Update README.md

update README to 2.0.0

.github/.stale.yaml

@@ -4,8 +4,8 @@ daysUntilStale: 30
 daysUntilClose: 14
 # Issues with these labels will never be considered stale
 exemptLabels:
-  - lifecycle/frozen
-staleLabel: lifecycle/stale
+  - frozen
+staleLabel: stale
 # Comment to post when marking an issue as stale. Set to `false` to disable
 markComment: >
   This issue has been automatically marked as stale because it has not had

.gitignore

@@ -23,3 +23,4 @@ tmp/
 
 # OSX trash
 .DS_Store
+api.json

.travis.yml

@@ -7,24 +7,23 @@ git:
   depth: false
 
 go:
-  - 1.10
+  - 1.12
 
 go_import_path: kubesphere.io/kubesphere
 
 before_install:
-  - curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh
+  - go get -u github.com/golang/dep/cmd/dep
 
 before_script:
-  - dep ensure -v
   - docker --version
-  - dep ensure -v
+  - bash hack/install_kubebuilder.sh
 
 script:
-  - make fmt-check && make build
+  - make all 
 
 deploy:
   skip_cleanup: true
   provider: script
-  script: bash install/scripts/docker_push
+  script: bash hack/docker_build.sh 
   on:
     branch: master

Dockerfile

@@ -1,17 +0,0 @@
-# Copyright 2018 The KubeSphere Authors. All rights reserved.
-# Use of this source code is governed by a Apache license
-# that can be found in the LICENSE file.
-
-FROM kubesphere/kubesphere-builder as builder
-
-WORKDIR /go/src/kubesphere.io/kubesphere/
-COPY . .
-
-RUN go generate kubesphere.io/kubesphere/pkg/version && \
-	go install  kubesphere.io/kubesphere/cmd/...
-
-FROM alpine:3.6
-RUN apk add --update ca-certificates && update-ca-certificates
-COPY --from=builder /go/bin/* /usr/local/bin/
-
-CMD ["sh"]

Dockerfile.dev

@@ -1,10 +0,0 @@
-FROM alpine:3.6
-
-RUN apk add --update ca-certificates \
-    && update-ca-certificates \ 
-    && mkdir -p /etc/kubesphere/ingress-controller
-
-COPY ./bin/* /usr/local/bin/
-COPY ./install/ingress-controller /etc/kubesphere/ingress-controller
-COPY ./install/swagger-ui        /usr/lib/kubesphere/swagger-ui
-CMD ["sh"]

Gopkg.toml

@@ -1,76 +1,78 @@
-# Gopkg.toml example
-#
-# Refer to https://github.com/golang/dep/blob/master/docs/Gopkg.toml.md
-# for detailed Gopkg.toml documentation.
-#
-# required = ["github.com/user/thing/cmd/thing"]
-# ignored = ["github.com/user/project/pkgX", "bitbucket.org/user/project/pkgA/pkgY"]
-#
-# [[constraint]]
-#   name = "github.com/user/project"
-#   version = "1.0.0"
-#
-# [[constraint]]
-#   name = "github.com/user/project2"
-#   branch = "dev"
-#   source = "github.com/myfork/project2"
-#
-# [[override]]
-#   name = "github.com/x/y"
-#   version = "2.4.0"
-#
-# [prune]
-#   non-go = false
-#   go-tests = true
-#   unused-packages = true
-
-[[constraint]]
-  name = "github.com/coreos/etcd"
-  version = "3.3.7"
+required = [
+    "github.com/emicklei/go-restful",
+    "github.com/onsi/ginkgo", # for test framework
+    "github.com/onsi/gomega", # for test matchers
+    "k8s.io/gengo/examples/defaulter-gen/generators",
+    "k8s.io/gengo/examples/deepcopy-gen/generators",
+    "k8s.io/client-go/plugin/pkg/client/auth/gcp", # for development against gcp
+    "k8s.io/code-generator/cmd/client-gen",
+    "sigs.k8s.io/controller-tools/cmd/controller-gen", # for crd/rbac generation
+    "sigs.k8s.io/controller-runtime/pkg/client/config",
+    "sigs.k8s.io/controller-runtime/pkg/controller",
+    "sigs.k8s.io/controller-runtime/pkg/handler",
+    "sigs.k8s.io/controller-runtime/pkg/manager",
+    "sigs.k8s.io/controller-runtime/pkg/runtime/signals",
+    "sigs.k8s.io/controller-runtime/pkg/source",
+    "sigs.k8s.io/testing_frameworks/integration", # for integration testing
+    "github.com/kubesphere/s2ioperator/pkg/client/clientset/versioned",
+    "github.com/kubesphere/s2ioperator/pkg/client/informers/externalversions",
+    "github.com/kubesphere/s2ioperator/pkg/apis/devops/v1alpha1"
+]
 
 [[constraint]]
   name = "github.com/docker/docker"
   version = "v17.05.0-ce"
 
-[[constraint]]
-  name = "github.com/emicklei/go-restful"
-  version = "2.7.1"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/golang/glog"
-
-[[constraint]]
-  name = "github.com/spf13/pflag"
-  version = "1.0.1"
-
-[[constraint]]
-  name = "gopkg.in/igm/sockjs-go.v2"
-  version = "2.0.0"
-
-[[constraint]]
-  name = "gopkg.in/yaml.v2"
-  version = "2.2.1"
-
-[[constraint]]
+[[override]]
   name = "k8s.io/api"
-  version = "kubernetes-1.10.0"
+  version = "kubernetes-1.13.1"
 
-[[constraint]]
+[[override]]
   name = "k8s.io/apimachinery"
-  version = "kubernetes-1.10.0"
+  version = "kubernetes-1.13.1"
+
+[[override]]
+  name = "k8s.io/apiserver"
+  version = "kubernetes-1.13.1"
 
 [[constraint]]
+  name = "k8s.io/code-generator"
+  version = "kubernetes-1.13.1"
+
+[[override]]
   name = "k8s.io/client-go"
-  version = "7.0.0"
+  version = "kubernetes-1.13.1"
 
 [[constraint]]
   name = "k8s.io/kubernetes"
-  version = "1.10.4"
+  version = "1.13.1"
+
+[[constraint]]
+  name="sigs.k8s.io/controller-runtime"
+  version="v0.1.7"
+
+[[constraint]]
+  name="sigs.k8s.io/controller-tools"
+  version="v0.1.7"
+
+[[constraint]]
+  name="github.com/kubesphere/s2ioperator"
+  version="v0.0.8"
+
+[[override]]
+  name="github.com/bifurcation/mint"
+  revision="824af65410658916142a7600349144e1289f2110"
 
 [prune]
   go-tests = true
   unused-packages = true
+  non-go = true
+
+[[prune.project]]
+  name = "k8s.io/code-generator"
+  unused-packages = false
+  non-go = false
+
 
 # To use reference package:
 #   vendor/github.com/docker/docker/client/container_commit.go:17: undefined: reference.ParseNormalizedNamed
@@ -87,4 +89,47 @@
 #   vendor/github.com/docker/docker/registry/service_v2.go:11: cannot call non-function tlsconfig.ServerDefault (type tls.Config)
 [[override]]
   name = "github.com/docker/go-connections"
-  branch = "master"
+  version = "0.4.0"
+
+# For dependency below: Refer to issue https://github.com/golang/dep/issues/1799
+[[override]]
+  name = "gopkg.in/fsnotify.v1"
+  source = "https://github.com/fsnotify/fsnotify.git"
+  version = "v1.4.7"
+
+[[override]]
+  name = "github.com/russross/blackfriday"
+  version = "v1.5.2"
+
+# offical application controller doesn't limit observe scope to namespace
+# use our own version instead
+[[constraint]]
+  name = "sigs.k8s.io/application"
+  source = "https://github.com/kubesphere/application"
+  branch = "kubesphere"
+
+[[constraint]]
+  name = "github.com/kiali/kiali"
+  source = "https://github.com/kubesphere/kiali"
+  branch = "kubesphere"
+
+[[constraint]]
+  name = "github.com/kubernetes-sigs/application"
+  source = "https://github.com/kubesphere/application"
+  branch = "kubesphere"
+
+[[constraint]]
+  name = "github.com/knative/pkg"
+  revision = "cd278f2d3394c865fda66bca12459e879e0279b8"
+
+[[constraint]]
+  name = "gopkg.in/igm/sockjs-go.v2"
+  version = "2.0.0"
+
+[[constraint]]
+  name = "github.com/gocraft/dbr"
+  revision = "a0fd650918f6287ffe111d1c7b66bb755ff3be4a"
+
+[[constraint]]
+  name = "github.com/kubesphere/sonargo"
+  version = "0.0.2"

Makefile

@@ -3,107 +3,83 @@
 # that can be found in the LICENSE file.
 
 # The binary to build 
-BIN ?= kubesphere
+BIN ?= ks-apiserver
 
-TRAG.Org:=kubesphere
-TRAG.Name:=ks-apiserver
-TRAG.Gopkg:=kubesphere.io/kubesphere
-TRAG.Version:=$(TRAG.Gopkg)/pkg/version
+IMG ?= kubespheredev/ks-apiserver
+OUTPUT_DIR=bin
 
-DOCKER_TAGS=latest
-RUN_IN_DOCKER:=docker run -it --rm -v `pwd`:/go/src/$(TRAG.Gopkg) -v `pwd`/tmp/cache:/root/.cache/go-build  -w /go/src/$(TRAG.Gopkg) -e GOBIN=/go/src/$(TRAG.Gopkg)/tmp/bin -e USER_ID=`id -u` -e GROUP_ID=`id -g` kubesphere/kubesphere-builder
-GO_FMT:=goimports -l -w -e -local=kubesphere -srcdir=/go/src/$(TRAG.Gopkg)
-GO_FILES:=./cmd ./pkg
-
-REGISTRY ?= kubespheredev/ks-apiserver
-
-define get_diff_files
-    $(eval DIFF_FILES=$(shell git diff --name-only --diff-filter=ad | grep -E "^(test|cmd|pkg)/.+\.go"))
+define ALL_HELP_INFO
+# Build code.
+#
+# Args:
+#   WHAT: Directory names to build.  If any of these directories has a 'main'
+#     package, the build will produce executable files under $(OUT_DIR).
+#     If not specified, "everything" will be built.
+#   GOFLAGS: Extra flags to pass to 'go' when building.
+#   GOLDFLAGS: Extra linking flags passed to 'go' when building.
+#   GOGCFLAGS: Additional go compile flags passed to 'go' when building.
+#
+# Example:
+#   make
+#   make all
+#   make all WHAT=cmd/ks-apiserver
+#     Note: Use the -N -l options to disable compiler optimizations an inlining.
+#           Using these build options allows you to subsequently use source
+#           debugging tools like delve.
 endef
-define get_build_flags
-    $(eval SHORT_VERSION=$(shell git describe --tags --always --dirty="-dev"))
-    $(eval SHA1_VERSION=$(shell git show --quiet --pretty=format:%H))
-	$(eval DATE=$(shell date +'%Y-%m-%dT%H:%M:%S'))
-	$(eval BUILD_FLAG= -X $(TRAG.Version).ShortVersion="$(SHORT_VERSION)" \
-		-X $(TRAG.Version).GitSha1Version="$(SHA1_VERSION)" \
-		-X $(TRAG.Version).BuildDate="$(DATE)")
-endef
-
 .PHONY: all
-all: generate build
+all: test ks-apiserver ks-apigateway ks-iam controller-manager
 
-.PHONY: help
-help:
-# TODO: update help info to last version
-	@echo "TODO"
+# Build ks-apiserver binary
+ks-apiserver: test
+	hack/gobuild.sh cmd/ks-apiserver
 
-.PHONY: init-vendor
-init-vendor:
-	@if [[ ! -f "$$(which govendor)" ]]; then \
-		go get -u github.com/kardianos/govendor; \
-	fi
-	govendor init
-	govendor add +external
-	@echo "init-vendor done"
+# Build ks-apigateway binary
+ks-apigateway: test
+	hack/gobuild.sh cmd/ks-apigateway
 
-.PHONY: update-vendor
-update-vendor:
-	@if [[ ! -f "$$(which govendor)" ]]; then \
-		go get -u github.com/kardianos/govendor; \
-	fi
-	govendor update +external
-	govendor list
-	@echo "update-vendor done"
+# Build ks-iam binary
+ks-iam: test
+	hack/gobuild.sh cmd/ks-iam
 
-.PHONY: update-builder
-update-builder:
-	docker pull kubesphere/kubesphere-builder
-	@echo "update-builder done"
+# Build controller-manager binary
+controller-manager: test
+	hack/gobuild.sh cmd/controller-manager
 
-.PHONY: generate-in-local
-generate-in-local:
-	go generate ./pkg/version/
-
-.PHONY: generate
-generate:
-	$(RUN_IN_DOCKER) make generate-in-local
-	@echo "generate done"
-
-.PHONY: fmt-all
-fmt-all:
-	mkdir -p ./tmp/bin && cp -r ./install ./tmp/
-	$(RUN_IN_DOCKER) $(GO_FMT) $(GO_FILES)
-	@echo "fmt done"
-
-.PHONY: fmt
+# Run go fmt against code 
 fmt:
-	$(call get_diff_files)
-	$(if $(DIFF_FILES), \
-		$(RUN_IN_DOCKER) $(GO_FMT) ${DIFF_FILES}, \
-		$(info cannot find modified files from git) \
-	)
-	@echo "fmt done"
+	go fmt ./pkg/... ./cmd/...
 
-.PHONY: fmt-check
-fmt-check: fmt-all
-	$(call get_diff_files)
-	$(if $(DIFF_FILES), \
-		exit 2 \
-	)
+# Run go vet against code
+vet:
+	go vet ./pkg/... ./cmd/...
 
-.PHONY: build
-build: fmt
-	mkdir -p ./tmp/bin && cp -r ./install/ ./tmp/
-	$(call get_build_flags)
-	$(RUN_IN_DOCKER) time go install -ldflags '$(BUILD_FLAG)' $(TRAG.Gopkg)/cmd/...
-	mv ./tmp/bin/cmd ./tmp/bin/$(TRAG.Name)
-	@docker build -t ${REGISTRY} -f - ./tmp < ./Dockerfile.dev 
-	@docker image prune -f 1>/dev/null 2>&1
-	@echo "build done"
+# Generate manifests e.g. CRD, RBAC etc.
+manifests:
+	go run vendor/sigs.k8s.io/controller-tools/cmd/controller-gen/main.go all
 
-.PHONY: release
-release:
-	@echo "TODO"
+deploy: manifests
+	kubectl apply -f config/crds
+	kustomize build config/default | kubectl apply -f -
+
+# Generate DeepCopy to implement runtime.Object
+deepcopy:
+	./vendor/k8s.io/code-generator/generate-groups.sh all kubesphere.io/kubesphere/pkg/client kubesphere.io/kubesphere/pkg/apis "servicemesh:v1alpha2 tenant:v1alpha1"
+
+# Generate code
+generate:
+ifndef GOPATH
+	$(error GOPATH not defined, please define GOPATH. Run "go help gopath" to learn more about GOPATH)
+endif
+	go generate ./pkg/... ./cmd/...
+
+# Build the docker image
+docker-build: all
+	docker build . -t ${IMG}
+
+# Run tests
+test: generate fmt vet
+	go test ./pkg/... ./cmd/... -coverprofile cover.out
 
 .PHONY: clean
 clean:

PROJECT

@@ -0,0 +1,3 @@
+version: "1"
+domain: kubesphere.io
+repo: kubesphere.io/kubesphere

README.md

@@ -3,35 +3,102 @@
 [![Build Status](https://travis-ci.org/kubesphere/kubesphere.svg?branch=master)](https://travis-ci.org/kubesphere/kubesphere)
 
 ----
-***KubeSphere*** is a distribution of [Kubernetes](https://kubernetes.io), aimed to provide quick setup, friendly and easily use, and powerful management features for Kubernetes clusters, which could help both personal and enterprise users, reduce their learning curve of Kubernetes, accelerate their transform process from other container platforms to Kubernetes.   
 
-**Features:**
- - Multiple IaaS platform support, including baremetal/KVM/QingCloud, and more will be supported in future release.  
- - Easy setup of Kubernetes standalone(only one master node) and cluster environment(including High Availability support).  
- - Powerful management console to help business users to manage and monitor the Kubernetes.  
- - Integrate with [OpenPitrix](https://github.com/openpitrix) to provide full life cycle of application management and be compatible of helm package.  
- - Support popular open source network solutions, including calico and flannel, also could use [qingcloud hostnic solution](https://github.com/yunify/hostnic-cni) if the Kubernetes is deployed on QingCloud platform.  
- - Support popular open source storage solutions, including Glusterfs and Cephfs, also could use [qingcloud storage solution](https://github.com/yunify/qingcloud-csi) or [qingstor storage solution](https://github.com/yunify/qingstor-csi) if the Kubernetes is deployed on QingCloud platform or QingStor NeonSAN.  
- - CI/CD support.  
- - Service Mesh support.  
- - Multiple image registries support.  
- - Integrate with QingCloud IAM.  
+## What is KubeSphere
+
+[KubeSphere](https://kubesphere.io/) is an enterprise-grade multi-tenant container management platform that built on [Kubernetes](https://kubernetes.io). It provides an easy-to-use UI enables creation of computing resources with a few clicks and one-click deployment, which reduces the learning curve and empower the DevOps teams. It greatly reduces the complexity of the daily work of development, testing, operation and maintenance, aiming to solve the pain spots of Kubernetes' storage, network, security and ease of use, etc.
+
+> See this [document](https://docs.kubesphere.io/advanced-v2.0/zh-CN/introduction/intro/) that describes the KubeSphere landscape and details.
+
+## Features
+
+KubeSphere Advanced Edition 2.0.0 provides an easy-to-use console with the awesome user experience that allows you to quickly get started with a container management platform. KubeSphere provides and supports following core features:
+
+
+- Workload management
+- Service mesh (Istio-based)
+- DevOps
+- Source to Image
+- Multi-tenant management
+- Multi-dimensional and Multi-tenant Monitoring, Logging, Alerting, Notification
+- Service and network management
+- Application template and repository
+- Infrastructure management, image registry management
+- Integrate Harbor and GitLab
+- LB controller for Kubernetes on bare metal ([Porter](https://github.com/kubesphere/porter)), [cloud LB plugin](https://github.com/yunify/qingcloud-cloud-controller-manager)
+- Support GPU node
+
+
+It also supports multiple open source storage and high-performance cloud storage as the persistent storage services, as well as supports multiple open source network plugins.
+
+> See this [document](https://docs.kubesphere.io/advanced-v2.0/zh-CN/introduction/features/) that elaborates on the KubeSphere features and services from a professional point of view.
+
 ----
 
-## Motivation
+## Latest Release
 
-The project originates from the requirement and pains we heard from our customers on public and private QingCloud platform, who have strong will to deploy Kubernetes in their IT system but struggle on completed setup process and long learning curve. With help of KubeSphere, their IT operators could setup Kubernetes environment quickly and use an easy management UI interface to mange their applications, also KubeSphere provides more features to help customers to handle daily business more easily, including CI/CD, micro services management...etc.
+KubeSphere Advanced Edition 2.0.0 was released on **May 18th, 2019**. See the [Release Notes For 2.0.0](https://docs.kubesphere.io/advanced-v2.0/release/release-v200/) to preview the updates.
 
-Getting Started
----------------
-**TBD**
+## Installation
 
-## Design
+KubeSphere installation supports following 2 kinds of installation, please reference the following guides on how to get KubeSphere up and running.
+
+### All-in-One
+
+[All-in-One](https://docs.kubesphere.io/advanced-v2.0/zh-CN/installation/all-in-one/): For those who are new to KubeSphere and looking for the fastest way to install and experience the dashboard. 
+
+Just download the installer and execute the `install.sh` under `/scripts` folder, choose `"1) All-in-one"` to trigger the installation. Generally, you can install it directly without any modification, for details please reference [All-in-One](https://docs.kubesphere.io/advanced-v2.0/zh-CN/installation/all-in-one/).
+
+```bash
+$ curl -L https://kubesphere.io/download/stable/advanced-2.0.0 > advanced-2.0.0.tar.gz
+$ tar -zxf advanced-2.0.0.tar.gz
+```
+
+### Multi-Node
+
+[Multi-Node](https://docs.kubesphere.io/advanced-v2.0/zh-CN/installation/multi-node/) is used for installing KubeSphere on multiple instances, supports for installing a highly available cluster which is able to use in a formal environment.
+
+
+### Minimum Requirements
+
+- Operating Systems
+   - CentOS 7.5 (64 bit)
+   - Ubuntu 16.04/18.04 LTS (64 bit)
+   - Red Hat Enterprise Linux Server 7.4 (64 bit)
+   - Debian Stretch 9.5 (64 bit)
+- Hardware
+   - CPU：8 Core,  Memory：16 G, Disk Space：100 G
+
+## Quick Start
+
+The [Quick Start Guide](https://docs.kubesphere.io/advanced-v2.0/quick-start/admin-quick-start/) provides 12 quick-start examples to walk you through the process and common manipulation in KubeSphere, with a quick overview of the core features of KubeSphere that helps you to get familiar with it.
+
+
+## RoadMap
+
+Currently, KubeSphere has released the following 4 major editions. Advanced Edition 2.0.0 was released on May 18, 2019. The future releases will include Big data, AI, Multicluster, QingCloud SDN, etc.
+
+**Community Edition** => **Express Edition** => **Advanced Edition 1.0.0** => **Advanced Edition 2.0.0**
+
+![Roadmap](docs/images/roadmap-en.png)
+
+## Documentation
+
+- [KubeSphere Documentation (En/中) ](https://docs.kubesphere.io/)
+- [KubeSphere Docementation (PDF)](https://docs.kubesphere.io/KubeSphere-advanced-v2.0.pdf)
+
+## Support, Discussion, and Community
+
+If you need any help with KubeSphere, please join us at [Slack channel](http://kubesphere.slack.com/) where most of our team hangs out at.
+
+Please submit any KubeSphere bugs, issues, and feature requests to [KubeSphere GitHub Issue](https://github.com/kubesphere/kubesphere/issues).
 
 ## Contributing to the project
 
 All members of the KubeSphere community must abide by [Code of Conduct](docs/code-of-conduct.md). Only by respecting each other can we develop a productive, collaborative community.
 
-You can then find out more detail [here](docs/welcome-toKubeSphere-new-developer-guide.md).
+How to submit a pull request to KubeSphere? See [Pull Request Instruction](docs/pull-requests.md).
+
+You can then find out more detail [here](docs/welcome-to-KubeSphere-new-developer-guide.md).
 
 

build/builder-docker/.ash_history

@@ -1,3 +0,0 @@
-ls /go/bin
-go version
-exit

build/builder-docker/Dockerfile

@@ -1,19 +0,0 @@
-# Copyright 2018 The KubeSphere Authors. All rights reserved.
-# Use of this source code is governed by a Apache license
-# that can be found in the LICENSE file.
-
-FROM golang:1.10.2-alpine3.7 as builder
-
-RUN apk add --no-cache git curl openssl
-
-RUN go get github.com/tools/godep
-#RUN go get github.com/emicklei/go-restful
-#RUN go get github.com/golang/glog
-#RUN go get github.com/spf13/pflag
-RUN go get golang.org/x/tools/cmd/goimports
-
-FROM golang:1.10.2-alpine3.7
-
-RUN apk add --no-cache git make curl openssl jq rsync godep
-
-COPY --from=builder /go/bin /go/bin

build/builder-docker/Makefile

@@ -1,17 +0,0 @@
-# Copyright 2018 The KubeSphere Authors. All rights reserved.
-# Use of this source code is governed by a Apache license
-# that can be found in the LICENSE file.
-
-default:
-	docker build -t kubesphere/kubesphere-builder .
-	@echo "ok"
-
-pull:
-	docker pull kubesphere/kubesphere-builder
-	@echo "ok"
-
-run:
-	docker run --rm -it -v `pwd`:/root kubesphere/kubesphere-builder
-
-clean:
-	@echo "ok"

build/ks-apigateway/Dockerfile

@@ -0,0 +1,20 @@
+# Copyright 2018 The KubeSphere Authors. All rights reserved.
+# Use of this source code is governed by a Apache license
+# that can be found in the LICENSE file.
+
+# Copyright 2018 The KubeSphere Authors. All rights reserved.
+# Use of this source code is governed by a Apache license
+# that can be found in the LICENSE file.
+
+FROM golang:1.12 as ks-apigateway-builder
+
+COPY / /go/src/kubesphere.io/kubesphere
+WORKDIR /go/src/kubesphere.io/kubesphere
+RUN CGO_ENABLED=0 GO111MODULE=off GOOS=linux GOARCH=amd64 go build -i -ldflags '-w -s' -o ks-apigateway cmd/ks-apigateway/apiserver.go && \
+    go run tools/cmd/doc-gen/main.go --output=install/swagger-ui/api.json
+
+FROM alpine:3.9
+RUN apk add --update ca-certificates && update-ca-certificates
+COPY --from=ks-apigateway-builder /go/src/kubesphere.io/kubesphere/ks-apigateway /usr/local/bin/
+COPY --from=ks-apigateway-builder /go/src/kubesphere.io/kubesphere/install/swagger-ui /var/static/swagger-ui
+CMD ["sh"]

build/ks-apiserver/Dockerfile

@@ -0,0 +1,18 @@
+# Copyright 2018 The KubeSphere Authors. All rights reserved.
+# Use of this source code is governed by a Apache license
+# that can be found in the LICENSE file.
+
+# Copyright 2018 The KubeSphere Authors. All rights reserved.
+# Use of this source code is governed by a Apache license
+# that can be found in the LICENSE file.
+FROM golang:1.12 as ks-apiserver-builder
+
+COPY / /go/src/kubesphere.io/kubesphere
+
+WORKDIR /go/src/kubesphere.io/kubesphere
+RUN CGO_ENABLED=0 GO111MODULE=off GOOS=linux GOARCH=amd64 go build -i -ldflags '-w -s' -o ks-apiserver cmd/ks-apiserver/apiserver.go
+
+FROM alpine:3.9
+RUN apk add --update ca-certificates && update-ca-certificates
+COPY --from=ks-apiserver-builder /go/src/kubesphere.io/kubesphere/ks-apiserver /usr/local/bin/
+CMD ["sh"]

build/ks-controller-manager/Dockerfile

@@ -0,0 +1,18 @@
+# Copyright 2018 The KubeSphere Authors. All rights reserved.
+# Use of this source code is governed by a Apache license
+# that can be found in the LICENSE file.
+
+# Copyright 2018 The KubeSphere Authors. All rights reserved.
+# Use of this source code is governed by a Apache license
+# that can be found in the LICENSE file.
+FROM golang:1.12 as controller-manager-builder
+
+COPY / /go/src/kubesphere.io/kubesphere
+WORKDIR /go/src/kubesphere.io/kubesphere
+
+RUN GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build --ldflags "-extldflags -static" -o controller-manager ./cmd/controller-manager/
+
+FROM alpine:3.7
+RUN apk add --update ca-certificates && update-ca-certificates
+COPY --from=controller-manager-builder /go/src/kubesphere.io/kubesphere/controller-manager /usr/local/bin/
+CMD controller-manager

build/ks-iam/Dockerfile

@@ -0,0 +1,18 @@
+# Copyright 2018 The KubeSphere Authors. All rights reserved.
+# Use of this source code is governed by a Apache license
+# that can be found in the LICENSE file.
+
+# Copyright 2018 The KubeSphere Authors. All rights reserved.
+# Use of this source code is governed by a Apache license
+# that can be found in the LICENSE file.
+FROM golang:1.12 as ks-iam-builder
+
+COPY / /go/src/kubesphere.io/kubesphere
+
+WORKDIR /go/src/kubesphere.io/kubesphere
+RUN CGO_ENABLED=0 GO111MODULE=off GOOS=linux GOARCH=amd64 go build -i -ldflags '-w -s' -o ks-iam cmd/ks-iam/apiserver.go
+
+FROM alpine:3.9
+RUN apk add --update ca-certificates && update-ca-certificates
+COPY --from=ks-iam-builder /go/src/kubesphere.io/kubesphere/ks-iam /usr/local/bin/
+CMD ["sh"]

cmd/controller-manager/app/controllers.go

@@ -0,0 +1,126 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package app
+
+import (
+	"k8s.io/client-go/informers"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+	"kubesphere.io/kubesphere/pkg/controller/application"
+	"kubesphere.io/kubesphere/pkg/controller/destinationrule"
+	"kubesphere.io/kubesphere/pkg/controller/job"
+
+	//"kubesphere.io/kubesphere/pkg/controller/job"
+	"kubesphere.io/kubesphere/pkg/controller/virtualservice"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"time"
+
+	logf "sigs.k8s.io/controller-runtime/pkg/runtime/log"
+
+	istioclientset "github.com/knative/pkg/client/clientset/versioned"
+	istioinformers "github.com/knative/pkg/client/informers/externalversions"
+	applicationclientset "github.com/kubernetes-sigs/application/pkg/client/clientset/versioned"
+	applicationinformers "github.com/kubernetes-sigs/application/pkg/client/informers/externalversions"
+	servicemeshclientset "kubesphere.io/kubesphere/pkg/client/clientset/versioned"
+	servicemeshinformers "kubesphere.io/kubesphere/pkg/client/informers/externalversions"
+)
+
+const defaultResync = 600 * time.Second
+
+var log = logf.Log.WithName("controller-manager")
+
+func AddControllers(mgr manager.Manager, cfg *rest.Config, stopCh <-chan struct{}) error {
+
+	kubeClient, err := kubernetes.NewForConfig(cfg)
+	if err != nil {
+		log.Error(err, "building kubernetes client failed")
+	}
+
+	istioclient, err := istioclientset.NewForConfig(cfg)
+	if err != nil {
+		log.Error(err, "create istio client failed")
+		return err
+	}
+
+	applicationClient, err := applicationclientset.NewForConfig(cfg)
+	if err != nil {
+		log.Error(err, "create application client failed")
+		return err
+	}
+
+	informerFactory := informers.NewSharedInformerFactory(kubeClient, defaultResync)
+	istioInformer := istioinformers.NewSharedInformerFactory(istioclient, defaultResync)
+	applicationInformer := applicationinformers.NewSharedInformerFactory(applicationClient, defaultResync)
+
+	servicemeshclient, err := servicemeshclientset.NewForConfig(cfg)
+	if err != nil {
+		log.Error(err, "create servicemesh client failed")
+		return err
+	}
+
+	servicemeshInformer := servicemeshinformers.NewSharedInformerFactory(servicemeshclient, defaultResync)
+
+	vsController := virtualservice.NewVirtualServiceController(informerFactory.Core().V1().Services(),
+		istioInformer.Networking().V1alpha3().VirtualServices(),
+		istioInformer.Networking().V1alpha3().DestinationRules(),
+		servicemeshInformer.Servicemesh().V1alpha2().Strategies(),
+		kubeClient,
+		istioclient,
+		servicemeshclient)
+
+	drController := destinationrule.NewDestinationRuleController(informerFactory.Apps().V1().Deployments(),
+		istioInformer.Networking().V1alpha3().DestinationRules(),
+		informerFactory.Core().V1().Services(),
+		servicemeshInformer.Servicemesh().V1alpha2().ServicePolicies(),
+		kubeClient,
+		istioclient,
+		servicemeshclient)
+
+	apController := application.NewApplicationController(informerFactory.Core().V1().Services(),
+		informerFactory.Apps().V1().Deployments(),
+		informerFactory.Apps().V1().StatefulSets(),
+		servicemeshInformer.Servicemesh().V1alpha2().Strategies(),
+		servicemeshInformer.Servicemesh().V1alpha2().ServicePolicies(),
+		applicationInformer.App().V1beta1().Applications(),
+		kubeClient,
+		applicationClient)
+
+	jobController := job.NewJobController(informerFactory.Batch().V1().Jobs(), kubeClient)
+
+	servicemeshInformer.Start(stopCh)
+	istioInformer.Start(stopCh)
+	informerFactory.Start(stopCh)
+	applicationInformer.Start(stopCh)
+
+	controllers := map[string]manager.Runnable{
+		"virtualservice-controller":  vsController,
+		"destinationrule-controller": drController,
+		"application-controller":     apController,
+		"job-controller":             jobController,
+	}
+
+	for name, ctrl := range controllers {
+		err = mgr.Add(ctrl)
+		if err != nil {
+			log.Error(err, "add controller to manager failed", "name", name)
+			return err
+		}
+	}
+
+	return nil
+}

cmd/controller-manager/app/helper.go

@@ -0,0 +1,38 @@
+package app
+
+import (
+	"fmt"
+	"k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/klog"
+	"net/http"
+	"time"
+)
+
+// WaitForAPIServer waits for the API Server's /healthz endpoint to report "ok" with timeout.
+func WaitForAPIServer(client clientset.Interface, timeout time.Duration) error {
+	var lastErr error
+
+	err := wait.PollImmediate(time.Second, timeout, func() (bool, error) {
+		healthStatus := 0
+		result := client.Discovery().RESTClient().Get().AbsPath("/healthz").Do().StatusCode(&healthStatus)
+		if result.Error() != nil {
+			lastErr = fmt.Errorf("failed to get apiserver /healthz status: %v", result.Error())
+			return false, nil
+		}
+		if healthStatus != http.StatusOK {
+			content, _ := result.Raw()
+			lastErr = fmt.Errorf("APIServer isn't healthy: %v", string(content))
+			klog.Warningf("APIServer isn't healthy yet: %v. Waiting a little while.", string(content))
+			return false, nil
+		}
+
+		return true, nil
+	})
+
+	if err != nil {
+		return fmt.Errorf("%v: %v", err, lastErr)
+	}
+
+	return nil
+}

cmd/controller-manager/controller-manager.go

@@ -0,0 +1,89 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+
+package main
+
+import (
+	"flag"
+	"k8s.io/client-go/tools/clientcmd"
+	"kubesphere.io/kubesphere/cmd/controller-manager/app"
+	"kubesphere.io/kubesphere/pkg/apis"
+	"kubesphere.io/kubesphere/pkg/controller"
+	"os"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	logf "sigs.k8s.io/controller-runtime/pkg/runtime/log"
+	"sigs.k8s.io/controller-runtime/pkg/runtime/signals"
+)
+
+var (
+	masterURL   string
+	kubeconfig  string
+	metricsAddr string
+)
+
+func init() {
+	flag.StringVar(&masterURL, "master-url", "", "only need if out of cluster")
+	flag.StringVar(&kubeconfig, "kubeconfig", "", "only need if out of cluster")
+	flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
+}
+
+func main() {
+	flag.Parse()
+
+	logf.SetLogger(logf.ZapLogger(false))
+	log := logf.Log.WithName("controller-manager")
+
+	cfg, err := clientcmd.BuildConfigFromFlags(masterURL, kubeconfig)
+	if err != nil {
+		log.Error(err, "failed to build kubeconfig")
+		os.Exit(1)
+	}
+
+	stopCh := signals.SetupSignalHandler()
+
+	log.Info("setting up manager")
+	mgr, err := manager.New(cfg, manager.Options{})
+	if err != nil {
+		log.Error(err, "unable to set up overall controller manager")
+		os.Exit(1)
+	}
+
+	log.Info("setting up scheme")
+	if err := apis.AddToScheme(mgr.GetScheme()); err != nil {
+		log.Error(err, "unable add APIs to scheme")
+		os.Exit(1)
+	}
+
+	log.Info("Setting up controllers")
+	if err := controller.AddToManager(mgr); err != nil {
+		log.Error(err, "unable to register controllers to the manager")
+		os.Exit(1)
+	}
+
+	if err := app.AddControllers(mgr, cfg, stopCh); err != nil {
+		log.Error(err, "unable to register controllers to the manager")
+		os.Exit(1)
+	}
+
+	log.Info("Starting the Cmd.")
+	if err := mgr.Start(stopCh); err != nil {
+		log.Error(err, "unable to run the manager")
+		os.Exit(1)
+	}
+
+}

cmd/ks-apigateway/apiserver.go

@@ -0,0 +1,35 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package main
+
+import (
+	"github.com/mholt/caddy/caddy/caddymain"
+	"github.com/mholt/caddy/caddyhttp/httpserver"
+
+	// Install apis
+	_ "kubesphere.io/kubesphere/pkg/apigateway/caddy-plugin/authenticate"
+	_ "kubesphere.io/kubesphere/pkg/apigateway/caddy-plugin/authentication"
+	_ "kubesphere.io/kubesphere/pkg/apigateway/caddy-plugin/swagger"
+)
+
+func main() {
+	httpserver.RegisterDevDirective("authenticate", "jwt")
+	httpserver.RegisterDevDirective("authentication", "jwt")
+	httpserver.RegisterDevDirective("swagger", "jwt")
+	caddymain.Run()
+}

cmd/ks-apiserver/apiserver.go

@@ -0,0 +1,41 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package main
+
+import (
+	"kubesphere.io/kubesphere/cmd/ks-apiserver/app"
+	"log"
+	// Install apis
+	_ "kubesphere.io/kubesphere/pkg/apis/devops/install"
+	_ "kubesphere.io/kubesphere/pkg/apis/logging/install"
+	_ "kubesphere.io/kubesphere/pkg/apis/monitoring/install"
+	_ "kubesphere.io/kubesphere/pkg/apis/operations/install"
+	_ "kubesphere.io/kubesphere/pkg/apis/resources/install"
+	_ "kubesphere.io/kubesphere/pkg/apis/servicemesh/metrics/install"
+	_ "kubesphere.io/kubesphere/pkg/apis/tenant/install"
+	_ "kubesphere.io/kubesphere/pkg/apis/terminal/install"
+)
+
+func main() {
+
+	cmd := app.NewAPIServerCommand()
+
+	if err := cmd.Execute(); err != nil {
+		log.Fatalln(err)
+	}
+}

cmd/ks-apiserver/app/options/options.go

@@ -0,0 +1,45 @@
+package options
+
+import (
+	"github.com/spf13/pflag"
+	genericoptions "kubesphere.io/kubesphere/pkg/options"
+)
+
+type ServerRunOptions struct {
+	GenericServerRunOptions *genericoptions.ServerRunOptions
+
+	// istio pilot discovery service url
+	IstioPilotServiceURL string
+
+	// jaeger query service url
+	JaegerQueryServiceUrl string
+
+	// prometheus service url for servicemesh metrics
+	ServicemeshPrometheusServiceUrl string
+
+	// openpitrix api gateway service url
+	OpenPitrixServer string
+
+	// openpitrix service token
+	OpenPitrixProxyToken string
+}
+
+func NewServerRunOptions() *ServerRunOptions {
+
+	s := ServerRunOptions{
+		GenericServerRunOptions: genericoptions.NewServerRunOptions(),
+		IstioPilotServiceURL:    "http://istio-pilot.istio-system.svc:8080/version",
+		JaegerQueryServiceUrl:   "http://jaeger-query.istio-system.svc:16686/jaeger",
+	}
+
+	return &s
+}
+
+func (s *ServerRunOptions) AddFlags(fs *pflag.FlagSet) {
+
+	s.GenericServerRunOptions.AddFlags(fs)
+
+	fs.StringVar(&s.IstioPilotServiceURL, "istio-pilot-service-url", "http://istio-pilot.istio-system.svc:8080/version", "istio pilot discovery service url")
+	fs.StringVar(&s.JaegerQueryServiceUrl, "jaeger-query-service-url", "http://jaeger-query.istio-system.svc:16686/jaeger", "jaeger query service url")
+	fs.StringVar(&s.ServicemeshPrometheusServiceUrl, "servicemesh-prometheus-service-url", "http://prometheus-k8s-system.kubesphere-monitoring-system.svc:9090", "prometheus service for servicemesh")
+}

