diff --git a/Makefile b/Makefile index 1eee027f3..f85298d15 100644 --- a/Makefile +++ b/Makefile @@ -90,6 +90,13 @@ docker-build: all docker-build-no-test: ks-apiserver ks-controller-manager hack/docker_build.sh +helm-package: + ls config/crds/ | grep -v types.kubefed.io | xargs -i cp -r config/crds/{} config/ks-core/crds/ + helm package config/ks-core --app-version=v3.1.0 --version=0.1.0 -d ./bin + +helm-deploy: + helm upgrade --install ks-core ./config/ks-core -n kubesphere-system --create-namespace + # Run tests test: fmt vet export KUBEBUILDER_CONTROLPLANE_START_TIMEOUT=2m; go test ./pkg/... ./cmd/... -covermode=atomic -coverprofile=coverage.txt diff --git a/config/ks-core/.helmignore b/config/ks-core/.helmignore new file mode 100644 index 000000000..0e8a0eb36 --- /dev/null +++ b/config/ks-core/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/config/ks-core/Chart.yaml b/config/ks-core/Chart.yaml new file mode 100644 index 000000000..5912b54c3 --- /dev/null +++ b/config/ks-core/Chart.yaml @@ -0,0 +1,15 @@ +apiVersion: v2 +name: ks-core +description: A Helm chart for KubeSphere Core components + +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +appVersion: "v3.1.0" diff --git a/config/ks-core/crds/.gitkeep b/config/ks-core/crds/.gitkeep new file mode 100644 index 000000000..e69de29bb diff --git a/config/ks-core/templates/NOTES.txt b/config/ks-core/templates/NOTES.txt new file mode 100644 index 000000000..e69de29bb diff --git a/config/ks-core/templates/_helpers.tpl b/config/ks-core/templates/_helpers.tpl new file mode 100644 index 000000000..66b9a2d0a --- /dev/null +++ b/config/ks-core/templates/_helpers.tpl @@ -0,0 +1,63 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "ks-core.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "ks-core.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "ks-core.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "ks-core.labels" -}} +helm.sh/chart: {{ include "ks-core.chart" . }} +{{ include "ks-core.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "ks-core.selectorLabels" -}} +app.kubernetes.io/name: {{ include "ks-core.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "ks-core.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "ks-core.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/config/ks-core/templates/ks-apiserver.yml b/config/ks-core/templates/ks-apiserver.yml new file mode 100644 index 000000000..9e1d589b8 --- /dev/null +++ b/config/ks-core/templates/ks-apiserver.yml @@ -0,0 +1,129 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: ks-apiserver + tier: backend + version: {{ .Chart.AppVersion }} + name: ks-apiserver + namespace: kubesphere-system +spec: + strategy: + rollingUpdate: + maxSurge: 0 + type: RollingUpdate + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app: ks-apiserver + tier: backend + # version: {{ .Chart.AppVersion }} + template: + metadata: + labels: + app: ks-apiserver + tier: backend + # version: {{ .Chart.AppVersion }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - command: + - ks-apiserver + - --logtostderr=true + image: {{ .Values.image.ks_apiserver_repo }}:{{ .Values.image.ks_apiserver_tag | default .Chart.AppVersion }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: ks-apiserver + ports: + - containerPort: 9090 + protocol: TCP + resources: + {{- toYaml .Values.apiserverResources | nindent 12 }} + volumeMounts: + - mountPath: /var/run/docker.sock + name: docker-sock + - mountPath: /etc/kubesphere/ingress-controller + name: ks-router-config + - mountPath: /etc/kubesphere/ + name: kubesphere-config + - mountPath: /etc/localtime + name: host-time + livenessProbe: + failureThreshold: 8 + httpGet: + path: /kapis/version + port: 9090 + scheme: HTTP + initialDelaySeconds: 15 + timeoutSeconds: 15 + serviceAccountName: {{ include "ks-core.serviceAccountName" . }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/master + operator: In + values: + - "" +{{- if gt .Values.replicaCount 1.0 }} + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: kubernetes.io/hostname + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - ks-apiserver + namespaces: + - kubesphere-system +{{- end }} + volumes: + - hostPath: + path: /var/run/docker.sock + type: "" + name: docker-sock + - configMap: + defaultMode: 420 + name: ks-router-config + name: ks-router-config + - configMap: + defaultMode: 420 + name: kubesphere-config + name: kubesphere-config + - hostPath: + path: /etc/localtime + type: "" + name: host-time + +--- + +apiVersion: v1 +kind: Service +metadata: + annotations: + kubernetes.io/created-by: kubesphere.io/ks-apiserver + labels: + app: ks-apiserver + tier: backend + version: {{ .Chart.AppVersion }} + name: ks-apiserver + namespace: kubesphere-system +spec: + ports: + - port: 80 + protocol: TCP + targetPort: 9090 + selector: + app: ks-apiserver + tier: backend + # version: {{ .Chart.AppVersion }} + type: ClusterIP diff --git a/config/ks-core/templates/ks-console-config.yml b/config/ks-core/templates/ks-console-config.yml new file mode 100644 index 000000000..2c3ea8736 --- /dev/null +++ b/config/ks-core/templates/ks-console-config.yml @@ -0,0 +1,28 @@ + +apiVersion: v1 +data: + local_config.yaml: | + server: + http: + hostname: localhost + port: 8000 + static: + production: + /public: server/public + /assets: dist/assets + /dist: dist + redis: + port: 6379 + host: redis.kubesphere-system.svc + redisTimeout: 5000 + sessionTimeout: 7200000 + client: + version: + kubesphere: {{ .Chart.AppVersion }} + kubernetes: {{ .Values.kube_version }} + openpitrix: {{ .Chart.AppVersion }} + enableKubeConfig: true +kind: ConfigMap +metadata: + name: ks-console-config + namespace: kubesphere-system diff --git a/config/ks-core/templates/ks-console.yml b/config/ks-core/templates/ks-console.yml new file mode 100644 index 000000000..e5fd2b4d1 --- /dev/null +++ b/config/ks-core/templates/ks-console.yml @@ -0,0 +1,118 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: ks-console + tier: frontend + version: {{ .Chart.AppVersion }} + name: ks-console + namespace: kubesphere-system +spec: + strategy: + rollingUpdate: + maxSurge: 0 + type: RollingUpdate + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app: ks-console + tier: frontend + template: + metadata: + labels: + app: ks-console + tier: frontend + spec: + containers: + - image: {{ .Values.image.ks_console_repo }}:{{ .Values.image.ks_console_tag | default .Chart.AppVersion }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: ks-console + resources: + {{- toYaml .Values.consoleResources | nindent 12 }} + volumeMounts: + - mountPath: /opt/kubesphere/console/server/local_config.yaml + name: ks-console-config + subPath: local_config.yaml + - mountPath: /opt/kubesphere/console/server/sample + name: sample-bookinfo + - mountPath: /etc/localtime + name: host-time + livenessProbe: + tcpSocket: + port: 8000 + initialDelaySeconds: 15 + timeoutSeconds: 15 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 8 + serviceAccount: kubesphere + serviceAccountName: kubesphere + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/master + operator: In + values: + - "" +{{- if gt .Values.replicaCount 1.0 }} + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: kubernetes.io/hostname + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - ks-console + namespaces: + - kubesphere-system +{{- end }} + volumes: + - configMap: + defaultMode: 420 + name: ks-console-config + items: + - key: local_config.yaml + path: local_config.yaml + name: ks-console-config + - configMap: + defaultMode: 420 + name: sample-bookinfo + name: sample-bookinfo + - hostPath: + path: /etc/localtime + type: "" + name: host-time + +--- + +apiVersion: v1 +kind: Service +metadata: + labels: + app: ks-console + tier: frontend + version: {{ .Chart.AppVersion }} + name: ks-console + namespace: kubesphere-system +spec: + ports: + - name: nginx + port: 80 + protocol: TCP + targetPort: 8000 + {{- with .Values.console.port }} + nodePort: + {{- toYaml . | nindent 6 }} + {{- end }} + selector: + app: ks-console + tier: frontend + type: {{ .Values.console.type }} \ No newline