Merge pull request #575 from FeynmanZhou/docs-2.0.2

fix mistaken release note link, update roadmap image to 2.0.2

.github/.stale.yaml

@@ -0,0 +1,16 @@
+# Number of days of inactivity before an issue becomes stale
+daysUntilStale: 30
+# Number of days of inactivity before a stale issue is closed
+daysUntilClose: 14
+# Issues with these labels will never be considered stale
+exemptLabels:
+  - frozen
+staleLabel: stale
+# Comment to post when marking an issue as stale. Set to `false` to disable
+markComment: >
+  This issue has been automatically marked as stale because it has not had
+  recent activity. It will be closed if no further activity occurs. Any further update will
+  cause the issue/pull request to no longer be considered stale. Thank you for your contributions.
+# Comment to post when closing a stale issue. Set to `false` to disable
+closeComment: >
+  This issue is being automatically closed due to inactivity.

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,42 @@
+---
+name: Bug report
+about: Create a report to help us improve
+---
+
+ 
+**General remarks**
+
+> Please delete this section including header before submitting
+> 也可以使用中文
+>
+> This form is to report bugs. For general usage questions refer to our Slack channel
+>        [KubeSphere-users](https://join.slack.com/t/kubesphere/shared_invite/enQtNTE3MDIxNzUxNzQ0LTdkNTc3OTdmNzdiODViZjViNTU5ZDY3M2I2MzY4MTI4OGZlOTJmMDg5ZTFiMDAwYzNlZDY5NjA0NzZlNDU5NmY)
+
+**Describe the bug(描述下问题)**
+A clear and concise description of what the bug is.
+
+For UI issues please also add a screenshot that shows the issue.
+
+**Versions used(KubeSphere/Kubernetes的版本)**
+KubeSphere:
+Kubernetes: (If KubeSphere installer used, you can skip this)
+
+
+**Environment(环境的硬件配置)**
+How many nodes and their hardware configuration: 
+
+For example:
+3 masters:  8cpu/8g
+3 nodes: 8cpu/16g
+
+(and other info are welcomed to help us debugging)
+
+**To Reproduce(复现步骤)**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior(预期行为)**
+A clear and concise description of what you expected to happen.

.gitignore

@@ -23,3 +23,4 @@ tmp/
 
 # OSX trash
 .DS_Store
+api.json

.travis.yml

@@ -1,32 +1,29 @@
-sudo: required
-
 services:
   - docker
 
 language: go
 
+git:
+  depth: false
+
 go:
-  - 1.10
-  - tip
+  - 1.12
 
 go_import_path: kubesphere.io/kubesphere
 
 before_install:
-  - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
-  - curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh
-  - sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
-  - sudo apt-get update
-  - sudo apt-get -y install docker-ce
-  - dep ensure -v
+  - go get -u github.com/golang/dep/cmd/dep
 
 before_script:
   - docker --version
+  - bash hack/install_kubebuilder.sh
 
 script:
-  - make fmt-check && make build
+  - make all 
 
 deploy:
+  skip_cleanup: true
   provider: script
-  script: bash install/scripts/docker_push
+  script: bash hack/docker_build.sh 
   on:
     branch: master

AUTHORS

@@ -1,13 +0,0 @@
-# This is the official list of KubeSphere authors for copyright purposes.
-# This file is distinct from the CONTRIBUTORS files.
-# See the latter for an explanation.
-
-# Names should be added to this file as one of
-#     Organization's name
-#     Individual's name <submission email address>
-#     Individual's name <submission email address> <email2> <emailN>
-# See CONTRIBUTORS for the meaning of multiple email addresses.
-
-# Please keep the list sorted.
-
-Yunify Inc.

CONTRIBUTORS

@@ -1,20 +0,0 @@
-# This is the official list of people who can contribute
-# (and typically have contributed) code to the KubeSphere repository.
-# The AUTHORS file lists the copyright holders; this file
-# lists people.  For example, Yunify employees are listed here
-# but not in AUTHORS, because Yunify holds the copyright.
-#
-# When adding J Random Contributor's name to this file,
-# either J's name or J's organization's name should be
-# added to the AUTHORS file.
-
-# Names should be added to this file like so:
-#     Individual's name <submission email address>
-#     Individual's name <submission email address> <email2> <emailN>
-#
-# An entry with multiple email addresses specifies that the
-# first address should be used in the submit logs.
-
-# Please keep the list sorted.
-
-Ray@qingcloud <ray@yunify.com>