cmd/ks-apiserver/app/server.go

@@ -0,0 +1,198 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package app
+
+import (
+	goflag "flag"
+	"fmt"
+	"github.com/golang/glog"
+	"github.com/json-iterator/go"
+	kconfig "github.com/kiali/kiali/config"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+	"kubesphere.io/kubesphere/cmd/ks-apiserver/app/options"
+	"kubesphere.io/kubesphere/pkg/apiserver/runtime"
+	"kubesphere.io/kubesphere/pkg/apiserver/servicemesh/tracing"
+	"kubesphere.io/kubesphere/pkg/filter"
+	"kubesphere.io/kubesphere/pkg/informers"
+	"kubesphere.io/kubesphere/pkg/models/devops"
+	logging "kubesphere.io/kubesphere/pkg/models/log"
+	"kubesphere.io/kubesphere/pkg/server"
+	"kubesphere.io/kubesphere/pkg/signals"
+	"kubesphere.io/kubesphere/pkg/simple/client/admin_jenkins"
+	"kubesphere.io/kubesphere/pkg/simple/client/devops_mysql"
+	"log"
+	"net/http"
+)
+
+var jsonIter = jsoniter.ConfigCompatibleWithStandardLibrary
+
+func NewAPIServerCommand() *cobra.Command {
+	s := options.NewServerRunOptions()
+
+	cmd := &cobra.Command{
+		Use: "ks-apiserver",
+		Long: `The KubeSphere API server validates and configures data
+for the api objects. The API Server services REST operations and provides the frontend to the
+cluster's shared state through which all other components interact.`,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return Run(s)
+		},
+	}
+
+	s.AddFlags(cmd.Flags())
+	cmd.Flags().AddGoFlagSet(goflag.CommandLine)
+	glog.CopyStandardLogTo("INFO")
+
+	return cmd
+}
+
+func Run(s *options.ServerRunOptions) error {
+
+	pflag.VisitAll(func(flag *pflag.Flag) {
+		log.Printf("FLAG: --%s=%q", flag.Name, flag.Value)
+	})
+
+	var err error
+
+	waitForResourceSync()
+
+	container := runtime.Container
+	container.DoNotRecover(false)
+	container.Filter(filter.Logging)
+	container.RecoverHandler(server.LogStackOnRecover)
+	for _, webservice := range container.RegisteredWebServices() {
+		for _, route := range webservice.Routes() {
+			log.Println(route.Method, route.Path)
+		}
+	}
+
+	initializeAdminJenkins()
+	initializeDevOpsDatabase()
+	initializeESClientConfig()
+	initializeServicemeshConfig(s)
+
+	if s.GenericServerRunOptions.InsecurePort != 0 {
+		log.Printf("Server listening on %d.", s.GenericServerRunOptions.InsecurePort)
+		err = http.ListenAndServe(fmt.Sprintf("%s:%d", s.GenericServerRunOptions.BindAddress, s.GenericServerRunOptions.InsecurePort), container)
+	}
+
+	if s.GenericServerRunOptions.SecurePort != 0 && len(s.GenericServerRunOptions.TlsCertFile) > 0 && len(s.GenericServerRunOptions.TlsPrivateKey) > 0 {
+		log.Printf("Server listening on %d.", s.GenericServerRunOptions.SecurePort)
+		err = http.ListenAndServeTLS(fmt.Sprintf("%s:%d", s.GenericServerRunOptions.BindAddress, s.GenericServerRunOptions.SecurePort), s.GenericServerRunOptions.TlsCertFile, s.GenericServerRunOptions.TlsPrivateKey, container)
+	}
+
+	return err
+}
+
+func initializeAdminJenkins() {
+	devops.JenkinsInit()
+	admin_jenkins.Client()
+}
+
+func initializeDevOpsDatabase() {
+	devops_mysql.OpenDatabase()
+}
+
+func initializeServicemeshConfig(s *options.ServerRunOptions) {
+	// Initialize kiali config
+	config := kconfig.NewConfig()
+
+	tracing.JaegerQueryUrl = s.JaegerQueryServiceUrl
+
+	// Exclude system namespaces
+	config.API.Namespaces.Exclude = []string{"istio-system", "kubesphere*", "kube*"}
+	config.InCluster = true
+
+	// Set default prometheus service url
+	config.ExternalServices.PrometheusServiceURL = s.ServicemeshPrometheusServiceUrl
+	config.ExternalServices.PrometheusCustomMetricsURL = config.ExternalServices.PrometheusServiceURL
+
+	// Set istio pilot discovery service url
+	config.ExternalServices.Istio.UrlServiceVersion = s.IstioPilotServiceURL
+
+	kconfig.Set(config)
+}
+
+func initializeESClientConfig() {
+
+	// List all outputs
+	outputs, err := logging.GetFluentbitOutputFromConfigMap()
+	if err != nil {
+		glog.Errorln(err)
+		return
+	}
+
+	// Iterate the outputs to get elasticsearch configs
+	for _, output := range outputs {
+		if configs := logging.ParseEsOutputParams(output.Parameters); configs != nil {
+			configs.WriteESConfigs()
+			return
+		}
+	}
+}
+
+func waitForResourceSync() {
+	stopChan := signals.SetupSignalHandler()
+
+	informerFactory := informers.SharedInformerFactory()
+	informerFactory.Rbac().V1().Roles().Lister()
+	informerFactory.Rbac().V1().RoleBindings().Lister()
+	informerFactory.Rbac().V1().ClusterRoles().Lister()
+	informerFactory.Rbac().V1().ClusterRoleBindings().Lister()
+
+	informerFactory.Storage().V1().StorageClasses().Lister()
+
+	informerFactory.Core().V1().Namespaces().Lister()
+	informerFactory.Core().V1().Nodes().Lister()
+	informerFactory.Core().V1().ResourceQuotas().Lister()
+	informerFactory.Core().V1().Pods().Lister()
+	informerFactory.Core().V1().Services().Lister()
+	informerFactory.Core().V1().PersistentVolumeClaims().Lister()
+	informerFactory.Core().V1().Secrets().Lister()
+	informerFactory.Core().V1().ConfigMaps().Lister()
+
+	informerFactory.Apps().V1().ControllerRevisions().Lister()
+	informerFactory.Apps().V1().StatefulSets().Lister()
+	informerFactory.Apps().V1().Deployments().Lister()
+	informerFactory.Apps().V1().DaemonSets().Lister()
+	informerFactory.Apps().V1().ReplicaSets().Lister()
+
+	informerFactory.Batch().V1().Jobs().Lister()
+	informerFactory.Batch().V1beta1().CronJobs().Lister()
+	informerFactory.Extensions().V1beta1().Ingresses().Lister()
+
+	informerFactory.Start(stopChan)
+	informerFactory.WaitForCacheSync(stopChan)
+
+	s2iInformerFactory := informers.S2iSharedInformerFactory()
+	s2iInformerFactory.Devops().V1alpha1().S2iBuilderTemplates().Lister()
+	s2iInformerFactory.Devops().V1alpha1().S2iRuns().Lister()
+	s2iInformerFactory.Devops().V1alpha1().S2iBuilders().Lister()
+
+	s2iInformerFactory.Start(stopChan)
+	s2iInformerFactory.WaitForCacheSync(stopChan)
+
+	ksInformerFactory := informers.KsSharedInformerFactory()
+	ksInformerFactory.Tenant().V1alpha1().Workspaces().Lister()
+
+	ksInformerFactory.Start(stopChan)
+	ksInformerFactory.WaitForCacheSync(stopChan)
+
+	log.Println("resources sync success")
+}

cmd/ks-iam/apiserver.go

@@ -0,0 +1,34 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package main
+
+import (
+	"kubesphere.io/kubesphere/cmd/ks-iam/app"
+	"log"
+	// Install apis
+	_ "kubesphere.io/kubesphere/pkg/apis/iam/install"
+)
+
+func main() {
+
+	cmd := app.NewAPIServerCommand()
+
+	if err := cmd.Execute(); err != nil {
+		log.Fatalln(err)
+	}
+}

cmd/ks-iam/app/options/options.go

@@ -0,0 +1,46 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package options
+
+import (
+	"github.com/spf13/pflag"
+	genericoptions "kubesphere.io/kubesphere/pkg/options"
+)
+
+type ServerRunOptions struct {
+	GenericServerRunOptions *genericoptions.ServerRunOptions
+	AdminEmail              string
+	AdminPassword           string
+	TokenExpireTime         string
+	JWTSecret               string
+}
+
+func NewServerRunOptions() *ServerRunOptions {
+	s := &ServerRunOptions{
+		GenericServerRunOptions: genericoptions.NewServerRunOptions(),
+	}
+	return s
+}
+
+func (s *ServerRunOptions) AddFlags(fs *pflag.FlagSet) {
+	fs.StringVar(&s.AdminEmail, "admin-email", "admin@kubesphere.io", "default administrator's email")
+	fs.StringVar(&s.AdminPassword, "admin-password", "passw0rd", "default administrator's password")
+	fs.StringVar(&s.TokenExpireTime, "token-expire-time", "2h", "token expire time,valid time units are \"ns\",\"us\",\"ms\",\"s\",\"m\",\"h\"")
+	fs.StringVar(&s.JWTSecret, "jwt-secret", "", "jwt secret")
+	s.GenericServerRunOptions.AddFlags(fs)
+}

cmd/ks-iam/app/server.go

@@ -0,0 +1,137 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package app
+
+import (
+	goflag "flag"
+	"fmt"
+	"github.com/golang/glog"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+	"kubesphere.io/kubesphere/cmd/ks-iam/app/options"
+	"kubesphere.io/kubesphere/pkg/apiserver/runtime"
+	"kubesphere.io/kubesphere/pkg/filter"
+	"kubesphere.io/kubesphere/pkg/informers"
+	"kubesphere.io/kubesphere/pkg/models/iam"
+	"kubesphere.io/kubesphere/pkg/server"
+	"kubesphere.io/kubesphere/pkg/signals"
+	"kubesphere.io/kubesphere/pkg/simple/client/admin_jenkins"
+	"kubesphere.io/kubesphere/pkg/simple/client/devops_mysql"
+	"kubesphere.io/kubesphere/pkg/utils/jwtutil"
+	"log"
+	"net/http"
+	"time"
+)
+
+func NewAPIServerCommand() *cobra.Command {
+	s := options.NewServerRunOptions()
+
+	cmd := &cobra.Command{
+		Use: "ks-iam",
+		Long: `The KubeSphere API server validates and configures data
+for the api objects. The API Server services REST operations and provides the frontend to the
+cluster's shared state through which all other components interact.`,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return Run(s)
+		},
+	}
+	s.AddFlags(cmd.Flags())
+	cmd.Flags().AddGoFlagSet(goflag.CommandLine)
+	glog.CopyStandardLogTo("INFO")
+
+	return cmd
+}
+
+func Run(s *options.ServerRunOptions) error {
+	pflag.VisitAll(func(flag *pflag.Flag) {
+		log.Printf("FLAG: --%s=%q", flag.Name, flag.Value)
+	})
+
+	var err error
+
+	expireTime, err := time.ParseDuration(s.TokenExpireTime)
+
+	if err != nil {
+		return err
+	}
+
+	waitForResourceSync()
+
+	initializeAdminJenkins()
+	initializeDevOpsDatabase()
+
+	err = iam.Init(s.AdminEmail, s.AdminPassword, expireTime)
+	jwtutil.Setup(s.JWTSecret)
+
+	if err != nil {
+		return err
+	}
+
+	container := runtime.Container
+	container.Filter(filter.Logging)
+	container.DoNotRecover(false)
+	container.RecoverHandler(server.LogStackOnRecover)
+
+	for _, webservice := range container.RegisteredWebServices() {
+		for _, route := range webservice.Routes() {
+			log.Println(route.Method, route.Path)
+		}
+	}
+
+	if s.GenericServerRunOptions.InsecurePort != 0 {
+		log.Printf("Server listening on %d.", s.GenericServerRunOptions.InsecurePort)
+		err = http.ListenAndServe(fmt.Sprintf("%s:%d", s.GenericServerRunOptions.BindAddress, s.GenericServerRunOptions.InsecurePort), container)
+	}
+
+	if s.GenericServerRunOptions.SecurePort != 0 && len(s.GenericServerRunOptions.TlsCertFile) > 0 && len(s.GenericServerRunOptions.TlsPrivateKey) > 0 {
+		log.Printf("Server listening on %d.", s.GenericServerRunOptions.SecurePort)
+		err = http.ListenAndServeTLS(fmt.Sprintf("%s:%d", s.GenericServerRunOptions.BindAddress, s.GenericServerRunOptions.SecurePort), s.GenericServerRunOptions.TlsCertFile, s.GenericServerRunOptions.TlsPrivateKey, container)
+	}
+
+	return err
+}
+
+func waitForResourceSync() {
+	stopChan := signals.SetupSignalHandler()
+
+	informerFactory := informers.SharedInformerFactory()
+	informerFactory.Rbac().V1().Roles().Lister()
+	informerFactory.Rbac().V1().RoleBindings().Lister()
+	informerFactory.Rbac().V1().ClusterRoles().Lister()
+	informerFactory.Rbac().V1().ClusterRoleBindings().Lister()
+
+	informerFactory.Core().V1().Namespaces().Lister()
+
+	informerFactory.Start(stopChan)
+	informerFactory.WaitForCacheSync(stopChan)
+
+	ksInformerFactory := informers.KsSharedInformerFactory()
+	ksInformerFactory.Tenant().V1alpha1().Workspaces().Lister()
+
+	ksInformerFactory.Start(stopChan)
+	ksInformerFactory.WaitForCacheSync(stopChan)
+	log.Println("resources sync success")
+}
+
+func initializeAdminJenkins() {
+	admin_jenkins.Client()
+}
+
+func initializeDevOpsDatabase() {
+	devops_mysql.OpenDatabase()
+}

cmd/kubesphere.go

@@ -1,40 +0,0 @@
-/*
-Copyright 2018 The KubeSphere Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package main
-
-import (
-	"github.com/spf13/pflag"
-
-	"kubesphere.io/kubesphere/pkg/app"
-	"kubesphere.io/kubesphere/pkg/logs"
-	"kubesphere.io/kubesphere/pkg/options"
-	"kubesphere.io/kubesphere/pkg/version"
-)
-
-func main() {
-
-	options.AddFlags(pflag.CommandLine)
-
-	pflag.Parse()
-	logs.InitLogs()
-
-	defer logs.FlushLogs()
-
-	version.PrintAndExitIfRequested()
-
-	app.Run()
-}

config/crds/app_v1beta1_application.yaml

@@ -0,0 +1,239 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  creationTimestamp: null
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: applications.app.k8s.io
+spec:
+  group: app.k8s.io
+  names:
+    kind: Application
+    plural: applications
+  scope: Namespaced
+  validation:
+    openAPIV3Schema:
+      properties:
+        apiVersion:
+          type: string
+        kind:
+          type: string
+        metadata:
+          type: object
+        spec:
+          properties:
+            assemblyPhase:
+              type: string
+            componentKinds:
+              items:
+                type: object
+              type: array
+            descriptor:
+              properties:
+                description:
+                  type: string
+                icons:
+                  items:
+                    properties:
+                      size:
+                        type: string
+                      src:
+                        type: string
+                      type:
+                        type: string
+                    required:
+                    - src
+                    type: object
+                  type: array
+                keywords:
+                  items:
+                    type: string
+                  type: array
+                links:
+                  items:
+                    properties:
+                      description:
+                        type: string
+                      url:
+                        type: string
+                    type: object
+                  type: array
+                maintainers:
+                  items:
+                    properties:
+                      email:
+                        type: string
+                      name:
+                        type: string
+                      url:
+                        type: string
+                    type: object
+                  type: array
+                notes:
+                  type: string
+                owners:
+                  items:
+                    properties:
+                      email:
+                        type: string
+                      name:
+                        type: string
+                      url:
+                        type: string
+                    type: object
+                  type: array
+                type:
+                  type: string
+                version:
+                  type: string
+              type: object
+            info:
+              items:
+                properties:
+                  name:
+                    type: string
+                  type:
+                    type: string
+                  value:
+                    type: string
+                  valueFrom:
+                    properties:
+                      configMapKeyRef:
+                        properties:
+                          apiVersion:
+                            type: string
+                          fieldPath:
+                            type: string
+                          key:
+                            type: string
+                          kind:
+                            type: string
+                          name:
+                            type: string
+                          namespace:
+                            type: string
+                          resourceVersion:
+                            type: string
+                          uid:
+                            type: string
+                        type: object
+                      ingressRef:
+                        properties:
+                          apiVersion:
+                            type: string
+                          fieldPath:
+                            type: string
+                          host:
+                            type: string
+                          kind:
+                            type: string
+                          name:
+                            type: string
+                          namespace:
+                            type: string
+                          path:
+                            type: string
+                          resourceVersion:
+                            type: string
+                          uid:
+                            type: string
+                        type: object
+                      secretKeyRef:
+                        properties:
+                          apiVersion:
+                            type: string
+                          fieldPath:
+                            type: string
+                          key:
+                            type: string
+                          kind:
+                            type: string
+                          name:
+                            type: string
+                          namespace:
+                            type: string
+                          resourceVersion:
+                            type: string
+                          uid:
+                            type: string
+                        type: object
+                      serviceRef:
+                        properties:
+                          apiVersion:
+                            type: string
+                          fieldPath:
+                            type: string
+                          kind:
+                            type: string
+                          name:
+                            type: string
+                          namespace:
+                            type: string
+                          path:
+                            type: string
+                          port:
+                            format: int32
+                            type: integer
+                          resourceVersion:
+                            type: string
+                          uid:
+                            type: string
+                        type: object
+                      type:
+                        type: string
+                    type: object
+                type: object
+              type: array
+            selector:
+              type: object
+          type: object
+        status:
+          properties:
+            components:
+              items:
+                properties:
+                  group:
+                    type: string
+                  kind:
+                    type: string
+                  link:
+                    type: string
+                  name:
+                    type: string
+                  status:
+                    type: string
+                type: object
+              type: array
+            conditions:
+              items:
+                properties:
+                  lastTransitionTime:
+                    format: date-time
+                    type: string
+                  lastUpdateTime:
+                    format: date-time
+                    type: string
+                  message:
+                    type: string
+                  reason:
+                    type: string
+                  status:
+                    type: string
+                  type:
+                    type: string
+                required:
+                - type
+                - status
+                type: object
+              type: array
+            observedGeneration:
+              format: int64
+              type: integer
+          type: object
+  version: v1beta1
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/istio_v1alpha3_destinationrule.yaml

@@ -0,0 +1,763 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  creationTimestamp: null
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: destinationrules.istio.kubesphere.io
+spec:
+  group: istio.kubesphere.io
+  names:
+    kind: DestinationRule
+    plural: destinationrules
+  scope: Namespaced
+  validation:
+    openAPIV3Schema:
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          properties:
+            host:
+              description: 'REQUIRED. The name of a service from the service registry.
+                Service names are looked up from the platform''s service registry
+                (e.g., Kubernetes services, Consul services, etc.) and from the hosts
+                declared by [ServiceEntries](#ServiceEntry). Rules defined for services
+                that do not exist in the service registry will be ignored.  *Note
+                for Kubernetes users*: When short names are used (e.g. "reviews" instead
+                of "reviews.default.svc.cluster.local"), Istio will interpret the
+                short name based on the namespace of the rule, not the service. A
+                rule in the "default" namespace containing a host "reviews will be
+                interpreted as "reviews.default.svc.cluster.local", irrespective of
+                the actual namespace associated with the reviews service. _To avoid
+                potential misconfigurations, it is recommended to always use fully
+                qualified domain names over short names._  Note that the host field
+                applies to both HTTP and TCP services.'
+              type: string
+            subsets:
+              description: One or more named sets that represent individual versions
+                of a service. Traffic policies can be overridden at subset level.
+              items:
+                properties:
+                  labels:
+                    description: REQUIRED. Labels apply a filter over the endpoints
+                      of a service in the service registry. See route rules for examples
+                      of usage.
+                    type: object
+                  name:
+                    description: REQUIRED. Name of the subset. The service name and
+                      the subset name can be used for traffic splitting in a route
+                      rule.
+                    type: string
+                  trafficPolicy:
+                    description: Traffic policies that apply to this subset. Subsets
+                      inherit the traffic policies specified at the DestinationRule
+                      level. Settings specified at the subset level will override
+                      the corresponding settings specified at the DestinationRule
+                      level.
+                    properties:
+                      connectionPool:
+                        description: Settings controlling the volume of connections
+                          to an upstream service
+                        properties:
+                          http:
+                            description: HTTP connection pool settings.
+                            properties:
+                              maxRequestsPerConnection:
+                                description: Maximum number of requests per connection
+                                  to a backend. Setting this parameter to 1 disables
+                                  keep alive.
+                                format: int32
+                                type: integer
+                              maxRetries:
+                                description: Maximum number of retries that can be
+                                  outstanding to all hosts in a cluster at a given
+                                  time. Defaults to 3.
+                                format: int32
+                                type: integer
+                            type: object
+                          tcp:
+                            description: Settings common to both HTTP and TCP upstream
+                              connections.
+                            properties:
+                              connectTimeout:
+                                description: TCP connection timeout.
+                                type: string
+                              maxConnections:
+                                description: Maximum number of HTTP1 /TCP connections
+                                  to a destination host.
+                                format: int32
+                                type: integer
+                            type: object
+                        type: object
+                      loadBalancer:
+                        description: Settings controlling the load balancer algorithms.
+                        properties:
+                          consistentHash:
+                            properties:
+                              httpCookie:
+                                description: Hash based on HTTP cookie.
+                                properties:
+                                  name:
+                                    description: REQUIRED. Name of the cookie.
+                                    type: string
+                                  path:
+                                    description: Path to set for the cookie.
+                                    type: string
+                                  ttl:
+                                    description: REQUIRED. Lifetime of the cookie.
+                                    type: string
+                                required:
+                                - name
+                                - ttl
+                                type: object
+                              httpHeaderName:
+                                description: 'It is required to specify exactly one
+                                  of the fields as hash key: HttpHeaderName, HttpCookie,
+                                  or UseSourceIP. Hash based on a specific HTTP header.'
+                                type: string
+                              minimumRingSize:
+                                description: The minimum number of virtual nodes to
+                                  use for the hash ring. Defaults to 1024. Larger
+                                  ring sizes result in more granular load distributions.
+                                  If the number of hosts in the load balancing pool
+                                  is larger than the ring size, each host will be
+                                  assigned a single virtual node.
+                                format: int64
+                                type: integer
+                              useSourceIp:
+                                description: Hash based on the source IP address.
+                                type: boolean
+                            type: object
+                          simple:
+                            description: 'It is required to specify exactly one of
+                              the fields: Simple or ConsistentHash'
+                            type: string
+                        type: object
+                      outlierDetection:
+                        description: Settings controlling eviction of unhealthy hosts
+                          from the load balancing pool
+                        properties:
+                          baseEjectionTime:
+                            description: 'Minimum ejection duration. A host will remain
+                              ejected for a period equal to the product of minimum
+                              ejection duration and the number of times the host has
+                              been ejected. This technique allows the system to automatically
+                              increase the ejection period for unhealthy upstream
+                              servers. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default
+                              is 30s.'
+                            type: string
+                          consecutiveErrors:
+                            description: Number of errors before a host is ejected
+                              from the connection pool. Defaults to 5. When the upstream
+                              host is accessed over HTTP, a 5xx return code qualifies
+                              as an error. When the upstream host is accessed over
+                              an opaque TCP connection, connect timeouts and connection
+                              error/failure events qualify as an error.
+                            format: int32
+                            type: integer
+                          interval:
+                            description: 'Time interval between ejection sweep analysis.
+                              format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.'
+                            type: string
+                          maxEjectionPercent:
+                            description: Maximum % of hosts in the load balancing
+                              pool for the upstream service that can be ejected. Defaults
+                              to 10%.
+                            format: int32
+                            type: integer
+                        type: object
+                      portLevelSettings:
+                        description: Traffic policies specific to individual ports.
+                          Note that port level settings will override the destination-level
+                          settings. Traffic settings specified at the destination-level
+                          will not be inherited when overridden by port-level settings,
+                          i.e. default values will be applied to fields omitted in
+                          port-level traffic policies.
+                        items:
+                          properties:
+                            connectionPool:
+                              description: Settings controlling the volume of connections
+                                to an upstream service
+                              properties:
+                                http:
+                                  description: HTTP connection pool settings.
+                                  properties:
+                                    maxRequestsPerConnection:
+                                      description: Maximum number of requests per
+                                        connection to a backend. Setting this parameter
+                                        to 1 disables keep alive.
+                                      format: int32
+                                      type: integer
+                                    maxRetries:
+                                      description: Maximum number of retries that
+                                        can be outstanding to all hosts in a cluster
+                                        at a given time. Defaults to 3.
+                                      format: int32
+                                      type: integer
+                                  type: object
+                                tcp:
+                                  description: Settings common to both HTTP and TCP
+                                    upstream connections.
+                                  properties:
+                                    connectTimeout:
+                                      description: TCP connection timeout.
+                                      type: string
+                                    maxConnections:
+                                      description: Maximum number of HTTP1 /TCP connections
+                                        to a destination host.
+                                      format: int32
+                                      type: integer
+                                  type: object
+                              type: object
+                            loadBalancer:
+                              description: Settings controlling the load balancer
+                                algorithms.
+                              properties:
+                                consistentHash:
+                                  properties:
+                                    httpCookie:
+                                      description: Hash based on HTTP cookie.
+                                      properties:
+                                        name:
+                                          description: REQUIRED. Name of the cookie.
+                                          type: string
+                                        path:
+                                          description: Path to set for the cookie.
+                                          type: string
+                                        ttl:
+                                          description: REQUIRED. Lifetime of the cookie.
+                                          type: string
+                                      required:
+                                      - name
+                                      - ttl
+                                      type: object
+                                    httpHeaderName:
+                                      description: 'It is required to specify exactly
+                                        one of the fields as hash key: HttpHeaderName,
+                                        HttpCookie, or UseSourceIP. Hash based on
+                                        a specific HTTP header.'
+                                      type: string
+                                    minimumRingSize:
+                                      description: The minimum number of virtual nodes
+                                        to use for the hash ring. Defaults to 1024.
+                                        Larger ring sizes result in more granular
+                                        load distributions. If the number of hosts
+                                        in the load balancing pool is larger than
+                                        the ring size, each host will be assigned
+                                        a single virtual node.
+                                      format: int64
+                                      type: integer
+                                    useSourceIp:
+                                      description: Hash based on the source IP address.
+                                      type: boolean
+                                  type: object
+                                simple:
+                                  description: 'It is required to specify exactly
+                                    one of the fields: Simple or ConsistentHash'
+                                  type: string
+                              type: object
+                            outlierDetection:
+                              description: Settings controlling eviction of unhealthy
+                                hosts from the load balancing pool
+                              properties:
+                                baseEjectionTime:
+                                  description: 'Minimum ejection duration. A host
+                                    will remain ejected for a period equal to the
+                                    product of minimum ejection duration and the number
+                                    of times the host has been ejected. This technique
+                                    allows the system to automatically increase the
+                                    ejection period for unhealthy upstream servers.
+                                    format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is
+                                    30s.'
+                                  type: string
+                                consecutiveErrors:
+                                  description: Number of errors before a host is ejected
+                                    from the connection pool. Defaults to 5. When
+                                    the upstream host is accessed over HTTP, a 5xx
+                                    return code qualifies as an error. When the upstream
+                                    host is accessed over an opaque TCP connection,
+                                    connect timeouts and connection error/failure
+                                    events qualify as an error.
+                                  format: int32
+                                  type: integer
+                                interval:
+                                  description: 'Time interval between ejection sweep
+                                    analysis. format: 1h/1m/1s/1ms. MUST BE >=1ms.
+                                    Default is 10s.'
+                                  type: string
+                                maxEjectionPercent:
+                                  description: Maximum % of hosts in the load balancing
+                                    pool for the upstream service that can be ejected.
+                                    Defaults to 10%.
+                                  format: int32
+                                  type: integer
+                              type: object
+                            port:
+                              description: Specifies the port name or number of a
+                                port on the destination service on which this policy
+                                is being applied.  Names must comply with DNS label
+                                syntax (rfc1035) and therefore cannot collide with
+                                numbers. If there are multiple ports on a service
+                                with the same protocol the names should be of the
+                                form <protocol-name>-<DNS label>.
+                              properties:
+                                name:
+                                  description: Valid port name
+                                  type: string
+                                number:
+                                  description: Valid port number
+                                  format: int32
+                                  type: integer
+                              type: object
+                            tls:
+                              description: TLS related settings for connections to
+                                the upstream service.
+                              properties:
+                                caCertificates:
+                                  description: 'OPTIONAL: The path to the file containing
+                                    certificate authority certificates to use in verifying
+                                    a presented server certificate. If omitted, the
+                                    proxy will not verify the server''s certificate.
+                                    Should be empty if mode is `ISTIO_MUTUAL`.'
+                                  type: string
+                                clientCertificate:
+                                  description: REQUIRED if mode is `MUTUAL`. The path
+                                    to the file holding the client-side TLS certificate
+                                    to use. Should be empty if mode is `ISTIO_MUTUAL`.
+                                  type: string
+                                mode:
+                                  description: 'REQUIRED: Indicates whether connections
+                                    to this port should be secured using TLS. The
+                                    value of this field determines how TLS is enforced.'
+                                  type: string
+                                privateKey:
+                                  description: REQUIRED if mode is `MUTUAL`. The path
+                                    to the file holding the client's private key.
+                                    Should be empty if mode is `ISTIO_MUTUAL`.
+                                  type: string
+                                sni:
+                                  description: SNI string to present to the server
+                                    during TLS handshake. Should be empty if mode
+                                    is `ISTIO_MUTUAL`.
+                                  type: string
+                                subjectAltNames:
+                                  description: A list of alternate names to verify
+                                    the subject identity in the certificate. If specified,
+                                    the proxy will verify that the server certificate's
+                                    subject alt name matches one of the specified
+                                    values. Should be empty if mode is `ISTIO_MUTUAL`.
+                                  items:
+                                    type: string
+                                  type: array
+                              required:
+                              - mode
+                              type: object
+                          required:
+                          - port
+                          type: object
+                        type: array
+                      tls:
+                        description: TLS related settings for connections to the upstream
+                          service.
+                        properties:
+                          caCertificates:
+                            description: 'OPTIONAL: The path to the file containing
+                              certificate authority certificates to use in verifying
+                              a presented server certificate. If omitted, the proxy
+                              will not verify the server''s certificate. Should be
+                              empty if mode is `ISTIO_MUTUAL`.'
+                            type: string
+                          clientCertificate:
+                            description: REQUIRED if mode is `MUTUAL`. The path to
+                              the file holding the client-side TLS certificate to
+                              use. Should be empty if mode is `ISTIO_MUTUAL`.
+                            type: string
+                          mode:
+                            description: 'REQUIRED: Indicates whether connections
+                              to this port should be secured using TLS. The value
+                              of this field determines how TLS is enforced.'
+                            type: string
+                          privateKey:
+                            description: REQUIRED if mode is `MUTUAL`. The path to
+                              the file holding the client's private key. Should be
+                              empty if mode is `ISTIO_MUTUAL`.
+                            type: string
+                          sni:
+                            description: SNI string to present to the server during
+                              TLS handshake. Should be empty if mode is `ISTIO_MUTUAL`.
+                            type: string
+                          subjectAltNames:
+                            description: A list of alternate names to verify the subject
+                              identity in the certificate. If specified, the proxy
+                              will verify that the server certificate's subject alt
+                              name matches one of the specified values. Should be
+                              empty if mode is `ISTIO_MUTUAL`.
+                            items:
+                              type: string
+                            type: array
+                        required:
+                        - mode
+                        type: object
+                    type: object
+                required:
+                - name
+                - labels
+                type: object
+              type: array
+            trafficPolicy:
+              description: Traffic policies to apply (load balancing policy, connection
+                pool sizes, outlier detection).
+              properties:
+                connectionPool:
+                  description: Settings controlling the volume of connections to an
+                    upstream service
+                  properties:
+                    http:
+                      description: HTTP connection pool settings.
+                      properties:
+                        maxRequestsPerConnection:
+                          description: Maximum number of requests per connection to
+                            a backend. Setting this parameter to 1 disables keep alive.
+                          format: int32
+                          type: integer
+                        maxRetries:
+                          description: Maximum number of retries that can be outstanding
+                            to all hosts in a cluster at a given time. Defaults to
+                            3.
+                          format: int32
+                          type: integer
+                      type: object
+                    tcp:
+                      description: Settings common to both HTTP and TCP upstream connections.
+                      properties:
+                        connectTimeout:
+                          description: TCP connection timeout.
+                          type: string
+                        maxConnections:
+                          description: Maximum number of HTTP1 /TCP connections to
+                            a destination host.
+                          format: int32
+                          type: integer
+                      type: object
+                  type: object
+                loadBalancer:
+                  description: Settings controlling the load balancer algorithms.
+                  properties:
+                    consistentHash:
+                      properties:
+                        httpCookie:
+                          description: Hash based on HTTP cookie.
+                          properties:
+                            name:
+                              description: REQUIRED. Name of the cookie.
+                              type: string
+                            path:
+                              description: Path to set for the cookie.
+                              type: string
+                            ttl:
+                              description: REQUIRED. Lifetime of the cookie.
+                              type: string
+                          required:
+                          - name
+                          - ttl
+                          type: object
+                        httpHeaderName:
+                          description: 'It is required to specify exactly one of the
+                            fields as hash key: HttpHeaderName, HttpCookie, or UseSourceIP.
+                            Hash based on a specific HTTP header.'
+                          type: string
+                        minimumRingSize:
+                          description: The minimum number of virtual nodes to use
+                            for the hash ring. Defaults to 1024. Larger ring sizes
+                            result in more granular load distributions. If the number
+                            of hosts in the load balancing pool is larger than the
+                            ring size, each host will be assigned a single virtual
+                            node.
+                          format: int64
+                          type: integer
+                        useSourceIp:
+                          description: Hash based on the source IP address.
+                          type: boolean
+                      type: object
+                    simple:
+                      description: 'It is required to specify exactly one of the fields:
+                        Simple or ConsistentHash'
+                      type: string
+                  type: object
+                outlierDetection:
+                  description: Settings controlling eviction of unhealthy hosts from
+                    the load balancing pool
+                  properties:
+                    baseEjectionTime:
+                      description: 'Minimum ejection duration. A host will remain
+                        ejected for a period equal to the product of minimum ejection
+                        duration and the number of times the host has been ejected.
+                        This technique allows the system to automatically increase
+                        the ejection period for unhealthy upstream servers. format:
+                        1h/1m/1s/1ms. MUST BE >=1ms. Default is 30s.'
+                      type: string
+                    consecutiveErrors:
+                      description: Number of errors before a host is ejected from
+                        the connection pool. Defaults to 5. When the upstream host
+                        is accessed over HTTP, a 5xx return code qualifies as an error.
+                        When the upstream host is accessed over an opaque TCP connection,
+                        connect timeouts and connection error/failure events qualify
+                        as an error.
+                      format: int32
+                      type: integer
+                    interval:
+                      description: 'Time interval between ejection sweep analysis.
+                        format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.'
+                      type: string
+                    maxEjectionPercent:
+                      description: Maximum % of hosts in the load balancing pool for
+                        the upstream service that can be ejected. Defaults to 10%.
+                      format: int32
+                      type: integer
+                  type: object
+                portLevelSettings:
+                  description: Traffic policies specific to individual ports. Note
+                    that port level settings will override the destination-level settings.
+                    Traffic settings specified at the destination-level will not be
+                    inherited when overridden by port-level settings, i.e. default
+                    values will be applied to fields omitted in port-level traffic
+                    policies.
+                  items:
+                    properties:
+                      connectionPool:
+                        description: Settings controlling the volume of connections
+                          to an upstream service
+                        properties:
+                          http:
+                            description: HTTP connection pool settings.
+                            properties:
+                              maxRequestsPerConnection:
+                                description: Maximum number of requests per connection
+                                  to a backend. Setting this parameter to 1 disables
+                                  keep alive.
+                                format: int32
+                                type: integer
+                              maxRetries:
+                                description: Maximum number of retries that can be
+                                  outstanding to all hosts in a cluster at a given
+                                  time. Defaults to 3.
+                                format: int32
+                                type: integer
+                            type: object
+                          tcp:
+                            description: Settings common to both HTTP and TCP upstream
+                              connections.
+                            properties:
+                              connectTimeout:
+                                description: TCP connection timeout.
+                                type: string
+                              maxConnections:
+                                description: Maximum number of HTTP1 /TCP connections
+                                  to a destination host.
+                                format: int32
+                                type: integer
+                            type: object
+                        type: object
+                      loadBalancer:
+                        description: Settings controlling the load balancer algorithms.
+                        properties:
+                          consistentHash:
+                            properties:
+                              httpCookie:
+                                description: Hash based on HTTP cookie.
+                                properties:
+                                  name:
+                                    description: REQUIRED. Name of the cookie.
+                                    type: string
+                                  path:
+                                    description: Path to set for the cookie.
+                                    type: string
+                                  ttl:
+                                    description: REQUIRED. Lifetime of the cookie.
+                                    type: string
+                                required:
+                                - name
+                                - ttl
+                                type: object
+                              httpHeaderName:
+                                description: 'It is required to specify exactly one
+                                  of the fields as hash key: HttpHeaderName, HttpCookie,
+                                  or UseSourceIP. Hash based on a specific HTTP header.'
+                                type: string
+                              minimumRingSize:
+                                description: The minimum number of virtual nodes to
+                                  use for the hash ring. Defaults to 1024. Larger
+                                  ring sizes result in more granular load distributions.
+                                  If the number of hosts in the load balancing pool
+                                  is larger than the ring size, each host will be
+                                  assigned a single virtual node.
+                                format: int64
+                                type: integer
+                              useSourceIp:
+                                description: Hash based on the source IP address.
+                                type: boolean
+                            type: object
+                          simple:
+                            description: 'It is required to specify exactly one of
+                              the fields: Simple or ConsistentHash'
+                            type: string
+                        type: object
+                      outlierDetection:
+                        description: Settings controlling eviction of unhealthy hosts
+                          from the load balancing pool
+                        properties:
+                          baseEjectionTime:
+                            description: 'Minimum ejection duration. A host will remain
+                              ejected for a period equal to the product of minimum
+                              ejection duration and the number of times the host has
+                              been ejected. This technique allows the system to automatically
+                              increase the ejection period for unhealthy upstream
+                              servers. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default
+                              is 30s.'
+                            type: string
+                          consecutiveErrors:
+                            description: Number of errors before a host is ejected
+                              from the connection pool. Defaults to 5. When the upstream
+                              host is accessed over HTTP, a 5xx return code qualifies
+                              as an error. When the upstream host is accessed over
+                              an opaque TCP connection, connect timeouts and connection
+                              error/failure events qualify as an error.
+                            format: int32
+                            type: integer
+                          interval:
+                            description: 'Time interval between ejection sweep analysis.
+                              format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.'
+                            type: string
+                          maxEjectionPercent:
+                            description: Maximum % of hosts in the load balancing
+                              pool for the upstream service that can be ejected. Defaults
+                              to 10%.
+                            format: int32
+                            type: integer
+                        type: object
+                      port:
+                        description: Specifies the port name or number of a port on
+                          the destination service on which this policy is being applied.  Names
+                          must comply with DNS label syntax (rfc1035) and therefore
+                          cannot collide with numbers. If there are multiple ports
+                          on a service with the same protocol the names should be
+                          of the form <protocol-name>-<DNS label>.
+                        properties:
+                          name:
+                            description: Valid port name
+                            type: string
+                          number:
+                            description: Valid port number
+                            format: int32
+                            type: integer
+                        type: object
+                      tls:
+                        description: TLS related settings for connections to the upstream
+                          service.
+                        properties:
+                          caCertificates:
+                            description: 'OPTIONAL: The path to the file containing
+                              certificate authority certificates to use in verifying
+                              a presented server certificate. If omitted, the proxy
+                              will not verify the server''s certificate. Should be
+                              empty if mode is `ISTIO_MUTUAL`.'
+                            type: string
+                          clientCertificate:
+                            description: REQUIRED if mode is `MUTUAL`. The path to
+                              the file holding the client-side TLS certificate to
+                              use. Should be empty if mode is `ISTIO_MUTUAL`.
+                            type: string
+                          mode:
+                            description: 'REQUIRED: Indicates whether connections
+                              to this port should be secured using TLS. The value
+                              of this field determines how TLS is enforced.'
+                            type: string
+                          privateKey:
+                            description: REQUIRED if mode is `MUTUAL`. The path to
+                              the file holding the client's private key. Should be
+                              empty if mode is `ISTIO_MUTUAL`.
+                            type: string
+                          sni:
+                            description: SNI string to present to the server during
+                              TLS handshake. Should be empty if mode is `ISTIO_MUTUAL`.
+                            type: string
+                          subjectAltNames:
+                            description: A list of alternate names to verify the subject
+                              identity in the certificate. If specified, the proxy
+                              will verify that the server certificate's subject alt
+                              name matches one of the specified values. Should be
+                              empty if mode is `ISTIO_MUTUAL`.
+                            items:
+                              type: string
+                            type: array
+                        required:
+                        - mode
+                        type: object
+                    required:
+                    - port
+                    type: object
+                  type: array
+                tls:
+                  description: TLS related settings for connections to the upstream
+                    service.
+                  properties:
+                    caCertificates:
+                      description: 'OPTIONAL: The path to the file containing certificate
+                        authority certificates to use in verifying a presented server
+                        certificate. If omitted, the proxy will not verify the server''s
+                        certificate. Should be empty if mode is `ISTIO_MUTUAL`.'
+                      type: string
+                    clientCertificate:
+                      description: REQUIRED if mode is `MUTUAL`. The path to the file
+                        holding the client-side TLS certificate to use. Should be
+                        empty if mode is `ISTIO_MUTUAL`.
+                      type: string
+                    mode:
+                      description: 'REQUIRED: Indicates whether connections to this
+                        port should be secured using TLS. The value of this field
+                        determines how TLS is enforced.'
+                      type: string
+                    privateKey:
+                      description: REQUIRED if mode is `MUTUAL`. The path to the file
+                        holding the client's private key. Should be empty if mode
+                        is `ISTIO_MUTUAL`.
+                      type: string
+                    sni:
+                      description: SNI string to present to the server during TLS
+                        handshake. Should be empty if mode is `ISTIO_MUTUAL`.
+                      type: string
+                    subjectAltNames:
+                      description: A list of alternate names to verify the subject
+                        identity in the certificate. If specified, the proxy will
+                        verify that the server certificate's subject alt name matches
+                        one of the specified values. Should be empty if mode is `ISTIO_MUTUAL`.
+                      items:
+                        type: string
+                      type: array
+                  required:
+                  - mode
+                  type: object
+              type: object
+          required:
+          - host
+          type: object
+      required:
+      - spec
+  version: v1alpha3
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/istio_v1alpha3_gateway.yaml

@@ -0,0 +1,129 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  creationTimestamp: null
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: gateways.istio.kubesphere.io
+spec:
+  group: istio.kubesphere.io
+  names:
+    kind: Gateway
+    plural: gateways
+  scope: Namespaced
+  validation:
+    openAPIV3Schema:
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          properties:
+            selector:
+              description: One or more labels that indicate a specific set of pods/VMs
+                on which this gateway configuration should be applied. If no selectors
+                are provided, the gateway will be implemented by the default istio-ingress
+                controller.
+              type: object
+            servers:
+              description: 'REQUIRED: A list of server specifications.'
+              items:
+                properties:
+                  hosts:
+                    description: A list of hosts exposed by this gateway. While typically
+                      applicable to HTTP services, it can also be used for TCP services
+                      using TLS with SNI. Standard DNS wildcard prefix syntax is permitted.  A
+                      VirtualService that is bound to a gateway must having a matching
+                      host in its default destination. Specifically one of the VirtualService
+                      destination hosts is a strict suffix of a gateway host or a
+                      gateway host is a suffix of one of the VirtualService hosts.
+                    items:
+                      type: string
+                    type: array
+                  port:
+                    description: 'REQUIRED: The Port on which the proxy should listen
+                      for incoming connections'
+                    properties:
+                      name:
+                        description: Label assigned to the port.
+                        type: string
+                      number:
+                        description: 'REQUIRED: A valid non-negative integer port
+                          number.'
+                        format: int64
+                        type: integer
+                      protocol:
+                        description: 'REQUIRED: The protocol exposed on the port.
+                          MUST BE one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP.'
+                        type: string
+                    required:
+                    - number
+                    - protocol
+                    type: object
+                  tls:
+                    description: Set of TLS related options that govern the server's
+                      behavior. Use these options to control if all http requests
+                      should be redirected to https, and the TLS modes to use.
+                    properties:
+                      caCertificates:
+                        description: REQUIRED if mode is "MUTUAL". The path to a file
+                          containing certificate authority certificates to use in
+                          verifying a presented client side certificate.
+                        type: string
+                      httpsRedirect:
+                        description: If set to true, the load balancer will send a
+                          302 redirect for all http connections, asking the clients
+                          to use HTTPS.
+                        type: boolean
+                      mode:
+                        description: 'Optional: Indicates whether connections to this
+                          port should be secured using TLS. The value of this field
+                          determines how TLS is enforced.'
+                        type: string
+                      privateKey:
+                        description: REQUIRED if mode is "SIMPLE" or "MUTUAL". The
+                          path to the file holding the server's private key.
+                        type: string
+                      serverCertificate:
+                        description: REQUIRED if mode is "SIMPLE" or "MUTUAL". The
+                          path to the file holding the server-side TLS certificate
+                          to use.
+                        type: string
+                      subjectAltNames:
+                        description: A list of alternate names to verify the subject
+                          identity in the certificate presented by the client.
+                        items:
+                          type: string
+                        type: array
+                    required:
+                    - httpsRedirect
+                    - serverCertificate
+                    - privateKey
+                    - caCertificates
+                    - subjectAltNames
+                    type: object
+                required:
+                - port
+                type: object
+              type: array
+          required:
+          - servers
+          type: object
+      required:
+      - spec
+  version: v1alpha3
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/istio_v1alpha3_virtualservice.yaml

