feat: kubesphere 4.0 (#6115)

* feat: kubesphere 4.0

Signed-off-by: ci-bot <ci-bot@kubesphere.io>

* feat: kubesphere 4.0

Signed-off-by: ci-bot <ci-bot@kubesphere.io>

---------

Signed-off-by: ci-bot <ci-bot@kubesphere.io>
Co-authored-by: ks-ci-bot <ks-ci-bot@example.com>
Co-authored-by: joyceliu <joyceliu@yunify.com>

config/ks-core/templates/NOTES.txt

@@ -1,17 +1,39 @@
-Please wait for several seconds for KubeSphere deployment to complete.
+Thank you for choosing KubeSphere Helm Chart.
 
-1. Make sure KubeSphere components are running:
+Please be patient and wait for several seconds for the KubeSphere deployment to complete.
 
-     kubectl get pods -n {{ .Release.Namespace }}
+1. Wait for Deployment Completion
 
-2. Then you should be able to visit the console NodePort:
+    Confirm that all KubeSphere components are running by executing the following command:
 
-     Console: http://{{ include "getNodeAddress" . }}:{{ .Values.console.nodePort }}
+    kubectl get pods -n {{ .Release.Namespace }}
 
-3. To login to your KubeSphere console:
+{{- if or (eq .Values.role "") (eq .Values.role "host") }}
+2. Access the KubeSphere Console
 
-     Account: admin
-     Password: {{ include "printOrDefaultPass" . | quote }}
-     NOTE: Please change the default password after login.
+    Once the deployment is complete, you can access the KubeSphere console using the following URL:  {{"\n"}}
+    {{- if not .Values.internalTLS }}
+    http://{{ include "getNodeAddress" . }}:{{ .Values.console.nodePort }}
+    {{- else }}
+    https://{{ include "getNodeAddress" . }}:{{ .Values.console.nodePort }}
+    {{- end }}
 
-For more details, please visit https://kubesphere.io.
+3. Login to KubeSphere Console
+
+    Use the following credentials to log in:
+
+    Account: admin
+    Password: {{ include "printOrDefaultPass" . }}
+
+NOTE: It is highly recommended to change the default password immediately after the first login.
+{{- else }}
+
+Cluster Member Installed Successfully!
+
+Congratulations! The cluster member has been successfully installed.
+
+You can view the information of the member cluster by accessing the ks-console of the host cluster.
+
+Happy deploying!
+{{- end }}
+For additional information and details, please visit https://kubesphere.io.

config/ks-core/templates/_helpers.tpl

@@ -55,21 +55,116 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 Create the name of the service account to use
 */}}
 {{- define "ks-core.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "ks-core.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
+{{- default "kubesphere" (.Values.serviceAccount).name }}
 {{- end }}
+
+{{/*
+Create the name of the secret of sa token.
+*/}}
+{{- define "ks-core.serviceAccountTokenName" -}}
+{{-  printf "%s-%s" ( include "ks-core.serviceAccountName" . )   "sa-token" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "portal.url" -}}
+{{- if and .Values.portal.https (.Values.portal.https).port }}
+{{- if eq (int .Values.portal.https.port) 443 }}
+{{- printf "https://%s" .Values.portal.hostname }}
+{{- else }}
+{{- printf "https://%s:%d" .Values.portal.hostname (int .Values.portal.https.port) }}
+{{- end }}
+{{- else }}
+{{- if eq (int .Values.portal.http.port) 80 }}
+{{- printf "http://%s" .Values.portal.hostname }}
+{{- else }}
+{{- printf "http://%s:%d" .Values.portal.hostname (int .Values.portal.http.port) }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "jwtSecret" -}}
+{{- if eq .Values.authentication.issuer.jwtSecret "" }}
+{{- with lookup "v1" "ConfigMap" (printf "%s" .Release.Namespace) "kubesphere-config" }}
+{{- with (fromYaml (index .data "kubesphere.yaml")) }}
+{{- if and .authentication (.authentication).jwtSecret }}
+{{- .authentication.jwtSecret }}
+{{- else if and .authentication (.authentication).issuer ((.authentication).issuer).jwtSecret }}
+{{- .authentication.issuer.jwtSecret }}
+{{- else }}
+{{- $.Values.authentication.issuer.jwtSecret | default (randAlphaNum 32 ) }}
+{{- end }}
+{{- else }}
+{{- $.Values.authentication.issuer.jwtSecret | default (randAlphaNum 32 ) }}
+{{- end }}
+{{- else }}
+{{- $.Values.authentication.issuer.jwtSecret | default (randAlphaNum 32 ) }}
+{{- end }}
+{{- else }}
+{{- .Values.authentication.issuer.jwtSecret }}
+{{- end }}
+{{- end }}
+
+{{- define "role" -}}
+{{- if eq .Values.role "" }}
+{{- with lookup "v1" "ConfigMap" (printf "%s" .Release.Namespace) "kubesphere-config" }}
+{{- with (fromYaml (index .data "kubesphere.yaml")) }}
+{{- if and .multicluster (.multicluster).clusterRole }}
+{{- if eq .multicluster.clusterRole "none" }}
+{{- "host" }}
+{{- else }}
+{{- .multicluster.clusterRole }}
+{{- end }}
+{{- else }}
+{{- $.Values.role | default "host" }}
+{{- end }}
+{{- else }}
+{{- $.Values.role | default "host" }}
+{{- end }}
+{{- else }}
+{{- $.Values.role | default "host" }}
+{{- end }}
+{{- else }}
+{{- .Values.role }}
+{{- end }}
+{{- end }}
+
+{{- define "hostClusterName" -}}
+{{- if eq .Values.hostClusterName "" }}
+{{- with lookup "v1" "ConfigMap" (printf "%s" .Release.Namespace) "kubesphere-config" }}
+{{- with (fromYaml (index .data "kubesphere.yaml")) }}
+{{- if and .multicluster (.multicluster).hostClusterName }}
+{{- .multicluster.hostClusterName }}
+{{- else }}
+{{- $.Values.hostClusterName | default "host" }}
+{{- end }}
+{{- else }}
+{{- $.Values.hostClusterName | default "host" }}
+{{- end }}
+{{- else }}
+{{- $.Values.hostClusterName | default "host" }}
+{{- end }}
+{{- else }}
+{{- .Values.hostClusterName }}
+{{- end }}
+{{- end }}
+
+{{- define "validateHostClusterName" -}}
+{{- $name := . -}}
+{{- $pattern := "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" -}}
+{{- if not (regexMatch $pattern $name) -}}
+{{- fail (printf "Invalid hostClusterName '%s': a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character." $name) -}}
+{{- else -}}
+{{- $name -}}
+{{- end -}}
 {{- end }}
 
 {{/*
 Returns user's password or use default
 */}}
 {{- define "getOrDefaultPass" }}
-{{- if not .Values.adminPassword -}}
+{{- if not .Values.authentication.adminPassword -}}
 {{- printf "$2a$10$zcHepmzfKPoxCVCYZr5K7ORPZZ/ySe9p/7IUb/8u./xHrnSX2LOCO" -}}
 {{- else -}}
-{{- printf "%s" .Values.adminPassword -}}
+{{- printf "%s" .Values.authentication.adminPassword -}}
 {{- end -}}
 {{- end }}
 
@@ -77,25 +172,28 @@ Returns user's password or use default
 Returns user's password or use default. Used by NOTES.txt
 */}}
 {{- define "printOrDefaultPass" }}
-{{- if not .Values.adminPassword -}}
+{{- if not .Values.authentication.adminPassword -}}
 {{- printf "P@88w0rd" -}}
 {{- else -}}
-{{- printf "%s" .Values.adminPassword -}}
+{{- printf "%s" .Values.authentication.adminPassword -}}
 {{- end -}}
 {{- end }}
 
 {{- define "getNodeAddress" -}}
 {{- $address := "127.0.0.1"}}
-{{- range $index, $node := (lookup "v1" "Node" "" "").items -}}
-  {{- range $k, $v := $node.status.addresses }}
-    {{- if (eq $v.type "InternalIP") }}
-      {{- $address = $v.address }}
-      {{- break }}
-    {{- end }}
-  {{- end }}
-  {{- if (ne $address "127.0.0.1") }}
-    {{- break }}
-  {{- end }}
+{{- $found := false }}
+{{- with $nodes := lookup "v1" "Node" "" "" }}
+{{- range $nodeKey, $node := $nodes.items }}
+{{- if (hasKey $node.metadata.labels "node-role.kubernetes.io/control-plane") }}
+{{- range $k, $v := $node.status.addresses }}
+{{- if and (eq $v.type "InternalIP") (not $found) }}
+{{- $address = $v.address }}
+{{- $found = true }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- else }}
 {{- end }}
 {{- printf "%s" $address }}
-{{- end }}
+{{- end }}

config/ks-core/templates/_images.tpl

@@ -0,0 +1,94 @@
+{{/*
+Return the proper image name
+*/}}
+{{- define "ks-apiserver.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.apiserver.image "global" .Values.global) }}
+{{- end -}}
+
+{{- define "ks-console.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.console.image "global" .Values.global) }}
+{{- end -}}
+
+{{- define "ks-controller-manager.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.controller.image "global" .Values.global) }}
+{{- end -}}
+
+{{- define "kubectl.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.kubectl.image "global" .Values.global) }}
+{{- end -}}
+
+{{- define "nodeShell.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.nodeShell.image "global" .Values.global) }}
+{{- end -}}
+
+{{- define "helm.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.helmExecutor.image "global" .Values.global) }}
+{{- end -}}
+
+{{- define "upgrade.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.upgrade.image "global" .Values.global) }}
+{{- end -}}
+
+{{- define "redis.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.redis.image "global" .Values.global) }}
+{{- end -}}
+
+{{- define "preUpgrade.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.preUpgrade.image "global" .Values.global) }}
+{{- end -}}
+
+{{- define "common.images.image" -}}
+{{- $registryName := .global.imageRegistry -}}
+{{- $repositoryName := .imageRoot.repository -}}
+{{- $separator := ":" -}}
+{{- $termination := .global.tag | toString -}}
+{{- if .imageRoot.registry }}
+    {{- $registryName = .imageRoot.registry -}}
+{{- end -}}
+{{- if .imageRoot.tag }}
+    {{- $termination = .imageRoot.tag | toString -}}
+{{- end -}}
+{{- if .imageRoot.digest }}
+    {{- $separator = "@" -}}
+    {{- $termination = .imageRoot.digest | toString -}}
+{{- end -}}
+{{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}}
+{{- end -}}
+
+{{/*
+Return the proper Docker Image Registry Secret Names
+*/}}
+{{- define "apiserver.imagePullSecrets" -}}
+{{- include "common.images.pullSecrets" (dict "images" (list .Values.apiserver.image) "global" .Values.global) -}}
+{{- end -}}
+
+{{- define "console.imagePullSecrets" -}}
+{{- include "common.images.pullSecrets" (dict "images" (list .Values.console.image) "global" .Values.global) -}}
+{{- end -}}
+
+{{- define "controller.imagePullSecrets" -}}
+{{- include "common.images.pullSecrets" (dict "images" (list .Values.controller.image) "global" .Values.global) -}}
+{{- end -}}
+
+{{- define "common.images.pullSecrets" -}}
+  {{- $pullSecrets := list }}
+
+  {{- if .global }}
+    {{- range .global.imagePullSecrets -}}
+      {{- $pullSecrets = append $pullSecrets . -}}
+    {{- end -}}
+  {{- end -}}
+
+  {{- range .images -}}
+    {{- range .pullSecrets -}}
+      {{- $pullSecrets = append $pullSecrets . -}}
+    {{- end -}}
+  {{- end -}}
+
+  {{- if (not (empty $pullSecrets)) }}
+imagePullSecrets:
+    {{- range $pullSecrets }}
+  - name: {{ . }}
+    {{- end }}
+  {{- end }}
+{{- end -}}

config/ks-core/templates/_tplvalues.tpl

@@ -0,0 +1,13 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Renders a value that contains template.
+Usage:
+{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }}
+*/}}
+{{- define "common.tplvalues.render" -}}
+    {{- if typeIs "string" .value }}
+        {{- tpl .value .context }}
+    {{- else }}
+        {{- tpl (.value | toYaml) .context }}
+    {{- end }}
+{{- end -}}