Dockerfile

@@ -1,17 +0,0 @@
-# Copyright 2018 The KubeSphere Authors. All rights reserved.
-# Use of this source code is governed by a Apache license
-# that can be found in the LICENSE file.
-
-FROM kubesphere/kubesphere-builder as builder
-
-WORKDIR /go/src/kubesphere.io/kubesphere/
-COPY . .
-
-RUN go generate kubesphere.io/kubesphere/pkg/version && \
-	go install  kubesphere.io/kubesphere/cmd/...
-
-FROM alpine:3.6
-RUN apk add --update ca-certificates && update-ca-certificates
-COPY --from=builder /go/bin/* /usr/local/bin/
-
-CMD ["sh"]

Dockerfile.dev

@@ -1,10 +0,0 @@
-FROM alpine:3.6
-
-RUN apk add --update ca-certificates \
-    && update-ca-certificates \ 
-    && mkdir -p /etc/kubesphere/ingress-controller
-
-COPY ./bin/* /usr/local/bin/
-COPY ./install/ingress-controller /etc/kubesphere/ingress-controller
-
-CMD ["sh"]

Gopkg.toml

@@ -1,76 +1,78 @@
-# Gopkg.toml example
-#
-# Refer to https://github.com/golang/dep/blob/master/docs/Gopkg.toml.md
-# for detailed Gopkg.toml documentation.
-#
-# required = ["github.com/user/thing/cmd/thing"]
-# ignored = ["github.com/user/project/pkgX", "bitbucket.org/user/project/pkgA/pkgY"]
-#
-# [[constraint]]
-#   name = "github.com/user/project"
-#   version = "1.0.0"
-#
-# [[constraint]]
-#   name = "github.com/user/project2"
-#   branch = "dev"
-#   source = "github.com/myfork/project2"
-#
-# [[override]]
-#   name = "github.com/x/y"
-#   version = "2.4.0"
-#
-# [prune]
-#   non-go = false
-#   go-tests = true
-#   unused-packages = true
-
-[[constraint]]
-  name = "github.com/coreos/etcd"
-  version = "3.3.7"
+required = [
+    "github.com/emicklei/go-restful",
+    "github.com/onsi/ginkgo", # for test framework
+    "github.com/onsi/gomega", # for test matchers
+    "k8s.io/gengo/examples/defaulter-gen/generators",
+    "k8s.io/gengo/examples/deepcopy-gen/generators",
+    "k8s.io/client-go/plugin/pkg/client/auth/gcp", # for development against gcp
+    "k8s.io/code-generator/cmd/client-gen",
+    "sigs.k8s.io/controller-tools/cmd/controller-gen", # for crd/rbac generation
+    "sigs.k8s.io/controller-runtime/pkg/client/config",
+    "sigs.k8s.io/controller-runtime/pkg/controller",
+    "sigs.k8s.io/controller-runtime/pkg/handler",
+    "sigs.k8s.io/controller-runtime/pkg/manager",
+    "sigs.k8s.io/controller-runtime/pkg/runtime/signals",
+    "sigs.k8s.io/controller-runtime/pkg/source",
+    "sigs.k8s.io/testing_frameworks/integration", # for integration testing
+    "github.com/kubesphere/s2ioperator/pkg/client/clientset/versioned",
+    "github.com/kubesphere/s2ioperator/pkg/client/informers/externalversions",
+    "github.com/kubesphere/s2ioperator/pkg/apis/devops/v1alpha1"
+]
 
 [[constraint]]
   name = "github.com/docker/docker"
   version = "v17.05.0-ce"
 
-[[constraint]]
-  name = "github.com/emicklei/go-restful"
-  version = "2.7.1"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/golang/glog"
-
-[[constraint]]
-  name = "github.com/spf13/pflag"
-  version = "1.0.1"
-
-[[constraint]]
-  name = "gopkg.in/igm/sockjs-go.v2"
-  version = "2.0.0"
-
-[[constraint]]
-  name = "gopkg.in/yaml.v2"
-  version = "2.2.1"
-
-[[constraint]]
+[[override]]
   name = "k8s.io/api"
-  version = "kubernetes-1.10.0"
+  version = "kubernetes-1.13.1"
 
-[[constraint]]
+[[override]]
   name = "k8s.io/apimachinery"
-  version = "kubernetes-1.10.0"
+  version = "kubernetes-1.13.1"
+
+[[override]]
+  name = "k8s.io/apiserver"
+  version = "kubernetes-1.13.1"
 