@@ -0,0 +1,695 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  creationTimestamp: null
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: virtualservices.istio.kubesphere.io
+spec:
+  group: istio.kubesphere.io
+  names:
+    kind: VirtualService
+    plural: virtualservices
+  scope: Namespaced
+  validation:
+    openAPIV3Schema:
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          properties:
+            gateways:
+              description: The names of gateways and sidecars that should apply these
+                routes. A single VirtualService is used for sidecars inside the mesh
+                as well as for one or more gateways. The selection condition imposed
+                by this field can be overridden using the source field in the match
+                conditions of HTTP/TCP routes. The reserved word "mesh" is used to
+                imply all the sidecars in the mesh. When this field is omitted, the
+                default gateway ("mesh") will be used, which would apply the rule
+                to all sidecars in the mesh. If a list of gateway names is provided,
+                the rules will apply only to the gateways. To apply the rules to both
+                gateways and sidecars, specify "mesh" as one of the gateway names.
+              items:
+                type: string
+              type: array
+            hosts:
+              description: REQUIRED. The destination address for traffic captured
+                by this virtual service. Could be a DNS name with wildcard prefix
+                or a CIDR prefix. Depending on the platform, short-names can also
+                be used instead of a FQDN (i.e. has no dots in the name). In such
+                a scenario, the FQDN of the host would be derived based on the underlying
+                platform.  For example on Kubernetes, when hosts contains a short
+                name, Istio will interpret the short name based on the namespace of
+                the rule. Thus, when a client namespace applies a rule in the "default"
+                namespace containing a name "reviews, Istio will setup routes to the
+                "reviews.default.svc.cluster.local" service. However, if a different
+                name such as "reviews.sales.svc.cluster.local" is used, it would be
+                treated as a FQDN during virtual host matching. In Consul, a plain
+                service name would be resolved to the FQDN "reviews.service.consul".  Note
+                that the hosts field applies to both HTTP and TCP services. Service
+                inside the mesh, i.e., those found in the service registry, must always
+                be referred to using their alphanumeric names. IP addresses or CIDR
+                prefixes are allowed only for services defined via the Gateway.
+              items:
+                type: string
+              type: array
+            http:
+              description: An ordered list of route rules for HTTP traffic. The first
+                rule matching an incoming request is used.
+              items:
+                properties:
+                  appendHeaders:
+                    description: Additional HTTP headers to add before forwarding
+                      a request to the destination service.
+                    type: object
+                  corsPolicy:
+                    description: Cross-Origin Resource Sharing policy
+                    properties:
+                      allowCredentials:
+                        description: Indicates whether the caller is allowed to send
+                          the actual request (not the preflight) using credentials.
+                          Translates to Access-Control-Allow-Credentials header.
+                        type: boolean
+                      allowHeaders:
+                        description: List of HTTP headers that can be used when requesting
+                          the resource. Serialized to Access-Control-Allow-Methods
+                          header.
+                        items:
+                          type: string
+                        type: array
+                      allowMethods:
+                        description: List of HTTP methods allowed to access the resource.
+                          The content will be serialized into the Access-Control-Allow-Methods
+                          header.
+                        items:
+                          type: string
+                        type: array
+                      allowOrigin:
+                        description: The list of origins that are allowed to perform
+                          CORS requests. The content will be serialized into the Access-Control-Allow-Origin
+                          header. Wildcard * will allow all origins.
+                        items:
+                          type: string
+                        type: array
+                      exposeHeaders:
+                        description: A white list of HTTP headers that the browsers
+                          are allowed to access. Serialized into Access-Control-Expose-Headers
+                          header.
+                        items:
+                          type: string
+                        type: array
+                      maxAge:
+                        description: Specifies how long the the results of a preflight
+                          request can be cached. Translates to the Access-Control-Max-Age
+                          header.
+                        type: string
+                    type: object
+                  fault:
+                    description: Fault injection policy to apply on HTTP traffic.
+                    properties:
+                      abort:
+                        description: Abort Http request attempts and return error
+                          codes back to downstream service, giving the impression
+                          that the upstream service is faulty.
+                        properties:
+                          httpStatus:
+                            description: REQUIRED. HTTP status code to use to abort
+                              the Http request.
+                            format: int64
+                            type: integer
+                          percent:
+                            description: Percentage of requests to be aborted with
+                              the error code provided (0-100).
+                            format: int64
+                            type: integer
+                        required:
+                        - httpStatus
+                        type: object
+                      delay:
+                        description: Delay requests before forwarding, emulating various
+                          failures such as network issues, overloaded upstream service,
+                          etc.
+                        properties:
+                          exponentialDelay:
+                            description: (-- Add a delay (based on an exponential
+                              function) before forwarding the request. mean delay
+                              needed to derive the exponential delay values --)
+                            type: string
+                          fixedDelay:
+                            description: 'REQUIRED. Add a fixed delay before forwarding
+                              the request. Format: 1h/1m/1s/1ms. MUST be >=1ms.'
+                            type: string
+                          percent:
+                            description: Percentage of requests on which the delay
+                              will be injected (0-100).
+                            format: int64
+                            type: integer
+                        required:
+                        - fixedDelay
+                        type: object
+                    type: object
+                  match:
+                    description: Match conditions to be satisfied for the rule to
+                      be activated. All conditions inside a single match block have
+                      AND semantics, while the list of match blocks have OR semantics.
+                      The rule is matched if any one of the match blocks succeed.
+                    items:
+                      properties:
+                        authority:
+                          description: 'HTTP Authority values are case-sensitive and
+                            formatted as follows:  - `exact: "value"` for exact string
+                            match  - `prefix: "value"` for prefix-based match  - `regex:
+                            "value"` for ECMAscript style regex-based match'
+                          properties:
+                            exact:
+                              description: exact string match
+                              type: string
+                            prefix:
+                              description: prefix-based match
+                              type: string
+                            regex:
+                              description: ECMAscript style regex-based match
+                              type: string
+                            suffix:
+                              description: suffix-based match.
+                              type: string
+                          type: object
+                        gateways:
+                          description: Names of gateways where the rule should be
+                            applied to. Gateway names at the top of the VirtualService
+                            (if any) are overridden. The gateway match is independent
+                            of sourceLabels.
+                          items:
+                            type: string
+                          type: array
+                        headers:
+                          description: 'The header keys must be lowercase and use
+                            hyphen as the separator, e.g. _x-request-id_.  Header
+                            values are case-sensitive and formatted as follows:  -
+                            `exact: "value"` for exact string match  - `prefix: "value"`
+                            for prefix-based match  - `regex: "value"` for ECMAscript
+                            style regex-based match  **Note:** The keys `uri`, `scheme`,
+                            `method`, and `authority` will be ignored.'
+                          type: object
+                        method:
+                          description: 'HTTP Method values are case-sensitive and
+                            formatted as follows:  - `exact: "value"` for exact string
+                            match  - `prefix: "value"` for prefix-based match  - `regex:
+                            "value"` for ECMAscript style regex-based match'
+                          properties:
+                            exact:
+                              description: exact string match
+                              type: string
+                            prefix:
+                              description: prefix-based match
+                              type: string
+                            regex:
+                              description: ECMAscript style regex-based match
+                              type: string
+                            suffix:
+                              description: suffix-based match.
+                              type: string
+                          type: object
+                        port:
+                          description: Specifies the ports on the host that is being
+                            addressed. Many services only expose a single port or
+                            label ports with the protocols they support, in these
+                            cases it is not required to explicitly select the port.
+                          format: int32
+                          type: integer
+                        scheme:
+                          description: 'URI Scheme values are case-sensitive and formatted
+                            as follows:  - `exact: "value"` for exact string match  -
+                            `prefix: "value"` for prefix-based match  - `regex: "value"`
+                            for ECMAscript style regex-based match'
+                          properties:
+                            exact:
+                              description: exact string match
+                              type: string
+                            prefix:
+                              description: prefix-based match
+                              type: string
+                            regex:
+                              description: ECMAscript style regex-based match
+                              type: string
+                            suffix:
+                              description: suffix-based match.
+                              type: string
+                          type: object
+                        sourceLabels:
+                          description: One or more labels that constrain the applicability
+                            of a rule to workloads with the given labels. If the VirtualService
+                            has a list of gateways specified at the top, it should
+                            include the reserved gateway `mesh` in order for this
+                            field to be applicable.
+                          type: object
+                        uri:
+                          description: 'URI to match values are case-sensitive and
+                            formatted as follows:  - `exact: "value"` for exact string
+                            match  - `prefix: "value"` for prefix-based match  - `regex:
+                            "value"` for ECMAscript style regex-based match'
+                          properties:
+                            exact:
+                              description: exact string match
+                              type: string
+                            prefix:
+                              description: prefix-based match
+                              type: string
+                            regex:
+                              description: ECMAscript style regex-based match
+                              type: string
+                            suffix:
+                              description: suffix-based match.
+                              type: string
+                          type: object
+                      type: object
+                    type: array
+                  mirror:
+                    description: Mirror HTTP traffic to a another destination in addition
+                      to forwarding the requests to the intended destination. Mirrored
+                      traffic is on a best effort basis where the sidecar/gateway
+                      will not wait for the mirrored cluster to respond before returning
+                      the response from the original destination.  Statistics will
+                      be generated for the mirrored destination.
+                    properties:
+                      host:
+                        description: 'REQUIRED. The name of a service from the service
+                          registry. Service names are looked up from the platform''s
+                          service registry (e.g., Kubernetes services, Consul services,
+                          etc.) and from the hosts declared by [ServiceEntry](#ServiceEntry).
+                          Traffic forwarded to destinations that are not found in
+                          either of the two, will be dropped.  *Note for Kubernetes
+                          users*: When short names are used (e.g. "reviews" instead
+                          of "reviews.default.svc.cluster.local"), Istio will interpret
+                          the short name based on the namespace of the rule, not the
+                          service. A rule in the "default" namespace containing a
+                          host "reviews will be interpreted as "reviews.default.svc.cluster.local",
+                          irrespective of the actual namespace associated with the
+                          reviews service. _To avoid potential misconfigurations,
+                          it is recommended to always use fully qualified domain names
+                          over short names._'
+                        type: string
+                      port:
+                        description: Specifies the port on the host that is being
+                          addressed. If a service exposes only a single port it is
+                          not required to explicitly select the port.
+                        properties:
+                          name:
+                            description: Valid port name
+                            type: string
+                          number:
+                            description: Valid port number
+                            format: int32
+                            type: integer
+                        type: object
+                      subset:
+                        description: The name of a subset within the service. Applicable
+                          only to services within the mesh. The subset must be defined
+                          in a corresponding DestinationRule.
+                        type: string
+                    required:
+                    - host
+                    type: object
+                  redirect:
+                    description: A http rule can either redirect or forward (default)
+                      traffic. If traffic passthrough option is specified in the rule,
+                      route/redirect will be ignored. The redirect primitive can be
+                      used to send a HTTP 302 redirect to a different URI or Authority.
+                    properties:
+                      authority:
+                        description: On a redirect, overwrite the Authority/Host portion
+                          of the URL with this value.
+                        type: string
+                      uri:
+                        description: On a redirect, overwrite the Path portion of
+                          the URL with this value. Note that the entire path will
+                          be replaced, irrespective of the request URI being matched
+                          as an exact path or prefix.
+                        type: string
+                    type: object
+                  removeResponseHeaders:
+                    description: Http headers to remove before returning the response
+                      to the caller
+                    type: object
+                  retries:
+                    description: Retry policy for HTTP requests.
+                    properties:
+                      attempts:
+                        description: REQUIRED. Number of retries for a given request.
+                          The interval between retries will be determined automatically
+                          (25ms+). Actual number of retries attempted depends on the
+                          httpReqTimeout.
+                        format: int64
+                        type: integer
+                      perTryTimeout:
+                        description: 'Timeout per retry attempt for a given request.
+                          format: 1h/1m/1s/1ms. MUST BE >=1ms.'
+                        type: string
+                    required:
+                    - attempts
+                    - perTryTimeout
+                    type: object
+                  rewrite:
+                    description: Rewrite HTTP URIs and Authority headers. Rewrite
+                      cannot be used with Redirect primitive. Rewrite will be performed
+                      before forwarding.
+                    properties:
+                      authority:
+                        description: rewrite the Authority/Host header with this value.
+                        type: string
+                      uri:
+                        description: rewrite the path (or the prefix) portion of the
+                          URI with this value. If the original URI was matched based
+                          on prefix, the value provided in this field will replace
+                          the corresponding matched prefix.
+                        type: string
+                    type: object
+                  route:
+                    description: A http rule can either redirect or forward (default)
+                      traffic. The forwarding target can be one of several versions
+                      of a service (see glossary in beginning of document). Weights
+                      associated with the service version determine the proportion
+                      of traffic it receives.
+                    items:
+                      properties:
+                        destination:
+                          description: REQUIRED. Destination uniquely identifies the
+                            instances of a service to which the request/connection
+                            should be forwarded to.
+                          properties:
+                            host:
+                              description: 'REQUIRED. The name of a service from the
+                                service registry. Service names are looked up from
+                                the platform''s service registry (e.g., Kubernetes
+                                services, Consul services, etc.) and from the hosts
+                                declared by [ServiceEntry](#ServiceEntry). Traffic
+                                forwarded to destinations that are not found in either
+                                of the two, will be dropped.  *Note for Kubernetes
+                                users*: When short names are used (e.g. "reviews"
+                                instead of "reviews.default.svc.cluster.local"), Istio
+                                will interpret the short name based on the namespace
+                                of the rule, not the service. A rule in the "default"
+                                namespace containing a host "reviews will be interpreted
+                                as "reviews.default.svc.cluster.local", irrespective
+                                of the actual namespace associated with the reviews
+                                service. _To avoid potential misconfigurations, it
+                                is recommended to always use fully qualified domain
+                                names over short names._'
+                              type: string
+                            port:
+                              description: Specifies the port on the host that is
+                                being addressed. If a service exposes only a single
+                                port it is not required to explicitly select the port.
+                              properties:
+                                name:
+                                  description: Valid port name
+                                  type: string
+                                number:
+                                  description: Valid port number
+                                  format: int32
+                                  type: integer
+                              type: object
+                            subset:
+                              description: The name of a subset within the service.
+                                Applicable only to services within the mesh. The subset
+                                must be defined in a corresponding DestinationRule.
+                              type: string
+                          required:
+                          - host
+                          type: object
+                        weight:
+                          description: REQUIRED. The proportion of traffic to be forwarded
+                            to the service version. (0-100). Sum of weights across
+                            destinations SHOULD BE == 100. If there is only destination
+                            in a rule, the weight value is assumed to be 100.
+                          format: int64
+                          type: integer
+                      required:
+                      - destination
+                      - weight
+                      type: object
+                    type: array
+                  timeout:
+                    description: Timeout for HTTP requests.
+                    type: string
+                  websocketUpgrade:
+                    description: Indicates that a HTTP/1.1 client connection to this
+                      particular route should be allowed (and expected) to upgrade
+                      to a WebSocket connection. The default is false. Istio's reference
+                      sidecar implementation (Envoy) expects the first request to
+                      this route to contain the WebSocket upgrade headers. Otherwise,
+                      the request will be rejected. Note that Websocket allows secondary
+                      protocol negotiation which may then be subject to further routing
+                      rules based on the protocol selected.
+                    type: boolean
+                type: object
+              type: array
+            tcp:
+              description: An ordered list of route rules for TCP traffic. The first
+                rule matching an incoming request is used.
+              items:
+                properties:
+                  match:
+                    description: Match conditions to be satisfied for the rule to
+                      be activated. All conditions inside a single match block have
+                      AND semantics, while the list of match blocks have OR semantics.
+                      The rule is matched if any one of the match blocks succeed.
+                    items:
+                      properties:
+                        destinationSubnets:
+                          description: IPv4 or IPv6 ip address of destination with
+                            optional subnet.  E.g., a.b.c.d/xx form or just a.b.c.d.
+                          items:
+                            type: string
+                          type: array
+                        gateways:
+                          description: Names of gateways where the rule should be
+                            applied to. Gateway names at the top of the VirtualService
+                            (if any) are overridden. The gateway match is independent
+                            of sourceLabels.
+                          items:
+                            type: string
+                          type: array
+                        port:
+                          description: Specifies the port on the host that is being
+                            addressed. Many services only expose a single port or
+                            label ports with the protocols they support, in these
+                            cases it is not required to explicitly select the port.
+                          format: int64
+                          type: integer
+                        sourceLabels:
+                          description: One or more labels that constrain the applicability
+                            of a rule to workloads with the given labels. If the VirtualService
+                            has a list of gateways specified at the top, it should
+                            include the reserved gateway `mesh` in order for this
+                            field to be applicable.
+                          type: object
+                      type: object
+                    type: array
+                  route:
+                    description: The destinations to which the connection should be
+                      forwarded to. Weights must add to 100%.
+                    items:
+                      properties:
+                        destination:
+                          description: REQUIRED. Destination uniquely identifies the
+                            instances of a service to which the request/connection
+                            should be forwarded to.
+                          properties:
+                            host:
+                              description: 'REQUIRED. The name of a service from the
+                                service registry. Service names are looked up from
+                                the platform''s service registry (e.g., Kubernetes
+                                services, Consul services, etc.) and from the hosts
+                                declared by [ServiceEntry](#ServiceEntry). Traffic
+                                forwarded to destinations that are not found in either
+                                of the two, will be dropped.  *Note for Kubernetes
+                                users*: When short names are used (e.g. "reviews"
+                                instead of "reviews.default.svc.cluster.local"), Istio
+                                will interpret the short name based on the namespace
+                                of the rule, not the service. A rule in the "default"
+                                namespace containing a host "reviews will be interpreted
+                                as "reviews.default.svc.cluster.local", irrespective
+                                of the actual namespace associated with the reviews
+                                service. _To avoid potential misconfigurations, it
+                                is recommended to always use fully qualified domain
+                                names over short names._'
+                              type: string
+                            port:
+                              description: Specifies the port on the host that is
+                                being addressed. If a service exposes only a single
+                                port it is not required to explicitly select the port.
+                              properties:
+                                name:
+                                  description: Valid port name
+                                  type: string
+                                number:
+                                  description: Valid port number
+                                  format: int32
+                                  type: integer
+                              type: object
+                            subset:
+                              description: The name of a subset within the service.
+                                Applicable only to services within the mesh. The subset
+                                must be defined in a corresponding DestinationRule.
+                              type: string
+                          required:
+                          - host
+                          type: object
+                        weight:
+                          description: REQUIRED. The proportion of traffic to be forwarded
+                            to the service version. (0-100). Sum of weights across
+                            destinations SHOULD BE == 100. If there is only destination
+                            in a rule, the weight value is assumed to be 100.
+                          format: int64
+                          type: integer
+                      required:
+                      - destination
+                      - weight
+                      type: object
+                    type: array
+                required:
+                - match
+                - route
+                type: object
+              type: array
+            tls:
+              items:
+                properties:
+                  match:
+                    description: REQUIRED. Match conditions to be satisfied for the
+                      rule to be activated. All conditions inside a single match block
+                      have AND semantics, while the list of match blocks have OR semantics.
+                      The rule is matched if any one of the match blocks succeed.
+                    items:
+                      properties:
+                        destinationSubnets:
+                          description: IPv4 or IPv6 ip addresses of destination with
+                            optional subnet.  E.g., a.b.c.d/xx form or just a.b.c.d.
+                          items:
+                            type: string
+                          type: array
+                        gateways:
+                          description: Names of gateways where the rule should be
+                            applied to. Gateway names at the top of the VirtualService
+                            (if any) are overridden. The gateway match is independent
+                            of sourceLabels.
+                          items:
+                            type: string
+                          type: array
+                        port:
+                          description: Specifies the port on the host that is being
+                            addressed. Many services only expose a single port or
+                            label ports with the protocols they support, in these
+                            cases it is not required to explicitly select the port.
+                          format: int64
+                          type: integer
+                        sniHosts:
+                          description: REQUIRED. SNI (server name indicator) to match
+                            on. Wildcard prefixes can be used in the SNI value, e.g.,
+                            *.com will match foo.example.com as well as example.com.
+                            An SNI value must be a subset (i.e., fall within the domain)
+                            of the corresponding virtual service's hosts
+                          items:
+                            type: string
+                          type: array
+                        sourceLabels:
+                          description: One or more labels that constrain the applicability
+                            of a rule to workloads with the given labels. If the VirtualService
+                            has a list of gateways specified at the top, it should
+                            include the reserved gateway `mesh` in order for this
+                            field to be applicable.
+                          type: object
+                      required:
+                      - sniHosts
+                      type: object
+                    type: array
+                  route:
+                    description: The destination to which the connection should be
+                      forwarded to.
+                    items:
+                      properties:
+                        destination:
+                          description: REQUIRED. Destination uniquely identifies the
+                            instances of a service to which the request/connection
+                            should be forwarded to.
+                          properties:
+                            host:
+                              description: 'REQUIRED. The name of a service from the
+                                service registry. Service names are looked up from
+                                the platform''s service registry (e.g., Kubernetes
+                                services, Consul services, etc.) and from the hosts
+                                declared by [ServiceEntry](#ServiceEntry). Traffic
+                                forwarded to destinations that are not found in either
+                                of the two, will be dropped.  *Note for Kubernetes
+                                users*: When short names are used (e.g. "reviews"
+                                instead of "reviews.default.svc.cluster.local"), Istio
+                                will interpret the short name based on the namespace
+                                of the rule, not the service. A rule in the "default"
+                                namespace containing a host "reviews will be interpreted
+                                as "reviews.default.svc.cluster.local", irrespective
+                                of the actual namespace associated with the reviews
+                                service. _To avoid potential misconfigurations, it
+                                is recommended to always use fully qualified domain
+                                names over short names._'
+                              type: string
+                            port:
+                              description: Specifies the port on the host that is
+                                being addressed. If a service exposes only a single
+                                port it is not required to explicitly select the port.
+                              properties:
+                                name:
+                                  description: Valid port name
+                                  type: string
+                                number:
+                                  description: Valid port number
+                                  format: int32
+                                  type: integer
+                              type: object
+                            subset:
+                              description: The name of a subset within the service.
+                                Applicable only to services within the mesh. The subset
+                                must be defined in a corresponding DestinationRule.
+                              type: string
+                          required:
+                          - host
+                          type: object
+                        weight:
+                          description: REQUIRED. The proportion of traffic to be forwarded
+                            to the service version. (0-100). Sum of weights across
+                            destinations SHOULD BE == 100. If there is only destination
+                            in a rule, the weight value is assumed to be 100.
+                          format: int64
+                          type: integer
+                      required:
+                      - destination
+                      - weight
+                      type: object
+                    type: array
+                required:
+                - match
+                - route
+                type: object
+              type: array
+          required:
+          - hosts
+          type: object
+      required:
+      - spec
+  version: v1alpha3
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/servicemesh_v1alpha2_servicepolicy.yaml

@@ -0,0 +1,822 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  creationTimestamp: null
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: servicepolicies.servicemesh.kubesphere.io
+spec:
+  group: servicemesh.kubesphere.io
+  names:
+    kind: ServicePolicy
+    plural: servicepolicies
+  scope: Namespaced
+  validation:
+    openAPIV3Schema:
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          properties:
+            selector:
+              description: Label selector for destination rules.
+              type: object
+            template:
+              description: Template used to create a destination rule
+              properties:
+                spec:
+                  description: Spec indicates the behavior of a destination rule.
+                  properties:
+                    host:
+                      description: 'REQUIRED. The name of a service from the service
+                        registry. Service names are looked up from the platform''s
+                        service registry (e.g., Kubernetes services, Consul services,
+                        etc.) and from the hosts declared by [ServiceEntries](#ServiceEntry).
+                        Rules defined for services that do not exist in the service
+                        registry will be ignored.  *Note for Kubernetes users*: When
+                        short names are used (e.g. "reviews" instead of "reviews.default.svc.cluster.local"),
+                        Istio will interpret the short name based on the namespace
+                        of the rule, not the service. A rule in the "default" namespace
+                        containing a host "reviews will be interpreted as "reviews.default.svc.cluster.local",
+                        irrespective of the actual namespace associated with the reviews
+                        service. _To avoid potential misconfigurations, it is recommended
+                        to always use fully qualified domain names over short names._  Note
+                        that the host field applies to both HTTP and TCP services.'
+                      type: string
+                    subsets:
+                      description: One or more named sets that represent individual
+                        versions of a service. Traffic policies can be overridden
+                        at subset level.
+                      items:
+                        properties:
+                          labels:
+                            description: REQUIRED. Labels apply a filter over the
+                              endpoints of a service in the service registry. See
+                              route rules for examples of usage.
+                            type: object
+                          name:
+                            description: REQUIRED. Name of the subset. The service
+                              name and the subset name can be used for traffic splitting
+                              in a route rule.
+                            type: string
+                          trafficPolicy:
+                            description: Traffic policies that apply to this subset.
+                              Subsets inherit the traffic policies specified at the
+                              DestinationRule level. Settings specified at the subset
+                              level will override the corresponding settings specified
+                              at the DestinationRule level.
+                            properties:
+                              connectionPool:
+                                description: Settings controlling the volume of connections
+                                  to an upstream service
+                                properties:
+                                  http:
+                                    description: HTTP connection pool settings.
+                                    properties:
+                                      maxRequestsPerConnection:
+                                        description: Maximum number of requests per
+                                          connection to a backend. Setting this parameter
+                                          to 1 disables keep alive.
+                                        format: int32
+                                        type: integer
+                                      maxRetries:
+                                        description: Maximum number of retries that
+                                          can be outstanding to all hosts in a cluster
+                                          at a given time. Defaults to 3.
+                                        format: int32
+                                        type: integer
+                                    type: object
+                                  tcp:
+                                    description: Settings common to both HTTP and
+                                      TCP upstream connections.
+                                    properties:
+                                      connectTimeout:
+                                        description: TCP connection timeout.
+                                        type: string
+                                      maxConnections:
+                                        description: Maximum number of HTTP1 /TCP
+                                          connections to a destination host.
+                                        format: int32
+                                        type: integer
+                                    type: object
+                                type: object
+                              loadBalancer:
+                                description: Settings controlling the load balancer
+                                  algorithms.
+                                properties:
+                                  consistentHash:
+                                    properties:
+                                      httpCookie:
+                                        description: Hash based on HTTP cookie.
+                                        properties:
+                                          name:
+                                            description: REQUIRED. Name of the cookie.
+                                            type: string
+                                          path:
+                                            description: Path to set for the cookie.
+                                            type: string
+                                          ttl:
+                                            description: REQUIRED. Lifetime of the
+                                              cookie.
+                                            type: string
+                                        required:
+                                        - name
+                                        - ttl
+                                        type: object
+                                      httpHeaderName:
+                                        description: 'It is required to specify exactly
+                                          one of the fields as hash key: HttpHeaderName,
+                                          HttpCookie, or UseSourceIP. Hash based on
+                                          a specific HTTP header.'
+                                        type: string
+                                      minimumRingSize:
+                                        description: The minimum number of virtual
+                                          nodes to use for the hash ring. Defaults
+                                          to 1024. Larger ring sizes result in more
+                                          granular load distributions. If the number
+                                          of hosts in the load balancing pool is larger
+                                          than the ring size, each host will be assigned
+                                          a single virtual node.
+                                        format: int64
+                                        type: integer
+                                      useSourceIp:
+                                        description: Hash based on the source IP address.
+                                        type: boolean
+                                    type: object
+                                  simple:
+                                    description: 'It is required to specify exactly
+                                      one of the fields: Simple or ConsistentHash'
+                                    type: string
+                                type: object
+                              outlierDetection:
+                                description: Settings controlling eviction of unhealthy
+                                  hosts from the load balancing pool
+                                properties:
+                                  baseEjectionTime:
+                                    description: 'Minimum ejection duration. A host
+                                      will remain ejected for a period equal to the
+                                      product of minimum ejection duration and the
+                                      number of times the host has been ejected. This
+                                      technique allows the system to automatically
+                                      increase the ejection period for unhealthy upstream
+                                      servers. format: 1h/1m/1s/1ms. MUST BE >=1ms.
+                                      Default is 30s.'
+                                    type: string
+                                  consecutiveErrors:
+                                    description: Number of errors before a host is
+                                      ejected from the connection pool. Defaults to
+                                      5. When the upstream host is accessed over HTTP,
+                                      a 5xx return code qualifies as an error. When
+                                      the upstream host is accessed over an opaque
+                                      TCP connection, connect timeouts and connection
+                                      error/failure events qualify as an error.
+                                    format: int32
+                                    type: integer
+                                  interval:
+                                    description: 'Time interval between ejection sweep
+                                      analysis. format: 1h/1m/1s/1ms. MUST BE >=1ms.
+                                      Default is 10s.'
+                                    type: string
+                                  maxEjectionPercent:
+                                    description: Maximum % of hosts in the load balancing
+                                      pool for the upstream service that can be ejected.
+                                      Defaults to 10%.
+                                    format: int32
+                                    type: integer
+                                type: object
+                              portLevelSettings:
+                                description: Traffic policies specific to individual
+                                  ports. Note that port level settings will override
+                                  the destination-level settings. Traffic settings
+                                  specified at the destination-level will not be inherited
+                                  when overridden by port-level settings, i.e. default
+                                  values will be applied to fields omitted in port-level
+                                  traffic policies.
+                                items:
+                                  properties:
+                                    connectionPool:
+                                      description: Settings controlling the volume
+                                        of connections to an upstream service
+                                      properties:
+                                        http:
+                                          description: HTTP connection pool settings.
+                                          properties:
+                                            maxRequestsPerConnection:
+                                              description: Maximum number of requests
+                                                per connection to a backend. Setting
+                                                this parameter to 1 disables keep
+                                                alive.
+                                              format: int32
+                                              type: integer
+                                            maxRetries:
+                                              description: Maximum number of retries
+                                                that can be outstanding to all hosts
+                                                in a cluster at a given time. Defaults
+                                                to 3.
+                                              format: int32
+                                              type: integer
+                                          type: object
+                                        tcp:
+                                          description: Settings common to both HTTP
+                                            and TCP upstream connections.
+                                          properties:
+                                            connectTimeout:
+                                              description: TCP connection timeout.
+                                              type: string
+                                            maxConnections:
+                                              description: Maximum number of HTTP1
+                                                /TCP connections to a destination
+                                                host.
+                                              format: int32
+                                              type: integer
+                                          type: object
+                                      type: object
+                                    loadBalancer:
+                                      description: Settings controlling the load balancer
+                                        algorithms.
+                                      properties:
+                                        consistentHash:
+                                          properties:
+                                            httpCookie:
+                                              description: Hash based on HTTP cookie.
+                                              properties:
+                                                name:
+                                                  description: REQUIRED. Name of the
+                                                    cookie.
+                                                  type: string
+                                                path:
+                                                  description: Path to set for the
+                                                    cookie.
+                                                  type: string
+                                                ttl:
+                                                  description: REQUIRED. Lifetime
+                                                    of the cookie.
+                                                  type: string
+                                              required:
+                                              - name
+                                              - ttl
+                                              type: object
+                                            httpHeaderName:
+                                              description: 'It is required to specify
+                                                exactly one of the fields as hash
+                                                key: HttpHeaderName, HttpCookie, or
+                                                UseSourceIP. Hash based on a specific
+                                                HTTP header.'
+                                              type: string
+                                            minimumRingSize:
+                                              description: The minimum number of virtual
+                                                nodes to use for the hash ring. Defaults
+                                                to 1024. Larger ring sizes result
+                                                in more granular load distributions.
+                                                If the number of hosts in the load
+                                                balancing pool is larger than the
+                                                ring size, each host will be assigned
+                                                a single virtual node.
+                                              format: int64
+                                              type: integer
+                                            useSourceIp:
+                                              description: Hash based on the source
+                                                IP address.
+                                              type: boolean
+                                          type: object
+                                        simple:
+                                          description: 'It is required to specify
+                                            exactly one of the fields: Simple or ConsistentHash'
+                                          type: string
+                                      type: object
+                                    outlierDetection:
+                                      description: Settings controlling eviction of
+                                        unhealthy hosts from the load balancing pool
+                                      properties:
+                                        baseEjectionTime:
+                                          description: 'Minimum ejection duration.
+                                            A host will remain ejected for a period
+                                            equal to the product of minimum ejection
+                                            duration and the number of times the host
+                                            has been ejected. This technique allows
+                                            the system to automatically increase the
+                                            ejection period for unhealthy upstream
+                                            servers. format: 1h/1m/1s/1ms. MUST BE
+                                            >=1ms. Default is 30s.'
+                                          type: string
+                                        consecutiveErrors:
+                                          description: Number of errors before a host
+                                            is ejected from the connection pool. Defaults
+                                            to 5. When the upstream host is accessed
+                                            over HTTP, a 5xx return code qualifies
+                                            as an error. When the upstream host is
+                                            accessed over an opaque TCP connection,
+                                            connect timeouts and connection error/failure
+                                            events qualify as an error.
+                                          format: int32
+                                          type: integer
+                                        interval:
+                                          description: 'Time interval between ejection
+                                            sweep analysis. format: 1h/1m/1s/1ms.
+                                            MUST BE >=1ms. Default is 10s.'
+                                          type: string
+                                        maxEjectionPercent:
+                                          description: Maximum % of hosts in the load
+                                            balancing pool for the upstream service
+                                            that can be ejected. Defaults to 10%.
+                                          format: int32
+                                          type: integer
+                                      type: object
+                                    port:
+                                      description: Specifies the port name or number
+                                        of a port on the destination service on which
+                                        this policy is being applied.  Names must
+                                        comply with DNS label syntax (rfc1035) and
+                                        therefore cannot collide with numbers. If
+                                        there are multiple ports on a service with
+                                        the same protocol the names should be of the
+                                        form <protocol-name>-<DNS label>.
+                                      properties:
+                                        name:
+                                          description: Valid port name
+                                          type: string
+                                        number:
+                                          description: Valid port number
+                                          format: int32
+                                          type: integer
+                                      type: object
+                                    tls:
+                                      description: TLS related settings for connections
+                                        to the upstream service.
+                                      properties:
+                                        caCertificates:
+                                          description: 'OPTIONAL: The path to the
+                                            file containing certificate authority
+                                            certificates to use in verifying a presented
+                                            server certificate. If omitted, the proxy
+                                            will not verify the server''s certificate.
+                                            Should be empty if mode is `ISTIO_MUTUAL`.'
+                                          type: string
+                                        clientCertificate:
+                                          description: REQUIRED if mode is `MUTUAL`.
+                                            The path to the file holding the client-side
+                                            TLS certificate to use. Should be empty
+                                            if mode is `ISTIO_MUTUAL`.
+                                          type: string
+                                        mode:
+                                          description: 'REQUIRED: Indicates whether
+                                            connections to this port should be secured
+                                            using TLS. The value of this field determines
+                                            how TLS is enforced.'
+                                          type: string
+                                        privateKey:
+                                          description: REQUIRED if mode is `MUTUAL`.
+                                            The path to the file holding the client's
+                                            private key. Should be empty if mode is
+                                            `ISTIO_MUTUAL`.
+                                          type: string
+                                        sni:
+                                          description: SNI string to present to the
+                                            server during TLS handshake. Should be
+                                            empty if mode is `ISTIO_MUTUAL`.
+                                          type: string
+                                        subjectAltNames:
+                                          description: A list of alternate names to
+                                            verify the subject identity in the certificate.
+                                            If specified, the proxy will verify that
+                                            the server certificate's subject alt name
+                                            matches one of the specified values. Should
+                                            be empty if mode is `ISTIO_MUTUAL`.
+                                          items:
+                                            type: string
+                                          type: array
+                                      required:
+                                      - mode
+                                      type: object
+                                  required:
+                                  - port
+                                  type: object
+                                type: array
+                              tls:
+                                description: TLS related settings for connections
+                                  to the upstream service.
+                                properties:
+                                  caCertificates:
+                                    description: 'OPTIONAL: The path to the file containing
+                                      certificate authority certificates to use in
+                                      verifying a presented server certificate. If
+                                      omitted, the proxy will not verify the server''s
+                                      certificate. Should be empty if mode is `ISTIO_MUTUAL`.'
+                                    type: string
+                                  clientCertificate:
+                                    description: REQUIRED if mode is `MUTUAL`. The
+                                      path to the file holding the client-side TLS
+                                      certificate to use. Should be empty if mode
+                                      is `ISTIO_MUTUAL`.
+                                    type: string
+                                  mode:
+                                    description: 'REQUIRED: Indicates whether connections
+                                      to this port should be secured using TLS. The
+                                      value of this field determines how TLS is enforced.'
+                                    type: string
+                                  privateKey:
+                                    description: REQUIRED if mode is `MUTUAL`. The
+                                      path to the file holding the client's private
+                                      key. Should be empty if mode is `ISTIO_MUTUAL`.
+                                    type: string
+                                  sni:
+                                    description: SNI string to present to the server
+                                      during TLS handshake. Should be empty if mode
+                                      is `ISTIO_MUTUAL`.
+                                    type: string
+                                  subjectAltNames:
+                                    description: A list of alternate names to verify
+                                      the subject identity in the certificate. If
+                                      specified, the proxy will verify that the server
+                                      certificate's subject alt name matches one of
+                                      the specified values. Should be empty if mode
+                                      is `ISTIO_MUTUAL`.
+                                    items:
+                                      type: string
+                                    type: array
+                                required:
+                                - mode
+                                type: object
+                            type: object
+                        required:
+                        - name
+                        - labels
+                        type: object
+                      type: array
+                    trafficPolicy:
+                      description: Traffic policies to apply (load balancing policy,
+                        connection pool sizes, outlier detection).
+                      properties:
+                        connectionPool:
+                          description: Settings controlling the volume of connections
+                            to an upstream service
+                          properties:
+                            http:
+                              description: HTTP connection pool settings.
+                              properties:
+                                maxRequestsPerConnection:
+                                  description: Maximum number of requests per connection
+                                    to a backend. Setting this parameter to 1 disables
+                                    keep alive.
+                                  format: int32
+                                  type: integer
+                                maxRetries:
+                                  description: Maximum number of retries that can
+                                    be outstanding to all hosts in a cluster at a
+                                    given time. Defaults to 3.
+                                  format: int32
+                                  type: integer
+                              type: object
+                            tcp:
+                              description: Settings common to both HTTP and TCP upstream
+                                connections.
+                              properties:
+                                connectTimeout:
+                                  description: TCP connection timeout.
+                                  type: string
+                                maxConnections:
+                                  description: Maximum number of HTTP1 /TCP connections
+                                    to a destination host.
+                                  format: int32
+                                  type: integer
+                              type: object
+                          type: object
+                        loadBalancer:
+                          description: Settings controlling the load balancer algorithms.
+                          properties:
+                            consistentHash:
+                              properties:
+                                httpCookie:
+                                  description: Hash based on HTTP cookie.
+                                  properties:
+                                    name:
+                                      description: REQUIRED. Name of the cookie.
+                                      type: string
+                                    path:
+                                      description: Path to set for the cookie.
+                                      type: string
+                                    ttl:
+                                      description: REQUIRED. Lifetime of the cookie.
+                                      type: string
+                                  required:
+                                  - name
+                                  - ttl
+                                  type: object
+                                httpHeaderName:
+                                  description: 'It is required to specify exactly
+                                    one of the fields as hash key: HttpHeaderName,
+                                    HttpCookie, or UseSourceIP. Hash based on a specific
+                                    HTTP header.'
+                                  type: string
+                                minimumRingSize:
+                                  description: The minimum number of virtual nodes
+                                    to use for the hash ring. Defaults to 1024. Larger
+                                    ring sizes result in more granular load distributions.
+                                    If the number of hosts in the load balancing pool
+                                    is larger than the ring size, each host will be
+                                    assigned a single virtual node.
+                                  format: int64
+                                  type: integer
+                                useSourceIp:
+                                  description: Hash based on the source IP address.
+                                  type: boolean
+                              type: object
+                            simple:
+                              description: 'It is required to specify exactly one
+                                of the fields: Simple or ConsistentHash'
+                              type: string
+                          type: object
+                        outlierDetection:
+                          description: Settings controlling eviction of unhealthy
+                            hosts from the load balancing pool
+                          properties:
+                            baseEjectionTime:
+                              description: 'Minimum ejection duration. A host will
+                                remain ejected for a period equal to the product of
+                                minimum ejection duration and the number of times
+                                the host has been ejected. This technique allows the
+                                system to automatically increase the ejection period
+                                for unhealthy upstream servers. format: 1h/1m/1s/1ms.
+                                MUST BE >=1ms. Default is 30s.'
+                              type: string
+                            consecutiveErrors:
+                              description: Number of errors before a host is ejected
+                                from the connection pool. Defaults to 5. When the
+                                upstream host is accessed over HTTP, a 5xx return
+                                code qualifies as an error. When the upstream host
+                                is accessed over an opaque TCP connection, connect
+                                timeouts and connection error/failure events qualify
+                                as an error.
+                              format: int32
+                              type: integer
+                            interval:
+                              description: 'Time interval between ejection sweep analysis.
+                                format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.'
+                              type: string
+                            maxEjectionPercent:
+                              description: Maximum % of hosts in the load balancing
+                                pool for the upstream service that can be ejected.
+                                Defaults to 10%.
+                              format: int32
+                              type: integer
+                          type: object
+                        portLevelSettings:
+                          description: Traffic policies specific to individual ports.
+                            Note that port level settings will override the destination-level
+                            settings. Traffic settings specified at the destination-level
+                            will not be inherited when overridden by port-level settings,
+                            i.e. default values will be applied to fields omitted
+                            in port-level traffic policies.
+                          items:
+                            properties:
+                              connectionPool:
+                                description: Settings controlling the volume of connections
+                                  to an upstream service
+                                properties:
+                                  http:
+                                    description: HTTP connection pool settings.
+                                    properties:
+                                      maxRequestsPerConnection:
+                                        description: Maximum number of requests per
+                                          connection to a backend. Setting this parameter
+                                          to 1 disables keep alive.
+                                        format: int32
+                                        type: integer
+                                      maxRetries:
+                                        description: Maximum number of retries that
+                                          can be outstanding to all hosts in a cluster
+                                          at a given time. Defaults to 3.
+                                        format: int32
+                                        type: integer
+                                    type: object
+                                  tcp:
+                                    description: Settings common to both HTTP and
+                                      TCP upstream connections.
+                                    properties:
+                                      connectTimeout:
+                                        description: TCP connection timeout.
+                                        type: string
+                                      maxConnections:
+                                        description: Maximum number of HTTP1 /TCP
+                                          connections to a destination host.
+                                        format: int32
+                                        type: integer
+                                    type: object
+                                type: object
+                              loadBalancer:
+                                description: Settings controlling the load balancer
+                                  algorithms.
+                                properties:
+                                  consistentHash:
+                                    properties:
+                                      httpCookie:
+                                        description: Hash based on HTTP cookie.
+                                        properties:
+                                          name:
+                                            description: REQUIRED. Name of the cookie.
+                                            type: string
+                                          path:
+                                            description: Path to set for the cookie.
+                                            type: string
+                                          ttl:
+                                            description: REQUIRED. Lifetime of the
+                                              cookie.
+                                            type: string
+                                        required:
+                                        - name
+                                        - ttl
+                                        type: object
+                                      httpHeaderName:
+                                        description: 'It is required to specify exactly
+                                          one of the fields as hash key: HttpHeaderName,
+                                          HttpCookie, or UseSourceIP. Hash based on
+                                          a specific HTTP header.'
+                                        type: string
+                                      minimumRingSize:
+                                        description: The minimum number of virtual
+                                          nodes to use for the hash ring. Defaults
+                                          to 1024. Larger ring sizes result in more
+                                          granular load distributions. If the number
+                                          of hosts in the load balancing pool is larger
+                                          than the ring size, each host will be assigned
+                                          a single virtual node.
+                                        format: int64
+                                        type: integer
+                                      useSourceIp:
+                                        description: Hash based on the source IP address.
+                                        type: boolean
+                                    type: object
+                                  simple:
+                                    description: 'It is required to specify exactly
+                                      one of the fields: Simple or ConsistentHash'
+                                    type: string
+                                type: object
+                              outlierDetection:
+                                description: Settings controlling eviction of unhealthy
+                                  hosts from the load balancing pool
+                                properties:
+                                  baseEjectionTime:
+                                    description: 'Minimum ejection duration. A host
+                                      will remain ejected for a period equal to the
+                                      product of minimum ejection duration and the
+                                      number of times the host has been ejected. This
+                                      technique allows the system to automatically
+                                      increase the ejection period for unhealthy upstream
+                                      servers. format: 1h/1m/1s/1ms. MUST BE >=1ms.
+                                      Default is 30s.'
+                                    type: string
+                                  consecutiveErrors:
+                                    description: Number of errors before a host is
+                                      ejected from the connection pool. Defaults to
+                                      5. When the upstream host is accessed over HTTP,
+                                      a 5xx return code qualifies as an error. When
+                                      the upstream host is accessed over an opaque
+                                      TCP connection, connect timeouts and connection
+                                      error/failure events qualify as an error.
+                                    format: int32
+                                    type: integer
+                                  interval:
+                                    description: 'Time interval between ejection sweep
+                                      analysis. format: 1h/1m/1s/1ms. MUST BE >=1ms.
+                                      Default is 10s.'
+                                    type: string
+                                  maxEjectionPercent:
+                                    description: Maximum % of hosts in the load balancing
+                                      pool for the upstream service that can be ejected.
+                                      Defaults to 10%.
+                                    format: int32
+                                    type: integer
+                                type: object
+                              port:
+                                description: Specifies the port name or number of
+                                  a port on the destination service on which this
+                                  policy is being applied.  Names must comply with
+                                  DNS label syntax (rfc1035) and therefore cannot
+                                  collide with numbers. If there are multiple ports
+                                  on a service with the same protocol the names should
+                                  be of the form <protocol-name>-<DNS label>.
+                                properties:
+                                  name:
+                                    description: Valid port name
+                                    type: string
+                                  number:
+                                    description: Valid port number
+                                    format: int32
+                                    type: integer
+                                type: object
+                              tls:
+                                description: TLS related settings for connections
+                                  to the upstream service.
+                                properties:
+                                  caCertificates:
+                                    description: 'OPTIONAL: The path to the file containing
+                                      certificate authority certificates to use in
+                                      verifying a presented server certificate. If
+                                      omitted, the proxy will not verify the server''s
+                                      certificate. Should be empty if mode is `ISTIO_MUTUAL`.'
+                                    type: string
+                                  clientCertificate:
+                                    description: REQUIRED if mode is `MUTUAL`. The
+                                      path to the file holding the client-side TLS
+                                      certificate to use. Should be empty if mode
+                                      is `ISTIO_MUTUAL`.
+                                    type: string
+                                  mode:
+                                    description: 'REQUIRED: Indicates whether connections
+                                      to this port should be secured using TLS. The
+                                      value of this field determines how TLS is enforced.'
+                                    type: string
+                                  privateKey:
+                                    description: REQUIRED if mode is `MUTUAL`. The
+                                      path to the file holding the client's private
+                                      key. Should be empty if mode is `ISTIO_MUTUAL`.
+                                    type: string
+                                  sni:
+                                    description: SNI string to present to the server
+                                      during TLS handshake. Should be empty if mode
+                                      is `ISTIO_MUTUAL`.
+                                    type: string
+                                  subjectAltNames:
+                                    description: A list of alternate names to verify
+                                      the subject identity in the certificate. If
+                                      specified, the proxy will verify that the server
+                                      certificate's subject alt name matches one of
+                                      the specified values. Should be empty if mode
+                                      is `ISTIO_MUTUAL`.
+                                    items:
+                                      type: string
+                                    type: array
+                                required:
+                                - mode
+                                type: object
+                            required:
+                            - port
+                            type: object
+                          type: array
+                        tls:
+                          description: TLS related settings for connections to the
+                            upstream service.
+                          properties:
+                            caCertificates:
+                              description: 'OPTIONAL: The path to the file containing
+                                certificate authority certificates to use in verifying
+                                a presented server certificate. If omitted, the proxy
+                                will not verify the server''s certificate. Should
+                                be empty if mode is `ISTIO_MUTUAL`.'
+                              type: string
+                            clientCertificate:
+                              description: REQUIRED if mode is `MUTUAL`. The path
+                                to the file holding the client-side TLS certificate
+                                to use. Should be empty if mode is `ISTIO_MUTUAL`.
+                              type: string
+                            mode:
+                              description: 'REQUIRED: Indicates whether connections
+                                to this port should be secured using TLS. The value
+                                of this field determines how TLS is enforced.'
+                              type: string
+                            privateKey:
+                              description: REQUIRED if mode is `MUTUAL`. The path
+                                to the file holding the client's private key. Should
+                                be empty if mode is `ISTIO_MUTUAL`.
+                              type: string
+                            sni:
+                              description: SNI string to present to the server during
+                                TLS handshake. Should be empty if mode is `ISTIO_MUTUAL`.
+                              type: string
+                            subjectAltNames:
+                              description: A list of alternate names to verify the
+                                subject identity in the certificate. If specified,
+                                the proxy will verify that the server certificate's
+                                subject alt name matches one of the specified values.
+                                Should be empty if mode is `ISTIO_MUTUAL`.
+                              items:
+                                type: string
+                              type: array
+                          required:
+                          - mode
+                          type: object
+                      type: object
+                  required:
+                  - host
+                  type: object
+              type: object
+          type: object
+        status:
+          type: object
+  version: v1alpha2
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/servicemesh_v1alpha2_strategy.yaml