at end of file diff --git a/config/ks-core/templates/ks-controller-manager.yaml b/config/ks-core/templates/ks-controller-manager.yaml new file mode 100644 index 000000000..e9234f91d --- /dev/null +++ b/config/ks-core/templates/ks-controller-manager.yaml @@ -0,0 +1,129 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: ks-controller-manager + tier: backend + version: {{ .Chart.AppVersion }} + name: ks-controller-manager + namespace: kubesphere-system +spec: + strategy: + rollingUpdate: + maxSurge: 0 + type: RollingUpdate + progressDeadlineSeconds: 600 + replicas: {{ .Values.replicaCount }} + revisionHistoryLimit: 10 + selector: + matchLabels: + app: ks-controller-manager + tier: backend + # version: {{ .Chart.AppVersion }} + template: + metadata: + labels: + app: ks-controller-manager + tier: backend + # version: {{ .Chart.AppVersion }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - command: + - controller-manager + - --logtostderr=true + - --leader-elect=true + image: {{ .Values.image.ks_controller_manager_repo }}:{{ .Values.image.ks_controller_manager_tag | default .Chart.AppVersion }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: ks-controller-manager + ports: + - containerPort: 8080 + protocol: TCP + - containerPort: 8443 + protocol: TCP + resources: + {{- toYaml .Values.controllerManagerResources | nindent 12 }} + volumeMounts: + - mountPath: /etc/kubesphere/ + name: kubesphere-config + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: webhook-secret + - mountPath: /var/lib/kubelet/plugins/ + name: kubelet-plugin + - mountPath: /etc/localtime + name: host-time + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + serviceAccountName: {{ include "ks-core.serviceAccountName" . }} + terminationGracePeriodSeconds: 30 + volumes: + - name: kubesphere-config + configMap: + name: kubesphere-config + defaultMode: 420 + - name: webhook-secret + secret: + defaultMode: 420 + secretName: ks-controller-manager-webhook-cert + - name: kubelet-plugin + hostPath: + path: /var/lib/kubelet/plugins/ + type: DirectoryOrCreate + - hostPath: + path: /etc/localtime + type: "" + name: host-time + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/master + operator: In + values: + - "" +{{- if gt .Values.replicaCount 1.0 }} + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: kubernetes.io/hostname + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - ks-controller-manager + namespaces: + - kubesphere-system +{{- end }} + +--- + +apiVersion: v1 +kind: Service +metadata: + labels: + app: ks-controller-manager + tier: backend + version: {{ .Chart.AppVersion }} + name: ks-controller-manager + namespace: kubesphere-system +spec: + ports: + - port: 443 + protocol: TCP + targetPort: 8443 + selector: + app: ks-controller-manager + tier: backend + # version: {{ .Chart.AppVersion }} + sessionAffinity: None + type: ClusterIP diff --git a/config/ks-core/templates/ks-router-cm.yaml b/config/ks-core/templates/ks-router-cm.yaml new file mode 100644 index 000000000..c61622ce5 --- /dev/null +++ b/config/ks-core/templates/ks-router-cm.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: ks-router-config + namespace: kubesphere-system +data: + ingress-controller-svc.yaml: |+ +{{- include "ingress-controller-svc.yaml" . }} + ingress-controller.yaml: | +{{- include "ingress-controller.yaml" . }} \ No newline at end of file diff --git a/config/ks-core/templates/ks-router-config.tpl b/config/ks-core/templates/ks-router-config.tpl new file mode 100644 index 000000000..68b5c059a --- /dev/null +++ b/config/ks-core/templates/ks-router-config.tpl @@ -0,0 +1,96 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "ingress-controller.yaml" }} + apiVersion: apps/v1 + kind: Deployment + metadata: + name: ks-router + spec: + replicas: 1 + selector: + matchLabels: + app: kubesphere + component: ks-router + tier: backend + template: + metadata: + labels: + app: kubesphere + component: ks-router + tier: backend + annotations: + prometheus.io/port: '10254' + prometheus.io/scrape: 'true' + spec: + serviceAccountName: kubesphere-router-serviceaccount + containers: + - name: nginx-ingress-controller + image: {{ .Values.image.nginx_ingress_controller_repo }}:{{ .Values.image.nginx_ingress_controller_tag | default .Chart.AppVersion}} + args: + - /nginx-ingress-controller + - --default-backend-service=$(POD_NAMESPACE)/default-http-backend + - --annotations-prefix=nginx.ingress.kubernetes.io + - --update-status + - --update-status-on-shutdown + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + ports: + - name: http + containerPort: 80 + - name: https + containerPort: 443 + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + securityContext: + runAsNonRoot: false +{{- end }} + +{{- define "ingress-controller-svc.yaml" }} + apiVersion: v1 + kind: Service + metadata: + name: kubesphere-router-gateway + labels: + app: kubesphere + component: ks-router + tier: backend + spec: + selector: + app: kubesphere + component: ks-router + tier: backend + type: LoadBalancer + ports: + - name: http + protocol: TCP + port: 80 + targetPort: 80 + - name: https + protocol: TCP + port: 443 + targetPort: 443 +{{- end }} \ No newline at end of file diff --git a/config/ks-core/templates/kubesphere-config.yaml b/config/ks-core/templates/kubesphere-config.yaml new file mode 100644 index 000000000..f8468869b --- /dev/null +++ b/config/ks-core/templates/kubesphere-config.yaml @@ -0,0 +1,34 @@ +{{- if .Values.config.create -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: kubesphere-config + namespace: kubesphere-system +data: + kubesphere.yaml: | + authentication: + authenticateRateLimiterMaxTries: {{ .Values.config.authentication.authenticateRateLimiterMaxTries | default 10 }} + authenticateRateLimiterDuration: {{ .Values.config.authentication.authenticationRateLimiterDuration | default "10m0s" }} + loginHistoryRetentionPeriod: {{ .Values.config.authentication.loginHistoryRetentionPeriod | default "168h" }} + maximumClockSkew: {{ .Values.config.authentication.maximumClockSkew | default "10s" }} + multipleLogin: {{ .Values.console.enableMultiLogin | default true }} + kubectlImage: {{ .Values.image.ks_kubectl_repo }}:{{ .Values.image.ks_kubectl_tag | default "latest" }} + jwtSecret: "{{ .Values.jwtSecret }}" +{{- if .Values.config.authentication.oauthOptions }} + {{- with .Values.config.authentication.oauthOptions }} + oauthOptions: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- else if eq (default .Values.config.multicluster.clusterRole "none") "member" }} + oauthOptions: + accessTokenMaxAge: 0 +{{- end }} + monitoring: + endpoint: {{ .Values.config.monitoring.endpoint | default "http://prometheus-operated.kubesphere-monitoring-system.svc:9090" }} + + {{- with .Values.config.servicemesh }} + servicemesh: + {{- toYaml . | nindent 6 }} + {{- end }} + +{{- end }} diff --git a/config/ks-core/templates/kubesphere-controls-system.yaml b/config/ks-core/templates/kubesphere-controls-system.yaml new file mode 100644 index 000000000..aaf34b017 --- /dev/null +++ b/config/ks-core/templates/kubesphere-controls-system.yaml @@ -0,0 +1,238 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: system:kubesphere-router-clusterrole + annotations: + kubernetes.io/created-by: kubesphere.io/ks-router +rules: + - apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - secrets + - namespaces + verbs: + - list + - watch + - get + - update + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - "extensions" + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - "networking.k8s.io" + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - "extensions" + resources: + - ingresses/status + verbs: + - update + - apiGroups: + - "networking.k8s.io" + resources: + - ingresses/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: system:kubesphere-router-role + annotations: + kubernetes.io/created-by: kubesphere.io/ks-router +rules: + - apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - namespaces + verbs: + - get + - apiGroups: + - "" + resources: + - configmaps + resourceNames: + # Defaults to "-" + # Here: "-" + # This has to