 [[constraint]]
+  name = "k8s.io/code-generator"
+  version = "kubernetes-1.13.1"
+
+[[override]]
   name = "k8s.io/client-go"
-  version = "7.0.0"
+  version = "kubernetes-1.13.1"
 
 [[constraint]]
   name = "k8s.io/kubernetes"
-  version = "1.10.4"
+  version = "1.13.1"
+
+[[constraint]]
+  name="sigs.k8s.io/controller-runtime"
+  version="v0.1.7"
+
+[[constraint]]
+  name="sigs.k8s.io/controller-tools"
+  version="v0.1.7"
+
+[[constraint]]
+  name="github.com/kubesphere/s2ioperator"
+  version="v0.0.8"
+
+[[override]]
+  name="github.com/bifurcation/mint"
+  revision="824af65410658916142a7600349144e1289f2110"
 
 [prune]
   go-tests = true
   unused-packages = true
+  non-go = true
+
+[[prune.project]]
+  name = "k8s.io/code-generator"
+  unused-packages = false
+  non-go = false
+
 
 # To use reference package:
 #   vendor/github.com/docker/docker/client/container_commit.go:17: undefined: reference.ParseNormalizedNamed
@@ -87,4 +89,47 @@
 #   vendor/github.com/docker/docker/registry/service_v2.go:11: cannot call non-function tlsconfig.ServerDefault (type tls.Config)
 [[override]]
   name = "github.com/docker/go-connections"
-  branch = "master"
+  version = "0.4.0"
+
+# For dependency below: Refer to issue https://github.com/golang/dep/issues/1799
+[[override]]
+  name = "gopkg.in/fsnotify.v1"
+  source = "https://github.com/fsnotify/fsnotify.git"
+  version = "v1.4.7"
+
+[[override]]
+  name = "github.com/russross/blackfriday"
+  version = "v1.5.2"
+
+# offical application controller doesn't limit observe scope to namespace
+# use our own version instead
+[[constraint]]
+  name = "sigs.k8s.io/application"
+  source = "https://github.com/kubesphere/application"
+  branch = "kubesphere"
+
+[[constraint]]
+  name = "github.com/kiali/kiali"
+  source = "https://github.com/kubesphere/kiali"
+  branch = "kubesphere"
+
+[[constraint]]
+  name = "github.com/kubernetes-sigs/application"
+  source = "https://github.com/kubesphere/application"
+  branch = "kubesphere"
+
+[[constraint]]
+  name = "github.com/knative/pkg"
+  revision = "cd278f2d3394c865fda66bca12459e879e0279b8"
+
+[[constraint]]
+  name = "gopkg.in/igm/sockjs-go.v2"
+  version = "2.0.0"
+
+[[constraint]]
+  name = "github.com/gocraft/dbr"
+  revision = "a0fd650918f6287ffe111d1c7b66bb755ff3be4a"
+
+[[constraint]]
+  name = "github.com/kubesphere/sonargo"
+  version = "0.0.2"

Makefile

@@ -2,103 +2,84 @@
 # Use of this source code is governed by a Apache license
 # that can be found in the LICENSE file.
 
-TRAG.Org:=kubesphere
-TRAG.Name:=ks-apiserver
-TRAG.Gopkg:=kubesphere.io/kubesphere
-TRAG.Version:=$(TRAG.Gopkg)/pkg/version
+# The binary to build 
+BIN ?= ks-apiserver
 
-DOCKER_TAGS=latest
-RUN_IN_DOCKER:=docker run -it --rm -v `pwd`:/go/src/$(TRAG.Gopkg) -v `pwd`/tmp/cache:/root/.cache/go-build  -w /go/src/$(TRAG.Gopkg) -e GOBIN=/go/src/$(TRAG.Gopkg)/tmp/bin -e USER_ID=`id -u` -e GROUP_ID=`id -g` kubesphere/kubesphere-builder
-GO_FMT:=goimports -l -w -e -local=kubesphere -srcdir=/go/src/$(TRAG.Gopkg)
-GO_FILES:=./cmd ./pkg
+IMG ?= kubespheredev/ks-apiserver
+OUTPUT_DIR=bin
 