@@ -0,0 +1,787 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  creationTimestamp: null
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: strategies.servicemesh.kubesphere.io
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .spec.type
+    description: type of strategy
+    name: Type
+    type: string
+  - JSONPath: .spec.template.spec.hosts
+    description: destination hosts
+    name: Hosts
+    type: string
+  - JSONPath: .metadata.creationTimestamp
+    description: 'CreationTimestamp is a timestamp representing the server time when
+      this object was created. It is not guaranteed to be set in happens-before order
+      across separate operations. Clients may not set this value. It is represented
+      in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+      lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+    name: Age
+    type: date
+  group: servicemesh.kubesphere.io
+  names:
+    kind: Strategy
+    plural: strategies
+  scope: Namespaced
+  validation:
+    openAPIV3Schema:
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          properties:
+            governor:
+              description: Governor version, the version takes control of all incoming
+                traffic label version value
+              type: string
+            principal:
+              description: Principal version, the one as reference version label version
+                value
+              type: string
+            selector:
+              description: Label selector for virtual services.
+              type: object
+            strategyPolicy:
+              description: strategy policy, how the strategy will be applied by the
+                strategy controller
+              type: string
+            template:
+              description: Template describes the virtual service that will be created.
+              properties:
+                metadata:
+                  description: Metadata of the virtual services created from this
+                    template
+                  type: object
+                spec:
+                  description: Spec indicates the behavior of a virtual service.
+                  properties:
+                    gateways:
+                      description: The names of gateways and sidecars that should
+                        apply these routes. A single VirtualService is used for sidecars
+                        inside the mesh as well as for one or more gateways. The selection
+                        condition imposed by this field can be overridden using the
+                        source field in the match conditions of HTTP/TCP routes. The
+                        reserved word "mesh" is used to imply all the sidecars in
+                        the mesh. When this field is omitted, the default gateway
+                        ("mesh") will be used, which would apply the rule to all sidecars
+                        in the mesh. If a list of gateway names is provided, the rules
+                        will apply only to the gateways. To apply the rules to both
+                        gateways and sidecars, specify "mesh" as one of the gateway
+                        names.
+                      items:
+                        type: string
+                      type: array
+                    hosts:
+                      description: REQUIRED. The destination address for traffic captured
+                        by this virtual service. Could be a DNS name with wildcard
+                        prefix or a CIDR prefix. Depending on the platform, short-names
+                        can also be used instead of a FQDN (i.e. has no dots in the
+                        name). In such a scenario, the FQDN of the host would be derived
+                        based on the underlying platform.  For example on Kubernetes,
+                        when hosts contains a short name, Istio will interpret the
+                        short name based on the namespace of the rule. Thus, when
+                        a client namespace applies a rule in the "default" namespace
+                        containing a name "reviews, Istio will setup routes to the
+                        "reviews.default.svc.cluster.local" service. However, if a
+                        different name such as "reviews.sales.svc.cluster.local" is
+                        used, it would be treated as a FQDN during virtual host matching.
+                        In Consul, a plain service name would be resolved to the FQDN
+                        "reviews.service.consul".  Note that the hosts field applies
+                        to both HTTP and TCP services. Service inside the mesh, i.e.,
+                        those found in the service registry, must always be referred
+                        to using their alphanumeric names. IP addresses or CIDR prefixes
+                        are allowed only for services defined via the Gateway.
+                      items:
+                        type: string
+                      type: array
+                    http:
+                      description: An ordered list of route rules for HTTP traffic.
+                        The first rule matching an incoming request is used.
+                      items:
+                        properties:
+                          appendHeaders:
+                            description: Additional HTTP headers to add before forwarding
+                              a request to the destination service.
+                            type: object
+                          corsPolicy:
+                            description: Cross-Origin Resource Sharing policy
+                            properties:
+                              allowCredentials:
+                                description: Indicates whether the caller is allowed
+                                  to send the actual request (not the preflight) using
+                                  credentials. Translates to Access-Control-Allow-Credentials
+                                  header.
+                                type: boolean
+                              allowHeaders:
+                                description: List of HTTP headers that can be used
+                                  when requesting the resource. Serialized to Access-Control-Allow-Methods
+                                  header.
+                                items:
+                                  type: string
+                                type: array
+                              allowMethods:
+                                description: List of HTTP methods allowed to access
+                                  the resource. The content will be serialized into
+                                  the Access-Control-Allow-Methods header.
+                                items:
+                                  type: string
+                                type: array
+                              allowOrigin:
+                                description: The list of origins that are allowed
+                                  to perform CORS requests. The content will be serialized
+                                  into the Access-Control-Allow-Origin header. Wildcard
+                                  * will allow all origins.
+                                items:
+                                  type: string
+                                type: array
+                              exposeHeaders:
+                                description: A white list of HTTP headers that the
+                                  browsers are allowed to access. Serialized into
+                                  Access-Control-Expose-Headers header.
+                                items:
+                                  type: string
+                                type: array
+                              maxAge:
+                                description: Specifies how long the the results of
+                                  a preflight request can be cached. Translates to
+                                  the Access-Control-Max-Age header.
+                                type: string
+                            type: object
+                          fault:
+                            description: Fault injection policy to apply on HTTP traffic.
+                            properties:
+                              abort:
+                                description: Abort Http request attempts and return
+                                  error codes back to downstream service, giving the
+                                  impression that the upstream service is faulty.
+                                properties:
+                                  httpStatus:
+                                    description: REQUIRED. HTTP status code to use
+                                      to abort the Http request.
+                                    format: int64
+                                    type: integer
+                                  percent:
+                                    description: Percentage of requests to be aborted
+                                      with the error code provided (0-100).
+                                    format: int64
+                                    type: integer
+                                required:
+                                - httpStatus
+                                type: object
+                              delay:
+                                description: Delay requests before forwarding, emulating
+                                  various failures such as network issues, overloaded
+                                  upstream service, etc.
+                                properties:
+                                  exponentialDelay:
+                                    description: (-- Add a delay (based on an exponential
+                                      function) before forwarding the request. mean
+                                      delay needed to derive the exponential delay
+                                      values --)
+                                    type: string
+                                  fixedDelay:
+                                    description: 'REQUIRED. Add a fixed delay before
+                                      forwarding the request. Format: 1h/1m/1s/1ms.
+                                      MUST be >=1ms.'
+                                    type: string
+                                  percent:
+                                    description: Percentage of requests on which the
+                                      delay will be injected (0-100).
+                                    format: int64
+                                    type: integer
+                                required:
+                                - fixedDelay
+                                type: object
+                            type: object
+                          match:
+                            description: Match conditions to be satisfied for the
+                              rule to be activated. All conditions inside a single
+                              match block have AND semantics, while the list of match
+                              blocks have OR semantics. The rule is matched if any
+                              one of the match blocks succeed.
+                            items:
+                              properties:
+                                authority:
+                                  description: 'HTTP Authority values are case-sensitive
+                                    and formatted as follows:  - `exact: "value"`
+                                    for exact string match  - `prefix: "value"` for
+                                    prefix-based match  - `regex: "value"` for ECMAscript
+                                    style regex-based match'
+                                  properties:
+                                    exact:
+                                      description: exact string match
+                                      type: string
+                                    prefix:
+                                      description: prefix-based match
+                                      type: string
+                                    regex:
+                                      description: ECMAscript style regex-based match
+                                      type: string
+                                    suffix:
+                                      description: suffix-based match.
+                                      type: string
+                                  type: object
+                                gateways:
+                                  description: Names of gateways where the rule should
+                                    be applied to. Gateway names at the top of the
+                                    VirtualService (if any) are overridden. The gateway
+                                    match is independent of sourceLabels.
+                                  items:
+                                    type: string
+                                  type: array
+                                headers:
+                                  description: 'The header keys must be lowercase
+                                    and use hyphen as the separator, e.g. _x-request-id_.  Header
+                                    values are case-sensitive and formatted as follows:  -
+                                    `exact: "value"` for exact string match  - `prefix:
+                                    "value"` for prefix-based match  - `regex: "value"`
+                                    for ECMAscript style regex-based match  **Note:**
+                                    The keys `uri`, `scheme`, `method`, and `authority`
+                                    will be ignored.'
+                                  type: object
+                                method:
+                                  description: 'HTTP Method values are case-sensitive
+                                    and formatted as follows:  - `exact: "value"`
+                                    for exact string match  - `prefix: "value"` for
+                                    prefix-based match  - `regex: "value"` for ECMAscript
+                                    style regex-based match'
+                                  properties:
+                                    exact:
+                                      description: exact string match
+                                      type: string
+                                    prefix:
+                                      description: prefix-based match
+                                      type: string
+                                    regex:
+                                      description: ECMAscript style regex-based match
+                                      type: string
+                                    suffix:
+                                      description: suffix-based match.
+                                      type: string
+                                  type: object
+                                port:
+                                  description: Specifies the ports on the host that
+                                    is being addressed. Many services only expose
+                                    a single port or label ports with the protocols
+                                    they support, in these cases it is not required
+                                    to explicitly select the port.
+                                  format: int32
+                                  type: integer
+                                scheme:
+                                  description: 'URI Scheme values are case-sensitive
+                                    and formatted as follows:  - `exact: "value"`
+                                    for exact string match  - `prefix: "value"` for
+                                    prefix-based match  - `regex: "value"` for ECMAscript
+                                    style regex-based match'
+                                  properties:
+                                    exact:
+                                      description: exact string match
+                                      type: string
+                                    prefix:
+                                      description: prefix-based match
+                                      type: string
+                                    regex:
+                                      description: ECMAscript style regex-based match
+                                      type: string
+                                    suffix:
+                                      description: suffix-based match.
+                                      type: string
+                                  type: object
+                                sourceLabels:
+                                  description: One or more labels that constrain the
+                                    applicability of a rule to workloads with the
+                                    given labels. If the VirtualService has a list
+                                    of gateways specified at the top, it should include
+                                    the reserved gateway `mesh` in order for this
+                                    field to be applicable.
+                                  type: object
+                                uri:
+                                  description: 'URI to match values are case-sensitive
+                                    and formatted as follows:  - `exact: "value"`
+                                    for exact string match  - `prefix: "value"` for
+                                    prefix-based match  - `regex: "value"` for ECMAscript
+                                    style regex-based match'
+                                  properties:
+                                    exact:
+                                      description: exact string match
+                                      type: string
+                                    prefix:
+                                      description: prefix-based match
+                                      type: string
+                                    regex:
+                                      description: ECMAscript style regex-based match
+                                      type: string
+                                    suffix:
+                                      description: suffix-based match.
+                                      type: string
+                                  type: object
+                              type: object
+                            type: array
+                          mirror:
+                            description: Mirror HTTP traffic to a another destination
+                              in addition to forwarding the requests to the intended
+                              destination. Mirrored traffic is on a best effort basis
+                              where the sidecar/gateway will not wait for the mirrored
+                              cluster to respond before returning the response from
+                              the original destination.  Statistics will be generated
+                              for the mirrored destination.
+                            properties:
+                              host:
+                                description: 'REQUIRED. The name of a service from
+                                  the service registry. Service names are looked up
+                                  from the platform''s service registry (e.g., Kubernetes
+                                  services, Consul services, etc.) and from the hosts
+                                  declared by [ServiceEntry](#ServiceEntry). Traffic
+                                  forwarded to destinations that are not found in
+                                  either of the two, will be dropped.  *Note for Kubernetes
+                                  users*: When short names are used (e.g. "reviews"
+                                  instead of "reviews.default.svc.cluster.local"),
+                                  Istio will interpret the short name based on the
+                                  namespace of the rule, not the service. A rule in
+                                  the "default" namespace containing a host "reviews
+                                  will be interpreted as "reviews.default.svc.cluster.local",
+                                  irrespective of the actual namespace associated
+                                  with the reviews service. _To avoid potential misconfigurations,
+                                  it is recommended to always use fully qualified
+                                  domain names over short names._'
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed. If a service exposes only a single
+                                  port it is not required to explicitly select the
+                                  port.
+                                properties:
+                                  name:
+                                    description: Valid port name
+                                    type: string
+                                  number:
+                                    description: Valid port number
+                                    format: int32
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                  Applicable only to services within the mesh. The
+                                  subset must be defined in a corresponding DestinationRule.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          redirect:
+                            description: A http rule can either redirect or forward
+                              (default) traffic. If traffic passthrough option is
+                              specified in the rule, route/redirect will be ignored.
+                              The redirect primitive can be used to send a HTTP 302
+                              redirect to a different URI or Authority.
+                            properties:
+                              authority:
+                                description: On a redirect, overwrite the Authority/Host
+                                  portion of the URL with this value.
+                                type: string
+                              uri:
+                                description: On a redirect, overwrite the Path portion
+                                  of the URL with this value. Note that the entire
+                                  path will be replaced, irrespective of the request
+                                  URI being matched as an exact path or prefix.
+                                type: string
+                            type: object
+                          removeResponseHeaders:
+                            description: Http headers to remove before returning the
+                              response to the caller
+                            type: object
+                          retries:
+                            description: Retry policy for HTTP requests.
+                            properties:
+                              attempts:
+                                description: REQUIRED. Number of retries for a given
+                                  request. The interval between retries will be determined
+                                  automatically (25ms+). Actual number of retries
+                                  attempted depends on the httpReqTimeout.
+                                format: int64
+                                type: integer
+                              perTryTimeout:
+                                description: 'Timeout per retry attempt for a given
+                                  request. format: 1h/1m/1s/1ms. MUST BE >=1ms.'
+                                type: string
+                            required:
+                            - attempts
+                            - perTryTimeout
+                            type: object
+                          rewrite:
+                            description: Rewrite HTTP URIs and Authority headers.
+                              Rewrite cannot be used with Redirect primitive. Rewrite
+                              will be performed before forwarding.
+                            properties:
+                              authority:
+                                description: rewrite the Authority/Host header with
+                                  this value.
+                                type: string
+                              uri:
+                                description: rewrite the path (or the prefix) portion
+                                  of the URI with this value. If the original URI
+                                  was matched based on prefix, the value provided
+                                  in this field will replace the corresponding matched
+                                  prefix.
+                                type: string
+                            type: object
+                          route:
+                            description: A http rule can either redirect or forward
+                              (default) traffic. The forwarding target can be one
+                              of several versions of a service (see glossary in beginning
+                              of document). Weights associated with the service version
+                              determine the proportion of traffic it receives.
+                            items:
+                              properties:
+                                destination:
+                                  description: REQUIRED. Destination uniquely identifies
+                                    the instances of a service to which the request/connection
+                                    should be forwarded to.
+                                  properties:
+                                    host:
+                                      description: 'REQUIRED. The name of a service
+                                        from the service registry. Service names are
+                                        looked up from the platform''s service registry
+                                        (e.g., Kubernetes services, Consul services,
+                                        etc.) and from the hosts declared by [ServiceEntry](#ServiceEntry).
+                                        Traffic forwarded to destinations that are
+                                        not found in either of the two, will be dropped.  *Note
+                                        for Kubernetes users*: When short names are
+                                        used (e.g. "reviews" instead of "reviews.default.svc.cluster.local"),
+                                        Istio will interpret the short name based
+                                        on the namespace of the rule, not the service.
+                                        A rule in the "default" namespace containing
+                                        a host "reviews will be interpreted as "reviews.default.svc.cluster.local",
+                                        irrespective of the actual namespace associated
+                                        with the reviews service. _To avoid potential
+                                        misconfigurations, it is recommended to always
+                                        use fully qualified domain names over short
+                                        names._'
+                                      type: string
+                                    port:
+                                      description: Specifies the port on the host
+                                        that is being addressed. If a service exposes
+                                        only a single port it is not required to explicitly
+                                        select the port.
+                                      properties:
+                                        name:
+                                          description: Valid port name
+                                          type: string
+                                        number:
+                                          description: Valid port number
+                                          format: int32
+                                          type: integer
+                                      type: object
+                                    subset:
+                                      description: The name of a subset within the
+                                        service. Applicable only to services within
+                                        the mesh. The subset must be defined in a
+                                        corresponding DestinationRule.
+                                      type: string
+                                  required:
+                                  - host
+                                  type: object
+                                weight:
+                                  description: REQUIRED. The proportion of traffic
+                                    to be forwarded to the service version. (0-100).
+                                    Sum of weights across destinations SHOULD BE ==
+                                    100. If there is only destination in a rule, the
+                                    weight value is assumed to be 100.
+                                  format: int64
+                                  type: integer
+                              required:
+                              - destination
+                              - weight
+                              type: object
+                            type: array
+                          timeout:
+                            description: Timeout for HTTP requests.
+                            type: string
+                          websocketUpgrade:
+                            description: Indicates that a HTTP/1.1 client connection
+                              to this particular route should be allowed (and expected)
+                              to upgrade to a WebSocket connection. The default is
+                              false. Istio's reference sidecar implementation (Envoy)
+                              expects the first request to this route to contain the
+                              WebSocket upgrade headers. Otherwise, the request will
+                              be rejected. Note that Websocket allows secondary protocol
+                              negotiation which may then be subject to further routing
+                              rules based on the protocol selected.
+                            type: boolean
+                        type: object
+                      type: array
+                    tcp:
+                      description: An ordered list of route rules for TCP traffic.
+                        The first rule matching an incoming request is used.
+                      items:
+                        properties:
+                          match:
+                            description: Match conditions to be satisfied for the
+                              rule to be activated. All conditions inside a single
+                              match block have AND semantics, while the list of match
+                              blocks have OR semantics. The rule is matched if any
+                              one of the match blocks succeed.
+                            items:
+                              properties:
+                                destinationSubnets:
+                                  description: IPv4 or IPv6 ip address of destination
+                                    with optional subnet.  E.g., a.b.c.d/xx form or
+                                    just a.b.c.d.
+                                  items:
+                                    type: string
+                                  type: array
+                                gateways:
+                                  description: Names of gateways where the rule should
+                                    be applied to. Gateway names at the top of the
+                                    VirtualService (if any) are overridden. The gateway
+                                    match is independent of sourceLabels.
+                                  items:
+                                    type: string
+                                  type: array
+                                port:
+                                  description: Specifies the port on the host that
+                                    is being addressed. Many services only expose
+                                    a single port or label ports with the protocols
+                                    they support, in these cases it is not required
+                                    to explicitly select the port.
+                                  format: int64
+                                  type: integer
+                                sourceLabels:
+                                  description: One or more labels that constrain the
+                                    applicability of a rule to workloads with the
+                                    given labels. If the VirtualService has a list
+                                    of gateways specified at the top, it should include
+                                    the reserved gateway `mesh` in order for this
+                                    field to be applicable.
+                                  type: object
+                              type: object
+                            type: array
+                          route:
+                            description: The destinations to which the connection
+                              should be forwarded to. Weights must add to 100%.
+                            items:
+                              properties:
+                                destination:
+                                  description: REQUIRED. Destination uniquely identifies
+                                    the instances of a service to which the request/connection
+                                    should be forwarded to.
+                                  properties:
+                                    host:
+                                      description: 'REQUIRED. The name of a service
+                                        from the service registry. Service names are
+                                        looked up from the platform''s service registry
+                                        (e.g., Kubernetes services, Consul services,
+                                        etc.) and from the hosts declared by [ServiceEntry](#ServiceEntry).
+                                        Traffic forwarded to destinations that are
+                                        not found in either of the two, will be dropped.  *Note
+                                        for Kubernetes users*: When short names are
+                                        used (e.g. "reviews" instead of "reviews.default.svc.cluster.local"),
+                                        Istio will interpret the short name based
+                                        on the namespace of the rule, not the service.
+                                        A rule in the "default" namespace containing
+                                        a host "reviews will be interpreted as "reviews.default.svc.cluster.local",
+                                        irrespective of the actual namespace associated
+                                        with the reviews service. _To avoid potential
+                                        misconfigurations, it is recommended to always
+                                        use fully qualified domain names over short
+                                        names._'
+                                      type: string
+                                    port:
+                                      description: Specifies the port on the host
+                                        that is being addressed. If a service exposes
+                                        only a single port it is not required to explicitly
+                                        select the port.
+                                      properties:
+                                        name:
+                                          description: Valid port name
+                                          type: string
+                                        number:
+                                          description: Valid port number
+                                          format: int32
+                                          type: integer
+                                      type: object
+                                    subset:
+                                      description: The name of a subset within the
+                                        service. Applicable only to services within
+                                        the mesh. The subset must be defined in a
+                                        corresponding DestinationRule.
+                                      type: string
+                                  required:
+                                  - host
+                                  type: object
+                                weight:
+                                  description: REQUIRED. The proportion of traffic
+                                    to be forwarded to the service version. (0-100).
+                                    Sum of weights across destinations SHOULD BE ==
+                                    100. If there is only destination in a rule, the
+                                    weight value is assumed to be 100.
+                                  format: int64
+                                  type: integer
+                              required:
+                              - destination
+                              - weight
+                              type: object
+                            type: array
+                        required:
+                        - match
+                        - route
+                        type: object
+                      type: array
+                    tls:
+                      items:
+                        properties:
+                          match:
+                            description: REQUIRED. Match conditions to be satisfied
+                              for the rule to be activated. All conditions inside
+                              a single match block have AND semantics, while the list
+                              of match blocks have OR semantics. The rule is matched
+                              if any one of the match blocks succeed.
+                            items:
+                              properties:
+                                destinationSubnets:
+                                  description: IPv4 or IPv6 ip addresses of destination
+                                    with optional subnet.  E.g., a.b.c.d/xx form or
+                                    just a.b.c.d.
+                                  items:
+                                    type: string
+                                  type: array
+                                gateways:
+                                  description: Names of gateways where the rule should
+                                    be applied to. Gateway names at the top of the
+                                    VirtualService (if any) are overridden. The gateway
+                                    match is independent of sourceLabels.
+                                  items:
+                                    type: string
+                                  type: array
+                                port:
+                                  description: Specifies the port on the host that
+                                    is being addressed. Many services only expose
+                                    a single port or label ports with the protocols
+                                    they support, in these cases it is not required
+                                    to explicitly select the port.
+                                  format: int64
+                                  type: integer
+                                sniHosts:
+                                  description: REQUIRED. SNI (server name indicator)
+                                    to match on. Wildcard prefixes can be used in
+                                    the SNI value, e.g., *.com will match foo.example.com
+                                    as well as example.com. An SNI value must be a
+                                    subset (i.e., fall within the domain) of the corresponding
+                                    virtual service's hosts
+                                  items:
+                                    type: string
+                                  type: array
+                                sourceLabels:
+                                  description: One or more labels that constrain the
+                                    applicability of a rule to workloads with the
+                                    given labels. If the VirtualService has a list
+                                    of gateways specified at the top, it should include
+                                    the reserved gateway `mesh` in order for this
+                                    field to be applicable.
+                                  type: object
+                              required:
+                              - sniHosts
+                              type: object
+                            type: array
+                          route:
+                            description: The destination to which the connection should
+                              be forwarded to.
+                            items:
+                              properties:
+                                destination:
+                                  description: REQUIRED. Destination uniquely identifies
+                                    the instances of a service to which the request/connection
+                                    should be forwarded to.
+                                  properties:
+                                    host:
+                                      description: 'REQUIRED. The name of a service
+                                        from the service registry. Service names are
+                                        looked up from the platform''s service registry
+                                        (e.g., Kubernetes services, Consul services,
+                                        etc.) and from the hosts declared by [ServiceEntry](#ServiceEntry).
+                                        Traffic forwarded to destinations that are
+                                        not found in either of the two, will be dropped.  *Note
+                                        for Kubernetes users*: When short names are
+                                        used (e.g. "reviews" instead of "reviews.default.svc.cluster.local"),
+                                        Istio will interpret the short name based
+                                        on the namespace of the rule, not the service.
+                                        A rule in the "default" namespace containing
+                                        a host "reviews will be interpreted as "reviews.default.svc.cluster.local",
+                                        irrespective of the actual namespace associated
+                                        with the reviews service. _To avoid potential
+                                        misconfigurations, it is recommended to always
+                                        use fully qualified domain names over short
+                                        names._'
+                                      type: string
+                                    port:
+                                      description: Specifies the port on the host
+                                        that is being addressed. If a service exposes
+                                        only a single port it is not required to explicitly
+                                        select the port.
+                                      properties:
+                                        name:
+                                          description: Valid port name
+                                          type: string
+                                        number:
+                                          description: Valid port number
+                                          format: int32
+                                          type: integer
+                                      type: object
+                                    subset:
+                                      description: The name of a subset within the
+                                        service. Applicable only to services within
+                                        the mesh. The subset must be defined in a
+                                        corresponding DestinationRule.
+                                      type: string
+                                  required:
+                                  - host
+                                  type: object
+                                weight:
+                                  description: REQUIRED. The proportion of traffic
+                                    to be forwarded to the service version. (0-100).
+                                    Sum of weights across destinations SHOULD BE ==
+                                    100. If there is only destination in a rule, the
+                                    weight value is assumed to be 100.
+                                  format: int64
+                                  type: integer
+                              required:
+                              - destination
+                              - weight
+                              type: object
+                            type: array
+                        required:
+                        - match
+                        - route
+                        type: object
+                      type: array
+                  required:
+                  - hosts
+                  type: object
+              type: object
+            type:
+              description: Strategy type
+              type: string
+          type: object
+        status:
+          type: object
+  version: v1alpha2
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/tenant_v1alpha1_workspace.yaml

@@ -0,0 +1,42 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  creationTimestamp: null
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: workspaces.tenant.kubesphere.io
+spec:
+  group: tenant.kubesphere.io
+  names:
+    kind: Workspace
+    plural: workspaces
+  scope: Cluster
+  validation:
+    openAPIV3Schema:
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          properties:
+            manager:
+              type: string
+          type: object
+        status:
+          type: object
+  version: v1alpha1
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/default/kustomization.yaml

@@ -0,0 +1,49 @@
+# Adds namespace to all resources.
+namespace: t-system
+
+# Value of this field is prepended to the
+# names of all resources, e.g. a deployment named
+# "wordpress" becomes "alices-wordpress".
+# Note that it should also match with the prefix (text before '-') of the namespace
+# field above.
+namePrefix: t-
+
+# Labels to add to all resources and selectors.
+#commonLabels:
+#  someName: someValue
+
+# Each entry in this list must resolve to an existing
+# resource definition in YAML.  These are the resource
+# files that kustomize reads, modifies and emits as a
+# YAML string, with resources separated by document
+# markers ("---").
+resources:
+- ../rbac/rbac_role.yaml
+- ../rbac/rbac_role_binding.yaml
+- ../manager/manager.yaml
+  # Comment the following 3 lines if you want to disable
+  # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
+  # which protects your /metrics endpoint.
+#- ../rbac/auth_proxy_service.yaml
+#- ../rbac/auth_proxy_role.yaml
+#- ../rbac/auth_proxy_role_binding.yaml
+
+patches:
+- manager_image_patch.yaml
+  # Protect the /metrics endpoint by putting it behind auth.
+  # Only one of manager_auth_proxy_patch.yaml and
+  # manager_prometheus_metrics_patch.yaml should be enabled.
+- manager_auth_proxy_patch.yaml
+  # If you want your controller-manager to expose the /metrics
+  # endpoint w/o any authn/z, uncomment the following line and
+  # comment manager_auth_proxy_patch.yaml.
+  # Only one of manager_auth_proxy_patch.yaml and
+  # manager_prometheus_metrics_patch.yaml should be enabled.
+#- manager_prometheus_metrics_patch.yaml
+
+vars:
+- name: WEBHOOK_SECRET_NAME
+  objref:
+    kind: Secret
+    name: webhook-server-secret
+    apiVersion: v1

config/default/manager_auth_proxy_patch.yaml

@@ -0,0 +1,24 @@
+# This patch inject a sidecar container which is a HTTP proxy for the controller manager,
+# it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - name: kube-rbac-proxy
+        image: quay.io/coreos/kube-rbac-proxy:v0.4.0
+        args:
+        - "--secure-listen-address=0.0.0.0:8443"
+        - "--upstream=http://127.0.0.1:8080/"
+        - "--logtostderr=true"
+        - "--v=10"
+        ports:
+        - containerPort: 8443
+          name: https
+      - name: manager
+        args:
+        - "--metrics-addr=127.0.0.1:8080"

config/default/manager_image_patch.yaml

@@ -0,0 +1,12 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      # Change the value of image field below to your controller image URL
+      - image: kubespheredev/controller-manager:latest
+        name: manager

config/default/manager_prometheus_metrics_patch.yaml

@@ -0,0 +1,19 @@
+# This patch enables Prometheus scraping for the manager pod.
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    metadata:
+      annotations:
+        prometheus.io/scrape: 'true'
+    spec:
+      containers:
+      # Expose the prometheus metrics on default port
+      - name: manager
+        ports:
+        - containerPort: 8080
+          name: metrics
+          protocol: TCP

config/manager/manager.yaml

@@ -0,0 +1,83 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    control-plane: controller-manager
+    controller-tools.k8s.io: "1.0"
+  name: system
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: controller-manager-service
+  namespace: system
+  labels:
+    control-plane: controller-manager
+    controller-tools.k8s.io: "1.0"
+spec:
+  selector:
+    control-plane: controller-manager
+    controller-tools.k8s.io: "1.0"
+  ports:
+  - port: 443
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: controller-manager
+  namespace: system
+  labels:
+    control-plane: controller-manager
+    controller-tools.k8s.io: "1.0"
+spec:
+  selector:
+    matchLabels:
+      control-plane: controller-manager
+      controller-tools.k8s.io: "1.0"
+  serviceName: controller-manager-service
+  template:
+    metadata:
+      labels:
+        control-plane: controller-manager
+        controller-tools.k8s.io: "1.0"
+    spec:
+      containers:
+      - command:
+        - ./controller-manager
+        image: kubespheredev/controller-manager:latest
+        imagePullPolicy: Always
+        name: manager
+        env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          - name: SECRET_NAME
+            value: $(WEBHOOK_SECRET_NAME)
+        resources:
+          limits:
+            cpu: 100m
+            memory: 30Mi
+          requests:
+            cpu: 100m
+            memory: 20Mi
+        ports:
+        - containerPort: 9876
+          name: webhook-server
+          protocol: TCP
+        volumeMounts:
+        - mountPath: /tmp/cert
+          name: cert
+          readOnly: true
+      terminationGracePeriodSeconds: 10
+      volumes:
+      - name: cert
+        secret:
+          defaultMode: 420
+          secretName: webhook-server-secret
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: webhook-server-secret
+  namespace: system

config/rbac/auth_proxy_role.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: proxy-role
+rules:
+- apiGroups: ["authentication.k8s.io"]
+  resources:
+  - tokenreviews
+  verbs: ["create"]
+- apiGroups: ["authorization.k8s.io"]
+  resources:
+  - subjectaccessreviews
+  verbs: ["create"]

config/rbac/auth_proxy_role_binding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: proxy-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: proxy-role
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: system

config/rbac/auth_proxy_service.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    prometheus.io/port: "8443"
+    prometheus.io/scheme: https
+    prometheus.io/scrape: "true"
+  labels:
+    control-plane: controller-manager
+    controller-tools.k8s.io: "1.0"
+  name: controller-manager-metrics-service
+  namespace: system
+spec:
+  ports:
+  - name: https
+    port: 8443
+    targetPort: https
+  selector:
+    control-plane: controller-manager
+    controller-tools.k8s.io: "1.0"

config/rbac/rbac_role.yaml

@@ -0,0 +1,103 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: manager-role
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces/status
+    verbs:
+      - get
+      - update
+      - patch
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces/status
+    verbs:
+      - get
+      - update
+      - patch
+  - apiGroups:
+      - tenant.kubesphere.io
+    resources:
+      - workspaces
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - tenant.kubesphere.io
+    resources:
+      - workspaces/status
+    verbs:
+      - get
+      - update
+      - patch
+  - apiGroups:
+      - admissionregistration.k8s.io
+    resources:
+      - mutatingwebhookconfigurations
+      - validatingwebhookconfigurations
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete

config/rbac/rbac_role_binding.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  creationTimestamp: null
+  name: manager-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: manager-role
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: system

config/samples/servicemesh_v1alpha2_servicepolicy.yaml

@@ -0,0 +1,9 @@
+apiVersion: servicemesh.kubesphere.io/v1alpha2
+kind: ServicePolicy
+metadata:
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: servicepolicy-sample
+spec:
+  # Add fields here
+  foo: bar

config/samples/servicemesh_v1alpha2_strategy.yaml

@@ -0,0 +1,28 @@
+apiVersion: servicemesh.kubesphere.io/v1alpha2
+kind: Strategy
+metadata:
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: strategy-sample
+spec:
+  # Add fields here
+  type: Canary
+  selector:
+    matchLabels:
+      "servicemesh.kubesphere.io/type": "canary"
+  template:
+    spec:
+      service: "details"
+      principal: "v1"
+      hosts:
+      - details
+      http:
+      - route:
+        - destination:
+            host: "details"
+            subset: v1
+          weight: 60
+        - destination:
+            host: "details"
+            subset: v2
+          weight: 40

config/samples/tenant_v1alpha1_workspace.yaml

@@ -0,0 +1,8 @@
+apiVersion: tenant.kubesphere.io/v1alpha1
+kind: Workspace
+metadata:
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: workspace-sample
+  spec:
+    manager: admin

hack/boilerplate.go.txt

@@ -0,0 +1,15 @@
+/*
+Copyright 2019 The KubeSphere authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/

hack/custom-boilerplate.go.txt

@@ -0,0 +1,16 @@
+/*
+Copyright 2019 The KubeSphere Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+

hack/docker_build.sh

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+set -ex
+set -o pipefail
+
+REPO=kubespheredev
+TAG=latest
+
+# check if build was triggered by a travis cronjob
+if [[ ! -v TRAVIS_EVENT_TYPE ]]; then
+    echo "TRAVIS_EVENT_TYPE is not set, treat as regular build"
+elif [[ -z "$TRAVIS_EVENT_TYPE" ]]; then
+    echo "TRAVIS_EVENT_TYPE is empty, also normaly build"
+elif [ $TRAVIS_EVENT_TYPE == "cron" ]; then
+    TAG=dev-$(date +%Y%m%d)
+fi
+
+
+docker build -f build/ks-apigateway/Dockerfile -t $REPO/ks-apigateway:$TAG .
+docker build -f build/ks-apiserver/Dockerfile -t $REPO/ks-apiserver:$TAG .
+docker build -f build/ks-iam/Dockerfile -t $REPO/ks-account:$TAG .
+docker build -f build/ks-controller-manager/Dockerfile -t $REPO/ks-controller-manager:$TAG .
+docker build -f ./pkg/db/Dockerfile -t $REPO/ks-devops:flyway-$TAG ./pkg/db/
+
+# Push image to dockerhub, need to support multiple push
+
+echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
+docker push $REPO/ks-apigateway:$TAG
+docker push $REPO/ks-apiserver:$TAG
+docker push $REPO/ks-account:$TAG
+docker push $REPO/ks-controller-manager:$TAG
+docker push $REPO/ks-devops:flyway-$TAG

hack/gobuild.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+
+# Copyright 2017 KubeSphere Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# This script builds and link stamps the output
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+VERBOSE=${VERBOSE:-"0"}
+V=""
+if [[ "${VERBOSE}" == "1" ]];then
+    V="-x"
+    set -x
+fi
+
+ROOTDIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+
+OUTPUT_DIR=bin
+BUILDPATH=./${1:?"path to build"}
+OUT=${OUTPUT_DIR}/${1:?"output path"}
+
+set -e
+
+BUILD_GOOS=${GOOS:-linux}
+BUILD_GOARCH=${GOARCH:-amd64}
+GOBINARY=${GOBINARY:-go}
+
+# forgoing -i (incremental build) because it will be deprecated by tool chain.
+time GOOS=${BUILD_GOOS} GOARCH=${BUILD_GOARCH} ${GOBINARY} build \
+        -o ${OUT} \
+        ${BUILDPATH}