be adapted if you change either parameter + # when launching the nginx-ingress-controller. + - "ingress-controller-leader-nginx" + verbs: + - get + - update + - apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - apiGroups: + - "" + resources: + - endpoints + verbs: + - get +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kubesphere-router-serviceaccount + annotations: + kubernetes.io/created-by: kubesphere.io/ks-router +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: system:nginx-ingress-clusterrole-nisa-binding + annotations: + kubernetes.io/created-by: kubesphere.io/ks-router +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:kubesphere-router-clusterrole +subjects: + - kind: ServiceAccount + name: kubesphere-router-serviceaccount + namespace: kubesphere-controls-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: nginx-ingress-role-nisa-binding + annotations: + kubernetes.io/created-by: kubesphere.io/ks-router +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: system:kubesphere-router-role +subjects: + - kind: ServiceAccount + name: kubesphere-router-serviceaccount + namespace: kubesphere-controls-system +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: default-http-backend + labels: + app: kubesphere + component: kubesphere-router + version: express-1.0.alpha + annotations: + kubernetes.io/created-by: kubesphere.io/ks-router +spec: + replicas: 1 + selector: + matchLabels: + app: kubesphere + component: kubesphere-router + template: + metadata: + labels: + app: kubesphere + component: kubesphere-router + spec: + terminationGracePeriodSeconds: 60 + containers: + - name: default-http-backend + # Any image is permissible as long as: + # 1. It serves a 404 page at / + # 2. It serves 200 on a /healthz endpoint + image: {{ .Values.image.defaultbackend_repo }}:{{ .Values.image.defaultbackend_tag | default "latest" }} + livenessProbe: + httpGet: + path: /healthz + port: 8080 + scheme: HTTP + initialDelaySeconds: 30 + timeoutSeconds: 5 + ports: + - containerPort: 8080 + resources: + limits: + cpu: 10m + memory: 20Mi + requests: + cpu: 10m + memory: 20Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: default-http-backend + labels: + app: kubesphere + component: kubesphere-router + annotations: + kubernetes.io/created-by: kubesphere.io/ks-router +spec: + ports: + - port: 80 + targetPort: 8080 + selector: + app: kubesphere + component: kubesphere-router + +--- +# create a seviceaccount for kubectl pod +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kubesphere-cluster-admin + namespace: kubesphere-controls-system + annotations: + kubernetes.io/created-by: kubesphere.io/kubectl +--- +# bind kubesphere-cluster-admin sa to clusterrole cluster-admin +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: system:kubesphere-cluster-admin + annotations: + kubernetes.io/created-by: kubesphere.io/kubectl +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: + - kind: ServiceAccount + name: kubesphere-cluster-admin + namespace: kubesphere-controls-system diff --git a/config/ks-core/templates/sample-bookinfo-configmap.yaml b/config/ks-core/templates/sample-bookinfo-configmap.yaml new file mode 100644 index 000000000..bbfc3c1ab --- /dev/null +++ b/config/ks-core/templates/sample-bookinfo-configmap.yaml @@ -0,0 +1,378 @@ +apiVersion: v1 +data: + bookinfo.yaml: | + apiVersion: app.k8s.io/v1beta1 + kind: Application + metadata: + name: bookinfo + namespace: servicemesh + labels: + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + annotations: + servicemesh.kubesphere.io/enabled: 'true' + spec: + selector: + matchLabels: + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + addOwnerRef: true + descriptor: + icons: + - src: '/assets/bookinfo.svg' + componentKinds: + - group: '' + kind: Service + - group: apps + kind: Deployment + - group: apps + kind: StatefulSet + - group: extensions + kind: Ingress + - group: servicemesh.kubesphere.io + kind: Strategy + - group: servicemesh.kubesphere.io + kind: ServicePolicy + + --- + apiVersion: apps/v1 + kind: Deployment + metadata: + namespace: servicemesh + annotations: + kubesphere.io/isElasticReplicas: 'false' + servicemesh.kubesphere.io/enabled: 'true' + labels: + app: productpage + version: v1 + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + name: productpage-v1 + spec: + replicas: 1 + selector: + matchLabels: + app: productpage + version: v1 + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + template: + metadata: + labels: + app: productpage + version: v1 + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + annotations: + sidecar.istio.io/inject: 'true' + spec: + containers: + - name: productpage + resources: + requests: + cpu: 10m + memory: 10Mi + limits: + cpu: '1' + memory: 1000Mi + imagePullPolicy: IfNotPresent + image: {{- .Values.image.bookinfo_productpage_v1_repo }}:{{- .Values.image.bookinfo_productpage_v1_tag }} + ports: + - name: http-web + protocol: TCP + containerPort: 9080 + servicePort: 9080 + serviceAccount: default + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 25% + maxSurge: 25% + --- + apiVersion: v1 + kind: Service + metadata: + namespace: servicemesh + labels: + app: productpage + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + annotations: + kubesphere.io/workloadType: Deployment + servicemesh.kubesphere.io/enabled: 'true' + name: productpage + spec: + type: ClusterIP + sessionAffinity: None + selector: + app: productpage + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + ports: + - name: http-web + protocol: TCP + port: 9080 + targetPort: 9080 + + --- + apiVersion: apps/v1 + kind: Deployment + metadata: + namespace: servicemesh + annotations: + kubesphere.io/isElasticReplicas: 'false' + servicemesh.kubesphere.io/enabled: 'true' + labels: + app: reviews + version: v1 + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + name: reviews-v1 + spec: + replicas: 1 + selector: + matchLabels: + app: reviews + version: v1 + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + template: + metadata: + labels: + app: reviews + version: v1 + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + annotations: + sidecar.istio.io/inject: 'true' + spec: + containers: + - name: reviews + resources: + requests: + cpu: 10m + memory: 10Mi + limits: + cpu: '1' + memory: 1000Mi + imagePullPolicy: IfNotPresent + image: {{- .Values.image.bookinfo_reviews_v1_repo }}:{{- .Values.image.bookinfo_reviews_v1_tag }} + ports: + - name: http-web + protocol: TCP + containerPort: 9080 + servicePort: 9080 + serviceAccount: default + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 25% + maxSurge: 25% + --- + apiVersion: v1 + kind: Service + metadata: + namespace: servicemesh + labels: + app: reviews + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + annotations: + kubesphere.io/workloadType: Deployment + servicemesh.kubesphere.io/enabled: 'true' + name: reviews + spec: + type: ClusterIP + sessionAffinity: None + selector: + app: reviews + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + ports: + - name: http-web + protocol: TCP + port: 9080 + targetPort: 9080 + + --- + apiVersion: apps/v1 + kind: Deployment + metadata: + namespace: servicemesh + annotations: + kubesphere.io/isElasticReplicas: 'false' + servicemesh.kubesphere.io/enabled: 'true' + labels: + app: details + version: v1 + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + name: details-v1 + spec: + replicas: 1 + selector: + matchLabels: + app: details + version: v1 + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + template: + metadata: + labels: + app: details + version: v1 + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + annotations: + sidecar.istio.io/inject: 'true' + spec: + containers: + - name: details + resources: + requests: + cpu: 10m + memory: 10Mi + limits: + cpu: '1' + memory: 1000Mi + imagePullPolicy: IfNotPresent + image: {{- .Values.image.bookinfo_details_v1_repo }}:{{- .Values.image.bookinfo_details_v1_tag }} + ports: + - name: http-web + protocol: TCP + containerPort: 9080 + servicePort: 9080 + serviceAccount: default + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 