-define get_diff_files
-    $(eval DIFF_FILES=$(shell git diff --name-only --diff-filter=ad | grep -E "^(test|cmd|pkg)/.+\.go"))
+define ALL_HELP_INFO
+# Build code.
+#
+# Args:
+#   WHAT: Directory names to build.  If any of these directories has a 'main'
+#     package, the build will produce executable files under $(OUT_DIR).
+#     If not specified, "everything" will be built.
+#   GOFLAGS: Extra flags to pass to 'go' when building.
+#   GOLDFLAGS: Extra linking flags passed to 'go' when building.
+#   GOGCFLAGS: Additional go compile flags passed to 'go' when building.
+#
+# Example:
+#   make
+#   make all
+#   make all WHAT=cmd/ks-apiserver
+#     Note: Use the -N -l options to disable compiler optimizations an inlining.
+#           Using these build options allows you to subsequently use source
+#           debugging tools like delve.
 endef
-define get_build_flags
-    $(eval SHORT_VERSION=$(shell git describe --tags --always --dirty="-dev"))
-    $(eval SHA1_VERSION=$(shell git show --quiet --pretty=format:%H))
-	$(eval DATE=$(shell date +'%Y-%m-%dT%H:%M:%S'))
-	$(eval BUILD_FLAG= -X $(TRAG.Version).ShortVersion="$(SHORT_VERSION)" \
-		-X $(TRAG.Version).GitSha1Version="$(SHA1_VERSION)" \
-		-X $(TRAG.Version).BuildDate="$(DATE)")
-endef
-
 .PHONY: all
-all: generate build
+all: test ks-apiserver ks-apigateway ks-iam controller-manager
 
-.PHONY: help
-help:
-# TODO: update help info to last version
-	@echo "TODO"
+# Build ks-apiserver binary
+ks-apiserver: test
+	hack/gobuild.sh cmd/ks-apiserver
 
-.PHONY: init-vendor
-init-vendor:
-	@if [[ ! -f "$$(which govendor)" ]]; then \
-		go get -u github.com/kardianos/govendor; \
-	fi
-	govendor init
-	govendor add +external
-	@echo "init-vendor done"
+# Build ks-apigateway binary
+ks-apigateway: test
+	hack/gobuild.sh cmd/ks-apigateway
 
-.PHONY: update-vendor
-update-vendor:
-	@if [[ ! -f "$$(which govendor)" ]]; then \
-		go get -u github.com/kardianos/govendor; \
-	fi
-	govendor update +external
-	govendor list
-	@echo "update-vendor done"
+# Build ks-iam binary
+ks-iam: test
+	hack/gobuild.sh cmd/ks-iam
 
-.PHONY: update-builder
-update-builder:
-	docker pull kubesphere/kubesphere-builder
-	@echo "update-builder done"
+# Build controller-manager binary
+controller-manager: test
+	hack/gobuild.sh cmd/controller-manager
 
-.PHONY: generate-in-local
-generate-in-local:
-	go generate ./pkg/version/
-
-.PHONY: generate
-generate:
-	$(RUN_IN_DOCKER) make generate-in-local
-	@echo "generate done"
-
-.PHONY: fmt-all
-fmt-all:
-	mkdir -p ./tmp/bin && cp -r ./install ./tmp/
-	$(RUN_IN_DOCKER) $(GO_FMT) $(GO_FILES)
-	@echo "fmt done"
-
-.PHONY: fmt
+# Run go fmt against code 
 fmt:
-	$(call get_diff_files)
-	$(if $(DIFF_FILES), \
-		$(RUN_IN_DOCKER) $(GO_FMT) ${DIFF_FILES}, \
-		$(info cannot find modified files from git) \
-	)
-	@echo "fmt done"
+	go fmt ./pkg/... ./cmd/...
 
-.PHONY: fmt-check
-fmt-check: fmt-all
-	$(call get_diff_files)
-	$(if $(DIFF_FILES), \
-		exit 2 \
-	)
+# Run go vet against code
+vet:
+	go vet ./pkg/... ./cmd/...
 