hack/install_kubebuilder.sh

@@ -0,0 +1,80 @@
+#!/bin/sh
+
+#
+# This file will be  fetched as: curl -L https://git.io/getLatestKubebuilder | sh -
+# so it should be pure bourne shell, not bash (and not reference other scripts)
+#
+# The script fetches the latest kubebuilder release candidate and untars it.
+# It lets users to do curl -L https://git.io//getLatestKubebuilder | KUBEBUILDER_VERSION=1.0.5 sh -
+# for instance to change the version fetched.
+
+# Check if the program is installed, otherwise exit
+function command_exists () {
+  if ! [ -x "$(command -v $1)" ]; then
+    echo "Error: $1 program is not installed." >&2
+    exit 1
+  fi
+}
+
+# Determine OS
+OS="$(uname)"
+case $OS in
+  Darwin)
+    OSEXT="darwin"
+    ;;
+  Linux)
+    OSEXT="linux"
+    ;;
+  *)
+    echo "Only OSX and Linux OS are supported !"
+    exit 1
+    ;;
+esac
+
+HW=$(uname -m)
+case $HW in
+    x86_64)
+      ARCH=amd64 ;;
+    *)
+      echo "Only x86_64 machines are supported !"
+      exit 1
+      ;;
+esac
+
+# Check if curl, tar commands/programs exist
+command_exists curl
+command_exists tar
+
+KUBEBUILDER_VERSION=v1.0.8
+KUBEBUILDER_VERSION=${KUBEBUILDER_VERSION#"v"}
+KUBEBUILDER_VERSION_NAME="kubebuilder_${KUBEBUILDER_VERSION}"
+KUBEBUILDER_DIR=/usr/local/kubebuilder
+
+# Check if folder containing kubebuilder executable exists and is not empty
+if [ -d "$KUBEBUILDER_DIR" ]; then
+  if [ "$(ls -A $KUBEBUILDER_DIR)" ]; then
+    echo "\n/usr/local/kubebuilder folder is not empty. Please delete or backup it before to install ${KUBEBUILDER_VERSION_NAME}"
+    exit 1
+  fi
+fi
+
+TMP_DIR=$(mktemp -d)
+pushd $TMP_DIR
+
+# Downloading Kubebuilder compressed file using curl program
+URL="https://github.com/kubernetes-sigs/kubebuilder/releases/download/v${KUBEBUILDER_VERSION}/${KUBEBUILDER_VERSION_NAME}_${OSEXT}_${ARCH}.tar.gz"
+echo "Downloading ${KUBEBUILDER_VERSION_NAME}\nfrom $URL\n"
+curl -L "$URL"| tar xz -C $TMP_DIR
+
+echo "Downloaded executable files"
+ls "${KUBEBUILDER_VERSION_NAME}_${OSEXT}_${ARCH}/bin"
+
+echo "Moving files to $KUBEBUILDER_DIR folder\n"
+mv ${KUBEBUILDER_VERSION_NAME}_${OSEXT}_${ARCH} kubebuilder && sudo mv -f kubebuilder /usr/local/
+
+echo "Add kubebuilder to your path; e.g copy paste in your shell and/or edit your ~/.profile file"
+echo "export PATH=\$PATH:/usr/local/kubebuilder/bin"
+popd
+rm -rf $TMP_DIR
+
+export PATH=$PATH:/usr/local/kubebuilder/bin

pkg/apigateway/caddy-plugin/authenticate/authenticate.go

@@ -0,0 +1,205 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package authenticate
+
+import (
+	"errors"
+	"fmt"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apiserver/pkg/authentication/user"
+	"k8s.io/apiserver/pkg/endpoints/request"
+	"log"
+	"net/http"
+	"strconv"
+	"strings"
+
+	"github.com/dgrijalva/jwt-go"
+	"github.com/mholt/caddy/caddyhttp/httpserver"
+)
+
+type Auth struct {
+	Rule Rule
+	Next httpserver.Handler
+}
+
+type Rule struct {
+	Secret       []byte
+	Path         string
+	ExceptedPath []string
+}
+
+type User struct {
+	Username string                  `json:"username"`
+	UID      string                  `json:"uid"`
+	Groups   *[]string               `json:"groups,omitempty"`
+	Extra    *map[string]interface{} `json:"extra,omitempty"`
+}
+
+var requestInfoFactory = request.RequestInfoFactory{
+	APIPrefixes:          sets.NewString("api", "apis", "kapis", "kapi"),
+	GrouplessAPIPrefixes: sets.NewString("api")}
+
+func (h Auth) ServeHTTP(resp http.ResponseWriter, req *http.Request) (int, error) {
+	for _, path := range h.Rule.ExceptedPath {
+		if httpserver.Path(req.URL.Path).Matches(path) {
+			return h.Next.ServeHTTP(resp, req)
+		}
+	}
+
+	if httpserver.Path(req.URL.Path).Matches(h.Rule.Path) {
+
+		uToken, err := h.ExtractToken(req)
+
+		if err != nil {
+			return h.HandleUnauthorized(resp, err), nil
+		}
+
+		token, err := h.Validate(uToken)
+
+		if err != nil {
+			return h.HandleUnauthorized(resp, err), nil
+		}
+
+		req, err = h.InjectContext(req, token)
+
+		if err != nil {
+			return h.HandleUnauthorized(resp, err), nil
+		}
+	}
+
+	return h.Next.ServeHTTP(resp, req)
+}
+
+func (h Auth) InjectContext(req *http.Request, token *jwt.Token) (*http.Request, error) {
+
+	payLoad, ok := token.Claims.(jwt.MapClaims)
+
+	if !ok {
+		return nil, errors.New("invalid payload")
+	}
+
+	for header := range req.Header {
+		if strings.HasPrefix(header, "X-Token-") {
+			req.Header.Del(header)
+		}
+	}
+
+	usr := &user.DefaultInfo{}
+
+	username, ok := payLoad["username"].(string)
+
+	if ok && username != "" {
+		req.Header.Set("X-Token-Username", username)
+		usr.Name = username
+	}
+
+	uid := payLoad["uid"]
+
+	if uid != nil {
+		switch uid.(type) {
+		case int:
+			req.Header.Set("X-Token-UID", strconv.Itoa(uid.(int)))
+			usr.UID = strconv.Itoa(uid.(int))
+			break
+		case string:
+			req.Header.Set("X-Token-UID", uid.(string))
+			usr.UID = uid.(string)
+			break
+		}
+	}
+
+	groups, ok := payLoad["groups"].([]string)
+	if ok && len(groups) > 0 {
+		req.Header.Set("X-Token-Groups", strings.Join(groups, ","))
+		usr.Groups = groups
+	}
+
+	// hard code, support jenkins auth plugin
+	if httpserver.Path(req.URL.Path).Matches("/kapis/jenkins.kubesphere.io") ||
+		httpserver.Path(req.URL.Path).Matches("job") ||
+		httpserver.Path(req.URL.Path).Matches("/kapis/devops.kubesphere.io/v1alpha2") {
+		req.SetBasicAuth(username, token.Raw)
+	}
+
+	context := request.WithUser(req.Context(), usr)
+
+	requestInfo, err := requestInfoFactory.NewRequestInfo(req)
+
+	if err == nil {
+		context = request.WithRequestInfo(context, requestInfo)
+	} else {
+		return nil, err
+	}
+
+	req = req.WithContext(context)
+
+	return req, nil
+}
+
+func (h Auth) Validate(uToken string) (*jwt.Token, error) {
+
+	if len(uToken) == 0 {
+		return nil, fmt.Errorf("token length is zero")
+	}
+
+	token, err := jwt.Parse(uToken, h.ProvideKey)
+
+	if err != nil {
+		return nil, err
+	}
+
+	return token, nil
+}
+
+func (h Auth) HandleUnauthorized(w http.ResponseWriter, err error) int {
+	message := fmt.Sprintf("Unauthorized,%v", err)
+	w.Header().Add("WWW-Authenticate", message)
+	log.Println(message)
+	return http.StatusUnauthorized
+}
+
+func (h Auth) ExtractToken(r *http.Request) (string, error) {
+
+	jwtHeader := strings.Split(r.Header.Get("Authorization"), " ")
+
+	if jwtHeader[0] == "Bearer" && len(jwtHeader) == 2 {
+		return jwtHeader[1], nil
+	}
+
+	jwtCookie, err := r.Cookie("token")
+
+	if err == nil {
+		return jwtCookie.Value, nil
+	}
+
+	jwtQuery := r.URL.Query().Get("token")
+
+	if jwtQuery != "" {
+		return jwtQuery, nil
+	}
+
+	return "", fmt.Errorf("no token found")
+}
+
+func (h Auth) ProvideKey(token *jwt.Token) (interface{}, error) {
+	if _, ok := token.Method.(*jwt.SigningMethodHMAC); ok {
+		return h.Rule.Secret, nil
+	} else {
+		return nil, fmt.Errorf("expect token signed with HMAC but got %v", token.Header["alg"])
+	}
+}

pkg/apigateway/caddy-plugin/authenticate/auto_load.go

@@ -0,0 +1,110 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package authenticate
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/mholt/caddy"
+	"github.com/mholt/caddy/caddyhttp/httpserver"
+)
+
+func init() {
+	caddy.RegisterPlugin("authenticate", caddy.Plugin{
+		ServerType: "http",
+		Action:     Setup,
+	})
+}
+
+func Setup(c *caddy.Controller) error {
+
+	rule, err := parse(c)
+
+	if err != nil {
+		return err
+	}
+
+	c.OnStartup(func() error {
+		fmt.Println("Authenticate middleware is initiated")
+		return nil
+	})
+
+	httpserver.GetConfig(c).AddMiddleware(func(next httpserver.Handler) httpserver.Handler {
+		return &Auth{Next: next, Rule: rule}
+	})
+
+	return nil
+}
+func parse(c *caddy.Controller) (Rule, error) {
+
+	rule := Rule{ExceptedPath: make([]string, 0)}
+
+	if c.Next() {
+		args := c.RemainingArgs()
+		switch len(args) {
+		case 0:
+			for c.NextBlock() {
+				switch c.Val() {
+				case "path":
+					if !c.NextArg() {
+						return rule, c.ArgErr()
+					}
+
+					rule.Path = c.Val()
+
+					if c.NextArg() {
+						return rule, c.ArgErr()
+					}
+				case "secret":
+					if !c.NextArg() {
+						return rule, c.ArgErr()
+					}
+
+					rule.Secret = []byte(c.Val())
+
+					if c.NextArg() {
+						return rule, c.ArgErr()
+					}
+				case "except":
+					if !c.NextArg() {
+						return rule, c.ArgErr()
+					}
+
+					rule.ExceptedPath = strings.Split(c.Val(), ",")
+
+					for i := 0; i < len(rule.ExceptedPath); i++ {
+						rule.ExceptedPath[i] = strings.TrimSpace(rule.ExceptedPath[i])
+					}
+
+					if c.NextArg() {
+						return rule, c.ArgErr()
+					}
+				}
+			}
+		default:
+			return rule, c.ArgErr()
+		}
+	}
+
+	if c.Next() {
+		return rule, c.ArgErr()
+	}
+
+	return rule, nil
+}

pkg/apigateway/caddy-plugin/authentication/authentication.go

@@ -0,0 +1,305 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package authentication
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"k8s.io/apiserver/pkg/authorization/authorizer"
+	"k8s.io/apiserver/pkg/endpoints/request"
+	"kubesphere.io/kubesphere/pkg/utils/k8sutil"
+	"log"
+	"net/http"
+	"strings"
+
+	"github.com/mholt/caddy/caddyhttp/httpserver"
+	"k8s.io/api/rbac/v1"
+	k8serr "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"kubesphere.io/kubesphere/pkg/informers"
+	"kubesphere.io/kubesphere/pkg/utils/sliceutil"
+)
+
+type Authentication struct {
+	Rule Rule
+	Next httpserver.Handler
+}
+
+type Rule struct {
+	Path         string
+	ExceptedPath []string
+}
+
+func (c Authentication) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error) {
+
+	if httpserver.Path(r.URL.Path).Matches(c.Rule.Path) {
+
+		for _, path := range c.Rule.ExceptedPath {
+			if httpserver.Path(r.URL.Path).Matches(path) {
+				return c.Next.ServeHTTP(w, r)
+			}
+		}
+
+		attrs, err := getAuthorizerAttributes(r.Context())
+
+		// without authenticate, no requestInfo found in the context
+		if err != nil {
+			return c.Next.ServeHTTP(w, r)
+		}
+
+		permitted, err := permissionValidate(attrs)
+
+		if err != nil {
+			return http.StatusInternalServerError, err
+		}
+
+		if !permitted {
+			err = k8serr.NewForbidden(schema.GroupResource{Group: attrs.GetAPIGroup(), Resource: attrs.GetResource()}, attrs.GetName(), fmt.Errorf("permission undefined"))
+			return handleForbidden(w, err), nil
+		}
+	}
+
+	return c.Next.ServeHTTP(w, r)
+
+}
+
+func handleForbidden(w http.ResponseWriter, err error) int {
+	message := fmt.Sprintf("Forbidden,%s", err.Error())
+	w.Header().Add("WWW-Authenticate", message)
+	log.Println(message)
+	return http.StatusForbidden
+}
+
+func permissionValidate(attrs authorizer.Attributes) (bool, error) {
+
+	if attrs.GetResource() == "users" && attrs.GetUser().GetName() == attrs.GetName() {
+		return true, nil
+	}
+
+	permitted, err := clusterRoleValidate(attrs)
+
+	if err != nil {
+		log.Println("lister error", err)
+		return false, err
+	}
+
+	if permitted {
+		return true, nil
+	}
+
+	if attrs.GetNamespace() != "" {
+		permitted, err = roleValidate(attrs)
+
+		if err != nil {
+			log.Println("lister error", err)
+			return false, err
+		}
+
+		if permitted {
+			return true, nil
+		}
+	}
+
+	return false, nil
+}
+
+func roleValidate(attrs authorizer.Attributes) (bool, error) {
+	roleBindingLister := informers.SharedInformerFactory().Rbac().V1().RoleBindings().Lister()
+	roleLister := informers.SharedInformerFactory().Rbac().V1().Roles().Lister()
+	roleBindings, err := roleBindingLister.RoleBindings(attrs.GetNamespace()).List(labels.Everything())
+
+	if err != nil {
+		return false, err
+	}
+
+	fullSource := attrs.GetResource()
+
+	if attrs.GetSubresource() != "" {
+		fullSource = fullSource + "/" + attrs.GetSubresource()
+	}
+
+	for _, roleBinding := range roleBindings {
+		if k8sutil.ContainsUser(roleBinding.Subjects, attrs.GetUser().GetName()) {
+			role, err := roleLister.Roles(attrs.GetNamespace()).Get(roleBinding.RoleRef.Name)
+
+			if err != nil {
+				if k8serr.IsNotFound(err) {
+					continue
+				}
+				return false, err
+			}
+
+			for _, rule := range role.Rules {
+				if ruleMatchesRequest(rule, attrs.GetAPIGroup(), "", attrs.GetResource(), attrs.GetSubresource(), attrs.GetName(), attrs.GetVerb()) {
+					return true, nil
+				}
+			}
+		}
+	}
+
+	return false, nil
+}
+
+func clusterRoleValidate(attrs authorizer.Attributes) (bool, error) {
+	clusterRoleBindingLister := informers.SharedInformerFactory().Rbac().V1().ClusterRoleBindings().Lister()
+	clusterRoleBindings, err := clusterRoleBindingLister.List(labels.Everything())
+	clusterRoleLister := informers.SharedInformerFactory().Rbac().V1().ClusterRoles().Lister()
+	if err != nil {
+		return false, err
+	}
+
+	for _, clusterRoleBinding := range clusterRoleBindings {
+
+		if k8sutil.ContainsUser(clusterRoleBinding.Subjects, attrs.GetUser().GetName()) {
+			clusterRole, err := clusterRoleLister.Get(clusterRoleBinding.RoleRef.Name)
+
+			if err != nil {
+				if k8serr.IsNotFound(err) {
+					continue
+				}
+				return false, err
+			}
+
+			for _, rule := range clusterRole.Rules {
+				if attrs.IsResourceRequest() {
+					if ruleMatchesRequest(rule, attrs.GetAPIGroup(), "", attrs.GetResource(), attrs.GetSubresource(), attrs.GetName(), attrs.GetVerb()) {
+						return true, nil
+					}
+				} else {
+					if ruleMatchesRequest(rule, "", attrs.GetPath(), "", "", "", attrs.GetVerb()) {
+						return true, nil
+					}
+				}
+			}
+
+		}
+	}
+
+	return false, nil
+}
+
+func ruleMatchesResources(rule v1.PolicyRule, apiGroup string, resource string, subresource string, resourceName string) bool {
+
+	if resource == "" {
+		return false
+	}
+
+	if !sliceutil.HasString(rule.APIGroups, apiGroup) && !sliceutil.HasString(rule.APIGroups, v1.ResourceAll) {
+		return false
+	}
+
+	if len(rule.ResourceNames) > 0 && !sliceutil.HasString(rule.ResourceNames, resourceName) {
+		return false
+	}
+
+	combinedResource := resource
+
+	if subresource != "" {
+		combinedResource = combinedResource + "/" + subresource
+	}
+
+	for _, res := range rule.Resources {
+
+		// match "*"
+		if res == v1.ResourceAll || res == combinedResource {
+			return true
+		}
+
+		// match "*/subresource"
+		if len(subresource) > 0 && strings.HasPrefix(res, "*/") && subresource == strings.TrimLeft(res, "*/") {
+			return true
+		}
+		// match "resource/*"
+		if strings.HasSuffix(res, "/*") && resource == strings.TrimRight(res, "/*") {
+			return true
+		}
+	}
+
+	return false
+}
+
+func ruleMatchesRequest(rule v1.PolicyRule, apiGroup string, nonResourceURL string, resource string, subresource string, resourceName string, verb string) bool {
+
+	if !sliceutil.HasString(rule.Verbs, verb) && !sliceutil.HasString(rule.Verbs, v1.VerbAll) {
+		return false
+	}
+
+	if nonResourceURL == "" {
+		return ruleMatchesResources(rule, apiGroup, resource, subresource, resourceName)
+	} else {
+		return ruleMatchesNonResource(rule, nonResourceURL)
+	}
+}
+
+func ruleMatchesNonResource(rule v1.PolicyRule, nonResourceURL string) bool {
+
+	if nonResourceURL == "" {
+		return false
+	}
+
+	for _, spec := range rule.NonResourceURLs {
+		if pathMatches(nonResourceURL, spec) {
+			return true
+		}
+	}
+
+	return false
+}
+
+func pathMatches(path, spec string) bool {
+	if spec == "*" {
+		return true
+	}
+	if spec == path {
+		return true
+	}
+	if strings.HasSuffix(spec, "*") && strings.HasPrefix(path, strings.TrimRight(spec, "*")) {
+		return true
+	}
+	return false
+}
+
+func getAuthorizerAttributes(ctx context.Context) (authorizer.Attributes, error) {
+	attribs := authorizer.AttributesRecord{}
+
+	user, ok := request.UserFrom(ctx)
+	if ok {
+		attribs.User = user
+	}
+
+	requestInfo, found := request.RequestInfoFrom(ctx)
+	if !found {
+		return nil, errors.New("no RequestInfo found in the context")
+	}
+
+	// Start with common attributes that apply to resource and non-resource requests
+	attribs.ResourceRequest = requestInfo.IsResourceRequest
+	attribs.Path = requestInfo.Path
+	attribs.Verb = requestInfo.Verb
+
+	attribs.APIGroup = requestInfo.APIGroup
+	attribs.APIVersion = requestInfo.APIVersion
+	attribs.Resource = requestInfo.Resource
+	attribs.Subresource = requestInfo.Subresource
+	attribs.Namespace = requestInfo.Namespace
+	attribs.Name = requestInfo.Name
+
+	return &attribs, nil
+}

pkg/apigateway/caddy-plugin/authentication/auto_load.go

@@ -0,0 +1,123 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package authentication
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/mholt/caddy"
+	"github.com/mholt/caddy/caddyhttp/httpserver"
+
+	"kubesphere.io/kubesphere/pkg/informers"
+)
+
+func init() {
+	caddy.RegisterPlugin("authentication", caddy.Plugin{
+		ServerType: "http",
+		Action:     Setup,
+	})
+}
+
+// Setup is called by Caddy to parse the config block
+func Setup(c *caddy.Controller) error {
+
+	rule, err := parse(c)
+
+	if err != nil {
+		return err
+	}
+	stopChan := make(chan struct{}, 0)
+	c.OnStartup(func() error {
+		informerFactory := informers.SharedInformerFactory()
+		informerFactory.Rbac().V1().Roles().Lister()
+		informerFactory.Rbac().V1().RoleBindings().Lister()
+		informerFactory.Rbac().V1().ClusterRoles().Lister()
+		informerFactory.Rbac().V1().ClusterRoleBindings().Lister()
+		informerFactory.Start(stopChan)
+		informerFactory.WaitForCacheSync(stopChan)
+		fmt.Println("Authentication middleware is initiated")
+		return nil
+	})
+
+	c.OnShutdown(func() error {
+		close(stopChan)
+		return nil
+	})
+
+	httpserver.GetConfig(c).AddMiddleware(func(next httpserver.Handler) httpserver.Handler {
+		return &Authentication{Next: next, Rule: rule}
+	})
+	return nil
+}
+
+func parse(c *caddy.Controller) (Rule, error) {
+
+	rule := Rule{ExceptedPath: make([]string, 0)}
+
+	if c.Next() {
+		args := c.RemainingArgs()
+		switch len(args) {
+		case 0:
+			for c.NextBlock() {
+				switch c.Val() {
+				case "path":
+					if !c.NextArg() {
+						return rule, c.ArgErr()
+					}
+
+					rule.Path = c.Val()
+
+					if c.NextArg() {
+						return rule, c.ArgErr()
+					}
+
+					break
+				case "except":
+					if !c.NextArg() {
+						return rule, c.ArgErr()
+					}
+
+					rule.ExceptedPath = strings.Split(c.Val(), ",")
+
+					for i := 0; i < len(rule.ExceptedPath); i++ {
+						rule.ExceptedPath[i] = strings.TrimSpace(rule.ExceptedPath[i])
+					}
+
+					if c.NextArg() {
+						return rule, c.ArgErr()
+					}
+					break
+				}
+			}
+		case 1:
+			rule.Path = args[0]
+			if c.NextBlock() {
+				return rule, c.ArgErr()
+			}
+		default:
+			return rule, c.ArgErr()
+		}
+	}
+
+	if c.Next() {
+		return rule, c.ArgErr()
+	}
+
+	return rule, nil
+}

pkg/apigateway/caddy-plugin/swagger/auto_load.go

@@ -0,0 +1,100 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package authenticate
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/mholt/caddy"
+	"github.com/mholt/caddy/caddyhttp/httpserver"
+)
+
+func init() {
+	caddy.RegisterPlugin("swagger", caddy.Plugin{
+		ServerType: "http",
+		Action:     Setup,
+	})
+}
+
+func Setup(c *caddy.Controller) error {
+
+	handler, err := parse(c)
+
+	if err != nil {
+		return err
+	}
+
+	c.OnStartup(func() error {
+		fmt.Println("Swagger middleware is initiated")
+		return nil
+	})
+
+	httpserver.GetConfig(c).AddMiddleware(func(next httpserver.Handler) httpserver.Handler {
+		return &Swagger{Next: next, Handler: handler}
+	})
+
+	return nil
+}
+func parse(c *caddy.Controller) (Handler, error) {
+
+	handler := Handler{URL: "/swagger-ui", FilePath: "/var/static/swagger-ui"}
+
+	if c.Next() {
+		args := c.RemainingArgs()
+		switch len(args) {
+		case 0:
+			for c.NextBlock() {
+				switch c.Val() {
+				case "url":
+					if !c.NextArg() {
+						return handler, c.ArgErr()
+					}
+
+					handler.URL = c.Val()
+
+					if c.NextArg() {
+						return handler, c.ArgErr()
+					}
+				case "filePath":
+					if !c.NextArg() {
+						return handler, c.ArgErr()
+					}
+
+					handler.FilePath = c.Val()
+
+					if c.NextArg() {
+						return handler, c.ArgErr()
+					}
+				default:
+					return handler, c.ArgErr()
+				}
+			}
+		default:
+			return handler, c.ArgErr()
+		}
+	}
+
+	if c.Next() {
+		return handler, c.ArgErr()
+	}
+
+	handler.Handler = http.StripPrefix(handler.URL, http.FileServer(http.Dir(handler.FilePath)))
+
+	return handler, nil
+}

pkg/apigateway/caddy-plugin/swagger/swagger.go

@@ -0,0 +1,45 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package authenticate
+
+import (
+	"net/http"
+
+	"github.com/mholt/caddy/caddyhttp/httpserver"
+)
+
+type Swagger struct {
+	Handler Handler
+	Next    httpserver.Handler
+}
+
+type Handler struct {
+	URL      string
+	FilePath string
+	Handler  http.Handler
+}
+
+func (h Swagger) ServeHTTP(resp http.ResponseWriter, req *http.Request) (int, error) {
+
+	if httpserver.Path(req.URL.Path).Matches(h.Handler.URL) {
+		h.Handler.Handler.ServeHTTP(resp, req)
+		return http.StatusOK, nil
+	}
+
+	return h.Next.ServeHTTP(resp, req)
+}

pkg/apis/addtoscheme_servicemesh_v1alpha2.go

@@ -0,0 +1,35 @@
+/*
+Copyright 2019 The KubeSphere authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package apis
+
+import (
+	"github.com/knative/pkg/apis/istio/v1alpha3"
+	"kubesphere.io/kubesphere/pkg/apis/servicemesh/v1alpha2"
+
+	"github.com/kubernetes-sigs/application/pkg/apis/app/v1beta1"
+)
+
+func init() {
+	// Register the types with the Scheme so the components can map objects to GroupVersionKinds and back
+	AddToSchemes = append(AddToSchemes, v1alpha2.SchemeBuilder.AddToScheme)
+
+	// Register networking.istio.io/v1alpha3
+	AddToSchemes = append(AddToSchemes, v1alpha3.SchemeBuilder.AddToScheme)
+
+	// Register application scheme
+	AddToSchemes = append(AddToSchemes, v1beta1.SchemeBuilder.AddToScheme)
+}

pkg/apis/addtoscheme_tenant_v1alpha1.go

@@ -0,0 +1,10 @@
+package apis
+
+import (
+	"kubesphere.io/kubesphere/pkg/apis/tenant/v1alpha1"
+)
+
+func init() {
+	// Register the types with the Scheme so the components can map objects to GroupVersionKinds and back
+	AddToSchemes = append(AddToSchemes, v1alpha1.SchemeBuilder.AddToScheme)
+}

pkg/apis/apis.go

@@ -0,0 +1,30 @@
+/*
+Copyright 2019 The KubeSphere authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package apis contains KubeSphere API groups.
+package apis
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// AddToSchemes may be used to add all resources defined in the project to a Scheme
+var AddToSchemes runtime.SchemeBuilder
+
+// AddToScheme adds all Resources to the Scheme
+func AddToScheme(s *runtime.Scheme) error {
+	return AddToSchemes.AddToScheme(s)
+}

pkg/apis/devops/install/install.go

@@ -0,0 +1,34 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+
+package install
+
+import (
+	"github.com/emicklei/go-restful"
+	urlruntime "k8s.io/apimachinery/pkg/util/runtime"
+	devopsv1alpha2 "kubesphere.io/kubesphere/pkg/apis/devops/v1alpha2"
+	"kubesphere.io/kubesphere/pkg/apiserver/runtime"
+)
+
+func init() {
+	Install(runtime.Container)
+}
+
+func Install(container *restful.Container) {
+	urlruntime.Must(devopsv1alpha2.AddToContainer(container))
+}