25% + maxSurge: 25% + --- + apiVersion: v1 + kind: Service + metadata: + namespace: servicemesh + labels: + app: details + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + annotations: + kubesphere.io/workloadType: Deployment + servicemesh.kubesphere.io/enabled: 'true' + name: details + spec: + type: ClusterIP + sessionAffinity: None + selector: + app: details + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + ports: + - name: http-web + protocol: TCP + port: 9080 + targetPort: 9080 + + --- + apiVersion: apps/v1 + kind: Deployment + metadata: + namespace: servicemesh + annotations: + kubesphere.io/isElasticReplicas: 'false' + servicemesh.kubesphere.io/enabled: 'true' + labels: + app: ratings + version: v1 + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + name: ratings-v1 + spec: + replicas: 1 + selector: + matchLabels: + app: ratings + version: v1 + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + template: + metadata: + labels: + app: ratings + version: v1 + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + annotations: + sidecar.istio.io/inject: 'true' + spec: + containers: + - name: ratings + resources: + requests: + cpu: 10m + memory: 10Mi + limits: + cpu: '1' + memory: 1000Mi + imagePullPolicy: IfNotPresent + image: {{- .Values.image.bookinfo_ratings_v1_repo }}:{{- .Values.image.bookinfo_ratings_v1_tag }} + ports: + - name: http-web + protocol: TCP + containerPort: 9080 + servicePort: 9080 + serviceAccount: default + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 25% + maxSurge: 25% + --- + apiVersion: v1 + kind: Service + metadata: + namespace: servicemesh + labels: + app: ratings + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + annotations: + kubesphere.io/workloadType: Deployment + servicemesh.kubesphere.io/enabled: 'true' + name: ratings + spec: + type: ClusterIP + sessionAffinity: None + selector: + app: ratings + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + ports: + - name: http-web + protocol: TCP + port: 9080 + targetPort: 9080 + + --- + apiVersion: extensions/v1beta1 + kind: Ingress + metadata: + namespace: servicemesh + labels: + app.kubernetes.io/version: v1 + app.kubernetes.io/name: bookinfo + name: bookinfo-ingress + spec: + rules: + - http: + paths: + - path: / + backend: + serviceName: productpage + servicePort: 9080 + host: productpage.servicemesh.139.198.121.92.nip.io +kind: ConfigMap +metadata: + name: sample-bookinfo + namespace: kubesphere-system diff --git a/config/ks-core/templates/serviceaccount.yaml b/config/ks-core/templates/serviceaccount.yaml new file mode 100644 index 000000000..4627bf3a3 --- /dev/null +++ b/config/ks-core/templates/serviceaccount.yaml @@ -0,0 +1,26 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "ks-core.serviceAccountName" . }} + labels: + {{- include "ks-core.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kubesphere +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: + - kind: ServiceAccount + name: kubesphere + namespace: kubesphere-system diff --git a/config/ks-core/templates/webhook.yaml b/config/ks-core/templates/webhook.yaml new file mode 100644 index 000000000..f98c513dc --- /dev/null +++ b/config/ks-core/templates/webhook.yaml @@ -0,0 +1,123 @@ +{{- $ca := genCA "ks-controller-manager-ca" 3650 }} +{{- $cn := printf "%s-admission-webhook" .Release.Name }} +{{- $altName1 := printf "ks-controller-manager.kubesphere-system" }} +{{- $altName2 := printf "ks-controller-manager.kubesphere-system.svc" }} +{{- $cert := genSignedCert $cn nil (list $altName1 $altName2) 3650 $ca }} + +apiVersion: v1 +data: + ca.crt: {{ b64enc $ca.Cert | quote }} + tls.crt: {{ b64enc $cert.Cert | quote }} + tls.key: {{ b64enc $cert.Key | quote }} +kind: Secret +metadata: + name: ks-controller-manager-webhook-cert + namespace: kubesphere-system +type: Opaque +--- +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + name: users.iam.kubesphere.io +webhooks: +- admissionReviewVersions: + - v1beta1 + clientConfig: + caBundle: {{ b64enc $ca.Cert | quote }} + service: + name: ks-controller-manager + namespace: kubesphere-system + path: /validate-email-iam-kubesphere-io-v1alpha2 + port: 443 + failurePolicy: Fail + matchPolicy: Exact + name: users.iam.kubesphere.io + namespaceSelector: + matchExpressions: + - key: control-plane + operator: DoesNotExist + objectSelector: {} + rules: + - apiGroups: + - iam.kubesphere.io + apiVersions: + - v1alpha2 + operations: + - CREATE + - UPDATE + resources: + - users + scope: '*' + sideEffects: None + timeoutSeconds: 30 + +--- + +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: network.kubesphere.io +webhooks: + - admissionReviewVersions: + - v1beta1 + clientConfig: + caBundle: {{ b64enc $ca.Cert | quote }} + service: + name: ks-controller-manager + namespace: kubesphere-system + path: /validate-network-kubesphere-io-v1alpha1 + port: 443 + failurePolicy: Fail + matchPolicy: Exact + name: validating-network.kubesphere.io + namespaceSelector: + matchExpressions: + - key: control-plane + operator: DoesNotExist + objectSelector: {} + rules: + - apiGroups: + - network.kubesphere.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - ippools + scope: '*' + sideEffects: None + timeoutSeconds: 30 + +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: resourcesquotas.quota.kubesphere.io +webhooks: + - admissionReviewVersions: + - v1beta1 + clientConfig: + caBundle: {{ b64enc $ca.Cert | quote }} + service: + name: ks-controller-manager + namespace: kubesphere-system + path: /validate-quota-kubesphere-io-v1alpha2 + port: 443 + failurePolicy: Ignore + matchPolicy: Exact + name: resourcesquotas.quota.kubesphere.io + namespaceSelector: {} + objectSelector: {} + rules: + - apiGroups: + - '*' + apiVersions: + - '*' + operations: + - CREATE + resources: + - pods + scope: '*' + sideEffects: None diff --git a/config/ks-core/values.yaml b/config/ks-core/values.yaml new file mode 100644 index 000000000..b66fa517d --- /dev/null +++ b/config/ks-core/values.yaml @@ -0,0 +1,118 @@ +# Default values for ks-core. + +replicaCount: 1 + +image: + # Overrides the image tag whose default is the chart appVersion. + ks_controller_manager_repo: kubesphere/ks-controller-manager + ks_controller_manager_tag: "" + + ks_apiserver_repo: kubesphere/ks-apiserver + ks_apiserver_tag: "" + ks_console_repo: "kubesphere/ks-console" + ks_console_tag: "" + + ks_kubectl_repo: kubesphere/kubectl + ks_kubectl_tag: "" + + nginx_ingress_controller_repo: kubesphere/nginx-ingress-controller + nginx_ingress_controller_tag: "v0.35.0" + defaultbackend_repo: "mirrorgooglecontainers/defaultbackend-amd64" + defaultbackend_tag: "1.4" + + bookinfo_productpage_v1_repo: kubesphere/examples-bookinfo-productpage-v1 + bookinfo_productpage_v1_tag: "1.16.2" + + bookinfo_reviews_v1_repo: kubesphere/examples-bookinfo-reviews-v1 + bookinfo_reviews_v1_tag: "1.16.2" + + bookinfo_details_v1_repo: kubesphere/examples-bookinfo-details-v1 + bookinfo_details_v1_tag: "1.16.2" + + bookinfo_ratings_v1_repo: kubesphere/examples-bookinfo-ratings-v1 + bookinfo_ratings_v1_tag: "1.16.3" + + pullPolicy: IfNotPresent + + +config: + # Specifies whether the kubesphere-config configmap should be created + create: true + authentication: {} + # Jwt Secret is required + jwtSecret: "" + multicluster: {} + monitoring: {} + +console: + port: 30880 + type: NodePort + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "kubesphere" + +podAnnotations: {} + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +apiserverResources: + limits: + cpu: 1 + memory: 1024Mi + requests: + cpu: 20m + memory: 100Mi + +consoleResources: + limits: + cpu: 1 + memory: 1024Mi + requests: + cpu: 20m + memory: 100Mi + +controllerManagerResources: + limits: + cpu: 1 + memory: 1000Mi + requests: + cpu: 30m + memory: 50Mi + +# Kubernetes Version shows in KubeSphere console +kube_version: "v1.19.4" + +tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + key: node.kubernetes.io/not-ready + operator: Exists + tolerationSeconds: 60 + - effect: NoExecute + key: node.kubernetes.io/unreachable + operator: Exists + tolerationSeconds: 60 + +affinity: {}