config/ks-core/templates/builtinroles.yaml

@@ -0,0 +1,256 @@
+apiVersion: iam.kubesphere.io/v1beta1
+kind: BuiltinRole
+metadata:
+  labels:
+    iam.kubesphere.io/scope: "namespace"
+  name: project-admin
+targetSelector:
+  matchLabels:
+    kubesphere.io/managed: "true"
+role:
+  aggregationRoleTemplates:
+    roleSelector:
+      matchLabels:
+        iam.kubesphere.io/scope: "namespace"
+        kubesphere.io/managed: "true"
+  apiVersion: iam.kubesphere.io/v1beta1
+  kind: Role
+  metadata:
+    annotations:
+      kubesphere.io/creator: system
+      kubesphere.io/description: '{"zh": "管理项目中的所有资源。", "en": "Manage all resources in the project."}'
+      iam.kubesphere.io/auto-aggregate: "true"
+    name: admin
+  rules:
+    - apiGroups:
+        - '*'
+      resources:
+        - '*'
+      verbs:
+        - '*'
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: BuiltinRole
+metadata:
+  labels:
+    iam.kubesphere.io/scope: "namespace"
+  name: project-operator
+targetSelector:
+  matchLabels:
+    kubesphere.io/managed: "true"
+role:
+  aggregationRoleTemplates:
+    roleSelector:
+      matchLabels:
+        iam.kubesphere.io/aggregate-to-operator: ""
+        kubesphere.io/managed: "true"
+        iam.kubesphere.io/scope: "namespace"
+  apiVersion: iam.kubesphere.io/v1beta1
+  kind: Role
+  metadata:
+    annotations:
+      kubesphere.io/creator: system
+      kubesphere.io/description: '{"zh": "管理项目中除用户和角色之外的资源。", "en": "Manage resources other than users and roles in the project."}'
+      iam.kubesphere.io/auto-aggregate: "true"
+    name: operator
+  rules:
+    - apiGroups:
+        - '*'
+      resources:
+        - '*'
+      verbs:
+        - get
+        - list
+        - watch
+    - apiGroups:
+        - ""
+        - apps
+        - extensions
+        - batch
+        - autoscaling
+        - app.k8s.io
+        - operations.kubesphere.io
+        - resources.kubesphere.io
+        - config.istio.io
+        - events.k8s.io
+        - events.kubesphere.io
+        - snapshot.storage.k8s.io
+        - networking.k8s.io
+      resources:
+        - '*'
+      verbs:
+        - '*'
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: BuiltinRole
+metadata:
+  labels:
+    iam.kubesphere.io/scope: "namespace"
+  name: project-viewer
+targetSelector:
+  matchLabels:
+    kubesphere.io/managed: "true"
+role:
+  aggregationRoleTemplates:
+    roleSelector:
+      matchLabels:
+        iam.kubesphere.io/aggregate-to-viewer: ""
+        kubesphere.io/managed: "true"
+        iam.kubesphere.io/scope: "namespace"
+  apiVersion: iam.kubesphere.io/v1beta1
+  kind: Role
+  metadata:
+    annotations:
+      kubesphere.io/creator: system
+      kubesphere.io/description: '{"zh": "查看项目中的所有资源。", "en": "View all resources in the project."}'
+      iam.kubesphere.io/auto-aggregate: "true"
+    name: viewer
+  rules:
+    - apiGroups:
+        - '*'
+      resources:
+        - '*'
+      verbs:
+        - get
+        - list
+        - watch
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: BuiltinRole
+metadata:
+  name: workspace-admin
+  labels:
+    iam.kubesphere.io/scope: "workspace"
+role:
+  aggregationRoleTemplates:
+    roleSelector:
+      matchLabels:
+        iam.kubesphere.io/scope: 'workspace'
+    templateNames:
+      - workspace-manage-workspace-settings
+      - workspace-view-workspace-settings
+      - workspace-manage-projects
+      - workspace-view-projects
+      - workspace-create-projects
+      - workspace-view-members
+      - workspace-manage-members
+      - workspace-manage-roles
+      - workspace-view-roles
+      - workspace-manage-groups
+      - workspace-view-groups
+  apiVersion: iam.kubesphere.io/v1beta1
+  kind: WorkspaceRole
+  metadata:
+    annotations:
+      kubesphere.io/creator: system
+      kubesphere.io/description: '{"zh": "管理企业空间中的所有资源。", "en": "Manage all resources in the workspace."}'
+      iam.kubesphere.io/auto-aggregate: "true"
+    name: admin
+  rules:
+    - apiGroups:
+        - '*'
+      resources:
+        - '*'
+      verbs:
+        - '*'
+
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: BuiltinRole
+metadata:
+  name: workspace-regular
+  labels:
+    iam.kubesphere.io/scope: "workspace"
+role:
+  aggregationRoleTemplates:
+    roleSelector:
+      matchLabels:
+        iam.kubesphere.io/aggregate-to-regular: ""
+        iam.kubesphere.io/scope: "workspace"
+    templateNames:
+      - workspace-view-workspace-settings
+  apiVersion: iam.kubesphere.io/v1beta1
+  kind: WorkspaceRole
+  metadata:
+    annotations:
+      kubesphere.io/creator: system
+      kubesphere.io/description: '{"zh": "查看企业空间设置。", "en": "View workspace settings."}'
+      iam.kubesphere.io/auto-aggregate: "true"
+    name: regular
+  rules:
+    - apiGroups:
+        - '*'
+      resources:
+        - workspaces
+        - workspacemembers
+      verbs:
+        - get
+        - list
+        - watch
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: BuiltinRole
+metadata:
+  name: workspace-self-provisioner
+  labels:
+    iam.kubesphere.io/scope: "workspace"
+role:
+  aggregationRoleTemplates:
+    roleSelector:
+      matchLabels:
+        iam.kubesphere.io/aggregate-to-self-provisioner: ""
+        iam.kubesphere.io/scope: "workspace"
+    templateNames:
+      - workspace-create-projects
+      - workspace-view-workspace-settings
+  apiVersion: iam.kubesphere.io/v1beta1
+  kind: WorkspaceRole
+  metadata:
+    annotations:
+      kubesphere.io/creator: system
+      kubesphere.io/description: '{"zh": "查看企业设置、创建项目。", "en": "View workspace settings, create projects."}'
+      iam.kubesphere.io/auto-aggregate: "true"
+    name: self-provisioner
+  rules: []
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: BuiltinRole
+metadata:
+  name: workspace-viewer
+  labels:
+    iam.kubesphere.io/scope: "workspace"
+role:
+  aggregationRoleTemplates:
+    roleSelector:
+      matchLabels:
+        iam.kubesphere.io/scope: "workspace"
+        iam.kubesphere.io/aggregate-to-viewer: ""
+    templateNames:
+      - workspace-view-projects
+      - workspace-view-members
+      - workspace-view-roles
+      - workspace-view-groups
+      - workspace-view-workspace-settings
+  apiVersion: iam.kubesphere.io/v1beta1
+  kind: WorkspaceRole
+  metadata:
+    annotations:
+      kubesphere.io/creator: system
+      kubesphere.io/description: '{"zh": "查看企业空间中的所有资源。", "en": "View all resources in the workspace."}'
+      iam.kubesphere.io/auto-aggregate: "true"
+    name: viewer
+  rules:
+    - apiGroups:
+        - '*'
+      resources:
+        - '*'
+      verbs:
+        - get
+        - list
+        - watch

config/ks-core/templates/cert-manager.yaml

@@ -0,0 +1,152 @@
+{{- if or (.Values.internalTLS) (.Values.ingress.tls.enabled) -}}
+  {{- if eq .Values.ingress.tls.source "letsEncrypt" -}}
+    {{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1") (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (.Capabilities.APIVersions.Has "cert-manager.io/v1") }}
+    {{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1") }}
+apiVersion: cert-manager.io/v1
+    {{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1") }}
+apiVersion: cert-manager.io/v1beta1
+    {{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") }}
+apiVersion: cert-manager.io/v1alpha2
+    {{- else if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") }}
+apiVersion: certmanager.k8s.io/v1alpha1
+    {{- else }}
+apiVersion: cert-manager.io/v1
+    {{- end }}
+kind: Issuer
+metadata:
+  name: letsencrypt
+  namespace: {{ .Release.Namespace }}
+spec:
+  acme:
+    email: {{ .Values.letsEncrypt.email }}
+    {{- if eq .Values.letsEncrypt.environment "production" }}
+    server: https://acme-v02.api.letsencrypt.org/directory
+    {{- else }}
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    {{- end }}
+    privateKeySecretRef:
+      name: letsencrypt-{{ .Values.letsEncrypt.environment }}
+    {{- if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") }}
+    http01: { }
+    {{- else }}
+    solvers:
+      - http01:
+          ingress:
+            class: {{ .Values.ingress.ingressClassName }}
+    {{- end }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+
+---
+{{- if or (.Values.internalTLS) (.Values.ingress.tls.enabled) -}}
+{{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1") (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (.Capabilities.APIVersions.Has "cert-manager.io/v1") }}
+    {{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1") }}
+apiVersion: cert-manager.io/v1
+    {{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1") }}
+apiVersion: cert-manager.io/v1beta1
+    {{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") }}
+apiVersion: cert-manager.io/v1alpha2
+    {{- else if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") }}
+apiVersion: certmanager.k8s.io/v1alpha1
+    {{- else }}
+apiVersion: cert-manager.io/v1
+    {{- end }}
+kind: Issuer
+metadata:
+  name: self-signed
+  namespace: {{ .Release.Namespace }}
+spec:
+  selfSigned: {}
+{{- end }}
+{{- end }}
+
+---
+{{- if .Values.internalTLS -}}
+  {{- if or (eq .Values.ingress.tls.source "letsEncrypt") (eq .Values.ingress.tls.source "generation") (eq .Values.ingress.tls.source "importation") -}}
+    {{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1") (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (.Capabilities.APIVersions.Has "cert-manager.io/v1") }}
+    {{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1") }}
+apiVersion: cert-manager.io/v1
+    {{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1") }}
+apiVersion: cert-manager.io/v1beta1
+    {{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") }}
+apiVersion: cert-manager.io/v1alpha2
+    {{- else if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") }}
+apiVersion: certmanager.k8s.io/v1alpha1
+    {{- else }}
+apiVersion: cert-manager.io/v1
+    {{- end }}
+kind: Certificate
+metadata:
+  name: ks-apiserver-certificate
+  namespace: {{ .Release.Namespace }}
+spec:
+  # Secret names are always required.
+  secretName: ks-apiserver-tls-certs
+  duration: {{ .Values.certmanager.duration }}
+  renewBefore: {{ .Values.certmanager.renewBefore }}
+  subject:
+    organizations:
+      - ks-apiserver
+  commonName: ks-apiserver
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 2048
+  dnsNames:
+    - ks-apiserver
+    - {{ printf "%s.%s" "ks-apiserver" .Release.Namespace }}
+    - {{ printf "%s.%s.%s" "ks-apiserver" .Release.Namespace "svc" }}
+    - {{ printf "%s.%s.%s" "ks-apiserver" .Release.Namespace "svc.cluster.local" }}
+  issuerRef:
+    name: self-signed
+    kind: Issuer
+    group: cert-manager.io
+    {{- end }}
+  {{- end }}
+{{- end }}
+
+---
+{{- if .Values.internalTLS -}}
+  {{- if or (eq .Values.ingress.tls.source "letsEncrypt") (eq .Values.ingress.tls.source "generation") (eq .Values.ingress.tls.source "importation") -}}
+    {{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1") (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (.Capabilities.APIVersions.Has "cert-manager.io/v1") }}
+    {{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1") }}
+apiVersion: cert-manager.io/v1
+    {{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1") }}
+apiVersion: cert-manager.io/v1beta1
+    {{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") }}
+apiVersion: cert-manager.io/v1alpha2
+    {{- else if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") }}
+apiVersion: certmanager.k8s.io/v1alpha1
+    {{- else }}
+apiVersion: cert-manager.io/v1
+    {{- end }}
+kind: Certificate
+metadata:
+  name: ks-console-certificate
+  namespace: {{ .Release.Namespace }}
+spec:
+  # Secret names are always required.
+  secretName: ks-console-tls-certs
+  duration: {{ .Values.certmanager.duration }}
+  renewBefore: {{ .Values.certmanager.renewBefore }}
+  subject:
+    organizations:
+      - ks-console
+  commonName: ks-console
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 2048
+  dnsNames:
+    - ks-console
+    - {{ printf "%s.%s" "ks-console" .Release.Namespace }}
+    - {{ printf "%s.%s.%s" "ks-console" .Release.Namespace "svc" }}
+    - {{ printf "%s.%s.%s" "ks-console" .Release.Namespace "svc.cluster.local" }}
+  issuerRef:
+    name: self-signed
+    kind: Issuer
+    group: cert-manager.io
+    {{- end }}
+  {{- end }}
+{{- end }}

config/ks-core/templates/clusterroles.yaml

@@ -0,0 +1,56 @@
+apiVersion: iam.kubesphere.io/v1beta1
+kind: ClusterRole
+metadata:
+  annotations:
+    kubesphere.io/creator: system
+    kubesphere.io/description: '{"zh": "管理集群中的所有资源。", "en": "Manage all resources in the cluster."}'
+    iam.kubesphere.io/auto-aggregate: "true"
+  name: cluster-admin
+aggregationRoleTemplates:
+  roleSelector:
+    matchLabels:
+      iam.kubesphere.io/scope: "cluster"
+  templateNames: []
+rules:
+  - apiGroups:
+      - '*'
+    resources:
+      - '*'
+    verbs:
+      - '*'
+  - nonResourceURLs:
+      - '*'
+    verbs:
+      - '*'
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: ClusterRole
+metadata:
+  annotations:
+    kubesphere.io/creator: system
+    kubesphere.io/description: '{"zh": "查看集群中的所有资源。", "en": "View all resources in the cluster."}'
+    iam.kubesphere.io/auto-aggregate: "true"
+  name: cluster-viewer
+aggregationRoleTemplates:
+  roleSelector:
+    matchLabels:
+      iam.kubesphere.io/aggregate-to-cluster-viewer: ""
+  templateNames:
+    - cluster-view-components
+    - cluster-view-volume-snapshot-classes
+    - cluster-view-volumes
+    - cluster-view-roles
+rules:
+  - apiGroups:
+      - '*'
+    resources:
+      - '*'
+    verbs:
+      - get
+      - list
+      - watch
+  - nonResourceURLs:
+      - '*'
+    verbs:
+      - GET

config/ks-core/templates/customresourcefilters.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+stringData:
+  configuration.yaml: |
+    resource:
+      group: "kubesphere.io"
+      version: "v1alpha1"
+      kind: "Extension"
+    regoPolicy: |
+{{ .Files.Get "files/extensions.customresourcefilters.rego" | indent 6 }}
+kind: Secret
+metadata:
+  name: extensions.customresourcefilters
+  namespace: kubesphere-system
+type: config.kubesphere.io/custom-resource-filter

config/ks-core/templates/extension-categories.yaml

@@ -0,0 +1,101 @@
+{{ if eq (include "role" .) "host" }}
+---
+apiVersion: kubesphere.io/v1alpha1
+kind: Category
+metadata:
+  name: ai-machine-learning
+spec:
+  displayName:
+    en: AI / Machine learning
+    zh: AI / 机器学习
+
+---
+apiVersion: kubesphere.io/v1alpha1
+kind: Category
+metadata:
+  name: database
+spec:
+  displayName:
+    en: Database
+    zh: 数据库
+
+---
+apiVersion: kubesphere.io/v1alpha1
+kind: Category
+metadata:
+  name: integration-delivery
+spec:
+  displayName:
+    en: Integration and delivery
+    zh: 集成和交付
+
+---
+apiVersion: kubesphere.io/v1alpha1
+kind: Category
+metadata:
+  name: observability
+spec:
+  displayName:
+    en: Observability
+    zh: 可观测性
+
+---
+apiVersion: kubesphere.io/v1alpha1
+kind: Category
+metadata:
+  name: networking
+spec:
+  displayName:
+    en: Networking
+    zh: 网络
+
+---
+apiVersion: kubesphere.io/v1alpha1
+kind: Category
+metadata:
+  name: security
+spec:
+  displayName:
+    en: Security
+    zh: 安全
+
+---
+apiVersion: kubesphere.io/v1alpha1
+kind: Category
+metadata:
+  name: storage
+spec:
+  displayName:
+    en: Storage
+    zh: 存储
+
+---
+apiVersion: kubesphere.io/v1alpha1
+kind: Category
+metadata:
+  name: streaming-messaging
+spec:
+  displayName:
+    en: Streaming and messaging
+    zh: 流平台和消息中间件
+
+---
+apiVersion: kubesphere.io/v1alpha1
+kind: Category
+metadata:
+  name: dev-tools
+spec:
+  displayName:
+    en: Developer tools
+    zh: 开发者工具
+
+---
+apiVersion: kubesphere.io/v1alpha1
+kind: Category
+metadata:
+  name: computing
+spec:
+  displayName:
+    en: Computing
+    zh: 计算
+{{ end }}