pkg/apis/devops/v1alpha2/register.go

@@ -0,0 +1,801 @@
+/*
+
+  Copyright 2019 The KubeSphere Authors.
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+
+*/
+
+package v1alpha2
+
+import (
+	"github.com/emicklei/go-restful"
+	"github.com/emicklei/go-restful-openapi"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	devopsapi "kubesphere.io/kubesphere/pkg/apiserver/devops"
+	"kubesphere.io/kubesphere/pkg/apiserver/runtime"
+	"kubesphere.io/kubesphere/pkg/models/devops"
+
+	"kubesphere.io/kubesphere/pkg/params"
+	"net/http"
+)
+
+const (
+	GroupName = "devops.kubesphere.io"
+	RespOK    = "ok"
+)
+
+var GroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha2"}
+
+var (
+	WebServiceBuilder = runtime.NewContainerBuilder(addWebService)
+	AddToContainer    = WebServiceBuilder.AddToContainer
+)
+
+func addWebService(c *restful.Container) error {
+
+	webservice := runtime.NewWebService(GroupVersion)
+
+	tags := []string{"DevOps"}
+
+	webservice.Route(webservice.GET("/devops/{devops}").
+		To(devopsapi.GetDevOpsProjectHandler).
+		Doc("get devops project").
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Param(webservice.PathParameter("devops", "devops project's Id")).
+		Returns(http.StatusOK, RespOK, devops.DevOpsProject{}).
+		Writes(devops.DevOpsProject{}))
+
+	webservice.Route(webservice.PATCH("/devops/{devops}").
+		To(devopsapi.UpdateProjectHandler).
+		Doc("get devops project").
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Param(webservice.PathParameter("devops", "devops project's Id")).
+		Returns(http.StatusOK, RespOK, devops.DevOpsProject{}).
+		Writes(devops.DevOpsProject{}))
+
+	webservice.Route(webservice.GET("/devops/{devops}/defaultroles").
+		To(devopsapi.GetDevOpsProjectDefaultRoles).
+		Doc("get devops project defaultroles").
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Param(webservice.PathParameter("devops", "devops project's Id")).
+		Returns(http.StatusOK, RespOK, []devops.Role{}).
+		Writes([]devops.Role{}))
+
+	webservice.Route(webservice.GET("/devops/{devops}/members").
+		To(devopsapi.GetDevOpsProjectMembersHandler).
+		Doc("get devops project members").
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Param(webservice.PathParameter("devops", "devops project's Id")).
+		Param(webservice.QueryParameter(params.PagingParam, "page").
+			Required(false).
+			DataFormat("limit=%d,page=%d").
+			DefaultValue("limit=10,page=1")).
+		Param(webservice.QueryParameter(params.ConditionsParam, "query conditions").
+			Required(false).
+			DataFormat("key=%s,key~%s")).
+		Returns(http.StatusOK, RespOK, []devops.DevOpsProjectMembership{}).
+		Writes([]devops.DevOpsProjectMembership{}))
+
+	webservice.Route(webservice.GET("/devops/{devops}/members/{members}").
+		To(devopsapi.GetDevOpsProjectMemberHandler).
+		Doc("get devops project member").
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Param(webservice.PathParameter("devops", "devops project's Id")).
+		Param(webservice.PathParameter("members", "member's username")).
+		Returns(http.StatusOK, RespOK, devops.DevOpsProjectMembership{}).
+		Writes(devops.DevOpsProjectMembership{}))
+
+	webservice.Route(webservice.POST("/devops/{devops}/members").
+		To(devopsapi.AddDevOpsProjectMemberHandler).
+		Doc("add devops project members").
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Param(webservice.PathParameter("devops", "devops project's Id")).
+		Returns(http.StatusOK, RespOK, devops.DevOpsProjectMembership{}).
+		Writes(devops.DevOpsProjectMembership{}))
+
+	webservice.Route(webservice.PATCH("/devops/{devops}/members/{members}").
+		To(devopsapi.UpdateDevOpsProjectMemberHandler).
+		Doc("update devops project members").
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Param(webservice.PathParameter("devops", "devops project's Id")).
+		Param(webservice.PathParameter("members", "member's username")).
+		Reads(devops.DevOpsProjectMembership{}).
+		Writes(devops.DevOpsProjectMembership{}))
+
+	webservice.Route(webservice.DELETE("/devops/{devops}/members/{members}").
+		To(devopsapi.DeleteDevOpsProjectMemberHandler).
+		Doc("delete devops project members").
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Param(webservice.PathParameter("devops", "devops project's Id")).
+		Param(webservice.PathParameter("members", "member's username")).
+		Writes(devops.DevOpsProjectMembership{}))
+
+	webservice.Route(webservice.POST("/devops/{devops}/pipelines").
+		To(devopsapi.CreateDevOpsProjectPipelineHandler).
+		Doc("add devops project pipeline").
+		Param(webservice.PathParameter("devops", "devops project's Id")).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Returns(http.StatusOK, RespOK, devops.ProjectPipeline{}).
+		Writes(devops.ProjectPipeline{}).
+		Reads(devops.ProjectPipeline{}))
+
+	webservice.Route(webservice.PUT("/devops/{devops}/pipelines/{pipelines}").
+		To(devopsapi.UpdateDevOpsProjectPipelineHandler).
+		Doc("update devops project pipeline").
+		Param(webservice.PathParameter("devops", "devops project's Id")).
+		Param(webservice.PathParameter("pipelines", "pipeline name")).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Returns(http.StatusOK, RespOK, devops.ProjectPipeline{}).
+		Writes(devops.ProjectPipeline{}).
+		Reads(devops.ProjectPipeline{}))
+
+	webservice.Route(webservice.GET("/devops/{devops}/pipelines/{pipelines}/config").
+		To(devopsapi.GetDevOpsProjectPipelineHandler).
+		Doc("get devops project pipeline config").
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Param(webservice.PathParameter("devops", "devops project's Id")).
+		Param(webservice.PathParameter("pipelines", "pipeline name")).
+		Returns(http.StatusOK, RespOK, devops.ProjectPipeline{}).
+		Writes(devops.ProjectPipeline{}))
+
+	webservice.Route(webservice.GET("/devops/{devops}/pipelines/{pipelines}/sonarStatus").
+		To(devopsapi.GetPipelineSonarStatusHandler).
+		Doc("get devops project pipeline sonarStatus").
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Param(webservice.PathParameter("devops", "devops project's Id")).
+		Param(webservice.PathParameter("pipelines", "pipeline name")).
+		Returns(http.StatusOK, RespOK, []devops.SonarStatus{}).
+		Writes([]devops.SonarStatus{}))
+
+	webservice.Route(webservice.GET("/devops/{devops}/pipelines/{pipelines}/branches/{branches}/sonarStatus").
+		To(devopsapi.GetMultiBranchesPipelineSonarStatusHandler).
+		Doc("get devops project pipeline sonarStatus").
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Param(webservice.PathParameter("devops", "devops project's Id")).
+		Param(webservice.PathParameter("pipelines", "pipeline name")).
+		Param(webservice.PathParameter("branches", "branch name")).
+		Returns(http.StatusOK, RespOK, []devops.SonarStatus{}).
+		Writes([]devops.SonarStatus{}))
+
+	webservice.Route(webservice.DELETE("/devops/{devops}/pipelines/{pipelines}").
+		To(devopsapi.DeleteDevOpsProjectPipelineHandler).
+		Doc("delete devops project pipeline").
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Param(webservice.PathParameter("devops", "devops project's Id")).
+		Param(webservice.PathParameter("pipelines", "pipeline name")))
+
+	webservice.Route(webservice.POST("/devops/{devops}/credentials").
+		To(devopsapi.CreateDevOpsProjectCredentialHandler).
+		Doc("add project credential pipeline").
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Param(webservice.PathParameter("devops", "devops project's Id")).
+		Reads(devops.JenkinsCredential{}))
+
+	webservice.Route(webservice.PUT("/devops/{devops}/credentials/{credentials}").
+		To(devopsapi.UpdateDevOpsProjectCredentialHandler).
+		Doc("update project credential pipeline").
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Param(webservice.PathParameter("devops", "devops project's Id")).
+		Param(webservice.PathParameter("credentials", "credential's Id")).
+		Reads(devops.JenkinsCredential{}))
+
+	webservice.Route(webservice.DELETE("/devops/{devops}/credentials/{credentials}").
+		To(devopsapi.DeleteDevOpsProjectCredentialHandler).
+		Doc("delete project credential pipeline").
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Param(webservice.PathParameter("devops", "devops project's Id")).
+		Param(webservice.PathParameter("credentials", "credential's Id")))
+
+	webservice.Route(webservice.GET("/devops/{devops}/credentials/{credentials}").
+		To(devopsapi.GetDevOpsProjectCredentialHandler).
+		Doc("get project credential pipeline").
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Param(webservice.PathParameter("devops", "devops project's Id")).
+		Param(webservice.PathParameter("credentials", "credential's Id")).
+		Param(webservice.QueryParameter("domain", "credential's domain")).
+		Param(webservice.QueryParameter("content", "get additional content")).
+		Returns(http.StatusOK, RespOK, devops.JenkinsCredential{}).
+		Reads(devops.JenkinsCredential{}))
+
+	webservice.Route(webservice.GET("/devops/{devops}/credentials").
+		To(devopsapi.GetDevOpsProjectCredentialsHandler).
+		Doc("get project credential pipeline").
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Param(webservice.PathParameter("devops", "devops project's Id")).
+		Param(webservice.PathParameter("credentials", "credential's Id")).
+		Param(webservice.QueryParameter("domain", "credential's domain")).
+		Returns(http.StatusOK, RespOK, []devops.JenkinsCredential{}).
+		Reads([]devops.JenkinsCredential{}))
+
+	// match Jenkisn api "/blue/rest/organizations/jenkins/pipelines/{projectName}/{pipelineName}"
+	webservice.Route(webservice.GET("/devops/{projectName}/pipelines/{pipelineName}").
+		To(devopsapi.GetPipeline).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Get DevOps Pipelines.").
+		Param(webservice.PathParameter("pipelineName", "pipeline name")).
+		Param(webservice.PathParameter("projectName", "devops project name")).
+		Returns(http.StatusOK, RespOK, devops.Pipeline{}).
+		Writes(devops.Pipeline{}))
+
+	// match Jenkisn api: "jenkins_api/blue/rest/search"
+	webservice.Route(webservice.GET("/devops/search").
+		To(devopsapi.SearchPipelines).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Search DevOps resource.").
+		Param(webservice.QueryParameter("q", "query pipelines").
+			Required(false).
+			DataFormat("q=%s")).
+		Param(webservice.QueryParameter("filter", "filter resource").
+			Required(false).
+			DataFormat("filter=%s")).
+		Param(webservice.QueryParameter("start", "start page").
+			Required(false).
+			DataFormat("start=%d")).
+		Param(webservice.QueryParameter("limit", "limit count").
+			Required(false).
+			DataFormat("limit=%d")).
+		Returns(http.StatusOK, RespOK, []devops.Pipeline{}).
+		Writes([]devops.Pipeline{}))
+
+	// match Jenkisn api "/blue/rest/organizations/jenkins/pipelines/{projectName}/{pipelineName}/runs/"
+	webservice.Route(webservice.GET("/devops/{projectName}/pipelines/{pipelineName}/runs").
+		To(devopsapi.SearchPipelineRuns).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Search DevOps Pipelines runs in branch.").
+		Param(webservice.PathParameter("pipelineName", "pipeline name")).
+		Param(webservice.PathParameter("projectName", "devops project name")).
+		Param(webservice.QueryParameter("start", "start page").
+			Required(false).
+			DataFormat("start=%d")).
+		Param(webservice.QueryParameter("limit", "limit count").
+			Required(false).
+			DataFormat("limit=%d")).
+		Param(webservice.QueryParameter("branch", "branch ").
+			Required(false).
+			DataFormat("branch=%s")).
+		Returns(http.StatusOK, RespOK, []devops.BranchPipelineRun{}).
+		Writes([]devops.BranchPipelineRun{}))
+
+	// match Jenkins api "/blue/rest/organizations/jenkins/pipelines/{projectName}/{pipelineName}/branches/{branchName}/runs/{runId}/"
+	webservice.Route(webservice.GET("/devops/{projectName}/pipelines/{pipelineName}/branches/{branchName}/runs/{runId}").
+		To(devopsapi.GetBranchPipelineRun).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Get DevOps Pipelines run in branch.").
+		Param(webservice.PathParameter("pipelineName", "pipeline name")).
+		Param(webservice.PathParameter("projectName", "devops project name")).
+		Param(webservice.PathParameter("branchName", "pipeline branch name")).
+		Param(webservice.PathParameter("runId", "pipeline runs id")).
+		Param(webservice.QueryParameter("start", "start").
+			Required(false).
+			DataFormat("start=%d")).
+		Returns(http.StatusOK, RespOK, devops.BranchPipelineRun{}).
+		Writes(devops.BranchPipelineRun{}))
+
+	// match Jenkins api "/blue/rest/organizations/jenkins/pipelines/{projectName}/{pipelineName}/branches/{branchName}/runs/{runId}/nodes"
+	webservice.Route(webservice.GET("/devops/{projectName}/pipelines/{pipelineName}/branches/{branchName}/runs/{runId}/nodes").
+		To(devopsapi.GetPipelineRunNodesbyBranch).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Get node on DevOps Pipelines run.").
+		Param(webservice.PathParameter("projectName", "devops project name")).
+		Param(webservice.PathParameter("pipelineName", "pipeline name")).
+		Param(webservice.PathParameter("branchName", "pipeline branch name")).
+		Param(webservice.PathParameter("runId", "pipeline runs id")).
+		Param(webservice.QueryParameter("limit", "limit").
+			Required(false).
+			DataFormat("limit=%d").
+			DefaultValue("limit=10000")).
+		Returns(http.StatusOK, RespOK, []devops.BranchPipelineRunNodes{}).
+		Writes([]devops.BranchPipelineRunNodes{}))
+
+	// match "/blue/rest/organizations/jenkins/pipelines/{projectName}/{pipelineName}/branches/{branchName}/runs/{runId}/nodes/{nodeId}/steps/{stepId}/log/?start=0"
+	webservice.Route(webservice.GET("/devops/{projectName}/pipelines/{pipelineName}/branches/{branchName}/runs/{runId}/nodes/{nodeId}/steps/{stepId}/log").
+		To(devopsapi.GetBranchStepLog).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Get pipelines step log.").
+		Produces("text/plain; charset=utf-8").
+		Param(webservice.PathParameter("projectName", "devops project name")).
+		Param(webservice.PathParameter("pipelineName", "pipeline name")).
+		Param(webservice.PathParameter("branchName", "pipeline branch name")).
+		Param(webservice.PathParameter("runId", "pipeline runs id")).
+		Param(webservice.PathParameter("nodeId", "pipeline runs node id")).
+		Param(webservice.PathParameter("stepId", "pipeline runs step id")).
+		Param(webservice.QueryParameter("start", "start").
+			Required(true).
+			DataFormat("start=%d").
+			DefaultValue("start=0")))
+
+	// match "/blue/rest/organizations/jenkins/pipelines/{projectName}/{pipelineName}/runs/{runId}/nodes/{nodeId}/steps/{stepId}/log/?start=0"
+	webservice.Route(webservice.GET("/devops/{projectName}/pipelines/{pipelineName}/runs/{runId}/nodes/{nodeId}/steps/{stepId}/log").
+		To(devopsapi.GetStepLog).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Get pipelines step log.").
+		Produces("text/plain; charset=utf-8").
+		Param(webservice.PathParameter("projectName", "devops project name")).
+		Param(webservice.PathParameter("pipelineName", "pipeline name")).
+		Param(webservice.PathParameter("runId", "pipeline runs id")).
+		Param(webservice.PathParameter("nodeId", "pipeline runs node id")).
+		Param(webservice.PathParameter("stepId", "pipeline runs step id")).
+		Param(webservice.QueryParameter("start", "start").
+			Required(true).
+			DataFormat("start=%d").
+			DefaultValue("start=0")))
+
+	// match "/blue/rest/organizations/jenkins/scm/github/validate/"
+	webservice.Route(webservice.PUT("/devops/scm/{scmId}/validate").
+		To(devopsapi.Validate).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Validate Github personal access token.").
+		Param(webservice.PathParameter("scmId", "SCM id")).
+		Returns(http.StatusOK, RespOK, devops.Validates{}).
+		Writes(devops.Validates{}))
+
+	// match "/blue/rest/organizations/jenkins/scm/{scmId}/organizations/?credentialId=github"
+	webservice.Route(webservice.GET("/devops/scm/{scmId}/organizations").
+		To(devopsapi.GetSCMOrg).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("List organizations of SCM").
+		Param(webservice.PathParameter("scmId", "SCM id")).
+		Param(webservice.QueryParameter("credentialId", "credential id for SCM").
+			Required(true).
+			DataFormat("credentialId=%s")).
+		Returns(http.StatusOK, RespOK, []devops.SCMOrg{}).
+		Writes([]devops.SCMOrg{}))
+
+	// match "/blue/rest/organizations/jenkins/scm/{scmId}/organizations/{organizationId}/repositories/?credentialId=&pageNumber&pageSize="
+	webservice.Route(webservice.GET("/devops/scm/{scmId}/organizations/{organizationId}/repositories").
+		To(devopsapi.GetOrgRepo).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Get SCM repositories in an organization").
+		Param(webservice.PathParameter("scmId", "SCM id")).
+		Param(webservice.PathParameter("organizationId", "organization Id, such as github username")).
+		Param(webservice.QueryParameter("credentialId", "credential id for SCM").
+			Required(true).
+			DataFormat("credentialId=%s")).
+		Param(webservice.QueryParameter("pageNumber", "page number").
+			Required(true).
+			DataFormat("pageNumber=%d")).
+		Param(webservice.QueryParameter("pageSize", "page size").
+			Required(true).
+			DataFormat("pageSize=%d")).
+		Returns(http.StatusOK, RespOK, []devops.OrgRepo{}).
+		Writes([]devops.OrgRepo{}))
+
+	// match /blue/rest/organizations/jenkins/pipelines/{projectName}/pipelines/{pipelineName}/branches/{branchName}/runs/{runId}/stop/
+	webservice.Route(webservice.PUT("/devops/{projectName}/pipelines/{pipelineName}/branches/{branchName}/runs/{runId}/stop").
+		To(devopsapi.StopBranchPipeline).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Stop pipeline in running").
+		Param(webservice.PathParameter("projectName", "devops project name")).
+		Param(webservice.PathParameter("pipelineName", "pipeline name")).
+		Param(webservice.PathParameter("branchName", "pipeline branch name")).
+		Param(webservice.PathParameter("runId", "pipeline runs id")).
+		Param(webservice.QueryParameter("blocking", "stop and between each retries will sleep").
+			Required(false).
+			DataFormat("blocking=%t").
+			DefaultValue("blocking=false")).
+		Param(webservice.QueryParameter("timeOutInSecs", "the time of stop and between each retries sleep").
+			Required(false).
+			DataFormat("timeOutInSecs=%d").
+			DefaultValue("timeOutInSecs=10")).
+		Returns(http.StatusOK, RespOK, devops.StopPipe{}).
+		Writes(devops.StopPipe{}))
+
+	// match /blue/rest/organizations/jenkins/pipelines/{projectName}/pipelines/{pipelineName}/runs/{runId}/stop/
+	webservice.Route(webservice.PUT("/devops/{projectName}/pipelines/{pipelineName}/runs/{runId}/stop").
+		To(devopsapi.StopPipeline).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Stop pipeline in running").
+		Param(webservice.PathParameter("projectName", "devops project name")).
+		Param(webservice.PathParameter("pipelineName", "pipeline name")).
+		Param(webservice.PathParameter("runId", "pipeline runs id")).
+		Param(webservice.QueryParameter("blocking", "stop and between each retries will sleep").
+			Required(false).
+			DataFormat("blocking=%t").
+			DefaultValue("blocking=false")).
+		Param(webservice.QueryParameter("timeOutInSecs", "the time of stop and between each retries sleep").
+			Required(false).
+			DataFormat("timeOutInSecs=%d").
+			DefaultValue("timeOutInSecs=10")).
+		Returns(http.StatusOK, RespOK, devops.StopPipe{}).
+		Writes(devops.StopPipe{}))
+
+	// match /blue/rest/organizations/jenkins/pipelines/{projectName}/pipelines/{pipelineName}/branches/{branchName}/runs/{runId}/Replay/
+	webservice.Route(webservice.POST("/devops/{projectName}/pipelines/{pipelineName}/branches/{branchName}/runs/{runId}/replay").
+		To(devopsapi.ReplayBranchPipeline).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Replay pipeline").
+		Param(webservice.PathParameter("projectName", "devops project name")).
+		Param(webservice.PathParameter("pipelineName", "pipeline name")).
+		Param(webservice.PathParameter("branchName", "pipeline branch name")).
+		Param(webservice.PathParameter("runId", "pipeline runs id")).
+		Returns(http.StatusOK, RespOK, devops.ReplayPipe{}).
+		Writes(devops.ReplayPipe{}))
+
+	// match /blue/rest/organizations/jenkins/pipelines/{projectName}/pipelines/{pipelineName}/runs/{runId}/Replay/
+	webservice.Route(webservice.POST("/devops/{projectName}/pipelines/{pipelineName}/runs/{runId}/replay").
+		To(devopsapi.ReplayPipeline).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Replay pipeline").
+		Param(webservice.PathParameter("projectName", "devops project name")).
+		Param(webservice.PathParameter("pipelineName", "pipeline name")).
+		Param(webservice.PathParameter("runId", "pipeline runs id")).
+		Returns(http.StatusOK, RespOK, devops.ReplayPipe{}).
+		Writes(devops.ReplayPipe{}))
+
+	// match /blue/rest/organizations/jenkins/pipelines/{projectName}/{pipelineName}/branches/{branchName}/runs/{runId}/log/?start=0
+	webservice.Route(webservice.GET("/devops/{projectName}/pipelines/{pipelineName}/branches/{branchName}/runs/{runId}/log").
+		To(devopsapi.GetBranchRunLog).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Get Pipelines run log.").
+		Produces("text/plain; charset=utf-8").
+		Param(webservice.PathParameter("projectName", "devops project name")).
+		Param(webservice.PathParameter("pipelineName", "pipeline name")).
+		Param(webservice.PathParameter("branchName", "pipeline branch name")).
+		Param(webservice.PathParameter("runId", "pipeline runs id")).
+		Param(webservice.QueryParameter("start", "start").
+			Required(true).
+			DataFormat("start=%d").
+			DefaultValue("start=0")))
+
+	// match /blue/rest/organizations/jenkins/pipelines/{projectName}/{pipelineName}/runs/{runId}/log/?start=0
+	webservice.Route(webservice.GET("/devops/{projectName}/pipelines/{pipelineName}/runs/{runId}/log").
+		To(devopsapi.GetRunLog).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Get Pipelines run log.").
+		Produces("text/plain; charset=utf-8").
+		Param(webservice.PathParameter("projectName", "devops project name")).
+		Param(webservice.PathParameter("pipelineName", "pipeline name")).
+		Param(webservice.PathParameter("runId", "pipeline runs id")).
+		Param(webservice.QueryParameter("start", "start").
+			Required(true).
+			DataFormat("start=%d").
+			DefaultValue("start=0")))
+
+	// match /blue/rest/organizations/jenkins/pipelines/{projectName}/{pipelineName}/branches/{branchName}/runs/{runId}/artifacts
+	webservice.Route(webservice.GET("/devops/{projectName}/pipelines/{pipelineName}/branches/{branchName}/runs/{runId}/artifacts").
+		To(devopsapi.GetBranchArtifacts).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Get pipeline artifacts.").
+		Param(webservice.PathParameter("projectName", "devops project name")).
+		Param(webservice.PathParameter("pipelineName", "pipeline name")).
+		Param(webservice.PathParameter("branchName", "pipeline branch name")).
+		Param(webservice.PathParameter("runId", "pipeline runs id")).
+		Param(webservice.QueryParameter("start", "start page").
+			Required(false).
+			DataFormat("start=%d")).
+		Param(webservice.QueryParameter("limit", "limit count").
+			Required(false).
+			DataFormat("limit=%d")).
+		Returns(http.StatusOK, "The filed of \"Url\" in response can download artifacts", []devops.Artifacts{}).
+		Writes([]devops.Artifacts{}))
+
+	// match /blue/rest/organizations/jenkins/pipelines/{projectName}/{pipelineName}/runs/{runId}/artifacts
+	webservice.Route(webservice.GET("/devops/{projectName}/pipelines/{pipelineName}/runs/{runId}/artifacts").
+		To(devopsapi.GetArtifacts).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Get pipeline artifacts.").
+		Param(webservice.PathParameter("projectName", "devops project name")).
+		Param(webservice.PathParameter("pipelineName", "pipeline name")).
+		Param(webservice.PathParameter("runId", "pipeline runs id")).
+		Param(webservice.QueryParameter("start", "start page").
+			Required(false).
+			DataFormat("start=%d")).
+		Param(webservice.QueryParameter("limit", "limit count").
+			Required(false).
+			DataFormat("limit=%d")).
+		Returns(http.StatusOK, "The filed of \"Url\" in response can download artifacts", []devops.Artifacts{}).
+		Writes([]devops.Artifacts{}))
+
+	// match /blue/rest/organizations/jenkins/pipelines/{projectName}/{pipelineName}/branches/?filter=&start&limit=
+	webservice.Route(webservice.GET("/devops/{projectName}/pipelines/{pipelineName}/branches").
+		To(devopsapi.GetPipeBranch).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Get pipeline of branch.").
+		Param(webservice.PathParameter("projectName", "devops project name")).
+		Param(webservice.PathParameter("pipelineName", "pipeline name")).
+		Param(webservice.QueryParameter("filter", "filter remote").
+			Required(true).
+			DataFormat("filter=%s")).
+		Param(webservice.QueryParameter("start", "start").
+			Required(true).
+			DataFormat("start=%d")).
+		Param(webservice.QueryParameter("limit", "limit count").
+			Required(true).
+			DataFormat("limit=%d")).
+		Returns(http.StatusOK, RespOK, []devops.PipeBranch{}).
+		Writes([]devops.PipeBranch{}))
+
+	// /blue/rest/organizations/jenkins/pipelines/{projectName}/pipelines/{pipelineName}/branches/{branchName}/runs/{runId}/nodes/{nodeId}/steps/{stepId}
+	webservice.Route(webservice.POST("/devops/{projectName}/pipelines/{pipelineName}/branches/{branchName}/runs/{runId}/nodes/{nodeId}/steps/{stepId}").
+		To(devopsapi.CheckBranchPipeline).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Pauses pipeline execution and allows the user to interact and control the flow of the build.").
+		Reads(devops.CheckPlayload{}).
+		Produces("text/plain; charset=utf-8").
+		Param(webservice.PathParameter("projectName", "devops project name")).
+		Param(webservice.PathParameter("pipelineName", "pipeline name")).
+		Param(webservice.PathParameter("branchName", "pipeline branch name")).
+		Param(webservice.PathParameter("runId", "pipeline runs id")).
+		Param(webservice.PathParameter("nodeId", "pipeline node id")).
+		Param(webservice.PathParameter("stepId", "pipeline step id")))
+
+	// match /blue/rest/organizations/jenkins/pipelines/{projectName}/pipelines/{pipelineName}/runs/{runId}/nodes/{nodeId}/steps/{stepId}
+	webservice.Route(webservice.POST("/devops/{projectName}/pipelines/{pipelineName}/runs/{runId}/nodes/{nodeId}/steps/{stepId}").
+		To(devopsapi.CheckPipeline).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Pauses pipeline execution and allows the user to interact and control the flow of the build.").
+		Reads(devops.CheckPlayload{}).
+		Produces("text/plain; charset=utf-8").
+		Param(webservice.PathParameter("projectName", "devops project name")).
+		Param(webservice.PathParameter("pipelineName", "pipeline name")).
+		Param(webservice.PathParameter("runId", "pipeline runs id")).
+		Param(webservice.PathParameter("nodeId", "pipeline node id")).
+		Param(webservice.PathParameter("stepId", "pipeline step id")))
+
+	// match /job/project-8QnvykoJw4wZ/job/test-1/indexing/consoleText
+	webservice.Route(webservice.GET("/devops/{projectName}/pipelines/{pipelineName}/console/log").
+		To(devopsapi.GetConsoleLog).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Get index console log.").
+		Produces("text/plain; charset=utf-8").
+		Param(webservice.PathParameter("projectName", "devops project name")).
+		Param(webservice.PathParameter("pipelineName", "pipeline name")))
+
+	// match /job/{projectName}/job/{pipelineName}/build?delay=0
+	webservice.Route(webservice.POST("/devops/{projectName}/pipelines/{pipelineName}/scan").
+		To(devopsapi.ScanBranch).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Start a build.").
+		Produces("text/html; charset=utf-8").
+		Param(webservice.PathParameter("projectName", "devops project name")).
+		Param(webservice.PathParameter("pipelineName", "pipeline name")).
+		Param(webservice.QueryParameter("delay", "delay time").
+			Required(true).
+			DataFormat("delay=%d")))
+
+	// match /blue/rest/organizations/jenkins/pipelines/{projectName}/{pipelineName}/branches/{}/runs/
+	webservice.Route(webservice.POST("/devops/{projectName}/pipelines/{pipelineName}/branches/{branchName}/run").
+		To(devopsapi.RunBranchPipeline).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Run pipeline.").
+		Reads(devops.RunPayload{}).
+		Param(webservice.PathParameter("projectName", "devops project name")).
+		Param(webservice.PathParameter("pipelineName", "pipeline name")).
+		Param(webservice.PathParameter("branchName", "pipeline branch name")).
+		Returns(http.StatusOK, RespOK, devops.QueuedBlueRun{}).
+		Writes(devops.QueuedBlueRun{}))
+
+	// match /blue/rest/organizations/jenkins/pipelines/{projectName}/{pipelineName}/runs/
+	webservice.Route(webservice.POST("/devops/{projectName}/pipelines/{pipelineName}/run").
+		To(devopsapi.RunPipeline).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Run pipeline.").
+		Reads(devops.RunPayload{}).
+		Param(webservice.PathParameter("projectName", "devops project name")).
+		Param(webservice.PathParameter("pipelineName", "pipeline name")).
+		Returns(http.StatusOK, RespOK, devops.QueuedBlueRun{}).
+		Writes(devops.QueuedBlueRun{}))
+
+	// match /pipeline_status/blue/rest/organizations/jenkins/pipelines/{projectName}/{pipelineName}/branches/{branchName}/runs/{runId}/nodes/?limit=
+	webservice.Route(webservice.GET("/devops/{projectName}/pipelines/{pipelineName}/branches/{branchName}/runs/{runId}/nodes/{nodeId}/steps/status").
+		To(devopsapi.GetBranchStepsStatus).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Get pipeline steps status.").
+		Param(webservice.PathParameter("projectName", "devops project name")).
+		Param(webservice.PathParameter("pipelineName", "pipeline name")).
+		Param(webservice.PathParameter("branchName", "pipeline branch name")).
+		Param(webservice.PathParameter("runId", "pipeline run name")).
+		Param(webservice.PathParameter("nodeId", "pipeline node id")).
+		Param(webservice.QueryParameter("limit", "limit count").
+			Required(true).
+			DataFormat("limit=%d")).
+		Returns(http.StatusOK, RespOK, []devops.QueuedBlueRun{}).
+		Writes([]devops.QueuedBlueRun{}))
+
+	// match /pipeline_status/blue/rest/organizations/jenkins/pipelines/{projectName}/{pipelineName}/runs/{runId}/nodes/?limit=
+	webservice.Route(webservice.GET("/devops/{projectName}/pipelines/{pipelineName}/runs/{runId}/nodes/{nodeId}/steps/status").
+		To(devopsapi.GetStepsStatus).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Get pipeline steps status.").
+		Param(webservice.PathParameter("projectName", "devops project name")).
+		Param(webservice.PathParameter("pipelineName", "pipeline name")).
+		Param(webservice.PathParameter("runId", "pipeline run name")).
+		Param(webservice.PathParameter("nodeId", "pipeline node id")).
+		Param(webservice.QueryParameter("limit", "limit count").
+			Required(true).
+			DataFormat("limit=%d")).
+		Returns(http.StatusOK, RespOK, []devops.QueuedBlueRun{}).
+		Writes([]devops.QueuedBlueRun{}))
+
+	// match /crumbIssuer/api/json/
+	webservice.Route(webservice.GET("/devops/crumbissuer").
+		To(devopsapi.GetCrumb).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Get crumb").
+		Returns(http.StatusOK, RespOK, devops.Crumb{}).
+		Writes(devops.Crumb{}))
+
+	// match /job/init-job/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile
+	webservice.Route(webservice.POST("/devops/check/scriptcompile").
+		To(devopsapi.CheckScriptCompile).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Consumes("application/x-www-form-urlencoded", "charset=utf-8").
+		Produces("application/json", "charset=utf-8").
+		Doc("Check pipeline script compile.").
+		Reads(devops.ReqScript{}).
+		Returns(http.StatusOK, RespOK, devops.CheckScript{}).
+		Writes(devops.CheckScript{}))
+
+	// match /job/init-job/descriptorByName/hudson.triggers.TimerTrigger/checkSpec
+	webservice.Route(webservice.GET("/devops/check/cron").
+		To(devopsapi.CheckCron).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Produces("application/json", "charset=utf-8").
+		Doc("Check cron script compile.").
+		Param(webservice.QueryParameter("value", "cpec value").
+			Required(true).
+			DataFormat("value=%s")).
+		Returns(http.StatusOK, RespOK, []devops.QueuedBlueRun{}).
+		Returns(http.StatusOK, RespOK, devops.CheckCronRes{}).
+		Writes(devops.CheckCronRes{}))
+
+	// match /blue/rest/organizations/jenkins/pipelines/{projectName}/{pipelineName}/runs/{runId}/
+	webservice.Route(webservice.GET("/devops/{projectName}/pipelines/{pipelineName}/runs/{runId}").
+		To(devopsapi.GetPipelineRun).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Get run pipeline in project.").
+		Param(webservice.PathParameter("projectName", "devops project name")).
+		Param(webservice.PathParameter("pipelineName", "pipeline name")).
+		Param(webservice.PathParameter("runId", "pipeline run id")).
+		Returns(http.StatusOK, RespOK, devops.PipelineRun{}).
+		Writes(devops.PipelineRun{}))
+
+	// match /blue/rest/organizations/jenkins/pipelines/{projectName}/pipelines/{pipelineName}/branches/{branchName}
+	webservice.Route(webservice.GET("/devops/{projectName}/pipelines/{pipelineName}/branches/{branchName}").
+		To(devopsapi.GetBranchPipeline).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Get Pipeline run in branch.").
+		Param(webservice.PathParameter("projectName", "devops project name")).
+		Param(webservice.PathParameter("pipelineName", "pipeline name")).
+		Param(webservice.PathParameter("branchName", "pipeline branch name")).
+		Returns(http.StatusOK, RespOK, devops.BranchPipeline{}).
+		Writes(devops.BranchPipeline{}))
+
+	// match /blue/rest/organizations/jenkins/pipelines/{projectName}/pipelines/{pipelineName}/runs/{runId}/nodes/?limit=10000
+	webservice.Route(webservice.GET("/devops/{projectName}/pipelines/{pipelineName}/runs/{runId}/nodes").
+		To(devopsapi.GetPipelineRunNodes).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Get Pipeline run nodes.").
+		Param(webservice.PathParameter("projectName", "devops project name")).
+		Param(webservice.PathParameter("pipelineName", "pipeline name")).
+		Param(webservice.PathParameter("runId", "pipeline run id")).
+		Param(webservice.QueryParameter("limit", "limit count").
+			Required(false).
+			DataFormat("limit=%d")).
+		Returns(http.StatusOK, RespOK, []devops.PipelineRunNodes{}).
+		Writes([]devops.PipelineRunNodes{}))
+
+	// match /blue/rest/organizations/jenkins/pipelines/%s/%s/branches/%s/runs/%s/nodes/%s/steps/?limit=
+	webservice.Route(webservice.GET("/devops/{projectName}/pipelines/{pipelineName}/branches/{branchName}/runs/{runId}/nodes/{nodeId}/steps").
+		To(devopsapi.GetBranchNodeSteps).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Get steps in node.").
+		Param(webservice.PathParameter("projectName", "devops project name")).
+		Param(webservice.PathParameter("pipelineName", "pipeline name")).
+		Param(webservice.PathParameter("branchName", "pipeline branch name")).
+		Param(webservice.PathParameter("runId", "pipeline run id")).
+		Param(webservice.PathParameter("nodeId", "pipeline node id")).
+		Param(webservice.QueryParameter("limit", "limit count").
+			Required(false).
+			DataFormat("limit=%d")).
+		Returns(http.StatusOK, RespOK, []devops.NodeSteps{}).
+		Writes([]devops.NodeSteps{}))
+
+	// match /blue/rest/organizations/jenkins/pipelines/%s/%s/runs/%s/nodes/%s/steps/?limit=
+	webservice.Route(webservice.GET("/devops/{projectName}/pipelines/{pipelineName}/runs/{runId}/nodes/{nodeId}/steps").
+		To(devopsapi.GetNodeSteps).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Get steps in node.").
+		Param(webservice.PathParameter("projectName", "devops project name")).
+		Param(webservice.PathParameter("pipelineName", "pipeline name")).
+		Param(webservice.PathParameter("runId", "pipeline run id")).
+		Param(webservice.PathParameter("nodeId", "pipeline node id")).
+		Param(webservice.QueryParameter("limit", "limit count").
+			Required(false).
+			DataFormat("limit=%d")).
+		Returns(http.StatusOK, RespOK, []devops.NodeSteps{}).
+		Writes([]devops.NodeSteps{}))
+
+	// match /pipeline-model-converter/toJenkinsfile
+	webservice.Route(webservice.POST("/devops/tojenkinsfile").
+		To(devopsapi.ToJenkinsfile).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Consumes("application/x-www-form-urlencoded").
+		Produces("application/json", "charset=utf-8").
+		Doc("Json to Jenkinsfile.").
+		Reads(devops.ReqJson{}).
+		Returns(http.StatusOK, RespOK, devops.NodeSteps{}).
+		Writes(devops.ResJenkinsfile{}))
+
+	// match /pipeline-model-converter/toJson
+	webservice.Route(webservice.POST("/devops/tojson").
+		To(devopsapi.ToJson).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Consumes("application/x-www-form-urlencoded").
+		Produces("application/json", "charset=utf-8").
+		Doc("Jenkinsfile to Json.").
+		Reads(devops.ReqJenkinsfile{}).
+		Returns(http.StatusOK, RespOK, devops.ResJson{}).
+		Writes(devops.ResJson{}))
+
+	// match /git/notifyCommit/?url=
+	webservice.Route(webservice.GET("/devops/notifycommit").
+		To(devopsapi.GetNotifyCommit).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Get Notify Commit by GET HTTP method.").
+		Produces("text/plain; charset=utf-8").
+		Param(webservice.QueryParameter("url", "the url for webhook to push.").
+			Required(true).
+			DataFormat("url=%s")))
+
+	// Gitlab or some other scm managers can only use HTTP method. match /git/notifyCommit/?url=
+	webservice.Route(webservice.POST("/devops/notifycommit").
+		To(devopsapi.GetNotifyCommit).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Get Notify Commit by POST HTTP method.").
+		Consumes("application/json").
+		Produces("text/plain; charset=utf-8").
+		Param(webservice.QueryParameter("url", "the url for webhook to push.").
+			Required(true).
+			DataFormat("url=%s")))
+
+	webservice.Route(webservice.POST("/devops/github/webhook").
+		To(devopsapi.GithubWebhook).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("receive webhook request."))
+
+	// in scm get all steps in nodes.
+	webservice.Route(webservice.GET("/devops/{projectName}/pipelines/{pipelineName}/branches/{branchName}/runs/{runId}/nodesdetail").
+		To(devopsapi.GetBranchNodesDetail).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Get pipeline nodes stages detail").
+		Param(webservice.PathParameter("pipelineName", "pipeline name")).
+		Param(webservice.PathParameter("projectName", "devops project name")).
+		Param(webservice.PathParameter("branchName", "pipeline branch name")).
+		Param(webservice.PathParameter("runId", "pipeline runs id")).
+		Param(webservice.QueryParameter("limit", "limit count").
+			Required(true).
+			DataFormat("limit=%d")).
+		Returns(http.StatusOK, RespOK, []devops.NodesDetail{}).
+		Writes(devops.NodesDetail{}))
+
+	// out of scm get all steps in nodes.
+	webservice.Route(webservice.GET("/devops/{projectName}/pipelines/{pipelineName}/runs/{runId}/nodesdetail").
+		To(devopsapi.GetNodesDetail).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Get pipeline nodes stages detail").
+		Param(webservice.PathParameter("pipelineName", "pipeline name")).
+		Param(webservice.PathParameter("projectName", "devops project name")).
+		Param(webservice.PathParameter("branchName", "pipeline branch name")).
+		Param(webservice.PathParameter("runId", "pipeline runs id")).
+		Param(webservice.QueryParameter("limit", "limit count").
+			Required(true).
+			DataFormat("limit=%d")).
+		Returns(http.StatusOK, RespOK, []devops.NodesDetail{}).
+		Writes(devops.NodesDetail{}))
+
+	c.Add(webservice)
+
+	return nil
+}

pkg/apis/iam/install/install.go

@@ -0,0 +1,33 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package install
+
+import (
+	"github.com/emicklei/go-restful"
+	urlruntime "k8s.io/apimachinery/pkg/util/runtime"
+	iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
+	"kubesphere.io/kubesphere/pkg/apiserver/runtime"
+)
+
+func init() {
+	Install(runtime.Container)
+}
+
+func Install(container *restful.Container) {
+	urlruntime.Must(iamv1alpha2.AddToContainer(container))
+}

pkg/apis/iam/v1alpha2/register.go

@@ -0,0 +1,263 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package v1alpha2
+
+import (
+	"github.com/emicklei/go-restful"
+	"github.com/emicklei/go-restful-openapi"
+	rbacv1 "k8s.io/api/rbac/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"kubesphere.io/kubesphere/pkg/apiserver/iam"
+	"kubesphere.io/kubesphere/pkg/apiserver/runtime"
+	"kubesphere.io/kubesphere/pkg/errors"
+	"kubesphere.io/kubesphere/pkg/models"
+	"kubesphere.io/kubesphere/pkg/models/iam/policy"
+	"net/http"
+)
+
+const GroupName = "iam.kubesphere.io"
+
+var GroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha2"}
+
+var (
+	WebServiceBuilder = runtime.NewContainerBuilder(addWebService)
+	AddToContainer    = WebServiceBuilder.AddToContainer
+)
+
+func addWebService(c *restful.Container) error {
+	tags := []string{"IAM"}
+	ws := runtime.NewWebService(GroupVersion)
+
+	ok := "ok"
+	pageableUserList := struct {
+		Items      []models.User `json:"items"`
+		TotalCount int           `json:"total_count"`
+	}{}
+
+	ws.Route(ws.POST("/authenticate").
+		To(iam.TokenReviewHandler).
+		Doc("TokenReview attempts to authenticate a token to a known user. Note: TokenReview requests may be cached by the webhook token authenticator plugin in the kube-apiserver.").
+		Reads(iam.TokenReview{}).
+		Returns(http.StatusOK, ok, iam.TokenReview{}).
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.POST("/login").
+		To(iam.LoginHandler).
+		Doc("KubeSphere APIs support token-based authentication via the Authtoken request header. The POST Login API is used to retrieve the authentication token. After the authentication token is obtained, it must be inserted into the Authtoken header for all requests.").
+		Reads(iam.LoginRequest{}).
+		Returns(http.StatusOK, ok, models.Token{}).
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.GET("/users/{username}").
+		To(iam.DescribeUser).
+		Doc("Describes the specified user.").
+		Param(ws.PathParameter("username", "username")).
+		Returns(http.StatusOK, ok, models.User{}).
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.POST("/users").
+		To(iam.CreateUser).
+		Doc("Create a user account.").
+		Reads(models.User{}).
+		Returns(http.StatusOK, ok, errors.Error{}).
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.DELETE("/users/{name}").
+		To(iam.DeleteUser).
+		Doc("Remove a specified user.").
+		Param(ws.PathParameter("name", "username")).
+		Returns(http.StatusOK, ok, errors.Error{}).
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.PUT("/users/{name}").
+		To(iam.UpdateUser).
+		Doc("Updates information about the specified user.").
+		Param(ws.PathParameter("name", "username")).
+		Reads(models.User{}).
+		Returns(http.StatusOK, ok, errors.Error{}).
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.GET("/users/{name}/log").
+		To(iam.UserLoginLog).
+		Doc("This method is used to retrieve the \"login logs\" for the specified user.").
+		Param(ws.PathParameter("name", "username")).
+		Returns(http.StatusOK, ok, struct {
+			LoginTime string `json:"login_time"`
+			LoginIP   string `json:"login_ip"`
+		}{}).
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.GET("/users").
+		To(iam.ListUsers).
+		Doc("List all users.").
+		Returns(http.StatusOK, ok, pageableUserList).
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.GET("/groups").
+		To(iam.ListGroups).
+		Doc("List all user groups.").
+		Returns(http.StatusOK, ok, []models.Group{}).
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.GET("/groups/{path}").
+		To(iam.DescribeGroup).
+		Doc("Describes the specified user group.").
+		Param(ws.PathParameter("path", "user group path separated by colon.")).
+		Returns(http.StatusOK, ok, models.Group{}).
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.GET("/groups/{path}/users").
+		To(iam.ListGroupUsers).
+		Doc("List all users in the specified user group.").
+		Param(ws.PathParameter("path", "user group path separated by colon.")).
+		Returns(http.StatusOK, ok, []models.User{}).
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.POST("/groups").
+		To(iam.CreateGroup).
+		Doc("Create a user group.").
+		Reads(models.Group{}).
+		Returns(http.StatusOK, ok, models.Group{}).
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.DELETE("/groups/{path}").
+		To(iam.DeleteGroup).
+		Doc("Delete a user group.").
+		Param(ws.PathParameter("path", "user group path separated by colon.")).
+		Returns(http.StatusOK, ok, errors.Error{}).
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.PUT("/groups/{path}").
+		To(iam.UpdateGroup).
+		Doc("Updates information about the user group.").
+		Param(ws.PathParameter("path", "user group path separated by colon.")).
+		Reads(models.Group{}).
+		Returns(http.StatusOK, ok, models.Group{}).
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.GET("/users/{username}/roles").
+		To(iam.ListUserRoles).
+		Doc("This method is used to retrieve all the roles that are assigned to the user.").
+		Param(ws.PathParameter("username", "username")).
+		Returns(http.StatusOK, ok, iam.RoleList{}).
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.GET("/namespaces/{namespace}/roles").
+		To(iam.ListRoles).
+		Doc("This method is used to retrieve the roles that are assigned to the user in the specified namespace.").
+		Param(ws.PathParameter("namespace", "kubernetes namespace")).
+		Returns(http.StatusOK, ok, struct {
+			Items      []rbacv1.Role `json:"items"`
+			TotalCount int           `json:"total_count"`
+		}{}).
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.GET("/clusterroles").
+		To(iam.ListClusterRoles).
+		Doc("List all cluster roles.").
+		Returns(http.StatusOK, ok, struct {
+			Items      []rbacv1.ClusterRole `json:"items"`
+			TotalCount int                  `json:"total_count"`
+		}{}).
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.GET("/namespaces/{namespace}/roles/{role}/users").
+		To(iam.ListRoleUsers).
+		Doc("This method is used to retrieve the users that are bind the role in the specified namespace.").
+		Param(ws.PathParameter("namespace", "kubernetes namespace")).
+		Param(ws.PathParameter("role", "role name")).
+		Returns(http.StatusOK, ok, []models.User{}).
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.GET("/namespaces/{namespace}/users").
+		To(iam.ListNamespaceUsers).
+		Doc("List all users in the specified namespace").
+		Param(ws.PathParameter("namespace", "kubernetes namespace")).
+		Returns(http.StatusOK, ok, []models.User{}).
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.GET("/clusterroles/{clusterrole}/users").
+		To(iam.ListClusterRoleUsers).
+		Doc("List all users that are bind the cluster role.").
+		Param(ws.PathParameter("clusterrole", "cluster role name")).
+		Returns(http.StatusOK, ok, pageableUserList).
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.GET("/clusterroles/{clusterrole}/rules").
+		To(iam.ListClusterRoleRules).
+		Doc("List all policy rules of the specified cluster role.").
+		Param(ws.PathParameter("clusterrole", "cluster role name")).
+		Returns(http.StatusOK, ok, []models.SimpleRule{}).
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.GET("/namespaces/{namespace}/roles/{role}/rules").
+		To(iam.ListRoleRules).
+		Doc("List all policy rules of the specified role.").
+		Param(ws.PathParameter("namespace", "kubernetes namespace")).
+		Param(ws.PathParameter("role", "role name")).
+		Returns(http.StatusOK, ok, []models.SimpleRule{}).
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.GET("/devops/{devops}/roles/{role}/rules").
+		To(iam.ListDevopsRoleRules).
+		Doc("List all policy rules of the specified role.").
+		Param(ws.PathParameter("devops", "devops project id")).
+		Param(ws.PathParameter("role", "devops role name")).
+		Returns(http.StatusOK, ok, []models.SimpleRule{}).
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.GET("/rulesmapping/clusterroles").
+		To(iam.ClusterRulesMapping).
+		Doc("Get the mapping relationships between cluster roles and policy rules.").
+		Returns(http.StatusOK, ok, policy.ClusterRoleRuleMapping).
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.GET("/rulesmapping/roles").
+		To(iam.RulesMapping).
+		Doc("Get the mapping relationships between namespaced roles and policy rules.").
+		Returns(http.StatusOK, ok, policy.RoleRuleMapping).
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.GET("/workspaces/{workspace}/roles").
+		To(iam.ListWorkspaceRoles).
+		Doc("List all workspace roles.").
+		Param(ws.PathParameter("workspace", "workspace name")).
+		Returns(http.StatusOK, ok, struct {
+			Items      []rbacv1.ClusterRole `json:"items"`
+			TotalCount int                  `json:"total_count"`
+		}{}).
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.GET("/workspaces/{workspace}/roles/{role}").
+		To(iam.DescribeWorkspaceRole).
+		Doc("Describes the workspace role.").
+		Param(ws.PathParameter("workspace", "workspace name")).
+		Param(ws.PathParameter("role", "workspace role name")).
+		Returns(http.StatusOK, ok, rbacv1.ClusterRole{}).
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.GET("/workspaces/{workspace}/roles/{role}/rules").
+		To(iam.ListWorkspaceRoleRules).
+		Doc("List all policy rules of the specified workspace role.").
+		Param(ws.PathParameter("workspace", "workspace name")).
+		Param(ws.PathParameter("role", "workspace role name")).
+		Returns(http.StatusOK, ok, []models.SimpleRule{}).
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.GET("/workspaces/{workspace}/members").
+		To(iam.ListWorkspaceUsers).
+		Doc("List all members in the specified workspace.").
+		Param(ws.PathParameter("workspace", "workspace name")).
+		Returns(http.StatusOK, ok, pageableUserList).
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.POST("/workspaces/{workspace}/members").
+		To(iam.InviteUser).
+		Doc("Invite members to a workspace.").
+		Param(ws.PathParameter("workspace", "workspace name")).
+		Reads(models.User{}).
+		Returns(http.StatusOK, ok, errors.Error{}).
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.DELETE("/workspaces/{workspace}/members/{username}").
+		To(iam.RemoveUser).
+		Doc("Remove members from workspace.").
+		Param(ws.PathParameter("workspace", "workspace name")).
+		Param(ws.PathParameter("name", "username")).
+		Returns(http.StatusOK, ok, errors.Error{}).
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.GET("/workspaces/{workspace}/members/{username}").
+		To(iam.DescribeWorkspaceUser).
+		Doc("Describes the specified user.").
+		Param(ws.PathParameter("workspace", "workspace name")).
+		Param(ws.PathParameter("username", "username")).
+		Returns(http.StatusOK, ok, models.User{}).
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	c.Add(ws)
+	return nil
+}

pkg/apis/logging/install/install.go

@@ -0,0 +1,33 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package install
+
+import (
+	"github.com/emicklei/go-restful"
+	urlruntime "k8s.io/apimachinery/pkg/util/runtime"
+	loggingv1alpha2 "kubesphere.io/kubesphere/pkg/apis/logging/v1alpha2"
+	"kubesphere.io/kubesphere/pkg/apiserver/runtime"
+)
+
+func init() {
+	Install(runtime.Container)
+}
+
+func Install(container *restful.Container) {
+	urlruntime.Must(loggingv1alpha2.AddToContainer(container))
+}