-.PHONY: build
-build: fmt
-	mkdir -p ./tmp/bin && cp -r ./install/ ./tmp/
-	$(call get_build_flags)
-	$(RUN_IN_DOCKER) time go install -ldflags '$(BUILD_FLAG)' $(TRAG.Gopkg)/cmd/...
-	mv ./tmp/bin/cmd ./tmp/bin/$(TRAG.Name)
-	@docker build -t $(TRAG.Org)/$(TRAG.Name) -f ./Dockerfile.dev ./tmp
-	@docker image prune -f 1>/dev/null 2>&1
-	@echo "build done"
+# Generate manifests e.g. CRD, RBAC etc.
+manifests:
+	go run vendor/sigs.k8s.io/controller-tools/cmd/controller-gen/main.go all
 
-.PHONY: release
-release:
-	@echo "TODO"
+deploy: manifests
+	kubectl apply -f config/crds
+	kustomize build config/default | kubectl apply -f -
+
+# Generate DeepCopy to implement runtime.Object
+deepcopy:
+	./vendor/k8s.io/code-generator/generate-groups.sh all kubesphere.io/kubesphere/pkg/client kubesphere.io/kubesphere/pkg/apis "servicemesh:v1alpha2 tenant:v1alpha1"
+
+# Generate code
+generate:
+ifndef GOPATH
+	$(error GOPATH not defined, please define GOPATH. Run "go help gopath" to learn more about GOPATH)
+endif
+	go generate ./pkg/... ./cmd/...
+
+# Build the docker image
+docker-build: all
+	docker build . -t ${IMG}
+
+# Run tests
+test: generate fmt vet
+	go test ./pkg/... ./cmd/... -coverprofile cover.out
 
 .PHONY: clean
 clean:

PROJECT

@@ -0,0 +1,3 @@
+version: "1"
+domain: kubesphere.io
+repo: kubesphere.io/kubesphere

README.md

@@ -2,37 +2,116 @@
 [![License](http://img.shields.io/badge/license-apache%20v2-blue.svg)](https://github.com/KubeSphere/KubeSphere/blob/master/LICENSE)
 [![Build Status](https://travis-ci.org/kubesphere/kubesphere.svg?branch=master)](https://travis-ci.org/kubesphere/kubesphere)
 
-----
-***KubeSphere*** is a distribution of [Kubernetes](https://kubernetes.io), aimed to provide quick setup, friendly and easily use, and powerful management features for Kubernetes clusters, which could help both personal and enterprise users, reduce their learning curve of Kubernetes, accelerate their transform process from other container platforms to Kubernetes.   
+![logo](docs/images/kubesphere-logo.png)
 
-**Features:**
- - Multiple IaaS platform support, including baremetal/KVM/QingCloud, and more will be supported in future release.  
- - Easy setup of Kubernetes standalone(only one master node) and cluster environment(including High Availability support).  
- - Powerful management console to help business users to manage and monitor the Kubernetes environment.  
- - Integrate with [OpenPitrix](https://github.com/openpitrix) to provide full life cycle of application management and be compatible of helm package.  
- - Support popular open source network solutions, including calico and flannel, also could use [qingcloud hostnic solution](https://github.com/yunify/hostnic-cni) if the Kubernetes is deployed on QingCloud platform.  
- - Support popular open source storage solutions, including Glusterfs and Cephfs, also could use [qingcloud storage solution](https://github.com/yunify/qingcloud-volume-provisioner) if the Kubernetes is deployed on QingCloud platform.  
- - CI/CD support.  
- - Service Mesh support.  
- - Multiple image registries support.  
- - Federation support.  
- - Integrate with QingCloud IAM.  
 ----
 
-## Motivation
+## What is KubeSphere
 
-The project originates from the requirement and pains we heard from our customers on public and private QingCloud platform, who have strong will to deploy Kubernetes in their IT system but struggle on completed setup process and long learning curve. With help of KubeSphere, their IT operators could setup Kubernetes environment quickly and use an easy management UI interface to mange their applications.
+[KubeSphere](https://kubesphere.io/) is an enterprise-grade multi-tenant container management platform that built on [Kubernetes](https://kubernetes.io). It provides an easy-to-use UI for users to create computing resources with a few clicks, which reduces the learning curve and empowers the DevOps teams. It greatly reduces the complexity of the daily work of development, testing, operation and maintenance, aiming to alleviate the pain points of Kubernetes' storage, network, security and ease of use, etc.
 
-Getting Started
----------------
-**TBD**
+> See this [document](https://docs.kubesphere.io/advanced-v2.0/zh-CN/introduction/intro/) that describes the KubeSphere landscape and details.
 