config/ks-core/templates/globalrolebindings.yaml

@@ -0,0 +1,60 @@
+apiVersion: iam.kubesphere.io/v1beta1
+kind: GlobalRoleBinding
+metadata:
+  labels:
+    iam.kubesphere.io/role-ref: platform-admin
+    iam.kubesphere.io/user-ref: admin
+  name: admin
+roleRef:
+  apiGroup: iam.kubesphere.io
+  kind: GlobalRole
+  name: platform-admin
+subjects:
+  - apiGroup: iam.kubesphere.io
+    kind: User
+    name: admin
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: GlobalRoleBinding
+metadata:
+  name: anonymous
+roleRef:
+  apiGroup: iam.kubesphere.io
+  kind: GlobalRole
+  name: anonymous
+subjects:
+  - apiGroup: iam.kubesphere.io
+    kind: Group
+    name: system:unauthenticated
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: GlobalRoleBinding
+metadata:
+  name: authenticated
+roleRef:
+  apiGroup: iam.kubesphere.io
+  kind: GlobalRole
+  name: authenticated
+subjects:
+  - apiGroup: iam.kubesphere.io
+    kind: Group
+    name: system:authenticated
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: GlobalRoleBinding
+metadata:
+  name: pre-registration
+roleRef:
+  apiGroup: iam.kubesphere.io
+  kind: GlobalRole
+  name: pre-registration
+subjects:
+  - apiGroup: iam.kubesphere.io
+    kind: Group
+    name: pre-registration
+  - apiGroup: iam.kubesphere.io
+    kind: User
+    name: system:pre-registration

config/ks-core/templates/globalroles.yaml

@@ -0,0 +1,251 @@
+apiVersion: iam.kubesphere.io/v1beta1
+kind: GlobalRole
+metadata:
+  name: anonymous
+rules:
+  - apiGroups:
+      - config.kubesphere.io
+    resources:
+      - configs
+    verbs:
+      - get
+      - list
+  - nonResourceURLs:
+      - '/static/images/*'
+    verbs:
+      - GET
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: GlobalRole
+metadata:
+  annotations:
+    iam.kubesphere.io/auto-aggregate: "true"
+    iam.kubesphere.io/rego-override: |-
+      package authz
+      default allow = false
+      allow = true {
+        input.Resource == "users"
+        input.User.Name == input.Name
+      }
+      allow = true {
+        allowedResources := ["clustermembers","workspacemembers","namespacemembers"]
+        allowedResources[_] == input.Resource
+        input.User.Name == input.Name
+        allowedVerbs := ["get","list","watch"]
+        allowedVerbs[_] == input.Verb
+      }
+      allow = true {
+        allowedNoneResources := ["/api","/api/v1"]
+        allowedNoneResources[_] == input.Path
+        input.Verb == "GET"
+      }
+      allow = true {
+        input.APIGroup == "tenant.kubesphere.io"
+        input.KubernetesRequest == false
+        allowedVerbs := ["get","list","watch"]
+        allowedVerbs[_] == input.Verb
+      }
+      allow = true {
+        input.Resource == "pods"
+        input.Subresource == "exec"
+        allowedVerbs := ["get","create"]
+        allowedVerbs[_] == input.Verb
+        podName := input.Name
+        prefix := "ks-managed-kubectl-"
+        startswith(podName, prefix) == true
+        input.Namespace == "kubesphere-system"
+        input.User.Name == trim_prefix(podName, prefix)
+      }
+  name: authenticated
+aggregationRoleTemplates:
+  roleSelector:
+    matchLabels:
+      iam.kubesphere.io/aggregate-to-authenticated: ""
+      iam.kubesphere.io/scope: "global"
+rules:
+  - apiGroups:
+      - config.kubesphere.io
+    resources:
+      - configs
+    verbs:
+      - get
+      - list
+  - apiGroups:
+      - iam.kubesphere.io
+    resources:
+      - users
+      - roletemplates
+      - categories
+    verbs:
+      - list
+  - apiGroups:
+      - resources.kubesphere.io
+    resources:
+      - registry
+      - git
+    verbs:
+      - get
+      - create
+  - apiGroups:
+      - resources.kubesphere.io
+    resources:
+      - clusters
+    verbs:
+      - get
+      - list
+  - apiGroups:
+      - '*'
+    resources:
+      - storageclasses
+      - storageclasscapabilities
+      - nodes
+    verbs:
+      - get
+      - list
+  - apiGroups:
+      - resources.kubesphere.io
+    resources:
+      - namespaces
+      - services
+    verbs:
+      - list
+  - apiGroups:
+      - tenant.kubesphere.io
+    resources:
+      - workspacetemplates
+    verbs:
+      - patch
+  - apiGroups:
+      - extensions.kubesphere.io
+    resources:
+      - jsbundles
+      - extensionentries
+    verbs:
+      - get
+      - list
+  - apiGroups:
+      - kubesphere.io
+    resources:
+      - extensions
+    verbs:
+      - get
+      - list
+  - apiGroups:
+      - application.kubesphere.io
+    resources:
+      - 'apps'
+      - 'categories'
+      - 'apps/versions'
+      - 'applications'
+    verbs:
+      - get
+      - list
+  - apiGroups:
+      - cluster.kubesphere.io
+    resources:
+      - 'labels'
+    verbs:
+      - get
+      - list
+  - nonResourceURLs:
+      - '/static/images/*'
+    verbs:
+      - GET
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: GlobalRole
+metadata:
+  annotations:
+    kubesphere.io/creator: admin
+    kubesphere.io/description: '{"zh": "管理 KubeSphere 平台上的所有资源。", "en": "Manage all resources on the KubeSphere platform."}'
+    iam.kubesphere.io/rego-override: >-
+      package authz
+      default allow = false
+      allow = true {
+        allowedScopes := ["Workspace","Namespace","Cluster"]
+        allowedScopes[_] == input.ResourceScope
+        allowedVerbs := ["get","list","watch"]
+        allowedVerbs[_] == input.Verb
+      }
+      allow = true {
+        allowedScopes := ["Workspace","Namespace","Cluster"]
+        allowedScopes[_] == input.ResourceScope
+      }
+    iam.kubesphere.io/auto-aggregate: "true"
+  name: platform-admin
+aggregationRoleTemplates:
+  roleSelector:
+    matchLabels:
+      iam.kubesphere.io/scope: "global"
+  templateNames:
+    - global-manage-clusters
+    - global-view-clusters
+    - global-create-workspaces
+    - global-view-basic
+    - global-manage-app-templates
+    - global-manage-users
+    - global-view-roles
+    - global-manage-platform-settings
+    - global-manage-workspaces
+    - global-view-app-templates
+    - global-view-users
+    - global-manage-roles
+    - global-view-workspaces
+rules:
+  - apiGroups:
+      - '*'
+    resources:
+      - '*'
+    verbs:
+      - '*'
+  - nonResourceURLs:
+      - '*'
+    verbs:
+      - '*'
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: GlobalRole
+metadata:
+  annotations:
+    kubesphere.io/description: '{"zh": "被邀请加入企业空间之前无法访问任何资源。", "en": "Cannot access any resources before joining a workspace."}'
+    kubesphere.io/creator: admin
+  name: platform-regular
+rules: [ ]
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: GlobalRole
+metadata:
+  annotations:
+    kubesphere.io/creator: admin
+    kubesphere.io/description: '{"zh": "创建企业空间并成为所创建的企业空间的管理员。", "en": "Create workspaces and become an administrator of the created workspaces."}'
+  name: platform-self-provisioner
+aggregationRoleTemplates:
+  templateNames:
+    - global-create-workspaces
+rules:
+  - apiGroups:
+      - tenant.kubesphere.io
+    resources:
+      - workspaces
+      - workspacetemplates
+    verbs:
+      - create
+      - watch
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: GlobalRole
+metadata:
+  name: pre-registration
+rules:
+  - apiGroups:
+      - iam.kubesphere.io
+    resources:
+      - users
+    verbs:
+      - create
+      - list

config/ks-core/templates/ingress.yaml

@@ -0,0 +1,67 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ks-console
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- if .Values.internalTLS }}
+    {{- if eq .Values.ingress.ingressClassName "nginx" }}
+    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+    {{- else if eq .Values.ingress.ingressClassName "traefik" }}
+    ingress.kubernetes.io/protocol: "https"
+    {{- end }}
+    {{- end }}
+  {{- if .Values.ingress.tls.enabled }}
+  {{- if eq .Values.ingress.tls.source "letsEncrypt" }}
+    {{- if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") }}
+    certmanager.k8s.io/issuer: letsencrypt
+    {{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1") (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (.Capabilities.APIVersions.Has "cert-manager.io/v1") }}
+    cert-manager.io/issuer: letsencrypt
+    cert-manager.io/issuer-kind: Issuer
+    {{- end }}
+  {{- else if eq .Values.ingress.tls.source "generation" }}
+    {{- if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") }}
+    certmanager.k8s.io/issuer: self-signed
+    {{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1") (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (.Capabilities.APIVersions.Has "cert-manager.io/v1") }}
+    cert-manager.io/issuer: self-signed
+    cert-manager.io/issuer-kind: Issuer
+    {{- end }}
+  {{- end }}
+  {{- end }}
+spec:
+  {{- if .Values.ingress.ingressClassName }}
+  ingressClassName: {{ .Values.ingress.ingressClassName }}
+  {{- end }}
+  rules:
+    - host: {{ .Values.portal.hostname }}
+      http:
+        paths:
+          - backend:
+              {{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (not (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress")) }}
+              service:
+                name: ks-console
+                port:
+                  {{- if .Values.internalTLS }}
+                  number: 443
+                  {{- else }}
+                  number: 80
+                  {{- end }}
+              {{- else }}
+              serviceName: ks-console
+              {{- if .Values.internalTLS }}
+              servicePort: 443
+              {{- else }}
+              servicePort: 80
+              {{- end }}
+              {{- end }}
+            {{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (not (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress")) }}
+            pathType: ImplementationSpecific
+            {{- end }}
+{{- if .Values.ingress.tls.enabled }}
+  tls:
+    - hosts:
+        - {{ .Values.portal.hostname }}
+      secretName: {{ .Values.ingress.tls.secretName }}
+{{- end }}
+{{- end }}

config/ks-core/templates/ks-agent.yaml

@@ -0,0 +1,129 @@
+{{ if eq (include "role" .) "member" }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: ks-agent
+    tier: backend
+    version: {{ .Chart.AppVersion }}
+  name: ks-agent
+  namespace: kubesphere-system
+spec:
+  strategy:
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+    type: RollingUpdate
+  progressDeadlineSeconds: 600
+  replicas: {{ .Values.agent.replicaCount }}
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app: ks-agent
+      tier: backend
+  template:
+    metadata:
+      annotations:
+        # force restart ks-agent after the upgrade is complete if kubesphere-config changes
+        checksum/config: {{ include (print $.Template.BasePath "/kubesphere-config.yaml") . | sha256sum }}
+      labels:
+        app: ks-agent
+        tier: backend
+    spec:
+      serviceAccountName: {{ template "ks-core.serviceAccountName" . }}
+      {{- include "controller.imagePullSecrets" . | nindent 6 }}
+      {{- if .Values.nodeSelector }}
+      nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.nodeSelector "context" $) | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if .Values.tolerations }}
+      tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" .) | nindent 8 }}
+      {{- end }}
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      terminationGracePeriodSeconds: 30
+      containers:
+        - name: ks-apiserver
+          image: {{ template "ks-apiserver.image" . }}
+          imagePullPolicy: {{ .Values.apiserver.image.pullPolicy }}
+          {{- if .Values.apiserver.containerPorts }}
+          ports: {{- include "common.tplvalues.render" (dict "value" .Values.apiserver.containerPorts "context" $) | nindent 12 }}
+          {{- end }}
+          {{- if .Values.apiserver.command }}
+          command: {{- include "common.tplvalues.render" (dict "value" .Values.apiserver.command "context" $) | nindent 12 }}
+          {{- end }}
+          env:
+            {{- if .Values.apiserver.extraEnvVars }}
+            {{- include "common.tplvalues.render" (dict "value" .Values.apiserver.extraEnvVars "context" $) | nindent 12 }}
+            {{- end }}
+          {{- if .Values.apiserver.resources }}
+          resources: {{- toYaml .Values.apiserver.resources | nindent 12 }}
+          {{- end }}
+          livenessProbe:
+            failureThreshold: 8
+            httpGet:
+              path: /version
+              port: 9090
+              scheme: HTTP
+            initialDelaySeconds: 15
+            timeoutSeconds: 15
+          volumeMounts:
+            - mountPath: /etc/kubesphere/
+              name: kubesphere-config
+            - mountPath: /etc/localtime
+              name: host-time
+              readOnly: true
+          {{- if .Values.apiserver.extraVolumeMounts }}
+          {{- include "common.tplvalues.render" (dict "value" .Values.apiserver.extraVolumeMounts "context" $) | nindent 12 }}
+          {{- end }}
+        - name: ks-controller-manager
+          image: {{ template "ks-controller-manager.image" . }}
+          imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
+          {{- if .Values.controller.containerPorts }}
+          ports: {{- include "common.tplvalues.render" (dict "value" .Values.controller.containerPorts "context" $) | nindent 12 }}
+          {{- end }}
+          {{- if .Values.controller.command }}
+          command: {{- include "common.tplvalues.render" (dict "value" .Values.controller.command "context" $) | nindent 12 }}
+          {{- end }}
+          env:
+            {{- if .Values.controller.extraEnvVars }}
+            {{- include "common.tplvalues.render" (dict "value" .Values.controller.extraEnvVars "context" $) | nindent 12 }}
+            {{- end }}
+          {{- if .Values.controller.resources }}
+          resources: {{- toYaml .Values.controller.resources | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+            - mountPath: /etc/kubesphere/
+              name: kubesphere-config
+            - mountPath: /tmp/k8s-webhook-server/serving-certs
+              name: webhook-secret
+            - mountPath: /etc/localtime
+              name: host-time
+              readOnly: true
+          {{- if .Values.controller.extraVolumeMounts }}
+          {{- include "common.tplvalues.render" (dict "value" .Values.controller.extraVolumeMounts "context" $) | nindent 12 }}
+          {{- end }}
+      volumes:
+        - name: kubesphere-config
+          configMap:
+            name: kubesphere-config
+            defaultMode: 420
+        - name: webhook-secret
+          secret:
+            defaultMode: 420
+            secretName: ks-controller-manager-webhook-cert
+        - name: host-time
+          hostPath:
+            path: /etc/localtime
+            type: ""
+        {{- if .Values.controller.extraVolumes }}
+        {{- include "common.tplvalues.render" (dict "value" .Values.controller.extraVolumes "context" $) | nindent 8 }}
+        {{- end }}
+        {{- if .Values.apiserver.extraVolumes }}
+        {{- include "common.tplvalues.render" (dict "value" .Values.apiserver.extraVolumes "context" $) | nindent 8 }}
+        {{- end }}
+{{ end }}

