks-core/templates/kubesphere-config.yaml | 2 +- config/ks-core/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/config/ks-core/templates/kubesphere-config.yaml b/config/ks-core/templates/kubesphere-config.yaml index f8468869b..96fb32049 100644 --- a/config/ks-core/templates/kubesphere-config.yaml +++ b/config/ks-core/templates/kubesphere-config.yaml @@ -13,7 +13,7 @@ data: maximumClockSkew: {{ .Values.config.authentication.maximumClockSkew | default "10s" }} multipleLogin: {{ .Values.console.enableMultiLogin | default true }} kubectlImage: {{ .Values.image.ks_kubectl_repo }}:{{ .Values.image.ks_kubectl_tag | default "latest" }} - jwtSecret: "{{ .Values.jwtSecret }}" + jwtSecret: "{{ .Values.config.jwtSecret | default (randAlphaNum 32 ) }}" {{- if .Values.config.authentication.oauthOptions }} {{- with .Values.config.authentication.oauthOptions }} oauthOptions: diff --git a/config/ks-core/values.yaml b/config/ks-core/values.yaml index b66fa517d..bf29c87eb 100644 --- a/config/ks-core/values.yaml +++ b/config/ks-core/values.yaml @@ -39,7 +39,7 @@ config: # Specifies whether the kubesphere-config configmap should be created create: true authentication: {} - # Jwt Secret is required + # Jwt Secret is required by ks-apiserver, a random string would be generated if it's empty jwtSecret: "" multicluster: {} monitoring: {} From f7d7ed55ffbaf6e125a47bae698d222ba0386d1b Mon Sep 17 00:00:00 2001 From: "Roland.Ma" Date: Fri, 21 May 2021 09:10:13 +0000 Subject: [PATCH 3/6] inital admin account Signed-off-by: Roland.Ma --- config/ks-core/templates/_helpers.tpl | 12 ++++++++++++ config/ks-core/templates/account.yaml | 13 +++++++++++++ 2 files changed, 25 insertions(+) create mode 100644 config/ks-core/templates/account.yaml diff --git a/config/ks-core/templates/_helpers.tpl b/config/ks-core/templates/_helpers.tpl index 66b9a2d0a..695c969c4 100644 --- a/config/ks-core/templates/_helpers.tpl +++ b/config/ks-core/templates/_helpers.tpl @@ -61,3 +61,15 @@ Create the name of the service account to use {{- default "default" .Values.serviceAccount.name }} {{- end }} {{- end }} + +{{/* +Returns user's password or use default +*/}} +{{- define "getOrDefaultPass" }} +{{- $pws := (lookup "iam.kubesphere.io/v1alpha2" "User" "" .Name) -}} +{{- if $pws }} +{{- $pws.spec.password -}} +{{- else -}} +{{- .Default -}} +{{- end -}} +{{- end }} diff --git a/config/ks-core/templates/account.yaml b/config/ks-core/templates/account.yaml new file mode 100644 index 000000000..c6b2d4064 --- /dev/null +++ b/config/ks-core/templates/account.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: iam.kubesphere.io/v1alpha2 +kind: User +metadata: + name: admin + annotations: + iam.kubesphere.io/uninitialized: "true" + helm.sh/resource-policy: keep +spec: + email: admin@kubesphere.io + password: "{{ include "getOrDefaultPass" (dict "Name" "admin" "Default" "$2a$10$zcHepmzfKPoxCVCYZr5K7ORPZZ/ySe9p/7IUb/8u./xHrnSX2LOCO") }}" +status: + state: Active \ No newline at end of file From dc3d5bf08ce940992d4d66830d4fec3ddaa38fdd Mon Sep 17 00:00:00 2001 From: "Roland.Ma" Date: Wed, 26 May 2021 09:09:49 +0000 Subject: [PATCH 4/6] user helm release namespace Signed-off-by: Roland.Ma --- config/ks-core/templates/ks-apiserver.yml | 2 - .../ks-core/templates/ks-console-config.yml | 1 - config/ks-core/templates/ks-console.yml | 2 - .../templates/ks-controller-manager.yaml | 2 - config/ks-core/templates/ks-router-cm.yaml | 1 - config/ks-core/templates/ks-router-config.tpl | 82 +++++++++---------- .../ks-core/templates/kubesphere-config.yaml | 1 - .../templates/kubesphere-controls-system.yaml | 5 ++ .../templates/sample-bookinfo-configmap.yaml | 1 - config/ks-core/templates/serviceaccount.yaml | 2 +- config/ks-core/templates/webhook.yaml | 7 +- 11 files changed, 50 insertions(+), 56 deletions(-) diff --git a/config/ks-core/templates/ks-apiserver.yml b/config/ks-core/templates/ks-apiserver.yml index 9e1d589b8..79ad22125 100644 --- a/config/ks-core/templates/ks-apiserver.yml +++ b/config/ks-core/templates/ks-apiserver.yml @@ -6,7 +6,6 @@ metadata: tier: backend version: {{ .Chart.AppVersion }} name: ks-apiserver - namespace: kubesphere-system spec: strategy: rollingUpdate: @@ -116,7 +115,6 @@ metadata: tier: backend version: {{ .Chart.AppVersion }} name: ks-apiserver - namespace: kubesphere-system spec: ports: - port: 80 diff --git a/config/ks-core/templates/ks-console-config.yml b/config/ks-core/templates/ks-console-config.yml index 2c3ea8736..14b8f78b4 100644 --- a/config/ks-core/templates/ks-console-config.yml +++ b/config/ks-core/templates/ks-console-config.yml @@ -25,4 +25,3 @@ data: kind: ConfigMap metadata: name: ks-console-config - namespace: kubesphere-system diff --git a/config/ks-core/templates/ks-console.yml b/config/ks-core/templates/ks-console.yml index e5fd2b4d1..de7d0e428 100644 --- a/config/ks-core/templates/ks-console.yml +++ b/config/ks-core/templates/ks-console.yml @@ -6,7 +6,6 @@ metadata: tier: frontend version: {{ .Chart.AppVersion }} name: ks-console - namespace: kubesphere-system spec: strategy: rollingUpdate: @@ -101,7 +100,6 @@ metadata: tier: frontend version: {{ .Chart.AppVersion }} name: ks-console - namespace: kubesphere-system spec: ports: - name: nginx diff --git a/config/ks-core/templates/ks-controller-manager.yaml b/config/ks-core/templates/ks-controller-manager.yaml index e9234f91d..bb3d13ef8 100644 --- a/config/ks-core/templates/ks-controller-manager.yaml +++ b/config/ks-core/templates/ks-controller-manager.yaml @@ -6,7 +6,6 @@ metadata: tier: backend version: {{ .Chart.AppVersion }} name: ks-controller-manager - namespace: kubesphere-system spec: strategy: rollingUpdate: @@ -115,7 +114,6 @@ metadata: tier: backend version: {{ .Chart.AppVersion }} name: ks-controller-manager - namespace: kubesphere-system spec: ports: - port: 443 diff --git a/config/ks-core/templates/ks-router-cm.yaml b/config/ks-core/templates/ks-router-cm.yaml index c61622ce5..045019143 100644 --- a/config/ks-core/templates/ks-router-cm.yaml +++ b/config/ks-core/templates/ks-router-cm.yaml @@ -2,7 +2,6 @@ apiVersion: v1 kind: ConfigMap metadata: name: ks-router-config - namespace: kubesphere-system data: ingress-controller-svc.yaml: |+ {{- include "ingress-controller-svc.yaml" . }} diff --git a/config/ks-core/templates/ks-router-config.tpl b/config/ks-core/templates/ks-router-config.tpl index 68b5c059a..69b001fdb 100644 --- a/config/ks-core/templates/ks-router-config.tpl +++ b/config/ks-core/templates/ks-router-config.tpl @@ -4,68 +4,68 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: ks-router + name: ks-router spec: - replicas: 1 - selector: + replicas: 1 + selector: matchLabels: - app: kubesphere - component: ks-router - tier: backend - template: + app: kubesphere + component: ks-router + tier: backend + template: metadata: - labels: + labels: app: kubesphere component: ks-router tier: backend - annotations: + annotations: prometheus.io/port: '10254' prometheus.io/scrape: 'true' spec: - serviceAccountName: kubesphere-router-serviceaccount - containers: + serviceAccountName: kubesphere-router-serviceaccount + containers: - name: nginx-ingress-controller - image: {{ .Values.image.nginx_ingress_controller_repo }}:{{ .Values.image.nginx_ingress_controller_tag | default .Chart.AppVersion}} - args: + image: image: {{ .Values.image.nginx_ingress_controller_repo }}:{{ .Values.image.nginx_ingress_controller_tag | default .Chart.AppVersion}} + args: - /nginx-ingress-controller - --default-backend-service=$(POD_NAMESPACE)/default-http-backend - --annotations-prefix=nginx.ingress.kubernetes.io - --update-status - --update-status-on-shutdown - env: + env: - name: POD_NAME - valueFrom: + valueFrom: fieldRef: - fieldPath: metadata.name + fieldPath: metadata.name - name: POD_NAMESPACE - valueFrom: + valueFrom: fieldRef: - fieldPath: metadata.namespace - ports: - - name: http + fieldPath: metadata.namespace + ports: + - name: http containerPort: 80 - - name: https + - name: https containerPort: 443 - livenessProbe: + livenessProbe: failureThreshold: 3 httpGet: - path: /healthz - port: 10254 - scheme: HTTP + path: /healthz + port: 10254 + scheme: HTTP initialDelaySeconds: 10 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 - readinessProbe: + readinessProbe: failureThreshold: 