-## Design
+## Features
+
+KubeSphere Advanced Edition 2.0.2 provides an easy-to-use console with the awesome user experience that allows you to quickly get started with a container management platform. KubeSphere provides and supports following core features:
+
+
+- Workload management
+- Service mesh (Istio-based)
+- DevOps
+- Source to Image
+- Multi-tenant management
+- Multi-dimensional and Multi-tenant Monitoring, Logging, Alerting, Notification
+- Service and network management
+- Application template and repository
+- Infrastructure management, image registry management
+- Integrate Harbor and GitLab
+- LB controller for Kubernetes on bare metal ([Porter](https://github.com/kubesphere/porter)), [cloud LB plugin](https://github.com/yunify/qingcloud-cloud-controller-manager)
+- Support GPU node
+
+
+It also supports multiple open source storage and high-performance cloud storage as the persistent storage services, as well as supports multiple open source network plugins.
+
+> Note:
+> - See the [Screenshots](docs/screenshots.md) of KubeSphere to have a most intuitive understanding of KubeSphere dashboard and features.
+> - See this [document](https://docs.kubesphere.io/advanced-v2.0/zh-CN/introduction/features/) that elaborates on the KubeSphere features and services from a professional point of view.
+
+----
+
+## Latest Release
+
+KubeSphere Advanced Edition 2.0.2 was released on **July 9th, 2019**. See the [Release Notes For 2.0.2](https://docs.kubesphere.io/advanced-v2.0/zh-CN/release/release-v202/) to preview the updates.
+
+## Installation
+
+### Minimum Requirements
+
+- Operating Systems
+   - CentOS 7.5 (64 bit)
+   - Ubuntu 16.04/18.04 LTS (64 bit)
+   - Red Hat Enterprise Linux Server 7.4 (64 bit)
+   - Debian Stretch 9.5 (64 bit)
+- Hardware
+   - CPU：8 Core,  Memory：16 G, Disk Space：100 G
+
+### All-in-One
+
+[All-in-One](https://docs.kubesphere.io/advanced-v2.0/zh-CN/installation/all-in-one/): For those who are new to KubeSphere and looking for the fastest way to install and experience the dashboard. Execute following commands to download and install KubeSphere in a single node.
+
+```bash
+$ curl -L https://kubesphere.io/download/stable/advanced-2.0.2 > advanced-2.0.2.tar.gz && tar -zxf advanced-2.0.2.tar.gz && cd kubesphere-all-advanced-2.0.2/scripts
+$ ./install.sh
+```
+
+![all-in-one](https://pek3b.qingstor.com/kubesphere-docs/png/kubesphere-allinone.gif)
+
+Choose `"1) All-in-one"` to trigger the installation. Generally, you can install it directly without any configuration. For details please reference [All-in-One](https://docs.kubesphere.io/advanced-v2.0/zh-CN/installation/all-in-one/).
+
+### Multi-Node
+
+[Multi-Node](https://docs.kubesphere.io/advanced-v2.0/zh-CN/installation/multi-node/) is used for installing KubeSphere on multiple instances, supports for installing a highly available cluster in a formal environment. Multi-node installation requires pre-configuration steps, see [Multi-Node Guide](https://docs.kubesphere.io/advanced-v2.0/zh-CN/installation/multi-node/).
+
+
+## To start using KubeSphere
+
+### Quick Start
+
+The [Quick Start Guide](https://docs.kubesphere.io/advanced-v2.0/quick-start/admin-quick-start/) provides 12 quick-start tutorials to walk you through the process and common manipulation in KubeSphere, with a quick overview of the core features of KubeSphere that helps you to get familiar with it.
+
+
+![Dashboard](docs/images/dashboard.png)
+
+### Documentation
+
+- [KubeSphere Documentation (En/中) ](https://docs.kubesphere.io/)
+- [KubeSphere Documentation (PDF)](https://docs.kubesphere.io/KubeSphere-advanced-v2.0.pdf)
+
+
+## To start developing KubeSphere
+
+The [development guide](docs/development-guide.md) hosts all information about building KubeSphere from source, git workflow, how to contribute code and how to test.
+
+## RoadMap
+
+Currently, KubeSphere has released the following 4 major editions. The future releases will include Big data, AI, Multicluster, QingCloud SDN, etc.
+
+**Community Edition** => **Express Edition** => **Advanced Edition 1.0.0** => **Advanced Edition 2.0.x**
+
+![Roadmap](docs/images/roadmap-2.0.2-en.png)
+
+
+## Support, Discussion, and Community
+
+If you need any help with KubeSphere, please join us at [Slack channel](http://kubesphere.slack.com/).
+
+Please submit any KubeSphere bugs, issues, and feature requests to [KubeSphere GitHub Issue](https://github.com/kubesphere/kubesphere/issues).
 