config/ks-core/templates/ks-apiserver.yaml

@@ -0,0 +1,136 @@
+{{ if eq (include "role" .) "host" }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: ks-apiserver
+    tier: backend
+    version: {{ .Chart.AppVersion }}
+  name: ks-apiserver
+  namespace: kubesphere-system
+spec:
+  strategy:
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+    type: RollingUpdate
+  replicas: {{ if .Values.ha.enabled }} 3 {{ else }} 1 {{ end }}
+  selector:
+    matchLabels:
+      app: ks-apiserver
+      tier: backend
+  template:
+    metadata:
+      labels:
+        app: ks-apiserver
+        tier: backend
+      annotations:
+        # force restart ks-apiserver after the upgrade is complete if kubesphere-config changes
+        checksum/config: {{ include (print $.Template.BasePath "/kubesphere-config.yaml") . | sha256sum }}
+    spec:
+      serviceAccountName: {{ template "ks-core.serviceAccountName" . }}
+      {{- include "apiserver.imagePullSecrets" . | nindent 6 }}
+      affinity:
+      {{- with .Values.affinity }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+        podAntiAffinity:
+        {{- if .Values.apiserver.hardAntiAffinity }}
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+                matchLabels:
+                  app: ks-apiserver
+              topologyKey: kubernetes.io/hostname
+              namespaces:
+                - {{ .Release.Namespace | quote }}
+        {{- else }}
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 100
+              podAffinityTerm:
+                labelSelector:
+                  matchLabels:
+                    app: ks-apiserver
+                topologyKey: kubernetes.io/hostname
+                namespaces:
+                  - {{ .Release.Namespace | quote }}
+        {{- end }}
+      {{- if .Values.nodeSelector }}
+      nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.nodeSelector "context" $) | nindent 8 }}
+      {{- end }}
+      {{- if .Values.tolerations }}
+      tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" .) | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: ks-apiserver
+          image: {{ template "ks-apiserver.image" . }}
+          imagePullPolicy: {{ .Values.apiserver.image.pullPolicy }}
+          {{- if .Values.apiserver.containerPorts }}
+          ports: {{- include "common.tplvalues.render" (dict "value" .Values.apiserver.containerPorts "context" $) | nindent 12 }}
+          {{- end }}
+          {{- if .Values.apiserver.command }}
+          command: {{- include "common.tplvalues.render" (dict "value" .Values.apiserver.command "context" $) | nindent 12 }}
+            {{- if .Values.internalTLS }}
+            - --secure-port=9090
+            - --tls-private-key=/etc/kubesphere/pki/tls.key
+            - --tls-cert-file=/etc/kubesphere/pki/tls.crt
+            {{- end }}
+          {{- end }}
+          env:
+            {{- if .Values.apiserver.extraEnvVars }}
+            {{- include "common.tplvalues.render" (dict "value" .Values.apiserver.extraEnvVars "context" $) | nindent 12 }}
+            {{- end }}
+          {{- if .Values.apiserver.resources }}
+          resources: {{- toYaml .Values.apiserver.resources | nindent 12 }}
+          {{- end }}
+          livenessProbe:
+            failureThreshold: 8
+            httpGet:
+              path: /version
+              port: 9090
+            {{- if .Values.internalTLS }}
+              scheme: HTTPS
+            {{- else }}
+              scheme: HTTP
+            {{- end }}
+            initialDelaySeconds: 15
+            timeoutSeconds: 15
+          volumeMounts:
+            - mountPath: /etc/kubesphere/
+              name: kubesphere-config
+            - mountPath: /etc/localtime
+              name: host-time
+              readOnly: true
+          {{- if .Values.apiserver.extraVolumeMounts }}
+          {{- include "common.tplvalues.render" (dict "value" .Values.apiserver.extraVolumeMounts "context" $) | nindent 12 }}
+          {{- end }}
+          {{- if .Values.internalTLS }}
+            - name: tls-cert
+              mountPath: /etc/kubesphere/pki/
+          {{- end }}
+          {{ if .Values.ha.enabled }}
+          env:
+            - name: KUBESPHERE_CACHE_OPTIONS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: redis-secret
+                  key: auth
+          {{ end }}
+      volumes:
+        - configMap:
+            defaultMode: 420
+            name: kubesphere-config
+          name: kubesphere-config
+        - hostPath:
+            path: /etc/localtime
+            type: ""
+          name: host-time
+        {{- if .Values.apiserver.extraVolumes }}
+        {{- include "common.tplvalues.render" (dict "value" .Values.apiserver.extraVolumes "context" $) | nindent 8 }}
+        {{- end }}
+        {{- if .Values.internalTLS }}
+        - name: tls-cert
+          secret:
+            secretName: ks-apiserver-tls-certs
+            defaultMode: 420
+        {{- end }}
+{{ end }}

config/ks-core/templates/ks-apiserver.yml

@@ -1,117 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app: ks-apiserver
-    tier: backend
-    version: {{ .Chart.AppVersion }}
-  name: ks-apiserver
-spec:
-  strategy:
-    rollingUpdate:
-      maxSurge: 0
-    type: RollingUpdate
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      app: ks-apiserver
-      tier: backend
-      # version: {{ .Chart.AppVersion }}
-  template:
-    metadata:
-      labels:
-        app: ks-apiserver
-        tier: backend
-        # version: {{ .Chart.AppVersion }}
-    spec:
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      containers:
-      - command:
-        - ks-apiserver
-        - --logtostderr=true
-        image: {{ .Values.image.ks_apiserver_repo }}:{{ .Values.image.ks_apiserver_tag | default .Chart.AppVersion }}
-        imagePullPolicy: {{ .Values.image.pullPolicy }}
-        name: ks-apiserver
-        ports:
-        - containerPort: 9090
-          protocol: TCP
-        resources:
-          {{- toYaml .Values.apiserver.resources | nindent 12 }}
-        volumeMounts:
-        - mountPath: /etc/kubesphere/
-          name: kubesphere-config
-        - mountPath: /etc/localtime
-          name: host-time
-          readOnly: true
-        {{- if .Values.apiserver.extraVolumeMounts }}
-          {{- toYaml .Values.apiserver.extraVolumeMounts | nindent 8 }}
-        {{- end }}
-        env:
-        {{- if .Values.env }}
-        {{- toYaml .Values.env | nindent 8 }}
-        {{- end }}
-        livenessProbe:
-          failureThreshold: 8
-          httpGet:
-            path: /kapis/version
-            port: 9090
-            scheme: HTTP
-          initialDelaySeconds: 15
-          timeoutSeconds: 15
-      serviceAccountName: {{ include "ks-core.serviceAccountName" . }}
-      {{- with .Values.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      volumes:
-      - configMap:
-          defaultMode: 420
-          name: kubesphere-config
-        name: kubesphere-config
-      - hostPath:
-          path: /etc/localtime
-          type: ""
-        name: host-time
-      {{- if .Values.apiserver.extraVolumes }}
-        {{ toYaml .Values.apiserver.extraVolumes | nindent 6 }}
-      {{- end }}
----
-
-apiVersion: v1
-kind: Service
-metadata:
-  annotations:
-    kubernetes.io/created-by: kubesphere.io/ks-apiserver
-  labels:
-    app: ks-apiserver
-    tier: backend
-    version: {{ .Chart.AppVersion }}
-  name: ks-apiserver
-spec:
-  ports:
-  - port: 80
-    protocol: TCP
-    targetPort: 9090
-    {{- with .Values.apiserver.nodePort }}
-    nodePort:
-      {{- toYaml . | nindent 6 }}
-    {{- end }}
-  selector:
-    app: ks-apiserver
-    tier: backend
-{{- if .Values.apiserver.nodePort }}
-  type: NodePort
-{{- else}}
-  type: ClusterIP
-{{- end}}

config/ks-core/templates/ks-console-config.yaml

@@ -1,4 +1,3 @@
-
 apiVersion: v1
 data:
   local_config.yaml: |
@@ -16,13 +15,21 @@ data:
         host: redis.kubesphere-system.svc
       redisTimeout: 5000
       sessionTimeout: 7200000
+      apiServer:
+    {{- if .Values.internalTLS }}
+        url: https://ks-apiserver
+        wsUrl: wss://ks-apiserver
+    {{- else }}
+        url: http://ks-apiserver
+        wsUrl: ws://ks-apiserver
+    {{ end }}
     client:
       version:
         kubesphere: {{ .Chart.AppVersion }}
-        kubernetes: {{ .Values.kube_version }}
-        openpitrix: {{ .Chart.AppVersion }}
+        kubernetes: {{ .Capabilities.KubeVersion.Version }}
       enableKubeConfig: true
-    defaultClusterName: {{ .Values.console.defaultClusterName }}
+      enableNodeListTerminal: {{ .Values.console.config.enableNodeListTerminal }}
 kind: ConfigMap
 metadata:
   name: ks-console-config
+  namespace: kubesphere-system

config/ks-core/templates/ks-console.yaml

@@ -0,0 +1,188 @@
+{{ if eq (include "role" .) "host" }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: ks-console
+    tier: frontend
+    version: {{ .Chart.AppVersion }}
+  name: ks-console
+  namespace: kubesphere-system
+spec:
+  strategy:
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+    type: RollingUpdate
+  replicas: {{ if .Values.ha.enabled }} 3 {{ else }} 1 {{ end }}
+  selector:
+    matchLabels:
+      app: ks-console
+      tier: frontend
+  template:
+    metadata:
+      labels:
+        app: ks-console
+        tier: frontend
+      annotations:
+        # force restart ks-console after the upgrade is complete if ks-console-config changes
+        checksum/config: {{ include (print $.Template.BasePath "/ks-console-config.yaml") . | sha256sum }}
+    spec:
+      serviceAccount: {{ template "ks-core.serviceAccountName" . }}
+      serviceAccountName: {{ template "ks-core.serviceAccountName" . }}
+      {{- include "console.imagePullSecrets" . | nindent 6 }}
+      {{- if .Values.nodeSelector }}
+      nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.nodeSelector "context" $) | nindent 8 }}
+      {{- end }}
+      affinity:
+      {{- with .Values.affinity }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+        podAntiAffinity:
+        {{- if .Values.console.hardAntiAffinity }}
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+                matchLabels:
+                  app: ks-console
+              topologyKey: kubernetes.io/hostname
+              namespaces:
+                - {{ .Release.Namespace | quote }}
+        {{- else }}
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 100
+              podAffinityTerm:
+                labelSelector:
+                  matchLabels:
+                    app: ks-console
+                topologyKey: kubernetes.io/hostname
+                namespaces:
+                  - {{ .Release.Namespace | quote }}
+        {{- end }}
+        {{- if .Values.tolerations }}
+      tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" .) | nindent 8 }}
+      {{- end }}
+      {{- if .Values.internalTLS }}
+      initContainers:
+        - name: init-ca
+          image: {{ template "kubectl.image" . }}
+          command: [ "/bin/sh", "-c" ]
+          args: [ "cp /tmp/ca.crt /usr/local/share/ca-certificates/ \
+                  && update-ca-certificates && cp /etc/ssl/certs/ca-certificates.crt /certs/"]
+          volumeMounts:
+          - name: tls-cert
+            mountPath: /tmp/ca.crt
+            subPath: ca.crt
+            readOnly: false
+          - name: sys-cert
+            mountPath: /certs
+            readOnly: false
+      {{- end }}
+      containers:
+        - name: ks-console
+          image: {{ template "ks-console.image" . }}
+          imagePullPolicy: {{ .Values.console.image.pullPolicy }}
+          {{- if .Values.console.containerPorts }}
+          ports: {{- include "common.tplvalues.render" (dict "value" .Values.console.containerPorts "context" $) | nindent 12 }}
+          {{- end }}
+          {{- if .Values.console.command }}
+          command: {{- include "common.tplvalues.render" (dict "value" .Values.console.command "context" $) | nindent 12 }}
+          {{- end }}
+          env:
+            {{- if .Values.console.extraEnvVars }}
+            {{- include "common.tplvalues.render" (dict "value" .Values.console.extraEnvVars "context" $) | nindent 12 }}
+            {{- end }}
+            {{- if .Values.internalTLS }}
+            - name: NODE_EXTRA_CA_CERTS
+              value: "/etc/ssl/certs/ca-certificates.crt"
+            {{- end }}
+          {{- if .Values.console.resources }}
+          resources: {{- toYaml .Values.console.resources | nindent 12 }}
+          {{- end }}
+          livenessProbe:
+            tcpSocket:
+              port: 8000
+            initialDelaySeconds: 15
+            timeoutSeconds: 15
+            periodSeconds: 10
+            successThreshold: 1
+            failureThreshold: 8
+          volumeMounts:
+            - name: ks-console-config
+              mountPath: /opt/kubesphere/console/configs/local_config.yaml
+              subPath: local_config.yaml
+            - name: host-time
+              mountPath: /etc/localtime
+              readOnly: true
+          {{- if .Values.console.extraVolumeMounts }}
+          {{- include "common.tplvalues.render" (dict "value" .Values.console.extraVolumeMounts "context" $) | nindent 12 }}
+          {{- end }}
+          {{- if .Values.internalTLS }}
+            - name: tls-cert
+              mountPath: /etc/kubesphere/pki/
+            - name: sys-cert
+              mountPath: /etc/ssl/certs/ca-certificates.crt
+              subPath: ca-certificates.crt
+              readOnly: false
+          {{- end }}
+      volumes:
+        - configMap:
+            defaultMode: 420
+            name: ks-console-config
+            items:
+              - key: local_config.yaml
+                path: local_config.yaml
+          name: ks-console-config
+        - hostPath:
+            path: /etc/localtime
+            type: ""
+          name: host-time
+        {{- if .Values.console.extraVolumes }}
+        {{- include "common.tplvalues.render" (dict "value" .Values.console.extraVolumes "context" $) | nindent 8 }}
+        {{- end }}
+        {{- if .Values.internalTLS }}
+        - name: tls-cert
+          secret:
+            secretName: ks-console-tls-certs
+            defaultMode: 420
+        - name: sys-cert
+          emptyDir: {}
+        {{- end }}
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: ks-console
+    tier: frontend
+    version: {{ .Chart.AppVersion }}
+  annotations:
+    {{- if .Values.internalTLS }}
+    {{- if eq .Values.ingress.ingressClassName "traefik" }}
+    traefik.ingress.kubernetes.io/service.serverstransport: {{ printf "%s-%s@kubernetescrd" .Release.Namespace "ks-console-transport" }}
+    {{- end }}
+    {{- end }}
+  name: ks-console
+spec:
+  ports:
+  - name: nginx
+  {{- if .Values.internalTLS }}
+    port: 443
+  {{- else }}
+    port: 80
+  {{- end }}
+    protocol: TCP
+    targetPort: 8000
+    {{- with .Values.console.nodePort }}
+    nodePort:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+  selector:
+    app: ks-console
+    tier: frontend
+{{- if .Values.console.nodePort }}
+  type: NodePort
+{{- else}}
+  type: ClusterIP
+{{- end}}
+{{ end }}