pkg/apis/logging/v1alpha2/register.go

@@ -0,0 +1,217 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package v1alpha2
+
+import (
+	"github.com/emicklei/go-restful"
+	"github.com/emicklei/go-restful-openapi"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"kubesphere.io/kubesphere/pkg/apiserver/logging"
+	"kubesphere.io/kubesphere/pkg/apiserver/runtime"
+	"kubesphere.io/kubesphere/pkg/filter"
+)
+
+const GroupName = "logging.kubesphere.io"
+
+var GroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha2"}
+
+var (
+	WebServiceBuilder = runtime.NewContainerBuilder(addWebService)
+	AddToContainer    = WebServiceBuilder.AddToContainer
+)
+
+func addWebService(c *restful.Container) error {
+	ws := runtime.NewWebService(GroupVersion)
+	tags := []string{"Logging"}
+
+	ws.Route(ws.GET("/cluster").To(logging.LoggingQueryCluster).
+		Filter(filter.Logging).
+		Doc("cluster level log query").
+		Param(ws.QueryParameter("operation", "operation: query statistics").DataType("string").Required(true)).
+		Param(ws.QueryParameter("workspaces", "workspaces specify").DataType("string").Required(false)).
+		Param(ws.QueryParameter("workspace_query", "workspace query keywords").DataType("string").Required(false)).
+		Param(ws.QueryParameter("namespaces", "namespaces specify").DataType("string").Required(false)).
+		Param(ws.QueryParameter("namespace_query", "namespace query keywords").DataType("string").Required(false)).
+		Param(ws.QueryParameter("workloads", "workloads specify").DataType("string").Required(false)).
+		Param(ws.QueryParameter("workload_query", "workload query keywords").DataType("string").Required(false)).
+		Param(ws.QueryParameter("pods", "pods specify").DataType("string").Required(false)).
+		Param(ws.QueryParameter("pod_query", "pod query keywords").DataType("string").Required(false)).
+		Param(ws.QueryParameter("containers", "containers specify").DataType("string").Required(false)).
+		Param(ws.QueryParameter("container_query", "container query keywords").DataType("string").Required(false)).
+		Param(ws.QueryParameter("log_query", "log query keywords").DataType("string").Required(false)).
+		Param(ws.QueryParameter("interval", "interval of time histogram").DataType("string").Required(false)).
+		Param(ws.QueryParameter("start_time", "range start time").DataType("string").Required(false)).
+		Param(ws.QueryParameter("end_time", "range end time").DataType("string").Required(false)).
+		Param(ws.QueryParameter("sort", "sort method").DataType("string").Required(false)).
+		Param(ws.QueryParameter("from", "begin index of result returned").DataType("int").Required(true)).
+		Param(ws.QueryParameter("size", "size of result returned").DataType("int").Required(true)).
+		Metadata(restfulspec.KeyOpenAPITags, tags)).
+		Consumes(restful.MIME_JSON, restful.MIME_XML).
+		Produces(restful.MIME_JSON)
+
+	ws.Route(ws.GET("/workspaces/{workspace}").To(logging.LoggingQueryWorkspace).
+		Filter(filter.Logging).
+		Doc("workspace level log query").
+		Param(ws.PathParameter("workspace", "workspace specify").DataType("string").Required(true)).
+		Param(ws.QueryParameter("operation", "operation: query statistics").DataType("string").Required(true)).
+		Param(ws.QueryParameter("namespaces", "namespaces specify").DataType("string").Required(false)).
+		Param(ws.QueryParameter("namespace_query", "namespace query keywords").DataType("string").Required(false)).
+		Param(ws.QueryParameter("workloads", "workloads specify").DataType("string").Required(false)).
+		Param(ws.QueryParameter("workload_query", "workload query keywords").DataType("string").Required(false)).
+		Param(ws.QueryParameter("pods", "pods specify").DataType("string").Required(false)).
+		Param(ws.QueryParameter("pod_query", "pod query keywords").DataType("string").Required(false)).
+		Param(ws.QueryParameter("containers", "containers specify").DataType("string").Required(false)).
+		Param(ws.QueryParameter("container_query", "container query keywords").DataType("string").Required(false)).
+		Param(ws.QueryParameter("log_query", "log query keywords").DataType("string").Required(false)).
+		Param(ws.QueryParameter("interval", "interval of time histogram").DataType("string").Required(false)).
+		Param(ws.QueryParameter("start_time", "range start time").DataType("string").Required(false)).
+		Param(ws.QueryParameter("end_time", "range end time").DataType("string").Required(false)).
+		Param(ws.QueryParameter("sort", "sort method").DataType("string").Required(false)).
+		Param(ws.QueryParameter("from", "begin index of result returned").DataType("int").Required(true)).
+		Param(ws.QueryParameter("size", "size of result returned").DataType("int").Required(true)).
+		Metadata(restfulspec.KeyOpenAPITags, tags)).
+		Consumes(restful.MIME_JSON, restful.MIME_XML).
+		Produces(restful.MIME_JSON)
+
+	ws.Route(ws.GET("/namespaces/{namespace}").To(logging.LoggingQueryNamespace).
+		Filter(filter.Logging).
+		Doc("namespace level log query").
+		Param(ws.PathParameter("namespace", "namespace specify").DataType("string").Required(true)).
+		Param(ws.QueryParameter("operation", "operation: query statistics").DataType("string").Required(true)).
+		Param(ws.QueryParameter("workloads", "workloads specify").DataType("string").Required(false)).
+		Param(ws.QueryParameter("workload_query", "workload query keywords").DataType("string").Required(false)).
+		Param(ws.QueryParameter("pods", "pods specify").DataType("string").Required(false)).
+		Param(ws.QueryParameter("pod_query", "pod query keywords").DataType("string").Required(false)).
+		Param(ws.QueryParameter("containers", "containers specify").DataType("string").Required(false)).
+		Param(ws.QueryParameter("container_query", "container query keywords").DataType("string").Required(false)).
+		Param(ws.QueryParameter("log_query", "log query keywords").DataType("string").Required(false)).
+		Param(ws.QueryParameter("interval", "interval of time histogram").DataType("string").Required(false)).
+		Param(ws.QueryParameter("start_time", "range start time").DataType("string").Required(false)).
+		Param(ws.QueryParameter("end_time", "range end time").DataType("string").Required(false)).
+		Param(ws.QueryParameter("sort", "sort method").DataType("string").Required(false)).
+		Param(ws.QueryParameter("from", "begin index of result returned").DataType("int").Required(true)).
+		Param(ws.QueryParameter("size", "size of result returned").DataType("int").Required(true)).
+		Metadata(restfulspec.KeyOpenAPITags, tags)).
+		Consumes(restful.MIME_JSON, restful.MIME_XML).
+		Produces(restful.MIME_JSON)
+
+	ws.Route(ws.GET("/namespaces/{namespace}/workloads/{workload}").To(logging.LoggingQueryWorkload).
+		Filter(filter.Logging).
+		Doc("workload level log query").
+		Param(ws.PathParameter("namespace", "namespace specify").DataType("string").Required(true)).
+		Param(ws.PathParameter("workload", "workload specify").DataType("string").Required(true)).
+		Param(ws.QueryParameter("operation", "operation: query statistics").DataType("string").Required(true)).
+		Param(ws.QueryParameter("pods", "pods specify").DataType("string").Required(false)).
+		Param(ws.QueryParameter("pod_query", "pod query keywords").DataType("string").Required(false)).
+		Param(ws.QueryParameter("containers", "containers specify").DataType("string").Required(false)).
+		Param(ws.QueryParameter("container_query", "container query keywords").DataType("string").Required(false)).
+		Param(ws.QueryParameter("log_query", "log query keywords").DataType("string").Required(false)).
+		Param(ws.QueryParameter("interval", "interval of time histogram").DataType("string").Required(false)).
+		Param(ws.QueryParameter("start_time", "range start time").DataType("string").Required(false)).
+		Param(ws.QueryParameter("end_time", "range end time").DataType("string").Required(false)).
+		Param(ws.QueryParameter("sort", "sort method").DataType("string").Required(false)).
+		Param(ws.QueryParameter("from", "begin index of result returned").DataType("int").Required(true)).
+		Param(ws.QueryParameter("size", "size of result returned").DataType("int").Required(true)).
+		Metadata(restfulspec.KeyOpenAPITags, tags)).
+		Consumes(restful.MIME_JSON, restful.MIME_XML).
+		Produces(restful.MIME_JSON)
+
+	ws.Route(ws.GET("/namespaces/{namespace}/pods/{pod}").To(logging.LoggingQueryPod).
+		Filter(filter.Logging).
+		Doc("pod level log query").
+		Param(ws.PathParameter("namespace", "namespace specify").DataType("string").Required(true)).
+		Param(ws.PathParameter("pod", "pod specify").DataType("string").Required(true)).
+		Param(ws.QueryParameter("operation", "operation: query statistics").DataType("string").Required(true)).
+		Param(ws.QueryParameter("containers", "containers specify").DataType("string").Required(false)).
+		Param(ws.QueryParameter("container_query", "container query keywords").DataType("string").Required(false)).
+		Param(ws.QueryParameter("log_query", "log query keywords").DataType("string").Required(false)).
+		Param(ws.QueryParameter("interval", "interval of time histogram").DataType("string").Required(false)).
+		Param(ws.QueryParameter("start_time", "range start time").DataType("string").Required(false)).
+		Param(ws.QueryParameter("end_time", "range end time").DataType("string").Required(false)).
+		Param(ws.QueryParameter("sort", "sort method").DataType("string").Required(false)).
+		Param(ws.QueryParameter("from", "begin index of result returned").DataType("int").Required(true)).
+		Param(ws.QueryParameter("size", "size of result returned").DataType("int").Required(true)).
+		Metadata(restfulspec.KeyOpenAPITags, tags)).
+		Consumes(restful.MIME_JSON, restful.MIME_XML).
+		Produces(restful.MIME_JSON)
+
+	ws.Route(ws.GET("/namespaces/{namespace}/pods/{pod}/containers/{container}").To(logging.LoggingQueryContainer).
+		Filter(filter.Logging).
+		Doc("container level log query").
+		Param(ws.PathParameter("namespace", "namespace specify").DataType("string").Required(true)).
+		Param(ws.PathParameter("pod", "pod specify").DataType("string").Required(true)).
+		Param(ws.PathParameter("container", "container specify").DataType("string").Required(true)).
+		Param(ws.QueryParameter("operation", "operation: query statistics").DataType("string").Required(true)).
+		Param(ws.QueryParameter("log_query", "log query keywords").DataType("string").Required(false)).
+		Param(ws.QueryParameter("interval", "interval of time histogram").DataType("string").Required(false)).
+		Param(ws.QueryParameter("start_time", "range start time").DataType("string").Required(false)).
+		Param(ws.QueryParameter("end_time", "range end time").DataType("string").Required(false)).
+		Param(ws.QueryParameter("sort", "sort method").DataType("string").Required(false)).
+		Param(ws.QueryParameter("from", "begin index of result returned").DataType("int").Required(true)).
+		Param(ws.QueryParameter("size", "size of result returned").DataType("int").Required(true)).
+		Metadata(restfulspec.KeyOpenAPITags, tags)).
+		Consumes(restful.MIME_JSON, restful.MIME_XML).
+		Produces(restful.MIME_JSON)
+
+	ws.Route(ws.GET("/fluentbit/filters").To(logging.LoggingQueryFluentbitFilters).
+		Filter(filter.Logging).
+		Doc("log fluent-bit filters query").
+		Metadata(restfulspec.KeyOpenAPITags, tags)).
+		Consumes(restful.MIME_JSON, restful.MIME_XML).
+		Produces(restful.MIME_JSON)
+
+	ws.Route(ws.POST("/fluentbit/filters").To(logging.LoggingUpdateFluentbitFilters).
+		Filter(filter.Logging).
+		Doc("log fluent-bit filters update").
+		Metadata(restfulspec.KeyOpenAPITags, tags)).
+		Consumes(restful.MIME_JSON, restful.MIME_XML).
+		Produces(restful.MIME_JSON)
+
+	ws.Route(ws.GET("/fluentbit/outputs").To(logging.LoggingQueryFluentbitOutputs).
+		Filter(filter.Logging).
+		Doc("log fluent-bit outputs query").
+		Metadata(restfulspec.KeyOpenAPITags, tags)).
+		Consumes(restful.MIME_JSON, restful.MIME_XML).
+		Produces(restful.MIME_JSON)
+
+	ws.Route(ws.POST("/fluentbit/outputs").To(logging.LoggingInsertFluentbitOutput).
+		Filter(filter.Logging).
+		Doc("log fluent-bit outputs insert").
+		Metadata(restfulspec.KeyOpenAPITags, tags)).
+		Consumes(restful.MIME_JSON, restful.MIME_XML).
+		Produces(restful.MIME_JSON)
+
+	ws.Route(ws.POST("/fluentbit/outputs/{output}").To(logging.LoggingUpdateFluentbitOutput).
+		Filter(filter.Logging).
+		Doc("log fluent-bit outputs update").
+		Param(ws.PathParameter("output", "output id").DataType("int").Required(true)).
+		Metadata(restfulspec.KeyOpenAPITags, tags)).
+		Consumes(restful.MIME_JSON, restful.MIME_XML).
+		Produces(restful.MIME_JSON)
+
+	ws.Route(ws.DELETE("/fluentbit/outputs/{output}").To(logging.LoggingDeleteFluentbitOutput).
+		Filter(filter.Logging).
+		Doc("log fluent-bit outputs delete").
+		Param(ws.PathParameter("output", "output id").DataType("int").Required(true)).
+		Metadata(restfulspec.KeyOpenAPITags, tags)).
+		Consumes(restful.MIME_JSON, restful.MIME_XML).
+		Produces(restful.MIME_JSON)
+
+	c.Add(ws)
+	return nil
+}

pkg/apis/monitoring/install/install.go

@@ -0,0 +1,33 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package install
+
+import (
+	"github.com/emicklei/go-restful"
+	urlruntime "k8s.io/apimachinery/pkg/util/runtime"
+	monitoringv1alpha2 "kubesphere.io/kubesphere/pkg/apis/monitoring/v1alpha2"
+	"kubesphere.io/kubesphere/pkg/apiserver/runtime"
+)
+
+func init() {
+	Install(runtime.Container)
+}
+
+func Install(container *restful.Container) {
+	urlruntime.Must(monitoringv1alpha2.AddToContainer(container))
+}

pkg/apis/monitoring/v1alpha2/register.go

@@ -0,0 +1,259 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package v1alpha2
+
+import (
+	"github.com/emicklei/go-restful"
+	"github.com/emicklei/go-restful-openapi"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"kubesphere.io/kubesphere/pkg/apiserver/monitoring"
+	"kubesphere.io/kubesphere/pkg/apiserver/runtime"
+)
+
+const GroupName = "monitoring.kubesphere.io"
+
+var GroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha2"}
+
+var (
+	WebServiceBuilder = runtime.NewContainerBuilder(addWebService)
+	AddToContainer    = WebServiceBuilder.AddToContainer
+)
+
+func addWebService(c *restful.Container) error {
+	ws := runtime.NewWebService(GroupVersion)
+
+	tags := []string{"Monitoring"}
+
+	ws.Route(ws.GET("/cluster").To(monitoring.MonitorCluster).
+		Doc("monitor cluster level metrics").
+		Param(ws.QueryParameter("metrics_filter", "metrics name cpu memory...in re2 regex").DataType("string").Required(false).DefaultValue("cluster_cpu_utilisation")).
+		Metadata(restfulspec.KeyOpenAPITags, tags)).
+		Consumes(restful.MIME_JSON, restful.MIME_XML).
+		Produces(restful.MIME_JSON)
+
+	ws.Route(ws.GET("/nodes").To(monitoring.MonitorNode).
+		Doc("monitor nodes level metrics").
+		Param(ws.QueryParameter("metrics_filter", "metrics name cpu memory...in re2 regex").DataType("string").Required(false).DefaultValue("node_cpu_utilisation")).
+		Param(ws.QueryParameter("resources_filter", "node re2 expression filter").DataType("string").Required(false).DefaultValue("")).
+		Param(ws.QueryParameter("sort_metric", "sort metric").DataType("string").Required(false)).
+		Param(ws.QueryParameter("sort_type", "ascending descending order").DataType("string").Required(false)).
+		Param(ws.QueryParameter("page", "page number").DataType("string").Required(false).DefaultValue("1")).
+		Param(ws.QueryParameter("limit", "metrics name cpu memory...in re2 regex").DataType("string").Required(false).DefaultValue("4")).
+		Metadata(restfulspec.KeyOpenAPITags, tags)).
+		Consumes(restful.MIME_JSON, restful.MIME_XML).
+		Produces(restful.MIME_JSON)
+
+	ws.Route(ws.GET("/nodes/{node}").To(monitoring.MonitorNode).
+		Doc("monitor specific node level metrics").
+		Param(ws.PathParameter("node", "specific node").DataType("string").Required(true).DefaultValue("")).
+		Param(ws.QueryParameter("metrics_name", "metrics name cpu memory...").DataType("string").Required(true).DefaultValue("node_cpu_utilisation")).
+		Metadata(restfulspec.KeyOpenAPITags, tags)).
+		Consumes(restful.MIME_JSON, restful.MIME_XML).
+		Produces(restful.MIME_JSON)
+
+	ws.Route(ws.GET("/namespaces").To(monitoring.MonitorNamespace).
+		Doc("monitor namespaces level metrics").
+		Param(ws.QueryParameter("resources_filter", "namespaces re2 expression filter").DataType("string").Required(false).DefaultValue("")).
+		Param(ws.QueryParameter("metrics_filter", "metrics name cpu memory...in re2 regex").DataType("string").Required(false).DefaultValue("namespace_memory_utilisation")).
+		Param(ws.QueryParameter("sort_metric", "sort metric").DataType("string").Required(false)).
+		Param(ws.QueryParameter("sort_type", "ascending descending order").DataType("string").Required(false)).
+		Param(ws.QueryParameter("page", "page number").DataType("string").Required(false).DefaultValue("1")).
+		Param(ws.QueryParameter("limit", "metrics name cpu memory...in re2 regex").DataType("string").Required(false).DefaultValue("4")).
+		Metadata(restfulspec.KeyOpenAPITags, tags)).
+		Consumes(restful.MIME_JSON, restful.MIME_XML).
+		Produces(restful.MIME_JSON)
+
+	ws.Route(ws.GET("/namespaces/{namespace}").To(monitoring.MonitorNamespace).
+		Doc("monitor specific namespace level metrics").
+		Param(ws.PathParameter("namespace", "specific namespace").DataType("string").Required(true).DefaultValue("monitoring")).
+		Param(ws.QueryParameter("metrics_name", "metrics name cpu memory...").DataType("string").Required(true).DefaultValue("namespace_memory_utilisation")).
+		Metadata(restfulspec.KeyOpenAPITags, tags)).
+		Consumes(restful.MIME_JSON, restful.MIME_XML).
+		Produces(restful.MIME_JSON)
+
+	ws.Route(ws.GET("/namespaces/{namespace}/pods").To(monitoring.MonitorPod).
+		Doc("monitor pods level metrics").
+		Param(ws.PathParameter("namespace", "specific namespace").DataType("string").Required(true).DefaultValue("monitoring")).
+		Param(ws.QueryParameter("metrics_filter", "metrics name cpu memory...in re2 regex").DataType("string").Required(false).DefaultValue("pod_memory_utilisation_wo_cache")).
+		Param(ws.QueryParameter("resources_filter", "pod re2 expression filter").DataType("string").Required(false).DefaultValue("")).
+		Param(ws.QueryParameter("sort_metric", "sort metric").DataType("string").Required(false)).
+		Param(ws.QueryParameter("sort_type", "ascending descending order").DataType("string").Required(false)).
+		Param(ws.QueryParameter("page", "page number").DataType("string").Required(false).DefaultValue("1")).
+		Param(ws.QueryParameter("limit", "metrics name cpu memory...in re2 regex").DataType("string").Required(false).DefaultValue("4")).
+		Metadata(restfulspec.KeyOpenAPITags, tags)).
+		Consumes(restful.MIME_JSON, restful.MIME_XML).
+		Produces(restful.MIME_JSON)
+
+	ws.Route(ws.GET("/namespaces/{namespace}/pods/{pod}").To(monitoring.MonitorPod).
+		Doc("monitor specific pod level metrics").
+		Param(ws.PathParameter("namespace", "specific namespace").DataType("string").Required(true).DefaultValue("monitoring")).
+		Param(ws.PathParameter("pod", "specific pod").DataType("string").Required(true).DefaultValue("")).
+		Param(ws.QueryParameter("metrics_name", "metrics name cpu memory...").DataType("string").Required(true).DefaultValue("pod_memory_utilisation_wo_cache")).
+		Metadata(restfulspec.KeyOpenAPITags, tags)).
+		Consumes(restful.MIME_JSON, restful.MIME_XML).
+		Produces(restful.MIME_JSON)
+
+	ws.Route(ws.GET("/nodes/{node}/pods").To(monitoring.MonitorPod).
+		Doc("monitor pods level metrics by nodeid").
+		Param(ws.PathParameter("node", "specific node").DataType("string").Required(true).DefaultValue("i-k89a62il")).
+		Param(ws.QueryParameter("metrics_filter", "metrics name cpu memory...in re2 regex").DataType("string").Required(false).DefaultValue("pod_memory_utilisation_wo_cache")).
+		Param(ws.QueryParameter("resources_filter", "pod re2 expression filter").DataType("string").Required(false).DefaultValue("openpitrix.*")).
+		Param(ws.QueryParameter("sort_metric", "sort metric").DataType("string").Required(false)).
+		Param(ws.QueryParameter("sort_type", "ascending descending order").DataType("string").Required(false)).
+		Param(ws.QueryParameter("page", "page number").DataType("string").Required(false).DefaultValue("1")).
+		Param(ws.QueryParameter("limit", "metrics name cpu memory...in re2 regex").DataType("string").Required(false).DefaultValue("4")).
+		Metadata(restfulspec.KeyOpenAPITags, tags)).
+		Consumes(restful.MIME_JSON, restful.MIME_XML).
+		Produces(restful.MIME_JSON)
+
+	ws.Route(ws.GET("/nodes/{node}/pods/{pod}").To(monitoring.MonitorPod).
+		Doc("monitor specific pod level metrics by nodeid").
+		Param(ws.PathParameter("node", "specific node").DataType("string").Required(true).DefaultValue("i-k89a62il")).
+		Param(ws.PathParameter("pod", "specific pod").DataType("string").Required(true).DefaultValue("")).
+		Param(ws.QueryParameter("metrics_name", "metrics name cpu memory...").DataType("string").Required(true).DefaultValue("pod_memory_utilisation_wo_cache")).
+		Metadata(restfulspec.KeyOpenAPITags, tags)).
+		Consumes(restful.MIME_JSON, restful.MIME_XML).
+		Produces(restful.MIME_JSON)
+
+	ws.Route(ws.GET("/nodes/{node}/pods/{pod}/containers").To(monitoring.MonitorContainer).
+		Doc("monitor specific pod level metrics by nodeid").
+		Param(ws.PathParameter("node", "specific node").DataType("string").Required(true)).
+		Param(ws.PathParameter("pod", "specific pod").DataType("string").Required(true)).
+		Param(ws.QueryParameter("resources_filter", "container re2 expression filter").DataType("string").Required(false).DefaultValue("")).
+		Param(ws.QueryParameter("metrics_filter", "metrics name cpu memory...").DataType("string").Required(false)).
+		Param(ws.QueryParameter("metrics_name", "metrics name cpu memory...").DataType("string").Required(true).DefaultValue("pod_memory_utilisation_wo_cache")).
+		Param(ws.QueryParameter("sort_metric", "sort metric").DataType("string").Required(false)).
+		Param(ws.QueryParameter("sort_type", "ascending descending order").DataType("string").Required(false)).
+		Param(ws.QueryParameter("page", "page number").DataType("string").Required(false).DefaultValue("1")).
+		Param(ws.QueryParameter("limit", "metrics name cpu memory...in re2 regex").DataType("string").Required(false).DefaultValue("4")).
+		Param(ws.QueryParameter("type", "rank, statistic").DataType("string").Required(false).DefaultValue("rank")).
+		Metadata(restfulspec.KeyOpenAPITags, tags)).
+		Consumes(restful.MIME_JSON, restful.MIME_XML).
+		Produces(restful.MIME_JSON)
+
+	ws.Route(ws.GET("/namespaces/{namespace}/pods/{pod}/containers").To(monitoring.MonitorContainer).
+		Doc("monitor containers level metrics").
+		Param(ws.PathParameter("namespace", "specific namespace").DataType("string").Required(true).DefaultValue("monitoring")).
+		Param(ws.PathParameter("pod", "specific pod").DataType("string").Required(true).DefaultValue("")).
+		Param(ws.QueryParameter("resources_filter", "container re2 expression filter").DataType("string").Required(false).DefaultValue("")).
+		Param(ws.QueryParameter("metrics_filter", "metrics name cpu memory...").DataType("string").Required(false)).
+		Param(ws.QueryParameter("metrics_name", "metrics name cpu memory...").DataType("string").Required(true).DefaultValue("container_memory_utilisation_wo_cache")).
+		Param(ws.QueryParameter("sort_metric", "sort metric").DataType("string").Required(false)).
+		Param(ws.QueryParameter("sort_type", "ascending descending order").DataType("string").Required(false)).
+		Param(ws.QueryParameter("page", "page number").DataType("string").Required(false).DefaultValue("1")).
+		Param(ws.QueryParameter("limit", "metrics name cpu memory...in re2 regex").DataType("string").Required(false).DefaultValue("4")).
+		Param(ws.QueryParameter("type", "rank, statistic").DataType("string").Required(false).DefaultValue("rank")).
+		Metadata(restfulspec.KeyOpenAPITags, tags)).
+		Consumes(restful.MIME_JSON, restful.MIME_XML).
+		Produces(restful.MIME_JSON)
+
+	ws.Route(ws.GET("/namespaces/{namespace}/pods/{pod}/containers/{container}").To(monitoring.MonitorContainer).
+		Doc("monitor specific container level metrics").
+		Param(ws.PathParameter("namespace", "specific namespace").DataType("string").Required(true).DefaultValue("monitoring")).
+		Param(ws.PathParameter("pod", "specific pod").DataType("string").Required(true).DefaultValue("")).
+		Param(ws.PathParameter("container", "specific container").DataType("string").Required(true).DefaultValue("")).
+		Param(ws.QueryParameter("metrics_name", "metrics name cpu memory...").DataType("string").Required(true).DefaultValue("container_memory_utilisation_wo_cache")).
+		Metadata(restfulspec.KeyOpenAPITags, tags)).
+		Consumes(restful.MIME_JSON, restful.MIME_XML).
+		Produces(restful.MIME_JSON)
+
+	// Only use this api to monitor status of pods under the {workload}
+	// To monitor a specific workload, try the next two apis with "resources_filter"
+	ws.Route(ws.GET("/namespaces/{namespace}/workloads/{workload_kind}/{workload}").To(monitoring.MonitorWorkload).
+		Doc("monitor specific workload level metrics").
+		Param(ws.PathParameter("namespace", "namespace").DataType("string").Required(true).DefaultValue("kube-system")).
+		Param(ws.PathParameter("workload_kind", "workload kind").DataType("string").Required(true).DefaultValue("daemonset")).
+		Param(ws.PathParameter("workload", "workload name").DataType("string").Required(true).DefaultValue("")).
+		Param(ws.QueryParameter("metrics_filter", "metrics name cpu memory...").DataType("string").Required(false)).
+		Param(ws.QueryParameter("resources_filter", "pod re2 expression filter").DataType("string").Required(false).DefaultValue("openpitrix.*")).
+		Param(ws.QueryParameter("sort_metric", "sort metric").DataType("string").Required(false)).
+		Param(ws.QueryParameter("sort_type", "ascending descending order").DataType("string").Required(false)).
+		Param(ws.QueryParameter("page", "page number").DataType("string").Required(false).DefaultValue("1")).
+		Param(ws.QueryParameter("limit", "max metric items in a page").DataType("string").Required(false).DefaultValue("4")).
+		Param(ws.QueryParameter("type", "rank, statistic").DataType("string").Required(false).DefaultValue("rank")).
+		Metadata(restfulspec.KeyOpenAPITags, tags)).
+		Consumes(restful.MIME_JSON, restful.MIME_XML).
+		Produces(restful.MIME_JSON)
+
+	ws.Route(ws.GET("/namespaces/{namespace}/workloads/{workload_kind}").To(monitoring.MonitorWorkload).
+		Doc("monitor specific workload kind level metrics").
+		Param(ws.PathParameter("namespace", "namespace").DataType("string").Required(true).DefaultValue("kube-system")).
+		Param(ws.PathParameter("workload_kind", "workload kind").DataType("string").Required(true).DefaultValue("daemonset")).
+		Param(ws.QueryParameter("metrics_filter", "metrics name cpu memory...").DataType("string").Required(false)).
+		Param(ws.QueryParameter("resources_filter", "pod re2 expression filter").DataType("string").Required(false).DefaultValue("openpitrix.*")).
+		Param(ws.QueryParameter("sort_metric", "sort metric").DataType("string").Required(false)).
+		Param(ws.QueryParameter("sort_type", "ascending descending order").DataType("string").Required(false)).
+		Param(ws.QueryParameter("page", "page number").DataType("string").Required(false).DefaultValue("1")).
+		Param(ws.QueryParameter("limit", "max metric items in a page").DataType("string").Required(false).DefaultValue("4")).
+		Param(ws.QueryParameter("type", "rank, statistic").DataType("string").Required(false).DefaultValue("rank")).
+		Metadata(restfulspec.KeyOpenAPITags, tags)).
+		Consumes(restful.MIME_JSON, restful.MIME_XML).
+		Produces(restful.MIME_JSON)
+
+	ws.Route(ws.GET("/namespaces/{namespace}/workloads").To(monitoring.MonitorWorkload).
+		Doc("monitor all workload level metrics").
+		Param(ws.PathParameter("namespace", "namespace").DataType("string").Required(true).DefaultValue("kube-system")).
+		Param(ws.QueryParameter("metrics_filter", "metrics name cpu memory...").DataType("string").Required(false)).
+		Param(ws.QueryParameter("resources_filter", "pod re2 expression filter").DataType("string").Required(false).DefaultValue("")).
+		Param(ws.QueryParameter("sort_metric", "sort metric").DataType("string").Required(false)).
+		Param(ws.QueryParameter("sort_type", "ascending descending order").DataType("string").Required(false)).
+		Param(ws.QueryParameter("page", "page number").DataType("string").Required(false).DefaultValue("1")).
+		Param(ws.QueryParameter("limit", "metrics name cpu memory...in re2 regex").DataType("string").Required(false).DefaultValue("4")).
+		Param(ws.QueryParameter("type", "rank, statistic").DataType("string").Required(false).DefaultValue("rank")).
+		Metadata(restfulspec.KeyOpenAPITags, tags)).
+		Consumes(restful.MIME_JSON, restful.MIME_XML).
+		Produces(restful.MIME_JSON)
+
+	// list all namespace in this workspace by selected metrics
+	ws.Route(ws.GET("/workspaces/{workspace}").To(monitoring.MonitorOneWorkspace).
+		Doc("monitor workspaces level metrics").
+		Param(ws.PathParameter("workspace", "workspace name").DataType("string").Required(true)).
+		Param(ws.QueryParameter("resources_filter", "namespaces filter").DataType("string").Required(false).DefaultValue("k.*")).
+		Param(ws.QueryParameter("metrics_filter", "metrics name cpu memory...in re2 regex").DataType("string").Required(false).DefaultValue("namespace_memory_utilisation_wo_cache")).
+		Param(ws.QueryParameter("sort_metric", "sort metric").DataType("string").Required(false)).
+		Param(ws.QueryParameter("sort_type", "ascending descending order").DataType("string").Required(false)).
+		Param(ws.QueryParameter("page", "page number").DataType("string").Required(false).DefaultValue("1")).
+		Param(ws.QueryParameter("limit", "metrics name cpu memory...in re2 regex").DataType("string").Required(false).DefaultValue("4")).
+		Param(ws.QueryParameter("type", "rank, statistic").DataType("string").Required(false).DefaultValue("rank")).
+		Metadata(restfulspec.KeyOpenAPITags, tags)).
+		Consumes(restful.MIME_JSON, restful.MIME_XML).
+		Produces(restful.MIME_JSON)
+
+	ws.Route(ws.GET("/workspaces").To(monitoring.MonitorAllWorkspaces).
+		Doc("monitor workspaces level metrics").
+		Param(ws.QueryParameter("metrics_filter", "metrics name cpu memory...in re2 regex").DataType("string").Required(false).DefaultValue("workspace_memory_utilisation")).
+		Param(ws.QueryParameter("resources_filter", "workspaces re2 expression filter").DataType("string").Required(false).DefaultValue(".*")).
+		Param(ws.QueryParameter("sort_metric", "sort metric").DataType("string").Required(false)).
+		Param(ws.QueryParameter("sort_type", "ascending descending order").DataType("string").Required(false)).
+		Param(ws.QueryParameter("page", "page number").DataType("string").Required(false).DefaultValue("1")).
+		Param(ws.QueryParameter("limit", "metrics name cpu memory...in re2 regex").DataType("string").Required(false).DefaultValue("4")).
+		Param(ws.QueryParameter("type", "rank, statistic").DataType("string").Required(false).DefaultValue("rank")).
+		Metadata(restfulspec.KeyOpenAPITags, tags)).
+		Consumes(restful.MIME_JSON, restful.MIME_XML).
+		Produces(restful.MIME_JSON)
+
+	ws.Route(ws.GET("/components/{component}").To(monitoring.MonitorComponent).
+		Doc("monitor component level metrics").
+		Param(ws.QueryParameter("metrics_filter", "metrics names in re2 regex").DataType("string").Required(false).DefaultValue("")).
+		Metadata(restfulspec.KeyOpenAPITags, tags)).
+		Consumes(restful.MIME_JSON, restful.MIME_XML).
+		Produces(restful.MIME_JSON)
+
+	c.Add(ws)
+	return nil
+}

pkg/apis/operations/install/install.go

@@ -0,0 +1,33 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package install
+
+import (
+	"github.com/emicklei/go-restful"
+	urlruntime "k8s.io/apimachinery/pkg/util/runtime"
+	operationsv1alpha2 "kubesphere.io/kubesphere/pkg/apis/operations/v1alpha2"
+	"kubesphere.io/kubesphere/pkg/apiserver/runtime"
+)
+
+func init() {
+	Install(runtime.Container)
+}
+
+func Install(container *restful.Container) {
+	urlruntime.Must(operationsv1alpha2.AddToContainer(container))
+}

pkg/apis/operations/v1alpha2/register.go

@@ -0,0 +1,63 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package v1alpha2
+
+import (
+	"github.com/emicklei/go-restful"
+	"github.com/emicklei/go-restful-openapi"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"kubesphere.io/kubesphere/pkg/apiserver/operations"
+	"kubesphere.io/kubesphere/pkg/apiserver/runtime"
+	"kubesphere.io/kubesphere/pkg/errors"
+)
+
+const GroupName = "operations.kubesphere.io"
+
+var GroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha2"}
+
+var (
+	WebServiceBuilder = runtime.NewContainerBuilder(addWebService)
+	AddToContainer    = WebServiceBuilder.AddToContainer
+)
+
+func addWebService(c *restful.Container) error {
+
+	tags := []string{"Operations"}
+
+	webservice := runtime.NewWebService(GroupVersion)
+
+	webservice.Route(webservice.POST("/nodes/{node}/drainage").
+		To(operations.DrainNode).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("").
+		Param(webservice.PathParameter("node", "node name")).
+		Writes(errors.Error{}))
+
+	webservice.Route(webservice.POST("/namespaces/{namespace}/jobs/{job}").
+		To(operations.RerunJob).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Handle job operation").
+		Param(webservice.PathParameter("job", "job name")).
+		Param(webservice.PathParameter("namespace", "job's namespace")).
+		Param(webservice.QueryParameter("a", "action")).
+		Writes(""))
+
+	c.Add(webservice)
+
+	return nil
+}

pkg/apis/resources/install/install.go

@@ -0,0 +1,33 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package install
+
+import (
+	"github.com/emicklei/go-restful"
+	urlruntime "k8s.io/apimachinery/pkg/util/runtime"
+	resourcev1alpha2 "kubesphere.io/kubesphere/pkg/apis/resources/v1alpha2"
+	"kubesphere.io/kubesphere/pkg/apiserver/runtime"
+)
+
+func init() {
+	Install(runtime.Container)
+}
+
+func Install(c *restful.Container) {
+	urlruntime.Must(resourcev1alpha2.AddToContainer(c))
+}

pkg/apis/resources/v1alpha2/register.go

@@ -0,0 +1,286 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package v1alpha2
+
+import (
+	"github.com/emicklei/go-restful"
+	"github.com/emicklei/go-restful-openapi"
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"kubesphere.io/kubesphere/pkg/apiserver/components"
+	"kubesphere.io/kubesphere/pkg/apiserver/git"
+	"kubesphere.io/kubesphere/pkg/apiserver/quotas"
+	"kubesphere.io/kubesphere/pkg/apiserver/registries"
+	"kubesphere.io/kubesphere/pkg/apiserver/resources"
+	"kubesphere.io/kubesphere/pkg/apiserver/revisions"
+	"kubesphere.io/kubesphere/pkg/apiserver/routers"
+	"kubesphere.io/kubesphere/pkg/apiserver/runtime"
+	"kubesphere.io/kubesphere/pkg/apiserver/workloadstatuses"
+	"kubesphere.io/kubesphere/pkg/errors"
+	"kubesphere.io/kubesphere/pkg/models"
+	"kubesphere.io/kubesphere/pkg/models/applications"
+	gitmodel "kubesphere.io/kubesphere/pkg/models/git"
+	"kubesphere.io/kubesphere/pkg/params"
+	"kubesphere.io/kubesphere/pkg/simple/client/openpitrix"
+)
+
+const GroupName = "resources.kubesphere.io"
+
+var GroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha2"}
+
+var (
+	WebServiceBuilder = runtime.NewContainerBuilder(addWebService)
+	AddToContainer    = WebServiceBuilder.AddToContainer
+)
+
+func addWebService(c *restful.Container) error {
+
+	webservice := runtime.NewWebService(GroupVersion)
+
+	tags := []string{"Namespace resources"}
+
+	webservice.Route(webservice.GET("/namespaces/{namespace}/{resources}").
+		To(resources.ListResources).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Namespace level resource query").
+		Param(webservice.PathParameter("namespace", "which namespace")).
+		Param(webservice.PathParameter("resources", "namespace level resource type")).
+		Param(webservice.QueryParameter(params.ConditionsParam, "query conditions").
+			Required(false).
+			DataFormat("key=%s,key~%s")).
+		Param(webservice.QueryParameter(params.PagingParam, "page").
+			Required(false).
+			DataFormat("limit=%d,page=%d").
+			DefaultValue("limit=10,page=1")).
+		Writes(models.PageableResponse{}))
+
+	tags = []string{"Cluster resources"}
+
+	webservice.Route(webservice.GET("/{resources}").
+		To(resources.ListResources).
+		Writes(models.PageableResponse{}).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Cluster level resource query").
+		Param(webservice.PathParameter("resources", "cluster level resource type"))).
+		Param(webservice.QueryParameter(params.ConditionsParam, "query conditions").
+			Required(false).
+			DataFormat("key=value,key~value").
+			DefaultValue("")).
+		Param(webservice.QueryParameter(params.PagingParam, "page").
+			Required(false).
+			DataFormat("limit=%d,page=%d").
+			DefaultValue("limit=10,page=1"))
+
+	tags = []string{"Applications"}
+
+	webservice.Route(webservice.GET("/applications").
+		To(resources.ListApplication).
+		Writes(models.PageableResponse{}).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("List applications in cluster").
+		Param(webservice.QueryParameter(params.ConditionsParam, "query conditions").
+			Required(false).
+			DataFormat("key=value,key~value").
+			DefaultValue("")).
+		Param(webservice.QueryParameter("cluster_id", "cluster id")).
+		Param(webservice.QueryParameter("runtime_id", "runtime id")).
+		Param(webservice.QueryParameter(params.PagingParam, "page").
+			Required(false).
+			DataFormat("limit=%d,page=%d").
+			DefaultValue("limit=10,page=1")))
+
+	webservice.Route(webservice.GET("/namespaces/{namespace}/applications").
+		To(resources.ListNamespacedApplication).
+		Writes(models.PageableResponse{}).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("List applications").
+		Param(webservice.QueryParameter(params.ConditionsParam, "query conditions").
+			Required(false).
+			DataFormat("key=value,key~value").
+			DefaultValue("")).
+		Param(webservice.PathParameter("namespace", "namespace")).
+		Param(webservice.QueryParameter(params.PagingParam, "page").
+			Required(false).
+			DataFormat("limit=%d,page=%d").
+			DefaultValue("limit=10,page=1")))
+
+	webservice.Route(webservice.GET("/namespaces/{namespace}/applications/{cluster_id}").
+		To(resources.DescribeApplication).
+		Writes(applications.Application{}).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Describe application").
+		Param(webservice.PathParameter("namespace", "namespace name")).
+		Param(webservice.PathParameter("cluster_id", "openpitrix cluster id")))
+
+	webservice.Route(webservice.POST("/namespaces/{namespace}/applications").
+		To(resources.DeployApplication).
+		Doc("Deploy application").
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Reads(openpitrix.CreateClusterRequest{}).
+		Param(webservice.PathParameter("namespace", "namespace name")))
+
+	webservice.Route(webservice.DELETE("/namespaces/{namespace}/applications/{cluster_id}").
+		To(resources.DeleteApplication).
+		Doc("Delete application").
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Param(webservice.PathParameter("namespace", "namespace name")))
+
+	tags = []string{"User resources"}
+
+	webservice.Route(webservice.GET("/users/{username}/kubectl").
+		To(resources.GetKubectl).
+		Doc("get user's kubectl pod").
+		Param(webservice.PathParameter("username", "username")).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Writes(models.PodInfo{}))
+
+	webservice.Route(webservice.GET("/users/{username}/kubeconfig").
+		Produces("text/plain").
+		To(resources.GetKubeconfig).
+		Doc("get users' kubeconfig").
+		Param(webservice.PathParameter("username", "username")).
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+
+	tags = []string{"Components"}
+
+	webservice.Route(webservice.GET("/components").
+		To(components.GetComponents).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("").
+		Writes(map[string]models.Component{}))
+	webservice.Route(webservice.GET("/components/{component}").
+		To(components.GetComponentStatus).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("").
+		Param(webservice.PathParameter("component", "component name")).
+		Writes(models.Component{}))
+	webservice.Route(webservice.GET("/health").
+		To(components.GetSystemHealthStatus).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("").
+		Writes(map[string]int{}))
+
+	tags = []string{"Quotas"}
+
+	webservice.Route(webservice.GET("/quotas").
+		To(quotas.GetClusterQuotas).
+		Deprecate().
+		Doc("get whole cluster's resource usage").
+		Writes(models.ResourceQuota{}).
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+
+	webservice.Route(webservice.GET("/namespaces/{namespace}/quotas").
+		Doc("get specified namespace's resource quota and usage").
+		Param(webservice.PathParameter("namespace", "namespace's name")).
+		Writes(models.ResourceQuota{}).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		To(quotas.GetNamespaceQuotas))
+
+	tags = []string{"Registries"}
+
+	webservice.Route(webservice.POST("registries/verify").
+		To(registries.RegistryVerify).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("docker registry verify").
+		Writes(errors.Error{}))
+
+	tags = []string{"Git"}
+	webservice.Route(webservice.POST("/git/readverify").
+		To(
+			git.GitReadVerify).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("secret git read verify").
+		Reads(gitmodel.AuthInfo{}).
+		Writes(errors.Error{}),
+	)
+	tags = []string{"Revision"}
+
+	webservice.Route(webservice.GET("/namespaces/{namespace}/daemonsets/{daemonset}/revisions/{revision}").
+		To(revisions.GetDaemonSetRevision).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Handle daemonset operation").
+		Param(webservice.PathParameter("daemonset", "daemonset's name")).
+		Param(webservice.PathParameter("namespace", "daemonset's namespace")).
+		Param(webservice.PathParameter("revision", "daemonset's revision")).
+		Writes(appsv1.DaemonSet{}))
+	webservice.Route(webservice.GET("/namespaces/{namespace}/deployments/{deployment}/revisions/{revision}").
+		To(revisions.GetDeployRevision).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Handle deployment operation").
+		Param(webservice.PathParameter("deployment", "deployment's name")).
+		Param(webservice.PathParameter("namespace", "deployment's namespace")).
+		Param(webservice.PathParameter("revision", "deployment's revision")).
+		Writes(appsv1.ReplicaSet{}))
+	webservice.Route(webservice.GET("/namespaces/{namespace}/statefulsets/{statefulset}/revisions/{revision}").
+		To(revisions.GetStatefulSetRevision).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Handle statefulset operation").
+		Param(webservice.PathParameter("statefulset", "statefulset's name")).
+		Param(webservice.PathParameter("namespace", "statefulset's namespace")).
+		Param(webservice.PathParameter("revision", "statefulset's revision")).
+		Writes(appsv1.StatefulSet{}))
+
+	tags = []string{"Router"}
+
+	webservice.Route(webservice.GET("/routers").
+		To(routers.GetAllRouters).
+		Doc("List all routers").
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Writes(corev1.Service{}))
+
+	webservice.Route(webservice.GET("/namespaces/{namespace}/router").
+		To(routers.GetRouter).
+		Doc("List router of a specified project").
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Param(webservice.PathParameter("namespace", "name of the project")))
+
+	webservice.Route(webservice.DELETE("/namespaces/{namespace}/router").
+		To(routers.DeleteRouter).
+		Doc("List router of a specified project").
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Param(webservice.PathParameter("namespace", "name of the project")))
+
+	webservice.Route(webservice.POST("/namespaces/{namespace}/router").
+		To(routers.CreateRouter).
+		Doc("Create a router for a specified project").
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Param(webservice.PathParameter("namespace", "name of the project")))
+
+	webservice.Route(webservice.PUT("/namespaces/{namespace}/router").
+		To(routers.UpdateRouter).
+		Doc("Update a router for a specified project").
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Param(webservice.PathParameter("namespace", "name of the project")))
+
+	tags = []string{"WorkloadStatus"}
+
+	webservice.Route(webservice.GET("/workloadstatuses").
+		Doc("get abnormal workloads' count of whole cluster").
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		To(workloadstatuses.GetClusterResourceStatus))
+	webservice.Route(webservice.GET("/namespaces/{namespace}/workloadstatuses").
+		Doc("get abnormal workloads' count of specified namespace").
+		Param(webservice.PathParameter("namespace", "the name of namespace")).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		To(workloadstatuses.GetNamespacesResourceStatus))
+
+	c.Add(webservice)
+
+	return nil
+}

pkg/apis/servicemesh/group.go

@@ -0,0 +1,18 @@
+/*
+Copyright 2019 The KubeSphere authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package servicemesh contains servicemesh API versions
+package servicemesh

pkg/apis/servicemesh/metrics/install/install.go

@@ -0,0 +1,16 @@
+package install
+
+import (
+	"github.com/emicklei/go-restful"
+	urlruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"kubesphere.io/kubesphere/pkg/apis/servicemesh/metrics/v1alpha2"
+	"kubesphere.io/kubesphere/pkg/apiserver/runtime"
+)
+
+func init() {
+	Install(runtime.Container)
+}
+
+func Install(c *restful.Container) {
+	urlruntime.Must(v1alpha2.AddToContainer(c))
+}