 ## Contributing to the project
 
-All [members](docs/members.md) of the KubeSphere community must abide by [Code of Conduct](code-of-conduct.md). Only by respecting each other can we develop a productive, collaborative community.
+All members of the KubeSphere community must abide by [Code of Conduct](docs/code-of-conduct.md). Only by respecting each other can we develop a productive, collaborative community.
+
+How to submit a pull request to KubeSphere? See [Pull Request Instruction](docs/pull-requests.md).
 
-You can then check out how to [setup for development](docs/development.md).
 
 

build/builder-docker/.ash_history

@@ -1,3 +0,0 @@
-ls /go/bin
-go version
-exit

build/builder-docker/Dockerfile

@@ -1,19 +0,0 @@
-# Copyright 2018 The KubeSphere Authors. All rights reserved.
-# Use of this source code is governed by a Apache license
-# that can be found in the LICENSE file.
-
-FROM golang:1.10.2-alpine3.7 as builder
-
-RUN apk add --no-cache git curl openssl
-
-RUN go get github.com/tools/godep
-#RUN go get github.com/emicklei/go-restful
-#RUN go get github.com/golang/glog
-#RUN go get github.com/spf13/pflag
-RUN go get golang.org/x/tools/cmd/goimports
-
-FROM golang:1.10.2-alpine3.7
-
-RUN apk add --no-cache git make curl openssl jq rsync godep
-
-COPY --from=builder /go/bin /go/bin

build/builder-docker/Makefile

@@ -1,17 +0,0 @@
-# Copyright 2018 The KubeSphere Authors. All rights reserved.
-# Use of this source code is governed by a Apache license
-# that can be found in the LICENSE file.
-
-default:
-	docker build -t kubesphere/kubesphere-builder .
-	@echo "ok"
-
-pull:
-	docker pull kubesphere/kubesphere-builder
-	@echo "ok"
-
-run:
-	docker run --rm -it -v `pwd`:/root kubesphere/kubesphere-builder
-
-clean:
-	@echo "ok"

build/ks-apigateway/Dockerfile

@@ -0,0 +1,20 @@
+# Copyright 2018 The KubeSphere Authors. All rights reserved.
+# Use of this source code is governed by a Apache license
+# that can be found in the LICENSE file.
+
+# Copyright 2018 The KubeSphere Authors. All rights reserved.
+# Use of this source code is governed by a Apache license
+# that can be found in the LICENSE file.
+
+FROM golang:1.12 as ks-apigateway-builder
+
+COPY / /go/src/kubesphere.io/kubesphere
+WORKDIR /go/src/kubesphere.io/kubesphere
+RUN CGO_ENABLED=0 GO111MODULE=off GOOS=linux GOARCH=amd64 go build -i -ldflags '-w -s' -o ks-apigateway cmd/ks-apigateway/apiserver.go && \
+    go run tools/cmd/doc-gen/main.go --output=install/swagger-ui/api.json
+
+FROM alpine:3.9
+RUN apk add --update ca-certificates && update-ca-certificates
+COPY --from=ks-apigateway-builder /go/src/kubesphere.io/kubesphere/ks-apigateway /usr/local/bin/
+COPY --from=ks-apigateway-builder /go/src/kubesphere.io/kubesphere/install/swagger-ui /var/static/swagger-ui
+CMD ["sh"]

build/ks-apiserver/Dockerfile

@@ -0,0 +1,18 @@
+# Copyright 2018 The KubeSphere Authors. All rights reserved.
+# Use of this source code is governed by a Apache license
+# that can be found in the LICENSE file.
+
+# Copyright 2018 The KubeSphere Authors. All rights reserved.
+# Use of this source code is governed by a Apache license
+# that can be found in the LICENSE file.
+FROM golang:1.12 as ks-apiserver-builder
+
+COPY / /go/src/kubesphere.io/kubesphere
+
+WORKDIR /go/src/kubesphere.io/kubesphere
+RUN CGO_ENABLED=0 GO111MODULE=off GOOS=linux GOARCH=amd64 go build -i -ldflags '-w -s' -o ks-apiserver cmd/ks-apiserver/apiserver.go
+
+FROM alpine:3.9
+RUN apk add --update ca-certificates && update-ca-certificates
+COPY --from=ks-apiserver-builder /go/src/kubesphere.io/kubesphere/ks-apiserver /usr/local/bin/
+CMD ["sh"]