config/ks-core/templates/ks-console.yml

@@ -1,106 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app: ks-console
-    tier: frontend
-    version: {{ .Chart.AppVersion }}
-  name: ks-console
-spec:
-  strategy:
-    rollingUpdate:
-      maxSurge: 0
-    type: RollingUpdate
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      app: ks-console
-      tier: frontend
-  template:
-    metadata:
-      labels:
-        app: ks-console
-        tier: frontend
-    spec:   
-      containers:
-      - image: {{ .Values.image.ks_console_repo }}:{{ .Values.image.ks_console_tag | default .Chart.AppVersion }}
-        imagePullPolicy: {{ .Values.image.pullPolicy }}
-        name: ks-console
-        resources:
-          {{- toYaml .Values.console.resources | nindent 12 }}
-        volumeMounts:
-        - mountPath: /opt/kubesphere/console/server/local_config.yaml
-          name: ks-console-config
-          subPath: local_config.yaml
-        - mountPath: /etc/localtime
-          name: host-time
-          readOnly: true
-        {{- if .Values.console.extraVolumeMounts }}
-          {{- toYaml .Values.console.extraVolumeMounts | nindent 8 }}
-        {{- end }}
-        livenessProbe:
-          tcpSocket:
-            port: 8000
-          initialDelaySeconds: 15
-          timeoutSeconds: 15
-          periodSeconds: 10
-          successThreshold: 1
-          failureThreshold: 8
-      serviceAccount: {{ include "ks-core.serviceAccountName" . }}
-      serviceAccountName: {{ include "ks-core.serviceAccountName" . }}
-      {{- with .Values.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      volumes:
-      - configMap:
-          defaultMode: 420
-          name: ks-console-config
-          items:
-          - key: local_config.yaml
-            path: local_config.yaml
-        name: ks-console-config
-      - hostPath:
-          path: /etc/localtime
-          type: ""
-        name: host-time
-      {{- if .Values.console.extraVolumes }}
-        {{ toYaml .Values.console.extraVolumes | nindent 6 }}
-      {{- end }}
-
----
-
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: ks-console
-    tier: frontend
-    version: {{ .Chart.AppVersion }}
-  name: ks-console
-spec:
-  ports:
-  - name: nginx
-    port: 80
-    protocol: TCP
-    targetPort: 8000
-    {{- with .Values.console.nodePort }}
-    nodePort:
-      {{- toYaml . | nindent 6 }}
-    {{- end }}    
-  selector:
-    app: ks-console
-    tier: frontend
-{{- if .Values.console.nodePort }}
-  type: NodePort
-{{- else}}
-  type: ClusterIP
-{{- end}}

config/ks-core/templates/ks-controller-manager.yaml

@@ -1,3 +1,4 @@
+{{ if eq (include "role" .) "host" }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -6,113 +7,107 @@ metadata:
     tier: backend
     version: {{ .Chart.AppVersion }}
   name: ks-controller-manager
+  namespace: kubesphere-system
 spec:
   strategy:
     rollingUpdate:
-      maxSurge: 0
+      maxSurge: 1
+      maxUnavailable: 0
     type: RollingUpdate
   progressDeadlineSeconds: 600
-  replicas: {{ .Values.replicaCount }}
+  replicas: {{ if .Values.ha.enabled }}3{{ else }}1{{ end }}
   revisionHistoryLimit: 10
   selector:
     matchLabels:
       app: ks-controller-manager
       tier: backend
-      # version: {{ .Chart.AppVersion }}
   template:
     metadata:
       labels:
         app: ks-controller-manager
         tier: backend
-        # version: {{ .Chart.AppVersion }}
+      annotations:
+        # force restart ks-controller-manager after the upgrade is complete if kubesphere-config changes
+        checksum/config: {{ include (print $.Template.BasePath "/kubesphere-config.yaml") . | sha256sum }}
     spec:
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
+      serviceAccountName: {{ template "ks-core.serviceAccountName" . }}
+      {{- include "controller.imagePullSecrets" . | nindent 6 }}
+      {{- if .Values.nodeSelector }}
+      nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.nodeSelector "context" $) | nindent 8 }}
+      {{- end }}
+      affinity:
+      {{- with .Values.affinity }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      containers:
-      - command:
-        - controller-manager
-        - --logtostderr=true
-        - --leader-elect=true
-        - --controllers=user,workspacetemplate,workspace,workspacerole,workspacerolebinding,namespace
-        image: {{ .Values.image.ks_controller_manager_repo }}:{{ .Values.image.ks_controller_manager_tag | default .Chart.AppVersion }}
-        imagePullPolicy: {{ .Values.image.pullPolicy }}
-        name: ks-controller-manager
-        ports:
-        - containerPort: 8080
-          protocol: TCP
-        - containerPort: 8443
-          protocol: TCP
-        resources:
-          {{- toYaml .Values.controller.resources | nindent 12 }}
-        volumeMounts:
-        - mountPath: /etc/kubesphere/
-          name: kubesphere-config
-        - mountPath: /tmp/k8s-webhook-server/serving-certs
-          name: webhook-secret
-        - mountPath: /etc/localtime
-          name: host-time
-          readOnly: true
-        {{- if .Values.controller.extraVolumeMounts }}
-          {{- toYaml .Values.controller.extraVolumeMounts | nindent 8 }}
-        {{- end }}
-        env:
-        {{- if .Values.env }}
-        {{- toYaml .Values.env | nindent 8 }}
+        podAntiAffinity:
+        {{- if .Values.controller.hardAntiAffinity }}
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+                matchLabels:
+                  app: ks-controller-manager
+              topologyKey: kubernetes.io/hostname
+              namespaces:
+                - {{ .Release.Namespace | quote }}
+        {{- else }}
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 100
+              podAffinityTerm:
+                labelSelector:
+                  matchLabels:
+                    app: ks-controller-manager
+                topologyKey: kubernetes.io/hostname
+                namespaces:
+                  - {{ .Release.Namespace | quote }}
         {{- end }}
+      {{- if .Values.tolerations }}
+      tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" .) | nindent 8 }}
+      {{- end }}
       dnsPolicy: ClusterFirst
       restartPolicy: Always
       schedulerName: default-scheduler
-      serviceAccountName: {{ include "ks-core.serviceAccountName" . }}
       terminationGracePeriodSeconds: 30
+      containers:
+        - name: ks-controller-manager
+          image: {{ template "ks-controller-manager.image" . }}
+          imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
+          {{- if .Values.controller.containerPorts }}
+          ports: {{- include "common.tplvalues.render" (dict "value" .Values.controller.containerPorts "context" $) | nindent 12 }}
+          {{- end }}
+          {{- if .Values.controller.command }}
+          command: {{- include "common.tplvalues.render" (dict "value" .Values.controller.command "context" $) | nindent 12 }}
+          {{- end }}
+          env:
+            {{- if .Values.controller.extraEnvVars }}
+            {{- include "common.tplvalues.render" (dict "value" .Values.controller.extraEnvVars "context" $) | nindent 12 }}
+            {{- end }}
+          {{- if .Values.controller.resources }}
+          resources: {{- toYaml .Values.controller.resources | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+            - mountPath: /etc/kubesphere/
+              name: kubesphere-config
+            - mountPath: /tmp/k8s-webhook-server/serving-certs
+              name: webhook-secret
+            - mountPath: /etc/localtime
+              name: host-time
+              readOnly: true
+          {{- if .Values.controller.extraVolumeMounts }}
+          {{- include "common.tplvalues.render" (dict "value" .Values.controller.extraVolumeMounts "context" $) | nindent 12 }}
+          {{- end }}
       volumes:
-      - name: kubesphere-config
-        configMap:
-          name: kubesphere-config
-          defaultMode: 420
-      - name: webhook-secret
-        secret:
-          defaultMode: 420
-          secretName: ks-controller-manager-webhook-cert
-      - hostPath:
-          path: /etc/localtime
-          type: ""
-        name: host-time
-      {{- if .Values.controller.extraVolumes }}
-        {{ toYaml .Values.controller.extraVolumes | nindent 6 }}
-      {{- end }}
-      {{- with .Values.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-
----
-
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: ks-controller-manager
-    tier: backend
-    version: {{ .Chart.AppVersion }}
-  name: ks-controller-manager
-spec:
-  ports:
-  - port: 443
-    protocol: TCP
-    targetPort: 8443
-  selector:
-    app: ks-controller-manager
-    tier: backend
-    # version: {{ .Chart.AppVersion }}
-  sessionAffinity: None
-  type: ClusterIP
+        - name: kubesphere-config
+          configMap:
+            name: kubesphere-config
+            defaultMode: 420
+        - name: webhook-secret
+          secret:
+            defaultMode: 420
+            secretName: ks-controller-manager-webhook-cert
+        - hostPath:
+            path: /etc/localtime
+            type: ""
+          name: host-time
+        {{- if .Values.controller.extraVolumes }}
+        {{- include "common.tplvalues.render" (dict "value" .Values.controller.extraVolumes "context" $) | nindent 8 }}
+        {{- end }}
+{{ end }}

config/ks-core/templates/kubesphere-config.yaml

@@ -1,4 +1,3 @@
-{{- if .Values.config.create -}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -6,29 +5,91 @@ metadata:
 data:
   kubesphere.yaml: |
     authentication:
-      authenticateRateLimiterMaxTries: {{ .Values.config.authentication.authenticateRateLimiterMaxTries | default 10 }}
-      authenticateRateLimiterDuration: {{ .Values.config.authentication.authenticationRateLimiterDuration | default "10m0s" }}
-      loginHistoryRetentionPeriod: {{ .Values.config.authentication.loginHistoryRetentionPeriod | default "168h"  }}
-      maximumClockSkew: {{ .Values.config.authentication.maximumClockSkew | default "10s" }}
-      multipleLogin: {{ .Values.console.enableMultiLogin | default true }}
-      kubectlImage: {{ .Values.image.ks_kubectl_repo }}:{{ .Values.image.ks_kubectl_tag | default "latest" }}
-      jwtSecret: "{{ .Values.config.jwtSecret | default (randAlphaNum 32 ) }}"
-{{- if .Values.config.authentication.oauthOptions }}
-      {{- with .Values.config.authentication.oauthOptions }}
-      oauthOptions:
-        {{- toYaml . | nindent 8 }}
+      authenticateRateLimiterMaxTries: {{ .Values.authentication.authenticateRateLimiterMaxTries | default 10 }}
+      authenticateRateLimiterDuration: {{ .Values.authentication.authenticationRateLimiterDuration | default "10m0s" }}
+      loginHistoryRetentionPeriod: {{ .Values.authentication.loginHistoryRetentionPeriod | default "168h"  }}
+      multipleLogin: {{ .Values.authentication.enableMultiLogin | default true }}
+      issuer:
+        url: {{ include "portal.url" . | quote }}
+        jwtSecret: {{ include "jwtSecret" . | quote }}
+        maximumClockSkew: {{ .Values.authentication.issuer.maximumClockSkew | default "10s" }}
+        {{- if eq (include "role" .) "member" }}
+        accessTokenMaxAge: 0s
+        {{- else }}
+        accessTokenMaxAge: {{ .Values.authentication.issuer.accessTokenMaxAge }}
+        {{- end }}
+        accessTokenInactivityTimeout: {{ .Values.authentication.issuer.accessTokenInactivityTimeout }}
+    {{- if .Values.s3 }}
+    s3:
+      endpoint: {{ .Values.s3.endpoint | quote  }}
+      region: {{ .Values.s3.region | default "us-east-1"  }}
+      disableSSL: {{ .Values.s3.disableSSL | default false  }}
+      forcePathStyle: {{ .Values.s3.forcePathStyle | default false  }}
+      accessKeyID: {{ .Values.s3.accessKeyID | default "admin"  }}
+      secretAccessKey: {{ .Values.s3.secretAccessKey | default "admin"  }}
+      bucket: {{ .Values.s3.bucket | default "uploads"  }}
+      {{- end }}
+    multicluster:
+      clusterRole: {{ include "role" . | quote }}
+      hostClusterName: {{ include "hostClusterName" . | include "validateHostClusterName" | quote }}
+    terminal:
+      kubectl:
+        image: {{ template "kubectl.image" . }}
+      node:
+        image:  {{ template "nodeShell.image" . }}
+      uploadFileLimit: 100Mi
+    helmExecutor:
+      image: {{ template "helm.image" . }}
+      timeout: {{ .Values.helmExecutor.timeout }}
+      historyMax: {{ .Values.helmExecutor.historyMax }}
+      jobTTLAfterFinished: {{ .Values.helmExecutor.jobTTLAfterFinished }}
+      {{- if .Values.helmExecutor.resources }}
+      resources: {{- toYaml .Values.helmExecutor.resources | nindent 8 }}
+      {{- end }}
+    extension:
+      imageRegistry: {{ default .Values.extension.imageRegistry "" | quote }}
+      {{- if .Values.extension.nodeSelector }}
+      nodeSelector: {{- toYaml .Values.extension.nodeSelector | nindent 8 }}
+      {{- end }}
+      {{- if and .Values.extension.ingress .Values.extension.ingress.domainSuffix }}
+      ingress:
+        ingressClassName: {{ .Values.extension.ingress.ingressClassName }}
+        domainSuffix: {{ .Values.extension.ingress.domainSuffix }}
+        httpPort: {{ .Values.extension.ingress.httpPort }}
+        httpsPort: {{ .Values.extension.ingress.httpsPort }}
+      {{- end }}
+    experimental:
+      {{- $validationDirective := (.Values.experimental).validationDirective | default ""  }}
+      {{- if not (or (eq $validationDirective "") (eq $validationDirective "Ignore") (eq $validationDirective "Strict") (eq $validationDirective "Warn")) }}
+        {{- fail "Invalid value for validationDirective. Must be '', 'Ignore', 'Strict', or 'Warn'." }}
+      {{- else }}
+      validationDirective: {{ $validationDirective | quote }}
+      {{- end }}
+    composedApp:
+      appSelector: {{ .Values.composedApp.appSelector | quote }}
+    kubesphere:
+      tls: {{ .Values.internalTLS }}
+    {{- if and .Values.cloud.enabled (eq (include "role" .) "host") }}
+    telemetry:
+      {{- if eq .Values.cloud.env "clouddev.kubesphere.io" }}
+      ksCloudURL: "https://clouddev.kubesphere.io"
+      {{- else if eq .Values.cloud.env "kubesphere.cloud" }}
+      ksCloudURL: "https://kubesphere.cloud"
+      {{- else if and .Values.cloud.customEnv .Values.cloud.customEnv.url }}
+      ksCloudURL: {{ $.Values.cloud.customEnv.url | quote }}
       {{- end }}
-{{- else if eq (default .Values.config.multicluster.clusterRole "none") "member" }}
-      oauthOptions:
-        accessTokenMaxAge: 0
-{{- end }}
-    monitoring:
-      endpoint: {{ .Values.config.monitoring.endpoint | default "http://prometheus-operated.kubesphere-monitoring-system.svc:9090" }}
-    notification:
-      endpoint: {{ .Values.config.notification.endpoint | default "http://notification-manager-svc.kubesphere-monitoring-system.svc:19093" }}
-    {{- with .Values.config.servicemesh }}
-    servicemesh:
-      {{- toYaml . | nindent 6 }}
     {{- end }}
-
-{{- end }}
+    {{- if .Values.ha.enabled -}}
+    {{- if .Values.ha.cache }}
+    cache: {{- toYaml .Values.ha.cache | nindent 6}}
+    {{- else }}
+    cache:
+      type: redis
+      options:
+        host: redis.kubesphere-system.svc
+        port: {{ if .Values.redisHA.enabled }}{{ .Values.redisHA.haproxy.servicePort | default 6379 }}{{ else }}{{ .Values.redis.port | default 6379 }}{{ end }}
+        password: KUBESPHERE_CACHE_OPTIONS_PASSWORD
+        db: 0
+    {{- end }}
+    {{- end }}
+    auditing: {{- toYaml .Values.auditing | nindent 6}}