3 httpGet: - path: /healthz - port: 10254 - scheme: HTTP + path: /healthz + port: 10254 + scheme: HTTP periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 - securityContext: + securityContext: runAsNonRoot: false {{- end }} @@ -73,24 +73,24 @@ apiVersion: v1 kind: Service metadata: - name: kubesphere-router-gateway - labels: + name: kubesphere-router-gateway + labels: app: kubesphere component: ks-router tier: backend spec: - selector: + selector: app: kubesphere component: ks-router tier: backend - type: LoadBalancer - ports: + type: LoadBalancer + ports: - name: http - protocol: TCP - port: 80 - targetPort: 80 + protocol: TCP + port: 80 + targetPort: 80 - name: https - protocol: TCP - port: 443 - targetPort: 443 + protocol: TCP + port: 443 + targetPort: 443 {{- end }} \ No newline at end of file diff --git a/config/ks-core/templates/kubesphere-config.yaml b/config/ks-core/templates/kubesphere-config.yaml index 96fb32049..85c84245d 100644 --- a/config/ks-core/templates/kubesphere-config.yaml +++ b/config/ks-core/templates/kubesphere-config.yaml @@ -3,7 +3,6 @@ apiVersion: v1 kind: ConfigMap metadata: name: kubesphere-config - namespace: kubesphere-system data: kubesphere.yaml: | authentication: diff --git a/config/ks-core/templates/kubesphere-controls-system.yaml b/config/ks-core/templates/kubesphere-controls-system.yaml index aaf34b017..e5a17ac72 100644 --- a/config/ks-core/templates/kubesphere-controls-system.yaml +++ b/config/ks-core/templates/kubesphere-controls-system.yaml @@ -73,6 +73,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: system:kubesphere-router-role + namespace: kubesphere-controls-system annotations: kubernetes.io/created-by: kubesphere.io/ks-router rules: @@ -115,6 +116,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: kubesphere-router-serviceaccount + namespace: kubesphere-controls-system annotations: kubernetes.io/created-by: kubesphere.io/ks-router --- @@ -137,6 +139,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: nginx-ingress-role-nisa-binding + namespace: kubesphere-controls-system annotations: kubernetes.io/created-by: kubesphere.io/ks-router roleRef: @@ -152,6 +155,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: default-http-backend + namespace: kubesphere-controls-system labels: app: kubesphere component: kubesphere-router @@ -198,6 +202,7 @@ apiVersion: v1 kind: Service metadata: name: default-http-backend + namespace: kubesphere-controls-system labels: app: kubesphere component: kubesphere-router diff --git a/config/ks-core/templates/sample-bookinfo-configmap.yaml b/config/ks-core/templates/sample-bookinfo-configmap.yaml index bbfc3c1ab..0855e7f12 100644 --- a/config/ks-core/templates/sample-bookinfo-configmap.yaml +++ b/config/ks-core/templates/sample-bookinfo-configmap.yaml @@ -375,4 +375,3 @@ data: kind: ConfigMap metadata: name: sample-bookinfo - namespace: kubesphere-system diff --git a/config/ks-core/templates/serviceaccount.yaml b/config/ks-core/templates/serviceaccount.yaml index 4627bf3a3..0fa0ba760 100644 --- a/config/ks-core/templates/serviceaccount.yaml +++ b/config/ks-core/templates/serviceaccount.yaml @@ -23,4 +23,4 @@ roleRef: subjects: - kind: ServiceAccount name: kubesphere - namespace: kubesphere-system + namespace: {{ .Release.Namespace }} diff --git a/config/ks-core/templates/webhook.yaml b/config/ks-core/templates/webhook.yaml index f98c513dc..4276ba507 100644 --- a/config/ks-core/templates/webhook.yaml +++ b/config/ks-core/templates/webhook.yaml @@ -12,7 +12,6 @@ data: kind: Secret metadata: name: ks-controller-manager-webhook-cert - namespace: kubesphere-system type: Opaque --- apiVersion: admissionregistration.k8s.io/v1beta1 @@ -26,7 +25,7 @@ webhooks: caBundle: {{ b64enc $ca.Cert | quote }} service: name: ks-controller-manager - namespace: kubesphere-system + namespace: {{ .Release.Namespace }} path: /validate-email-iam-kubesphere-io-v1alpha2 port: 443 failurePolicy: Fail @@ -64,7 +63,7 @@ webhooks: caBundle: {{ b64enc $ca.Cert | quote }} service: name: ks-controller-manager - namespace: kubesphere-system + namespace: {{ .Release.Namespace }} path: /validate-network-kubesphere-io-v1alpha1 port: 443 failurePolicy: Fail @@ -102,7 +101,7 @@ webhooks: caBundle: {{ b64enc $ca.Cert | quote }} service: name: ks-controller-manager - namespace: kubesphere-system + namespace: {{ .Release.Namespace }} path: /validate-quota-kubesphere-io-v1alpha2 port: 443 failurePolicy: Ignore From 999711f1cf369697f8f89470c4337f7187c6036d Mon Sep 17 00:00:00 2001 From: "Roland.Ma" Date: Wed, 26 May 2021 09:17:35 +0000 Subject: [PATCH 5/6] replace podAntiAffinity namespaces with helm release name Signed-off-by: Roland.Ma --- config/ks-core/templates/ks-apiserver.yml | 2 +- config/ks-core/templates/ks-console.yml | 2 +- config/ks-core/templates/ks-controller-manager.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/config/ks-core/templates/ks-apiserver.yml b/config/ks-core/templates/ks-apiserver.yml index 79ad22125..8d25da5bc 100644 --- a/config/ks-core/templates/ks-apiserver.yml +++ b/config/ks-core/templates/ks-apiserver.yml @@ -83,7 +83,7 @@ spec: values: - ks-apiserver namespaces: - - kubesphere-system + - {{ .Release.Namespace }} {{- end }} volumes: - hostPath: diff --git a/config/ks-core/templates/ks-console.yml b/config/ks-core/templates/ks-console.yml index de7d0e428..ef5620986 100644 --- a/config/ks-core/templates/ks-console.yml +++ b/config/ks-core/templates/ks-console.yml @@ -71,7 +71,7 @@ spec: values: - ks-console namespaces: - - kubesphere-system + - {{ .Release.Namespace }} {{- end }} volumes: - configMap: diff --git a/config/ks-core/templates/ks-controller-manager.yaml b/config/ks-core/templates/ks-controller-manager.yaml index bb3d13ef8..4d351873c 100644 --- a/config/ks-core/templates/ks-controller-manager.yaml +++ b/config/ks-core/templates/ks-controller-manager.yaml @@ -101,7 +101,7 @@ spec: values: - ks-controller-manager namespaces: - - kubesphere-system + - {{ .Release.Namespace }} {{- end }} --- From 91ebc2cd01764a2a0589be147c19e4b763e8066b Mon Sep 17 00:00:00 2001 From: "Roland.Ma" Date: Wed, 26 May 2021 09:55:04 +0000 Subject: [PATCH 6/6] use helm release variable for service account name and namespace Signed-off-by: Roland.Ma --- config/ks-core/templates/ks-console.yml | 4 ++-- config/ks-core/templates/serviceaccount.yaml | 4 ++-- config/ks-core/templates/webhook.yaml | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/config/ks-core/templates/ks-console.yml b/config/ks-core/templates/ks-console.yml index ef5620986..3246dc9a5 100644 --- a/config/ks-core/templates/ks-console.yml +++ b/config/ks-core/templates/ks-console.yml @@ -44,8 +44,8 @@ spec: periodSeconds: 10 successThreshold: 1 failureThreshold: 8 - serviceAccount: kubesphere - serviceAccountName: kubesphere + serviceAccount: {{ include "ks-core.serviceAccountName" . }} + serviceAccountName: {{ include "ks-core.serviceAccountName" . }} {{- with .Values.tolerations }} tolerations: {{- toYaml . | nindent 8 }} diff --git a/config/ks-core/templates/serviceaccount.yaml b/config/ks-core/templates/serviceaccount.yaml index 0fa0ba760..412d3c2e3 100644 --- a/config/ks-core/templates/serviceaccount.yaml +++ b/config/ks-core/templates/serviceaccount.yaml @@ -15,12 +15,12 @@ metadata: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: kubesphere + name: {{ include "ks-core.serviceAccountName" . }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount - name: kubesphere + name: {{ include "ks-core.serviceAccountName" . }} namespace: {{ .Release.Namespace }} diff --git a/config/ks-core/templates/webhook.yaml b/config/ks-core/templates/webhook.yaml index 4276ba507..fee6671e3 100644 --- a/config/ks-core/templates/webhook.yaml +++ b/config/ks-core/templates/webhook.yaml @@ -1,7 +1,7 @@ {{- $ca := genCA "ks-controller-manager-ca" 3650 }} {{- $cn := printf "%s-admission-webhook" .Release.Name }} -{{- $altName1 := printf "ks-controller-manager.kubesphere-system" }} -{{- $altName2 := printf "ks-controller-manager.kubesphere-system.svc" }} +{{- $altName1 := printf "ks-controller-manager.%s" .Release.Namespace }} +{{- $altName2 := printf "ks-controller-manager.%s.svc" .Release.Namespace }} {{- $cert := genSignedCert $cn nil (list $altName1 $altName2) 3650 $ca }} apiVersion: v1