pkg/apis/servicemesh/metrics/v1alpha2/register.go

@@ -0,0 +1,194 @@
+package v1alpha2
+
+import (
+	"github.com/emicklei/go-restful"
+	"github.com/emicklei/go-restful-openapi"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"kubesphere.io/kubesphere/pkg/apiserver/runtime"
+	"kubesphere.io/kubesphere/pkg/apiserver/servicemesh/metrics"
+	"kubesphere.io/kubesphere/pkg/apiserver/servicemesh/tracing"
+	"kubesphere.io/kubesphere/pkg/errors"
+)
+
+const GroupName = "servicemesh.kubesphere.io"
+
+var GroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha2"}
+
+var (
+	WebServiceBuilder = runtime.NewContainerBuilder(addWebService)
+	AddToContainer    = WebServiceBuilder.AddToContainer
+)
+
+func addWebService(c *restful.Container) error {
+
+	tags := []string{"ServiceMesh"}
+
+	webservice := runtime.NewWebService(GroupVersion)
+
+	// Get service metrics
+	// GET /namespaces/{namespace}/services/{service}/metrics
+	webservice.Route(webservice.GET("/namespaces/{namespace}/services/{service}/metrics").
+		To(metrics.GetServiceMetrics).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Get app metrics from a specific namespace").
+		Param(webservice.PathParameter("namespace", "name of the namespace")).
+		Param(webservice.PathParameter("service", "name of the service")).
+		Param(webservice.QueryParameter("filters[]", "type of metrics type, e.g. request_count, request_duration, request_error_count")).
+		Param(webservice.QueryParameter("queryTime", "from which UNIX time to extract metrics")).
+		Param(webservice.QueryParameter("duration", "metrics duration, in seconds")).
+		Param(webservice.QueryParameter("step", "metrics step")).
+		Param(webservice.QueryParameter("rateInterval", "metrics rate intervals, e.g. 20s")).
+		Param(webservice.QueryParameter("quantiles[]", "metrics quantiles, 0.5, 0.9, 0.99")).
+		Param(webservice.QueryParameter("byLabels[]", "by which labels to group node, e.g. source_workload, destination_service_name")).
+		Param(webservice.QueryParameter("requestProtocol", "request protocol, http/tcp")).
+		Param(webservice.QueryParameter("reporter", "destination")).
+		Writes(errors.Error{})).Produces(restful.MIME_JSON)
+
+	// Get app metrics
+	// Get /namespaces/{namespace}/apps/{app}/metrics
+	webservice.Route(webservice.GET("/namespaces/{namespace}/apps/{app}/metrics").
+		To(metrics.GetAppMetrics).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Get app metrics from a specific namespace").
+		Param(webservice.PathParameter("namespace", "name of the namespace")).
+		Param(webservice.PathParameter("app", "name of the workload label app value")).
+		Param(webservice.QueryParameter("filters[]", "type of metrics type, e.g. request_count, request_duration, request_error_count")).
+		Param(webservice.QueryParameter("queryTime", "from which UNIX time to extract metrics")).
+		Param(webservice.QueryParameter("duration", "metrics duration, in seconds")).
+		Param(webservice.QueryParameter("step", "metrics step")).
+		Param(webservice.QueryParameter("rateInterval", "metrics rate intervals, e.g. 20s")).
+		Param(webservice.QueryParameter("quantiles[]", "metrics quantiles, 0.5, 0.9, 0.99")).
+		Param(webservice.QueryParameter("byLabels[]", "by which labels to group node, e.g. source_workload, destination_service_name")).
+		Param(webservice.QueryParameter("requestProtocol", "request protocol, http/tcp")).
+		Param(webservice.QueryParameter("reporter", "destination")).
+		Writes(errors.Error{})).Produces(restful.MIME_JSON)
+
+	// Get workload metrics
+	// Get /namespaces/{namespace}/workloads/{workload}/metrics
+	webservice.Route(webservice.GET("/namespaces/{namespace}/workloads/{workload}/metrics").
+		To(metrics.GetWorkloadMetrics).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Get workload metrics from a specific namespace").
+		Param(webservice.PathParameter("namespace", "name of the namespace").Required(true)).
+		Param(webservice.PathParameter("workload", "name of the workload").Required(true)).
+		Param(webservice.QueryParameter("filters[]", "type of metrics type, e.g. request_count, request_duration, request_error_count")).
+		Param(webservice.QueryParameter("queryTime", "from which UNIX time to extract metrics")).
+		Param(webservice.QueryParameter("duration", "metrics duration, in seconds")).
+		Param(webservice.QueryParameter("step", "metrics step")).
+		Param(webservice.QueryParameter("rateInterval", "metrics rate intervals, e.g. 20s")).
+		Param(webservice.QueryParameter("quantiles[]", "metrics quantiles, 0.5, 0.9, 0.99")).
+		Param(webservice.QueryParameter("byLabels[]", "by which labels to group node, e.g. source_workload, destination_service_name")).
+		Param(webservice.QueryParameter("requestProtocol", "request protocol, http/tcp")).
+		Param(webservice.QueryParameter("reporter", "destination")).
+		Writes(errors.Error{})).Produces(restful.MIME_JSON)
+
+	// Get namespace metrics
+	// Get /namespaces/{namespace}/metrics
+	webservice.Route(webservice.GET("/namespaces/{namespace}/metrics").
+		To(metrics.GetNamespaceMetrics).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Get workload metrics from a specific namespace").
+		Param(webservice.PathParameter("namespace", "name of the namespace").Required(true)).
+		Param(webservice.QueryParameter("filters[]", "type of metrics type, e.g. request_count, request_duration, request_error_count")).
+		Param(webservice.QueryParameter("queryTime", "from which UNIX time to extract metrics")).
+		Param(webservice.QueryParameter("duration", "metrics duration, in seconds")).
+		Param(webservice.QueryParameter("step", "metrics step")).
+		Param(webservice.QueryParameter("rateInterval", "metrics rate intervals, e.g. 20s")).
+		Param(webservice.QueryParameter("quantiles[]", "metrics quantiles, 0.5, 0.9, 0.99")).
+		Param(webservice.QueryParameter("byLabels[]", "by which labels to group node, e.g. source_workload, destination_service_name")).
+		Param(webservice.QueryParameter("requestProtocol", "request protocol, http/tcp")).
+		Param(webservice.QueryParameter("reporter", "destination")).
+		Writes(errors.Error{})).Produces(restful.MIME_JSON)
+
+	// Get namespace graph
+	// Get /namespaces/{namespace}/graph
+	webservice.Route(webservice.GET("/namespaces/{namespace}/graph").
+		To(metrics.GetNamespaceGraph).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Get service graph for a specific namespace").
+		Param(webservice.PathParameter("namespace", "name of a namespace").Required(true)).
+		Param(webservice.QueryParameter("graphType", "type of the generated service graph, eg. ")).
+		Param(webservice.QueryParameter("groupBy", "group nodes by kind")).
+		Param(webservice.QueryParameter("queryTime", "from which time point, default now")).
+		Param(webservice.QueryParameter("injectServiceNodes", "whether to inject service ndoes")).
+		Writes(errors.Error{})).Produces(restful.MIME_JSON)
+
+	// Get namespaces graph, for multiple namespaces
+	// Get /namespaces/graph
+	webservice.Route(webservice.GET("/namespaces/{namespace}/graph").
+		To(metrics.GetNamespacesGraph).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Get service graph for a specific namespace").
+		Param(webservice.PathParameter("namespace", "name of a namespace").Required(true)).
+		Param(webservice.QueryParameter("graphType", "type of the generated service graph, eg. ")).
+		Param(webservice.QueryParameter("groupBy", "group nodes by kind")).
+		Param(webservice.QueryParameter("queryTime", "from which time point, default now")).
+		Param(webservice.QueryParameter("injectServiceNodes", "whether to inject service ndoes")).
+		Param(webservice.QueryParameter("namespaces", "names of namespaces")).
+		Writes(errors.Error{})).Produces(restful.MIME_JSON)
+
+	// Get namespace health
+	webservice.Route(webservice.GET("/namespaces/{namespace}/health").
+		To(metrics.GetNamespaceHealth).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Get workload health").
+		Param(webservice.PathParameter("namespace", "name of a namespace").Required(true)).
+		Param(webservice.PathParameter("type", "the type of health, app/service/workload, default app").DefaultValue("app")).
+		Param(webservice.QueryParameter("rateInterval", "the rate interval used for fetching error rate").DefaultValue("10m").Required(true)).
+		Param(webservice.QueryParameter("queryTime", "the time to use for query")).
+		Writes(errors.Error{})).Produces(restful.MIME_JSON)
+
+	// Get workloads health
+	webservice.Route(webservice.GET("/namespaces/{namespace}/workloads/{workload}/health").
+		To(metrics.GetWorkloadHealth).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Get workload health").
+		Param(webservice.PathParameter("namespace", "name of a namespace").Required(true)).
+		Param(webservice.PathParameter("workload", "workload name").Required(true)).
+		Param(webservice.QueryParameter("rateInterval", "the rate interval used for fetching error rate").DefaultValue("10m").Required(true)).
+		Param(webservice.QueryParameter("queryTime", "the time to use for query")).
+		Writes(errors.Error{})).Produces(restful.MIME_JSON)
+
+	// Get app health
+	webservice.Route(webservice.GET("/namespaces/{namespace}/apps/{app}/health").
+		To(metrics.GetAppHealth).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Get workload health").
+		Param(webservice.PathParameter("namespace", "name of a namespace").Required(true)).
+		Param(webservice.PathParameter("app", "app name").Required(true)).
+		Param(webservice.QueryParameter("rateInterval", "the rate interval used for fetching error rate").DefaultValue("10m").Required(true)).
+		Param(webservice.QueryParameter("queryTime", "the time to use for query")).
+		Writes(errors.Error{})).Produces(restful.MIME_JSON)
+
+	// Get service health
+	webservice.Route(webservice.GET("/namespaces/{namespace}/services/{service}/health").
+		To(metrics.GetServiceHealth).
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Doc("Get workload health").
+		Param(webservice.PathParameter("namespace", "name of a namespace").Required(true)).
+		Param(webservice.PathParameter("service", "service name").Required(true)).
+		Param(webservice.QueryParameter("rateInterval", "the rate interval used for fetching error rate").DefaultValue("10m").Required(true)).
+		Param(webservice.QueryParameter("queryTime", "the time to use for query")).
+		Writes(errors.Error{})).Produces(restful.MIME_JSON)
+
+	// Get service tracing
+	webservice.Route(webservice.GET("/namespaces/{namespace}/services/{service}/traces").
+		To(tracing.GetServiceTracing).
+		Doc("Get tracing of a service, should have servicemesh enabled first").
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Param(webservice.PathParameter("namespace", "namespace of service").Required(true)).
+		Param(webservice.PathParameter("service", "name of service queried").Required(true)).
+		Param(webservice.QueryParameter("start", "start of time range want to query, in unix timestamp")).
+		Param(webservice.QueryParameter("end", "end of time range want to query, in unix timestamp")).
+		Param(webservice.QueryParameter("limit", "maximum tracing entries returned at one query, default 10").DefaultValue("10")).
+		Param(webservice.QueryParameter("loopback", "loopback of duration want to query, e.g. 30m/1h/2d")).
+		Param(webservice.QueryParameter("maxDuration", "maximum duration of tracing")).
+		Param(webservice.QueryParameter("minDuration", "minimum duration of tracing")).
+		Writes(errors.Error{}).
+		Consumes(restful.MIME_JSON).
+		Produces(restful.MIME_JSON))
+
+	c.Add(webservice)
+
+	return nil
+}

pkg/apis/servicemesh/v1alpha2/doc.go

@@ -0,0 +1,23 @@
+/*
+Copyright 2019 The KubeSphere authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1alpha2 contains API Schema definitions for the servicemesh v1alpha2 API group
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package,register
+// +k8s:conversion-gen=kubesphere.io/kubesphere/pkg/apis/servicemesh
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=servicemesh.kubesphere.io
+package v1alpha2

pkg/apis/servicemesh/v1alpha2/register.go

@@ -0,0 +1,46 @@
+/*
+Copyright 2019 The KubeSphere authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// NOTE: Boilerplate only.  Ignore this file.
+
+// Package v1alpha2 contains API Schema definitions for the servicemesh v1alpha2 API group
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package,register
+// +k8s:conversion-gen=kubesphere.io/kubesphere/pkg/apis/servicemesh
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=servicemesh.kubesphere.io
+package v1alpha2
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/runtime/scheme"
+)
+
+var (
+	// SchemeGroupVersion is group version used to register these objects
+	SchemeGroupVersion = schema.GroupVersion{Group: "servicemesh.kubesphere.io", Version: "v1alpha2"}
+
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
+	SchemeBuilder = &scheme.Builder{GroupVersion: SchemeGroupVersion}
+
+	// AddToScheme is required by pkg/client/...
+	AddToScheme = SchemeBuilder.AddToScheme
+)
+
+// Resource is required by pkg/client/listers/...
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}

pkg/apis/servicemesh/v1alpha2/servicepolicy_types.go

@@ -0,0 +1,127 @@
+/*
+Copyright 2019 The KubeSphere authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha2
+
+import (
+	"github.com/knative/pkg/apis/istio/v1alpha3"
+	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
+// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
+
+// ServicePolicySpec defines the desired state of ServicePolicy
+type ServicePolicySpec struct {
+
+	// Label selector for destination rules.
+	// +optional
+	Selector *metav1.LabelSelector `json:"selector,omitempty"`
+
+	// Template used to create a destination rule
+	// +optional
+	Template DestinationRuleSpecTemplate `json:"template,omitempty"`
+}
+
+type DestinationRuleSpecTemplate struct {
+
+	// Metadata of the virtual services created from this template
+	// +optional
+	metav1.ObjectMeta
+
+	// Spec indicates the behavior of a destination rule.
+	// +optional
+	Spec v1alpha3.DestinationRuleSpec `json:"spec,omitempty"`
+}
+
+type ServicePolicyConditionType string
+
+// These are valid conditions of a strategy.
+const (
+	// StrategyComplete means the strategy has been delivered to istio.
+	ServicePolicyComplete ServicePolicyConditionType = "Complete"
+
+	// StrategyFailed means the strategy has failed its delivery to istio.
+	ServicePolicyFailed ServicePolicyConditionType = "Failed"
+)
+
+// StrategyCondition describes current state of a strategy.
+type ServicePolicyCondition struct {
+	// Type of strategy condition, Complete or Failed.
+	Type ServicePolicyConditionType
+
+	// Status of the condition, one of True, False, Unknown
+	Status apiextensions.ConditionStatus
+
+	// Last time the condition was checked.
+	// +optional
+	LastProbeTime metav1.Time
+
+	// Last time the condition transit from one status to another
+	// +optional
+	LastTransitionTime metav1.Time
+
+	// reason for the condition's last transition
+	Reason string
+
+	// Human readable message indicating details about last transition.
+	// +optinal
+	Message string
+}
+
+// ServicePolicyStatus defines the observed state of ServicePolicy
+type ServicePolicyStatus struct {
+	// The latest available observations of an object's current state.
+	// +optional
+	Conditions []ServicePolicyCondition
+
+	// Represents time when the strategy was acknowledged by the controller.
+	// It is represented in RFC3339 form and is in UTC.
+	// +optional
+	StartTime *metav1.Time
+
+	// Represents time when the strategy was completed.
+	// It is represented in RFC3339 form and is in UTC.
+	// +optional
+	CompletionTime *metav1.Time
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ServicePolicy is the Schema for the servicepolicies API
+// +k8s:openapi-gen=true
+type ServicePolicy struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   ServicePolicySpec   `json:"spec,omitempty"`
+	Status ServicePolicyStatus `json:"status,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ServicePolicyList contains a list of ServicePolicy
+type ServicePolicyList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []ServicePolicy `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&ServicePolicy{}, &ServicePolicyList{})
+}

pkg/apis/servicemesh/v1alpha2/servicepolicy_types_test.go

@@ -0,0 +1,58 @@
+/*
+Copyright 2019 The KubeSphere authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha2
+
+import (
+	"testing"
+
+	"github.com/onsi/gomega"
+	"golang.org/x/net/context"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+func TestStorageServicePolicy(t *testing.T) {
+	key := types.NamespacedName{
+		Name:      "foo",
+		Namespace: "default",
+	}
+	created := &ServicePolicy{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "foo",
+			Namespace: "default",
+		}}
+	g := gomega.NewGomegaWithT(t)
+
+	// Test Create
+	fetched := &ServicePolicy{}
+	g.Expect(c.Create(context.TODO(), created)).NotTo(gomega.HaveOccurred())
+
+	g.Expect(c.Get(context.TODO(), key, fetched)).NotTo(gomega.HaveOccurred())
+	g.Expect(fetched).To(gomega.Equal(created))
+
+	// Test Updating the Labels
+	updated := fetched.DeepCopy()
+	updated.Labels = map[string]string{"hello": "world"}
+	g.Expect(c.Update(context.TODO(), updated)).NotTo(gomega.HaveOccurred())
+
+	g.Expect(c.Get(context.TODO(), key, fetched)).NotTo(gomega.HaveOccurred())
+	g.Expect(fetched).To(gomega.Equal(updated))
+
+	// Test Delete
+	g.Expect(c.Delete(context.TODO(), fetched)).NotTo(gomega.HaveOccurred())
+	g.Expect(c.Get(context.TODO(), key, fetched)).To(gomega.HaveOccurred())
+}

pkg/apis/servicemesh/v1alpha2/strategy_types.go

@@ -0,0 +1,175 @@
+/*
+Copyright 2019 The KubeSphere authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha2
+
+import (
+	"github.com/knative/pkg/apis/istio/v1alpha3"
+	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
+// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
+
+type StrategyType string
+
+const (
+	// Canary strategy type
+	CanaryType StrategyType = "Canary"
+
+	// BlueGreen strategy type
+	BlueGreenType StrategyType = "BlueGreen"
+
+	// Mirror strategy type
+	Mirror StrategyType = "Mirror"
+)
+
+type StrategyPolicy string
+
+const (
+	// apply strategy only until workload is ready
+	PolicyWaitForWorkloadReady StrategyPolicy = "WaitForWorkloadReady"
+
+	// apply strategy immediately no matter workload status is
+	PolicyImmediately StrategyPolicy = "Immediately"
+
+	// pause strategy
+	PolicyPause StrategyPolicy = "Paused"
+)
+
+// StrategySpec defines the desired state of Strategy
+type StrategySpec struct {
+	// Strategy type
+	Type StrategyType `json:"type,omitempty"`
+
+	// Principal version, the one as reference version
+	// label version value
+	// +optional
+	PrincipalVersion string `json:"principal,omitempty"`
+
+	// Governor version, the version takes control of all incoming traffic
+	// label version value
+	// +optional
+	GovernorVersion string `json:"governor,omitempty"`
+
+	// Label selector for virtual services.
+	// +optional
+	Selector *metav1.LabelSelector `json:"selector,omitempty"`
+
+	// Template describes the virtual service that will be created.
+	Template VirtualServiceTemplateSpec `json:"template,omitempty"`
+
+	// strategy policy, how the strategy will be applied
+	// by the strategy controller
+	StrategyPolicy StrategyPolicy `json:"strategyPolicy,omitempty"`
+}
+
+// VirtualServiceTemplateSpec
+type VirtualServiceTemplateSpec struct {
+
+	// Metadata of the virtual services created from this template
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec indicates the behavior of a virtual service.
+	// +optional
+	Spec v1alpha3.VirtualServiceSpec `json:"spec,omitempty"`
+}
+
+// StrategyStatus defines the observed state of Strategy
+type StrategyStatus struct {
+	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
+	// Important: Run "make" to regenerate code after modifying this file
+
+	// The latest available observations of an object's current state.
+	// +optional
+	Conditions []StrategyCondition
+
+	// Represents time when the strategy was acknowledged by the controller.
+	// It is represented in RFC3339 form and is in UTC.
+	// +optional
+	StartTime *metav1.Time
+
+	// Represents time when the strategy was completed.
+	// It is represented in RFC3339 form and is in UTC.
+	// +optional
+	CompletionTime *metav1.Time
+}
+
+type StrategyConditionType string
+
+// These are valid conditions of a strategy.
+const (
+	// StrategyComplete means the strategy has been delivered to istio.
+	StrategyComplete StrategyConditionType = "Complete"
+
+	// StrategyFailed means the strategy has failed its delivery to istio.
+	StrategyFailed StrategyConditionType = "Failed"
+)
+
+// StrategyCondition describes current state of a strategy.
+type StrategyCondition struct {
+	// Type of strategy condition, Complete or Failed.
+	Type StrategyConditionType
+
+	// Status of the condition, one of True, False, Unknown
+	Status apiextensions.ConditionStatus
+
+	// Last time the condition was checked.
+	// +optional
+	LastProbeTime metav1.Time
+
+	// Last time the condition transit from one status to another
+	// +optional
+	LastTransitionTime metav1.Time
+
+	// reason for the condition's last transition
+	Reason string
+
+	// Human readable message indicating details about last transition.
+	// +optinal
+	Message string
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Strategy is the Schema for the strategies API
+// +kubebuilder:printcolumn:name="Type",type="string",JSONPath=".spec.type",description="type of strategy"
+// +kubebuilder:printcolumn:name="Hosts",type="string",JSONPath=".spec.template.spec.hosts",description="destination hosts"
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata"
+// +k8s:openapi-gen=true
+type Strategy struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   StrategySpec   `json:"spec,omitempty"`
+	Status StrategyStatus `json:"status,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// StrategyList contains a list of Strategy
+type StrategyList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Strategy `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&Strategy{}, &StrategyList{})
+}

pkg/apis/servicemesh/v1alpha2/strategy_types_test.go

@@ -0,0 +1,88 @@
+/*
+Copyright 2019 The KubeSphere authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha2
+
+import (
+	"github.com/knative/pkg/apis/istio/v1alpha3"
+	"io/ioutil"
+	"k8s.io/apimachinery/pkg/util/json"
+	"k8s.io/client-go/kubernetes/scheme"
+	"testing"
+
+	"github.com/onsi/gomega"
+	"golang.org/x/net/context"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+func TestStorageStrategy(t *testing.T) {
+	key := types.NamespacedName{
+		Name:      "foo",
+		Namespace: "default",
+	}
+	created := &Strategy{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "foo",
+			Namespace: "default",
+		},
+		Spec: StrategySpec{
+			Template: VirtualServiceTemplateSpec{
+				Spec: v1alpha3.VirtualServiceSpec{
+					Hosts: []string{
+						"details",
+					},
+				},
+			},
+		},
+	}
+	g := gomega.NewGomegaWithT(t)
+
+	// Test Create
+	fetched := &Strategy{}
+	g.Expect(c.Create(context.TODO(), created)).NotTo(gomega.HaveOccurred())
+
+	g.Expect(c.Get(context.TODO(), key, fetched)).NotTo(gomega.HaveOccurred())
+	g.Expect(fetched).To(gomega.Equal(created))
+
+	// Test Updating the Labels
+	updated := fetched.DeepCopy()
+	updated.Labels = map[string]string{"hello": "world"}
+	g.Expect(c.Update(context.TODO(), updated)).NotTo(gomega.HaveOccurred())
+
+	g.Expect(c.Get(context.TODO(), key, fetched)).NotTo(gomega.HaveOccurred())
+	g.Expect(fetched).To(gomega.Equal(updated))
+
+	// Test Delete
+	g.Expect(c.Delete(context.TODO(), fetched)).NotTo(gomega.HaveOccurred())
+	g.Expect(c.Get(context.TODO(), key, fetched)).To(gomega.HaveOccurred())
+}
+
+func TestStrategyRead(t *testing.T) {
+
+	//g := gomega.NewGomegaWithT(t)
+
+	var str []byte
+	file, err := ioutil.ReadFile("/Users/zry/go/src/kubesphere.io/kubesphere/config/samples/servicemesh_v1alpha2_strategy.yaml")
+	if err == nil {
+		obj, _, _ := scheme.Codecs.UniversalDeserializer().Decode(file, nil, &Strategy{})
+		switch obj.(type) {
+		case *Strategy:
+			str, err = json.Marshal(obj)
+			t.Logf("Read strategy %s", str)
+		}
+	}
+}

pkg/apis/servicemesh/v1alpha2/v1alpha2_suite_test.go

@@ -0,0 +1,55 @@
+/*
+Copyright 2019 The KubeSphere authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha2
+
+import (
+	"log"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/client-go/rest"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/envtest"
+)
+
+var cfg *rest.Config
+var c client.Client
+
+func TestMain(m *testing.M) {
+	t := &envtest.Environment{
+		CRDDirectoryPaths: []string{filepath.Join("..", "..", "..", "..", "config", "crds")},
+	}
+
+	err := SchemeBuilder.AddToScheme(scheme.Scheme)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	if cfg, err = t.Start(); err != nil {
+		log.Fatal(err)
+	}
+
+	if c, err = client.New(cfg, client.Options{Scheme: scheme.Scheme}); err != nil {
+		log.Fatal(err)
+	}
+
+	code := m.Run()
+	t.Stop()
+	os.Exit(code)
+}

pkg/apis/servicemesh/v1alpha2/zz_generated.deepcopy.go

@@ -0,0 +1,326 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package v1alpha2
+
+import (
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DestinationRuleSpecTemplate) DeepCopyInto(out *DestinationRuleSpecTemplate) {
+	*out = *in
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DestinationRuleSpecTemplate.
+func (in *DestinationRuleSpecTemplate) DeepCopy() *DestinationRuleSpecTemplate {
+	if in == nil {
+		return nil
+	}
+	out := new(DestinationRuleSpecTemplate)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ServicePolicy) DeepCopyInto(out *ServicePolicy) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServicePolicy.
+func (in *ServicePolicy) DeepCopy() *ServicePolicy {
+	if in == nil {
+		return nil
+	}
+	out := new(ServicePolicy)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ServicePolicy) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ServicePolicyCondition) DeepCopyInto(out *ServicePolicyCondition) {
+	*out = *in
+	in.LastProbeTime.DeepCopyInto(&out.LastProbeTime)
+	in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServicePolicyCondition.
+func (in *ServicePolicyCondition) DeepCopy() *ServicePolicyCondition {
+	if in == nil {
+		return nil
+	}
+	out := new(ServicePolicyCondition)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ServicePolicyList) DeepCopyInto(out *ServicePolicyList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ServicePolicy, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServicePolicyList.
+func (in *ServicePolicyList) DeepCopy() *ServicePolicyList {
+	if in == nil {
+		return nil
+	}
+	out := new(ServicePolicyList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ServicePolicyList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ServicePolicySpec) DeepCopyInto(out *ServicePolicySpec) {
+	*out = *in
+	if in.Selector != nil {
+		in, out := &in.Selector, &out.Selector
+		*out = new(v1.LabelSelector)
+		(*in).DeepCopyInto(*out)
+	}
+	in.Template.DeepCopyInto(&out.Template)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServicePolicySpec.
+func (in *ServicePolicySpec) DeepCopy() *ServicePolicySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ServicePolicySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ServicePolicyStatus) DeepCopyInto(out *ServicePolicyStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]ServicePolicyCondition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.StartTime != nil {
+		in, out := &in.StartTime, &out.StartTime
+		*out = (*in).DeepCopy()
+	}
+	if in.CompletionTime != nil {
+		in, out := &in.CompletionTime, &out.CompletionTime
+		*out = (*in).DeepCopy()
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServicePolicyStatus.
+func (in *ServicePolicyStatus) DeepCopy() *ServicePolicyStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ServicePolicyStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Strategy) DeepCopyInto(out *Strategy) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Strategy.
+func (in *Strategy) DeepCopy() *Strategy {
+	if in == nil {
+		return nil
+	}
+	out := new(Strategy)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Strategy) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *StrategyCondition) DeepCopyInto(out *StrategyCondition) {
+	*out = *in
+	in.LastProbeTime.DeepCopyInto(&out.LastProbeTime)
+	in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StrategyCondition.
+func (in *StrategyCondition) DeepCopy() *StrategyCondition {
+	if in == nil {
+		return nil
+	}
+	out := new(StrategyCondition)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *StrategyList) DeepCopyInto(out *StrategyList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Strategy, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StrategyList.
+func (in *StrategyList) DeepCopy() *StrategyList {
+	if in == nil {
+		return nil
+	}
+	out := new(StrategyList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *StrategyList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *StrategySpec) DeepCopyInto(out *StrategySpec) {
+	*out = *in
+	if in.Selector != nil {
+		in, out := &in.Selector, &out.Selector
+		*out = new(v1.LabelSelector)
+		(*in).DeepCopyInto(*out)
+	}
+	in.Template.DeepCopyInto(&out.Template)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StrategySpec.
+func (in *StrategySpec) DeepCopy() *StrategySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(StrategySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *StrategyStatus) DeepCopyInto(out *StrategyStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]StrategyCondition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.StartTime != nil {
+		in, out := &in.StartTime, &out.StartTime
+		*out = (*in).DeepCopy()
+	}
+	if in.CompletionTime != nil {
+		in, out := &in.CompletionTime, &out.CompletionTime
+		*out = (*in).DeepCopy()
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StrategyStatus.
+func (in *StrategyStatus) DeepCopy() *StrategyStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(StrategyStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VirtualServiceTemplateSpec) DeepCopyInto(out *VirtualServiceTemplateSpec) {
+	*out = *in
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VirtualServiceTemplateSpec.
+func (in *VirtualServiceTemplateSpec) DeepCopy() *VirtualServiceTemplateSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(VirtualServiceTemplateSpec)
+	in.DeepCopyInto(out)
+	return out
+}

pkg/apis/tenant/group.go

@@ -0,0 +1,20 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+
+// Package tenant contains tenant API versions
+package tenant

pkg/apis/tenant/install/install.go

@@ -0,0 +1,33 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package install
+
+import (
+	"github.com/emicklei/go-restful"
+	urlruntime "k8s.io/apimachinery/pkg/util/runtime"
+	tenantv1alpha2 "kubesphere.io/kubesphere/pkg/apis/tenant/v1alpha2"
+	"kubesphere.io/kubesphere/pkg/apiserver/runtime"
+)
+
+func init() {
+	Install(runtime.Container)
+}
+
+func Install(container *restful.Container) {
+	urlruntime.Must(tenantv1alpha2.AddToContainer(container))
+}

pkg/apis/tenant/v1alpha1/doc.go

@@ -0,0 +1,25 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+
+// Package v1alpha1 contains API Schema definitions for the tenant v1alpha1 API group
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package,register
+// +k8s:conversion-gen=kubesphere.io/kubesphere/pkg/apis/tenant
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=tenant.kubesphere.io
+package v1alpha1

pkg/apis/tenant/v1alpha1/register.go

@@ -0,0 +1,48 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+
+// NOTE: Boilerplate only.  Ignore this file.
+
+// Package v1alpha1 contains API Schema definitions for the tenant v1alpha1 API group
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package,register
+// +k8s:conversion-gen=kubesphere.io/kubesphere/pkg/apis/tenant
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=tenant.kubesphere.io
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/runtime/scheme"
+)
+
+var (
+	// SchemeGroupVersion is group version used to register these objects
+	SchemeGroupVersion = schema.GroupVersion{Group: "tenant.kubesphere.io", Version: "v1alpha1"}
+
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
+	SchemeBuilder = &scheme.Builder{GroupVersion: SchemeGroupVersion}
+
+	// AddToScheme is required by pkg/client/...
+	AddToScheme = SchemeBuilder.AddToScheme
+)
+
+// Resource is required by pkg/client/listers/...
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}

pkg/apis/tenant/v1alpha1/v1alpha1_suite_test.go

@@ -0,0 +1,57 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+
+package v1alpha1
+
+import (
+	"log"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/client-go/rest"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/envtest"
+)
+
+var cfg *rest.Config
+var c client.Client
+
+func TestMain(m *testing.M) {
+	t := &envtest.Environment{
+		CRDDirectoryPaths: []string{filepath.Join("..", "..", "..", "..", "config", "crds")},
+	}
+
+	err := SchemeBuilder.AddToScheme(scheme.Scheme)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	if cfg, err = t.Start(); err != nil {
+		log.Fatal(err)
+	}
+
+	if c, err = client.New(cfg, client.Options{Scheme: scheme.Scheme}); err != nil {
+		log.Fatal(err)
+	}
+
+	code := m.Run()
+	t.Stop()
+	os.Exit(code)
+}

pkg/apis/tenant/v1alpha1/workspace_types.go

@@ -0,0 +1,64 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
+// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
+
+// WorkspaceSpec defines the desired state of Workspace
+type WorkspaceSpec struct {
+	Manager string `json:"manager,omitempty"`
+}
+
+// WorkspaceStatus defines the observed state of Workspace
+type WorkspaceStatus struct {
+	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
+	// Important: Run "make" to regenerate code after modifying this file
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +genclient:nonNamespaced
+
+// Workspace is the Schema for the workspaces API
+// +k8s:openapi-gen=true
+type Workspace struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+	Spec              WorkspaceSpec   `json:"spec,omitempty"`
+	Status            WorkspaceStatus `json:"status,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +genclient:nonNamespaced
+
+// WorkspaceList contains a list of Workspace
+type WorkspaceList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Workspace `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&Workspace{}, &WorkspaceList{})
+}

pkg/apis/tenant/v1alpha1/workspace_types_test.go

@@ -0,0 +1,58 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+
+package v1alpha1
+
+import (
+	"testing"
+
+	"github.com/onsi/gomega"
+	"golang.org/x/net/context"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+func TestStorageWorkspace(t *testing.T) {
+	key := types.NamespacedName{
+		Name: "foo",
+	}
+	created := &Workspace{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "foo",
+		}}
+	g := gomega.NewGomegaWithT(t)
+
+	// Test Create
+	fetched := &Workspace{}
+	g.Expect(c.Create(context.TODO(), created)).NotTo(gomega.HaveOccurred())
+
+	g.Expect(c.Get(context.TODO(), key, fetched)).NotTo(gomega.HaveOccurred())
+	g.Expect(fetched).To(gomega.Equal(created))
+
+	// Test Updating the Labels
+	updated := fetched.DeepCopy()
+	updated.Labels = map[string]string{"hello": "world"}
+	g.Expect(c.Update(context.TODO(), updated)).NotTo(gomega.HaveOccurred())
+
+	g.Expect(c.Get(context.TODO(), key, fetched)).NotTo(gomega.HaveOccurred())
+	g.Expect(fetched).To(gomega.Equal(updated))
+
+	// Test Delete
+	g.Expect(c.Delete(context.TODO(), fetched)).NotTo(gomega.HaveOccurred())
+	g.Expect(c.Get(context.TODO(), key, fetched)).To(gomega.HaveOccurred())
+}

pkg/apis/tenant/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,118 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Workspace) DeepCopyInto(out *Workspace) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	out.Status = in.Status
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Workspace.
+func (in *Workspace) DeepCopy() *Workspace {
+	if in == nil {
+		return nil
+	}
+	out := new(Workspace)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Workspace) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WorkspaceList) DeepCopyInto(out *WorkspaceList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Workspace, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkspaceList.
+func (in *WorkspaceList) DeepCopy() *WorkspaceList {
+	if in == nil {
+		return nil
+	}
+	out := new(WorkspaceList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *WorkspaceList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WorkspaceSpec) DeepCopyInto(out *WorkspaceSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkspaceSpec.
+func (in *WorkspaceSpec) DeepCopy() *WorkspaceSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(WorkspaceSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WorkspaceStatus) DeepCopyInto(out *WorkspaceStatus) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkspaceStatus.
+func (in *WorkspaceStatus) DeepCopy() *WorkspaceStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(WorkspaceStatus)
+	in.DeepCopyInto(out)
+	return out
+}

pkg/apis/tenant/v1alpha2/register.go

@@ -0,0 +1,115 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package v1alpha2
+
+import (
+	"github.com/emicklei/go-restful"
+	"github.com/emicklei/go-restful-openapi"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"kubesphere.io/kubesphere/pkg/apiserver/runtime"
+	"kubesphere.io/kubesphere/pkg/apiserver/tenant"
+)
+
+const GroupName = "tenant.kubesphere.io"
+
+var GroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha2"}
+
+var (
+	WebServiceBuilder = runtime.NewContainerBuilder(addWebService)
+	AddToContainer    = WebServiceBuilder.AddToContainer
+)
+
+func addWebService(c *restful.Container) error {
+	tags := []string{"Tenant"}
+	ws := runtime.NewWebService(GroupVersion)
+
+	ws.Route(ws.GET("/workspaces").
+		To(tenant.ListWorkspaces).
+		Doc("List workspace by user").
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.GET("/workspaces/{workspace}").
+		To(tenant.DescribeWorkspace).
+		Doc("Get workspace detail").
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.GET("/workspaces/{workspace}/rules").
+		To(tenant.ListWorkspaceRules).
+		Param(ws.PathParameter("workspace", "workspace name")).
+		Doc("List the rules for the current user").
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.GET("/namespaces/{namespace}/rules").
+		To(tenant.ListNamespaceRules).
+		Param(ws.PathParameter("namespace", "namespace")).
+		Doc("List the rules for the current user").
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.GET("/devops/{devops}/rules").
+		To(tenant.ListDevopsRules).
+		Param(ws.PathParameter("devops", "devops project id")).
+		Doc("List the rules for the current user").
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.GET("/workspaces/{workspace}/namespaces").
+		To(tenant.ListNamespaces).
+		Param(ws.PathParameter("workspace", "workspace name")).
+		Doc("List the namespaces for the current user").
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.GET("/workspaces/{workspace}/members/{username}/namespaces").
+		To(tenant.ListNamespaces).
+		Param(ws.PathParameter("workspace", "workspace name")).
+		Param(ws.PathParameter("username", "workspace member's username")).
+		Doc("List the namespaces for the workspace member").
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.POST("/workspaces/{workspace}/namespaces").
+		To(tenant.CreateNamespace).
+		Param(ws.PathParameter("workspace", "workspace name")).
+		Doc("Create namespace").
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.DELETE("/workspaces/{workspace}/namespaces/{namespace}").
+		To(tenant.DeleteNamespace).
+		Param(ws.PathParameter("workspace", "workspace name")).
+		Param(ws.PathParameter("namespace", "namespace")).
+		Doc("Delete namespace").
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+
+	ws.Route(ws.GET("/workspaces/{workspace}/devops").
+		To(tenant.ListDevopsProjects).
+		Param(ws.PathParameter("workspace", "workspace name")).
+		Doc("List devops projects for the current user").
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.GET("/workspaces/{workspace}/members/{username}/devops").
+		To(tenant.ListDevopsProjects).
+		Param(ws.PathParameter("workspace", "workspace name")).
+		Param(ws.PathParameter("username", "workspace member's username")).
+		Doc("List the devops projects for the workspace member").
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.POST("/workspaces/{workspace}/devops").
+		To(tenant.CreateDevopsProject).
+		Param(ws.PathParameter("workspace", "workspace name")).
+		Doc("Create devops project").
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.DELETE("/workspaces/{workspace}/devops/{id}").
+		To(tenant.DeleteDevopsProject).
+		Param(ws.PathParameter("workspace", "workspace name")).
+		Doc("Delete devops project").
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+	ws.Route(ws.GET("/logging").
+		To(tenant.LogQuery).
+		Doc("Query cluster-level logs in a multi-tenants environment").
+		Metadata(restfulspec.KeyOpenAPITags, tags))
+
+	c.Add(ws)
+	return nil
+}

pkg/apis/terminal/install/install.go

@@ -0,0 +1,33 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package install
+
+import (
+	"github.com/emicklei/go-restful"
+	urlruntime "k8s.io/apimachinery/pkg/util/runtime"
+	terminalv1alpha2 "kubesphere.io/kubesphere/pkg/apis/terminal/v1alpha2"
+	"kubesphere.io/kubesphere/pkg/apiserver/runtime"
+)
+
+func init() {
+	Install(runtime.Container)
+}
+
+func Install(c *restful.Container) {
+	urlruntime.Must(terminalv1alpha2.AddToContainer(c))
+}

pkg/apis/terminal/v1alpha2/register.go

@@ -0,0 +1,56 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package v1alpha2
+
+import (
+	"github.com/emicklei/go-restful"
+	"github.com/emicklei/go-restful-openapi"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"kubesphere.io/kubesphere/pkg/apiserver/runtime"
+	"kubesphere.io/kubesphere/pkg/apiserver/terminal"
+	"kubesphere.io/kubesphere/pkg/models"
+)
+
+const GroupName = "terminal.kubesphere.io"
+
+var GroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha2"}
+
+var (
+	WebServiceBuilder = runtime.NewContainerBuilder(addWebService)
+	AddToContainer    = WebServiceBuilder.AddToContainer
+)
+
+func addWebService(c *restful.Container) error {
+
+	webservice := runtime.NewWebService(GroupVersion)
+
+	tags := []string{"Terminal"}
+
+	webservice.Route(webservice.GET("/namespaces/{namespace}/pods/{pod}").
+		To(terminal.CreateTerminalSession).
+		Doc("create terminal session").
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Writes(models.PodInfo{}))
+
+	path := runtime.ApiRootPath + "/" + GroupVersion.String() + "/sockjs"
+	c.Handle(path+"/", terminal.NewTerminalHandler(path))
+
+	c.Add(webservice)
+
+	return nil
+}

pkg/apis/v1alpha/components/components_handler.go

@@ -1,87 +0,0 @@
-/*
-Copyright 2018 The KubeSphere Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package components
-
-import (
-	"net/http"
-
-	"github.com/golang/glog"
-
-	"github.com/emicklei/go-restful"
-
-	"kubesphere.io/kubesphere/pkg/constants"
-	"kubesphere.io/kubesphere/pkg/filter/route"
-	"kubesphere.io/kubesphere/pkg/models"
-)
-
-func Register(ws *restful.WebService, subPath string) {
-	ws.Route(ws.GET(subPath).To(handleGetComponents).Filter(route.RouteLogging)).
-		Consumes(restful.MIME_JSON, restful.MIME_XML).
-		Produces(restful.MIME_JSON)
-	ws.Route(ws.GET(subPath+"/{namespace}/{componentName}").To(handleGetComponentStatus).
-		Filter(route.RouteLogging)).
-		Consumes(restful.MIME_JSON, restful.MIME_XML).
-		Produces(restful.MIME_JSON)
-	ws.Route(ws.GET("/health").To(handleGetSystemHealthStatus).Filter(route.RouteLogging)).
-		Consumes(restful.MIME_JSON, restful.MIME_XML).
-		Produces(restful.MIME_JSON)
-}
-
-func handleGetSystemHealthStatus(request *restful.Request, response *restful.Response) {
-
-	if status, err := models.GetSystemHealthStatus(); err != nil {
-		err = response.WriteHeaderAndEntity(http.StatusInternalServerError, constants.MessageResponse{Message: err.Error()})
-		if err != nil {
-			glog.Errorln(err)
-		}
-	} else {
-		err = response.WriteAsJson(status)
-		if err != nil {
-			glog.Errorln(err)
-		}
-	}
-}
-
-// get a specific component status
-func handleGetComponentStatus(request *restful.Request, response *restful.Response) {
-	namespace := request.PathParameter("namespace")
-	componentName := request.PathParameter("componentName")
-
-	if component, err := models.GetComponentStatus(namespace, componentName); err != nil {
-		err = response.WriteHeaderAndEntity(http.StatusInternalServerError, constants.MessageResponse{Message: err.Error()})
-		if err != nil {
-			glog.Errorln(err)
-		}
-	} else {
-		if err = response.WriteAsJson(component); err != nil {
-			glog.Errorln(err)
-		}
-	}
-}
-
-// get all components
-func handleGetComponents(request *restful.Request, response *restful.Response) {
-
-	result, err := models.GetAllComponentsStatus()
-
-	if err != nil {
-		response.WriteHeaderAndEntity(http.StatusInternalServerError, constants.MessageResponse{Message: err.Error()})
-	} else {
-		response.WriteAsJson(result)
-	}
-
-}