config/ks-core/templates/oauthclient-config.yaml

@@ -0,0 +1,20 @@
+{{ if eq (include "role" .) "host" }}
+apiVersion: v1
+stringData:
+  configuration.yaml: |
+    name: kubesphere
+    secret: kubesphere
+    grantMethod: auto
+    trusted: true
+    scopeRestrictions:
+      - 'openid'
+      - 'email'
+      - 'profile'
+kind: Secret
+metadata:
+  name: oauthclient-kubesphere
+  namespace: kubesphere-system
+  labels:
+    config.kubesphere.io/type: oauthclient
+type: config.kubesphere.io/oauthclient
+{{ end }}

config/ks-core/templates/post-delete-job.yaml

@@ -0,0 +1,88 @@
+{{- $kubeVersion := .Capabilities.KubeVersion }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: "{{ .Release.Name }}-post-delete-scripts"
+  annotations:
+    "helm.sh/hook": post-delete
+    "helm.sh/hook-weight": "-1"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+data:
+  map.yaml: |
+    mappings:
+    {{- range $path, $_ := .Files.Glob "charts/ks-crds/crds/**" }}
+    {{- $crd := $.Files.Get $path | fromYaml }}
+    {{- range $_, $version := $crd.spec.versions }}
+      - deprecatedAPI: "apiVersion: {{ $crd.spec.group }}/{{ $version.name }}\nkind: {{ $crd.spec.names.kind }}\n"
+        removedInVersion: "{{ $kubeVersion }}"
+    {{- end }}
+    {{- end }}
+{{ (.Files.Glob "scripts/post-delete.sh").AsConfig | indent 2 }}
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: "{{ .Release.Name }}-post-delete"
+  annotations:
+    "helm.sh/hook": post-delete
+    "helm.sh/hook-weight": "-1"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: "{{ .Release.Name }}-post-delete"
+  annotations:
+    "helm.sh/hook": post-delete
+    "helm.sh/hook-weight": "-1"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: "{{ .Release.Name }}-post-delete"
+    namespace: {{ .Release.Namespace }}
+
+---
+
+{{- $crdNameList := list }}
+{{- range $path, $_ := .Files.Glob "charts/ks-crds/crds/**" }}
+{{- $crd := $.Files.Get $path | fromYaml }}
+{{- $crdNameList = append $crdNameList $crd.metadata.name }}
+{{- end }}
+
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: "{{ .Release.Name }}-post-delete"
+  annotations:
+    "helm.sh/hook": post-delete
+    "helm.sh/hook-weight": "0"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  template:
+    spec:
+      restartPolicy: Never
+      serviceAccountName: "{{ .Release.Name }}-post-delete"
+      containers:
+        - name: post-delete-job
+          image: {{ template "kubectl.image" . }}
+          command:
+            - /bin/bash
+            - /scripts/post-delete.sh
+            - '{{ join " " $crdNameList }}'
+            - /scripts/map.yaml
+          volumeMounts:
+            - mountPath: /scripts
+              name: scripts
+      volumes:
+        - name: scripts
+          configMap:
+            name: "{{ .Release.Name }}-post-delete-scripts"
+            defaultMode: 420

config/ks-core/templates/post-patch-system-ns-job.yaml

@@ -0,0 +1,28 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: "{{ .Release.Name }}-post-patch-system-ns"
+  annotations:
+    "helm.sh/hook": post-install
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+spec:
+  template:
+    spec:
+      restartPolicy: Never
+      serviceAccountName: {{ include "ks-core.serviceAccountName" . }}
+      containers:
+        - name: post-patch-system-ns
+          image:  {{ template "kubectl.image" . }}
+          command:
+            - /bin/bash
+            - -c
+            - |
+              kubectl create namespace kubesphere-controls-system --dry-run=client -o yaml | kubectl apply -f -
+              for ns in kubesphere-system kubesphere-controls-system default kube-node-lease kube-public kube-system;
+              do
+                kubectl label ns $ns kubesphere.io/workspace=system-workspace
+                kubectl label ns $ns kubesphere.io/managed=true
+              done
+              kubectl get ns -l 'kubesphere.io/workspace,!kubesphere.io/managed' --no-headers -o custom-columns=NAME:.metadata.name | \
+              xargs -I {} kubectl label ns {} kubesphere.io/managed=true

config/ks-core/templates/redis.yaml

@@ -0,0 +1,148 @@
+{{- if and .Values.ha.enabled (not .Values.ha.cache) }}
+{{- if lookup "v1" "Secret" "kubesphere-system" "redis-secret" }}
+{{- lookup "v1" "Secret" "kubesphere-system" "redis-secret" | toYaml }}
+{{- else }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: redis-secret
+  namespace: kubesphere-system
+type: Opaque
+data:
+  auth: {{  randAlphaNum 15 | b64enc }}
+{{- end }}
+{{- end }}
+
+{{- if and (and .Values.ha.enabled (not .Values.redisHA.enabled)) (not .Values.ha.cache) }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: redis
+    tier: database
+    version: redis-4.0
+  name: redis
+  namespace: kubesphere-system
+spec:
+  replicas: {{ .Values.redis.replicaCount }}
+  selector:
+    matchLabels:
+      app: redis
+      tier: database
+  template:
+    metadata:
+      labels:
+        app: redis
+        tier: database
+        version: redis-4.0
+    spec:
+      containers:
+        - image: {{ template "redis.image" . }}
+          imagePullPolicy: {{ .Values.redis.image.pullPolicy }}
+          command: ['sh', '-c', 'cat /tmp/redis/redis.conf | sed "s/REDIS_PASSWORD/$KUBESPHERE_CACHE_OPTIONS_PASSWORD/" > /data/redis.conf | redis-server /data/redis.conf']
+          name: redis
+          args: ["/data/redis.conf"]
+          env:
+            - name: KUBESPHERE_CACHE_OPTIONS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: redis-secret
+                  key: auth
+          volumeMounts:
+            - name: redis-config
+              mountPath: "/tmp/redis"
+              readOnly: true
+{{- if .Values.redis.persistentVolume.enabled }}
+            - mountPath: /data
+              name: redis-pvc
+              subPath: redis-data
+{{- end }}
+          ports:
+            - containerPort: {{ .Values.redis.port | default 6379 }}
+              protocol: TCP
+          resources:
+            limits:
+              cpu: 1000m
+              memory: 1000Mi
+            requests:
+              cpu: 20m
+              memory: 100Mi
+      volumes:
+        - name: redis-config
+          configMap:
+            name: redis-configmap
+{{- if .Values.redis.persistentVolume.enabled }}
+        - name: redis-pvc
+          persistentVolumeClaim:
+            claimName: redis-pvc
+{{- end }}
+      affinity: {{ if .Values.affinity }}{{ .Values.affinity | toYaml | nindent 8 }}
+        {{- else }}
+        nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 100
+              preference:
+                matchExpressions:
+                  - key: node-role.kubernetes.io/master
+                    operator: In
+                    values:
+                      - ""
+        {{- end }}
+      {{- if .Values.nodeSelector }}
+      nodeSelector: {{- toYaml .Values.nodeSelector | nindent 8 }}{{- end }}
+      {{- if .Values.tolerations }}
+      tolerations: {{- toYaml .Values.tolerations | nindent 8 }}{{- end }}
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: redis-configmap
+  labels:
+    app: redis
+    tier: database
+    version: redis-4.0
+data:
+  redis.conf: |
+    requirepass REDIS_PASSWORD
+    masterauth REDIS_PASSWORD
+    port {{ .Values.redis.port | default 6379 }}
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: redis
+    tier: database
+  name: redis
+  namespace: kubesphere-system
+spec:
+  ports:
+    - name: redis
+      port: {{ .Values.redis.port | default 6379 }}
+      protocol: TCP
+      targetPort: {{ .Values.redis.port | default 6379 }}
+  selector:
+    app: redis
+    tier: database
+  sessionAffinity: None
+  type: ClusterIP
+
+{{- if .Values.redis.persistentVolume.enabled }}
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: redis-pvc
+  namespace: kubesphere-system
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: {{ .Values.redis.persistentVolume.size | default "2Gi" }}
+{{- end }}
+
+{{- end }}

config/ks-core/templates/role-templates.yaml

@@ -1,247 +0,0 @@
----
-apiVersion: iam.kubesphere.io/v1alpha2
-kind: GlobalRole
-metadata:
-  annotations:
-    iam.kubesphere.io/aggregation-roles: '["role-template-manage-clusters","role-template-view-clusters","role-template-view-roles","role-template-view-workspaces","role-template-manage-workspaces","role-template-manage-users","role-template-view-users","role-template-manage-app-templates","role-template-view-app-templates","role-template-manage-platform-settings"]'
-    kubesphere.io/creator: admin
-  name: platform-admin
-rules:
-  - apiGroups:
-      - '*'
-    resources:
-      - '*'
-    verbs:
-      - '*'
-  - nonResourceURLs:
-      - '*'
-    verbs:
-      - '*'
-
----
-apiVersion: iam.kubesphere.io/v1alpha2
-kind: GlobalRole
-metadata:
-  name: anonymous
-rules: []
-
----
-apiVersion: iam.kubesphere.io/v1alpha2
-kind: GlobalRoleBinding
-metadata:
-  name: anonymous
-roleRef:
-  apiGroup: iam.kubesphere.io/v1alpha2
-  kind: GlobalRole
-  name: anonymous
-subjects:
-  - apiGroup: iam.kubesphere.io/v1alpha2
-    kind: Group
-    name: system:unauthenticated
-
----
-apiVersion: iam.kubesphere.io/v1alpha2
-kind: GlobalRole
-metadata:
-  annotations:
-    iam.kubesphere.io/role-template-rules: '{"basic": "view"}'
-  labels:
-    iam.kubesphere.io/role-template: "true"
-  name: role-template-view-basic
-rules: []
-
----
-apiVersion: iam.kubesphere.io/v1alpha2
-kind: GlobalRole
-metadata:
-  annotations:
-    iam.kubesphere.io/module: Clusters Management
-    iam.kubesphere.io/role-template-rules: '{"clusters": "view"}'
-    kubesphere.io/alias-name: Clusters View
-  labels:
-    iam.kubesphere.io/role-template: "true"
-  name: role-template-view-clusters
-rules: []
-
----
-apiVersion: iam.kubesphere.io/v1alpha2
-kind: GlobalRole
-metadata:
-  annotations:
-    iam.kubesphere.io/dependencies: '["role-template-view-clusters"]'
-    iam.kubesphere.io/module: Clusters Management
-    iam.kubesphere.io/role-template-rules: '{"clusters": "manage"}'
-    kubesphere.io/alias-name: Clusters Management
-  labels:
-    iam.kubesphere.io/role-template: "true"
-  name: role-template-manage-clusters
-rules: []
-
----
-apiVersion: iam.kubesphere.io/v1alpha2
-kind: GlobalRole
-metadata:
-  annotations:
-    iam.kubesphere.io/module: Access Control
-    iam.kubesphere.io/role-template-rules: '{"workspaces": "view"}'
-    kubesphere.io/alias-name: Workspaces View
-  labels:
-    iam.kubesphere.io/role-template: "true"
-    kubefed.io/managed: "true"
-  name: role-template-view-workspaces
-rules: []
-
----
-apiVersion: iam.kubesphere.io/v1alpha2
-kind: GlobalRole
-metadata:
-  annotations:
-    iam.kubesphere.io/dependencies: '["role-template-view-workspaces"]'
-    iam.kubesphere.io/module: Access Control
-    iam.kubesphere.io/role-template-rules: '{"workspaces": "manage"}'
-    kubesphere.io/alias-name: Workspaces Management
-  labels:
-    iam.kubesphere.io/role-template: "true"
-  name: role-template-manage-workspaces
-rules: []
-
-
----
-apiVersion: iam.kubesphere.io/v1alpha2
-kind: GlobalRole
-metadata:
-  annotations:
-    iam.kubesphere.io/module: Access Control
-    iam.kubesphere.io/role-template-rules: '{"users": "view"}'
-    kubesphere.io/alias-name: Users View
-  labels:
-    iam.kubesphere.io/role-template: "true"
-  name: role-template-view-users
-rules: []
-
----
-apiVersion: iam.kubesphere.io/v1alpha2
-kind: GlobalRole
-metadata:
-  annotations:
-    iam.kubesphere.io/dependencies: '["role-template-view-users","role-template-view-roles"]'
-    iam.kubesphere.io/module: Access Control
-    iam.kubesphere.io/role-template-rules: '{"users": "manage"}'
-    kubesphere.io/alias-name: Users Management
-  labels:
-    iam.kubesphere.io/role-template: "true"
-  name: role-template-manage-users
-rules: []
-
----
-apiVersion: iam.kubesphere.io/v1alpha2
-kind: GlobalRole
-metadata:
-  annotations:
-    iam.kubesphere.io/dependencies: '["role-template-view-users"]'
-    iam.kubesphere.io/module: Access Control
-    iam.kubesphere.io/role-template-rules: '{"roles": "view"}'
-    kubesphere.io/alias-name: Roles View
-  labels:
-    iam.kubesphere.io/role-template: "true"
-  name: role-template-view-roles
-rules: []
-
----
-apiVersion: iam.kubesphere.io/v1alpha2
-kind: GlobalRole
-metadata:
-  annotations:
-    iam.kubesphere.io/dependencies: '["role-template-view-roles"]'
-    iam.kubesphere.io/module: Access Control
-    iam.kubesphere.io/role-template-rules: '{"roles": "manage"}'
-    kubesphere.io/alias-name: Roles Management
-  labels:
-    iam.kubesphere.io/role-template: "true"
-  name: role-template-manage-roles
-rules: []
-
----
-apiVersion: iam.kubesphere.io/v1alpha2
-kind: GlobalRole
-metadata:
-  annotations:
-    iam.kubesphere.io/module: Apps Management
-    iam.kubesphere.io/role-template-rules: '{"app-templates": "view"}'
-    kubesphere.io/alias-name: App Templates View
-  labels:
-    iam.kubesphere.io/role-template: "true"
-  name: role-template-view-app-templates
-rules: []
-
----
-apiVersion: iam.kubesphere.io/v1alpha2
-kind: GlobalRole
-metadata:
-  annotations:
-    iam.kubesphere.io/dependencies: '["role-template-view-app-templates"]'
-    iam.kubesphere.io/module: Apps Management
-    iam.kubesphere.io/role-template-rules: '{"app-templates": "manage"}'
-    kubesphere.io/alias-name: App Templates Management
-  labels:
-    iam.kubesphere.io/role-template: "true"
-  name: role-template-manage-app-templates
-rules: []
-
----
-apiVersion: iam.kubesphere.io/v1alpha2
-kind: GlobalRole
-metadata:
-  annotations:
-    iam.kubesphere.io/module: Platform Settings
-    iam.kubesphere.io/role-template-rules: '{"platform-settings": "manage"}'
-    kubesphere.io/alias-name: Platform Settings Management
-  labels:
-    iam.kubesphere.io/role-template: "true"
-  name: role-template-manage-platform-settings
-rules: []
-
----
-apiVersion: iam.kubesphere.io/v1alpha2
-kind: GlobalRoleBinding
-metadata:
-  name: admin
-roleRef:
-  apiGroup: iam.kubesphere.io/v1alpha2
-  kind: GlobalRole
-  name: platform-admin
-subjects:
-  - apiGroup: iam.kubesphere.io/v1alpha2
-    kind: User
-    name: admin
-
----
-apiVersion: tenant.kubesphere.io/v1alpha2
-kind: WorkspaceTemplate
-metadata:
-  labels:
-    kubefed.io/managed: "false"
-  annotations:
-    kubesphere.io/creator: admin
-    kubesphere.io/description: "system-workspace is a built-in workspace automatically created by KubeSphere. It contains all system components to run KubeSphere."
-  name: system-workspace
-spec:
-  placement:
-    clusterSelector: {}
-  template:
-    spec:
-      manager: admin
-      networkIsolation: false
-
----
-apiVersion: tenant.kubesphere.io/v1alpha1
-kind: Workspace
-metadata:
-  labels:
-    kubefed.io/managed: "false"
-  annotations:
-    kubesphere.io/creator: admin
-  name: system-workspace
-spec:
-  manager: admin
-  networkIsolation: false

config/ks-core/templates/roletemplate-categories.yaml

@@ -0,0 +1,276 @@
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: Category
+metadata:
+  labels:
+    iam.kubesphere.io/scope: "global"
+    kubesphere.io/managed: 'true'
+  name: global-platform-settings
+spec:
+  displayName:
+    en: 'Platform Settings'
+    zh: '平台设置'
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: Category
+metadata:
+  labels:
+    iam.kubesphere.io/scope: "global"
+    kubesphere.io/managed: 'true'
+  name: global-access-control
+spec:
+  displayName:
+    en: Access Control
+    zh: '访问控制'
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: Category
+metadata:
+  labels:
+    iam.kubesphere.io/scope: "global"
+    kubesphere.io/managed: 'true'
+  name: global-workspace-management
+spec:
+  displayName:
+    en: Workspace
+    zh: '企业空间'
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: Category
+metadata:
+  labels:
+    iam.kubesphere.io/scope: "global"
+    kubesphere.io/managed: 'true'
+  name: global-cluster-management
+spec:
+  displayName:
+    en: Cluster Management
+    zh: '集群管理'
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: Category
+metadata:
+  labels:
+    iam.kubesphere.io/scope: "cluster"
+    kubesphere.io/managed: 'true'
+  name: cluster-access-control
+spec:
+  displayName:
+    en: Access Control
+    zh: '访问控制'
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: Category
+metadata:
+  labels:
+    iam.kubesphere.io/scope: "cluster"
+    kubesphere.io/managed: 'true'
+  name: cluster-resource-management
+spec:
+  displayName:
+    en: Cluster Resources
+    zh: '集群资源'
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: Category
+metadata:
+  labels:
+    iam.kubesphere.io/scope: "cluster"
+    kubesphere.io/managed: 'true'
+  name: cluster-settings
+spec:
+  displayName:
+    en: Cluster Settings
+    zh: '集群设置'
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: Category
+metadata:
+  labels:
+    iam.kubesphere.io/scope: "cluster"
+    kubesphere.io/managed: 'true'
+  name: cluster-app-workloads-management
+spec:
+  displayName:
+    en: Application Workloads
+    zh: '应用负载'
+
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: Category
+metadata:
+  labels:
+    iam.kubesphere.io/scope: "cluster"
+    kubesphere.io/managed: 'true'
+  name: cluster-project-management
+spec:
+  displayName:
+    en: Project
+    zh: '项目'
+
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: Category
+metadata:
+  labels:
+    iam.kubesphere.io/scope: "cluster"
+    kubesphere.io/managed: 'true'
+  name: cluster-storage-management
+spec:
+  displayName:
+    en: Storage
+    zh: '存储'
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: Category
+metadata:
+  labels:
+    iam.kubesphere.io/scope: "workspace"
+    kubesphere.io/managed: 'true'
+  name: workspace-settings
+spec:
+  displayName:
+    en: Workspace Settings
+    zh: '企业空间设置'
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: Category
+metadata:
+  labels:
+    iam.kubesphere.io/scope: "workspace"
+    kubesphere.io/managed: 'true'
+  name: workspace-project-management
+spec:
+  displayName:
+    en: Projects
+    zh: '项目'
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: Category
+metadata:
+  labels:
+    iam.kubesphere.io/scope: "workspace"
+    kubesphere.io/managed: 'true'
+  name: workspace-access-control
+spec:
+  displayName:
+    en: Access Control
+    zh: '访问控制'
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: Category
+metadata:
+  labels:
+    iam.kubesphere.io/scope: "namespace"
+    kubesphere.io/managed: "true"
+  name: namespace-access-control
+spec:
+  displayName:
+    en: Access Control
+    zh: '访问控制'
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: Category
+metadata:
+  labels:
+    iam.kubesphere.io/scope: "namespace"
+    kubesphere.io/managed: "true"
+  name: namespace-configuration-management
+spec:
+  displayName:
+    en: Configuration
+    zh: '配置'
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: Category
+metadata:
+  labels:
+    iam.kubesphere.io/scope: "namespace"
+    kubesphere.io/managed: "true"
+  name: namespace-storage-management
+spec:
+  displayName:
+    en: Storage
+    zh: '存储'
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: Category
+metadata:
+  labels:
+    iam.kubesphere.io/scope: "namespace"
+    kubesphere.io/managed: "true"
+  name: namespace-application-workloads
+spec:
+  displayName:
+    en: Application Workloads
+    zh: '应用负载'
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: Category
+metadata:
+  labels:
+    iam.kubesphere.io/scope: "namespace"
+    kubesphere.io/managed: "true"
+  name: namespace-settings
+spec:
+  displayName:
+    en: Project Settings
+    zh: '项目设置'
+
+---
+  # category
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: Category
+metadata:
+  labels:
+    iam.kubesphere.io/scope: "global"
+    kubesphere.io/managed: "true"
+  name: manage-app
+spec:
+  displayName:
+    en: 'AppStore Manage'
+    zh: '应用商店管理'
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: Category
+metadata:
+  labels:
+    iam.kubesphere.io/scope: "workspace"
+    kubesphere.io/managed: "true"
+  name: workspace-app
+spec:
+  displayName:
+    en: 'Workspace Apps'
+    zh: '应用管理'
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: Category
+metadata:
+  labels:
+    iam.kubesphere.io/scope: "namespace"
+    kubesphere.io/managed: "true"
+  name: namespace-app
+spec:
+  displayName:
+    en: 'App Releases'
+    zh: '应用'

config/ks-core/templates/serviceaccount.yaml

@@ -3,12 +3,34 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "ks-core.serviceAccountName" . }}
+  namespace: kubesphere-system
   labels:
     {{- include "ks-core.labels" . | nindent 4 }}
   {{- with .Values.serviceAccount.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
+
+{{- if semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.GitVersion }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "ks-core.serviceAccountTokenName" . }}
+  labels:
+    kubesphere.io/service-account-token: ""
+    {{- include "ks-core.labels" . | nindent 4 }}
+  {{- if .Values.serviceAccount.annotations }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+    kubernetes.io/service-account.name: {{ include "ks-core.serviceAccountName" . }}
+    {{- end }}
+  {{- else }}
+  annotations:
+    kubernetes.io/service-account.name: {{ include "ks-core.serviceAccountName" . }}
+  {{- end }}
+type: kubernetes.io/service-account-token
 {{- end }}
 
 ---
@@ -23,4 +45,5 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ include "ks-core.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: kubesphere-system
+{{- end }}

config/ks-core/templates/services.yaml

@@ -0,0 +1,63 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    kubernetes.io/created-by: kubesphere.io/ks-apiserver
+  labels:
+    app: ks-apiserver
+    tier: backend
+    version: {{ .Chart.AppVersion }}
+  name: ks-apiserver
+  namespace: kubesphere-system
+spec:
+  ports:
+    - protocol: TCP
+    {{- if .Values.internalTLS }}
+      port: 443
+    {{- else }}
+      port: 80
+    {{- end }}
+      targetPort: 9090
+    {{- with .Values.apiserver.nodePort }}
+      nodePort:
+      {{- toYaml . | nindent 8 }}
+    {{- end }}
+  selector:
+    {{- if eq (include "role" .) "host" }}
+    app: ks-apiserver
+    {{- else }}
+    app: ks-agent
+    {{- end }}
+    tier: backend
+    # version: {{ .Chart.AppVersion }}
+{{- if .Values.apiserver.nodePort }}
+  type: NodePort
+{{- else}}
+  type: ClusterIP
+{{- end}}
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: ks-controller-manager
+    tier: backend
+    version: {{ .Chart.AppVersion }}
+  name: ks-controller-manager
+  namespace: kubesphere-system
+spec:
+  ports:
+    - port: 443
+      protocol: TCP
+      targetPort: 8443
+  selector:
+    {{- if eq (include "role" .) "host" }}
+    app: ks-controller-manager
+    {{- else }}
+    app: ks-agent
+    {{- end }}
+    tier: backend
+    # version: {{ .Chart.AppVersion }}
+  sessionAffinity: None
+  type: ClusterIP

config/ks-core/templates/tls-secrets.yaml

@@ -0,0 +1,48 @@
+{{- if ne .Values.ingress.tls.source "letsEncrypt" -}}
+{{- if and (not (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1")) (not (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2")) (not (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1")) (not (.Capabilities.APIVersions.Has "cert-manager.io/v1")) }}
+{{- $ca := genCA "self-signed-ca" 3650 -}}
+{{- $cert := genSignedCert "ks-apiserver" nil (list "ks-apiserver" (printf "%s.%s" "ks-apiserver" .Release.Namespace) (printf "%s.%s.%s" "ks-apiserver" .Release.Namespace "svc")) 3650 $ca -}}
+{{- if .Values.internalTLS }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ks-apiserver-tls-certs
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+  ca.crt: {{  b64enc $ca.Cert }}
+  tls.crt: {{ b64enc $cert.Cert }}
+  tls.key: {{ b64enc $cert.Key }}
+{{- end }}
+
+---
+{{- $consolecert := genSignedCert "ks-console" nil (list "ks-console" (printf "%s.%s" "ks-console" .Release.Namespace) (printf "%s.%s.%s" "ks-console" .Release.Namespace "svc") .Values.portal.hostname) 3650 $ca -}}
+{{- if .Values.internalTLS }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ks-console-tls-certs
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+  ca.crt: {{ b64enc $ca.Cert }}
+  tls.crt: {{ b64enc $consolecert.Cert }}
+  tls.key: {{ b64enc $consolecert.Key }}
+{{- end }}
+
+---
+{{- $ingresscert := genSignedCert .Values.portal.hostname nil (list .Values.portal.hostname) 3650 $ca -}}
+{{- if and ( .Values.ingress.enabled ) ( .Values.ingress.tls.enabled ) (eq .Values.ingress.tls.source "generation") }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.ingress.tls.secretName }}
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+  ca.crt: {{  b64enc $ca.Cert }}
+  tls.crt: {{ b64enc $ingresscert.Cert }}
+  tls.key: {{ b64enc $ingresscert.Key }}
+{{- end }}
+{{- end }}
+{{- end }}

config/ks-core/templates/traefik.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.internalTLS }}
+{{- if eq .Values.ingress.ingressClassName "traefik" }}
+apiVersion: traefik.containo.us/v1alpha1
+kind: ServersTransport
+metadata:
+  name: ks-console-transport
+  namespace: {{ .Release.Namespace }}
+spec:
+  serverName: ks-console
+  insecureSkipVerify: false
+  rootCAsSecrets:
+    - ks-console-tls-certs
+{{- end }}
+{{- end }}

config/ks-core/templates/user.yaml

@@ -1,11 +1,11 @@
----
-apiVersion: iam.kubesphere.io/v1alpha2
+apiVersion: iam.kubesphere.io/v1beta1
 kind: User
 metadata:
   name: admin
   annotations:
     iam.kubesphere.io/uninitialized: "true"
-    helm.sh/resource-policy: keep
+    iam.kubesphere.io/globalrole: "platform-admin"
+    kubesphere.io/creator: "system"
 spec:
   email: admin@kubesphere.io
   password: {{ include "getOrDefaultPass" . | quote }}

config/ks-core/templates/webhook.yaml

@@ -1,4 +1,4 @@
-{{- $ca := genCA "ks-controller-manager-ca" 3650 }}
+{{- $ca := genCA "self-signed-ca" 3650 }}
 {{- $cn := printf "%s-admission-webhook" .Release.Name }}
 {{- $altName1 := printf "ks-controller-manager.%s" .Release.Namespace }}
 {{- $altName2 := printf "ks-controller-manager.%s.svc" .Release.Namespace }}
@@ -13,78 +13,82 @@ kind: Secret
 metadata:
   name: ks-controller-manager-webhook-cert
 type: Opaque
+
+{{ if eq (include "role" .) "host" }}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   name: users.iam.kubesphere.io
-webhooks:
-- admissionReviewVersions:
-  - v1beta1
-  clientConfig:
-    caBundle: {{ b64enc $ca.Cert | quote }}
-    service:
-      name: ks-controller-manager
-      namespace: {{ .Release.Namespace }}
-      path: /validate-email-iam-kubesphere-io-v1alpha2
-      port: 443
-  failurePolicy: Fail
-  matchPolicy: Exact
-  name: users.iam.kubesphere.io
-  namespaceSelector:
-    matchExpressions:
-    - key: control-plane
-      operator: DoesNotExist
-  objectSelector: {}
-  rules:
-  - apiGroups:
-    - iam.kubesphere.io
-    apiVersions:
-    - v1alpha2
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - users
-    scope: '*'
-  sideEffects: None
-  timeoutSeconds: 30
-
----
-
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
-  name: network.kubesphere.io
 webhooks:
   - admissionReviewVersions:
-      - v1beta1
+      - v1
     clientConfig:
       caBundle: {{ b64enc $ca.Cert | quote }}
       service:
         name: ks-controller-manager
-        namespace: {{ .Release.Namespace }}
-        path: /validate-network-kubesphere-io-v1alpha1
+        namespace: kubesphere-system
+        path: /validate-iam-kubesphere-io-v1beta1-user
         port: 443
-    failurePolicy: Fail
+    failurePolicy: Ignore
     matchPolicy: Exact
-    name: validating-network.kubesphere.io
-    namespaceSelector:
+    name: users.iam.kubesphere.io
+    namespaceSelector: {}
+    objectSelector:
       matchExpressions:
-        - key: control-plane
-          operator: DoesNotExist
-    objectSelector: {}
+        - key: app.kubernetes.io/managed-by
+          operator: NotIn
+          values:
+            - Helm
     rules:
       - apiGroups:
-          - network.kubesphere.io
+          - iam.kubesphere.io
         apiVersions:
-          - v1alpha1
+          - v1beta1
         operations:
           - CREATE
           - UPDATE
-          - DELETE
         resources:
-          - ippools
+          - users
+        scope: '*'
+    sideEffects: None
+    timeoutSeconds: 30
+
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: defaulter.installplan.kubesphere.io
+webhooks:
+  - admissionReviewVersions:
+      - v1
+    clientConfig:
+      caBundle: {{ b64enc $ca.Cert | quote }}
+      service:
+        name: ks-controller-manager
+        namespace: kubesphere-system
+        path: /mutate-kubesphere-io-v1alpha1-installplan
+        port: 443
+    failurePolicy: Fail
+    matchPolicy: Exact
+    name: installplans.kubesphere.io
+    namespaceSelector: {}
+    objectSelector:
+      matchExpressions:
+        - key: app.kubernetes.io/managed-by
+          operator: NotIn
+          values:
+            - Helm
+    rules:
+      - apiGroups:
+          - kubesphere.io
+        apiVersions:
+          - 'v1alpha1'
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - installplans
         scope: '*'
     sideEffects: None
     timeoutSeconds: 30
@@ -93,15 +97,55 @@ webhooks:
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
-  name: resourcesquotas.quota.kubesphere.io
+  name: validator.installplan.kubesphere.io
 webhooks:
   - admissionReviewVersions:
-      - v1beta1
+      - v1
     clientConfig:
       caBundle: {{ b64enc $ca.Cert | quote }}
       service:
         name: ks-controller-manager
-        namespace: {{ .Release.Namespace }}
+        namespace: kubesphere-system
+        path: /validate-kubesphere-io-v1alpha1-installplan
+        port: 443
+    failurePolicy: Fail
+    matchPolicy: Exact
+    name: installplans.kubesphere.io
+    namespaceSelector: {}
+    objectSelector:
+      matchExpressions:
+        - key: app.kubernetes.io/managed-by
+          operator: NotIn
+          values:
+            - Helm
+    rules:
+      - apiGroups:
+          - kubesphere.io
+        apiVersions:
+          - 'v1alpha1'
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - installplans
+        scope: '*'
+    sideEffects: None
+    timeoutSeconds: 30
+{{ end }}
+
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: resourcesquotas.quota.kubesphere.io
+webhooks:
+  - admissionReviewVersions:
+      - v1
+    clientConfig:
+      caBundle: {{ b64enc $ca.Cert | quote }}
+      service:
+        name: ks-controller-manager
+        namespace: kubesphere-system
         path: /validate-quota-kubesphere-io-v1alpha2
         port: 443
     failurePolicy: Ignore
@@ -111,13 +155,15 @@ webhooks:
     objectSelector: {}
     rules:
       - apiGroups:
-          - '*'
+          - ''
         apiVersions:
-          - '*'
+          - v1
         operations:
           - CREATE
         resources:
           - pods
+          - persistentvolumeclaims
+          - services
         scope: '*'
     sideEffects: None
 
@@ -125,32 +171,259 @@ webhooks:
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
-  name: storageclass-accessor.storage.kubesphere.io
+  name: extensions.kubesphere.io
 webhooks:
+  {{- if eq (include "role" .) "host" }}
   - admissionReviewVersions:
-      - v1beta1
+      - v1
     clientConfig:
       caBundle: {{ b64enc $ca.Cert | quote }}
       service:
         name: ks-controller-manager
-        namespace: {{ .Release.Namespace }}
-        path: /persistentvolumeclaims
+        namespace: kubesphere-system
+        path: /validate-extensions-kubesphere-io-v1alpha1-jsbundle
         port: 443
-    failurePolicy: Ignore
+    failurePolicy: Fail
     matchPolicy: Exact
-    name: storageclass-accessor.storage.kubesphere.io
+    name: jsbundles.extensions.kubesphere.io
     namespaceSelector: {}
     objectSelector: {}
     rules:
       - apiGroups:
-          - '*'
+          - extensions.kubesphere.io
         apiVersions:
-          - '*'
+          - v1alpha1
         operations:
           - CREATE
           - UPDATE
-          - DELETE
         resources:
-          - persistentvolumeclaims
+          - jsbundles
         scope: '*'
-    sideEffects: None
+    sideEffects: None
+    timeoutSeconds: 30
+  {{- end }}
+  - admissionReviewVersions:
+      - v1
+    clientConfig:
+      caBundle: {{ b64enc $ca.Cert | quote }}
+      service:
+        name: ks-controller-manager
+        namespace: kubesphere-system
+        path: /validate-extensions-kubesphere-io-v1alpha1-apiservice
+        port: 443
+    failurePolicy: Fail
+    matchPolicy: Exact
+    name: apiservices.extensions.kubesphere.io
+    namespaceSelector: {}
+    objectSelector: {}
+    rules:
+      - apiGroups:
+          - extensions.kubesphere.io
+        apiVersions:
+          - v1alpha1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - apiservices
+        scope: '*'
+    sideEffects: None
+    timeoutSeconds: 30
+  - admissionReviewVersions:
+      - v1
+    clientConfig:
+      caBundle: {{ b64enc $ca.Cert | quote }}
+      service:
+        name: ks-controller-manager
+        namespace: kubesphere-system
+        path: /validate-extensions-kubesphere-io-v1alpha1-reverseproxy
+        port: 443
+    failurePolicy: Fail
+    matchPolicy: Exact
+    name: reverseproxies.extensions.kubesphere.io
+    namespaceSelector: {}
+    objectSelector: {}
+    rules:
+      - apiGroups:
+          - extensions.kubesphere.io
+        apiVersions:
+          - v1alpha1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - reverseproxies
+        scope: '*'
+    sideEffects: None
+    timeoutSeconds: 30
+  - admissionReviewVersions:
+      - v1
+    clientConfig:
+      caBundle: {{ b64enc $ca.Cert | quote }}
+      service:
+        name: ks-controller-manager
+        namespace: kubesphere-system
+        path: /validate-extensions-kubesphere-io-v1alpha1-extensionentry
+        port: 443
+    failurePolicy: Fail
+    matchPolicy: Exact
+    name: extensionentries.extensions.kubesphere.io
+    namespaceSelector: {}
+    objectSelector: {}
+    rules:
+      - apiGroups:
+          - extensions.kubesphere.io
+        apiVersions:
+          - v1alpha1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - extensionentries
+        scope: '*'
+    sideEffects: None
+    timeoutSeconds: 30
+
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: validator.config.kubesphere.io
+webhooks:
+  - admissionReviewVersions:
+      - v1
+    clientConfig:
+      caBundle: {{ b64enc $ca.Cert | quote }}
+      service:
+        name: ks-controller-manager
+        namespace: kubesphere-system
+        path: /validate--v1-secret
+        port: 443
+    failurePolicy: Ignore
+    matchPolicy: Exact
+    name: validator.config.kubesphere.io
+    namespaceSelector: {}
+    objectSelector:
+      matchExpressions:
+        - key: config.kubesphere.io/type
+          operator: Exists
+    rules:
+      - apiGroups:
+          - ""
+        apiVersions:
+          - v1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - secrets
+        scope: '*'
+    sideEffects: None
+    timeoutSeconds: 30
+
+{{- if eq (include "role" .) "host" }}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: extensions.kubesphere.io
+webhooks:
+  - admissionReviewVersions:
+      - v1
+    clientConfig:
+      caBundle: {{ b64enc $ca.Cert | quote }}
+      service:
+        name: ks-controller-manager
+        namespace: kubesphere-system
+        path: /mutate-extensions-kubesphere-io-v1alpha1-jsbundle
+        port: 443
+    failurePolicy: Fail
+    matchPolicy: Exact
+    name: jsbundles.extensions.kubesphere.io
+    namespaceSelector: {}
+    objectSelector: {}
+    rules:
+      - apiGroups:
+          - extensions.kubesphere.io
+        apiVersions:
+          - v1alpha1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - jsbundles
+        scope: '*'
+    sideEffects: None
+    timeoutSeconds: 30
+{{- end }}
+
+---
+
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: serviceaccount.kubesphere.io
+webhooks:
+  - admissionReviewVersions:
+      - v1
+    clientConfig:
+      caBundle: {{ b64enc $ca.Cert | quote }}
+      service:
+        name: ks-controller-manager
+        namespace: kubesphere-system
+        path: /serviceaccount-pod-injector
+        port: 443
+    failurePolicy: Ignore
+    matchPolicy: Exact
+    name: serviceaccount-pod-injector.kubesphere.io
+    namespaceSelector: {}
+    objectSelector: {}
+    rules:
+      - apiGroups:
+          - ""
+        apiVersions:
+          - v1
+        operations:
+          - CREATE
+        resources:
+          - pods
+        scope: '*'
+    sideEffects: None
+    timeoutSeconds: 30
+
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: defaulter.config.kubesphere.io
+webhooks:
+  - admissionReviewVersions:
+      - v1
+    clientConfig:
+      caBundle: {{ b64enc $ca.Cert | quote }}
+      service:
+        name: ks-controller-manager
+        namespace: kubesphere-system
+        path: /mutate--v1-secret
+        port: 443
+    failurePolicy: Ignore
+    matchPolicy: Exact
+    name: defaulter.config.kubesphere.io
+    namespaceSelector: {}
+    objectSelector:
+      matchExpressions:
+        - key: config.kubesphere.io/type
+          operator: Exists
+    rules:
+      - apiGroups:
+          - ""
+        apiVersions:
+          - v1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - secrets
+        scope: '*'
+    sideEffects: None
+    timeoutSeconds: 30

config/ks-core/templates/workspace.yaml

@@ -0,0 +1,15 @@
+{{ if eq (include "role" .) "host" }}
+apiVersion: tenant.kubesphere.io/v1beta1
+kind: WorkspaceTemplate
+metadata:
+  annotations:
+    kubesphere.io/creator: admin
+    kubesphere.io/description: "system-workspace is a built-in workspace automatically created by KubeSphere. It contains all system components to run KubeSphere."
+  name: system-workspace
+spec:
+  placement:
+    clusterSelector: {}
+  template:
+    spec:
+      manager: admin
+{{ end }}