build/ks-controller-manager/Dockerfile

@@ -0,0 +1,18 @@
+# Copyright 2018 The KubeSphere Authors. All rights reserved.
+# Use of this source code is governed by a Apache license
+# that can be found in the LICENSE file.
+
+# Copyright 2018 The KubeSphere Authors. All rights reserved.
+# Use of this source code is governed by a Apache license
+# that can be found in the LICENSE file.
+FROM golang:1.12 as controller-manager-builder
+
+COPY / /go/src/kubesphere.io/kubesphere
+WORKDIR /go/src/kubesphere.io/kubesphere
+
+RUN GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build --ldflags "-extldflags -static" -o controller-manager ./cmd/controller-manager/
+
+FROM alpine:3.7
+RUN apk add --update ca-certificates && update-ca-certificates
+COPY --from=controller-manager-builder /go/src/kubesphere.io/kubesphere/controller-manager /usr/local/bin/
+CMD controller-manager

build/ks-iam/Dockerfile

@@ -0,0 +1,18 @@
+# Copyright 2018 The KubeSphere Authors. All rights reserved.
+# Use of this source code is governed by a Apache license
+# that can be found in the LICENSE file.
+
+# Copyright 2018 The KubeSphere Authors. All rights reserved.
+# Use of this source code is governed by a Apache license
+# that can be found in the LICENSE file.
+FROM golang:1.12 as ks-iam-builder
+
+COPY / /go/src/kubesphere.io/kubesphere
+
+WORKDIR /go/src/kubesphere.io/kubesphere
+RUN CGO_ENABLED=0 GO111MODULE=off GOOS=linux GOARCH=amd64 go build -i -ldflags '-w -s' -o ks-iam cmd/ks-iam/apiserver.go
+
+FROM alpine:3.9
+RUN apk add --update ca-certificates && update-ca-certificates
+COPY --from=ks-iam-builder /go/src/kubesphere.io/kubesphere/ks-iam /usr/local/bin/
+CMD ["sh"]

cmd/controller-manager/app/controllers.go

@@ -0,0 +1,126 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package app
+
+import (
+	"k8s.io/client-go/informers"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+	"kubesphere.io/kubesphere/pkg/controller/application"
+	"kubesphere.io/kubesphere/pkg/controller/destinationrule"
+	"kubesphere.io/kubesphere/pkg/controller/job"
+
+	//"kubesphere.io/kubesphere/pkg/controller/job"
+	"kubesphere.io/kubesphere/pkg/controller/virtualservice"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"time"
+
+	logf "sigs.k8s.io/controller-runtime/pkg/runtime/log"
+
+	istioclientset "github.com/knative/pkg/client/clientset/versioned"
+	istioinformers "github.com/knative/pkg/client/informers/externalversions"
+	applicationclientset "github.com/kubernetes-sigs/application/pkg/client/clientset/versioned"
+	applicationinformers "github.com/kubernetes-sigs/application/pkg/client/informers/externalversions"
+	servicemeshclientset "kubesphere.io/kubesphere/pkg/client/clientset/versioned"
+	servicemeshinformers "kubesphere.io/kubesphere/pkg/client/informers/externalversions"
+)
+
+const defaultResync = 600 * time.Second
+
+var log = logf.Log.WithName("controller-manager")
+
+func AddControllers(mgr manager.Manager, cfg *rest.Config, stopCh <-chan struct{}) error {
+
+	kubeClient, err := kubernetes.NewForConfig(cfg)
+	if err != nil {
+		log.Error(err, "building kubernetes client failed")
+	}
+
+	istioclient, err := istioclientset.NewForConfig(cfg)
+	if err != nil {
+		log.Error(err, "create istio client failed")
+		return err
+	}
+
+	applicationClient, err := applicationclientset.NewForConfig(cfg)
+	if err != nil {
+		log.Error(err, "create application client failed")
+		return err
+	}
+
+	informerFactory := informers.NewSharedInformerFactory(kubeClient, defaultResync)
+	istioInformer := istioinformers.NewSharedInformerFactory(istioclient, defaultResync)
+	applicationInformer := applicationinformers.NewSharedInformerFactory(applicationClient, defaultResync)
+
+	servicemeshclient, err := servicemeshclientset.NewForConfig(cfg)
+	if err != nil {
+		log.Error(err, "create servicemesh client failed")
+		return err
+	}
+
+	servicemeshInformer := servicemeshinformers.NewSharedInformerFactory(servicemeshclient, defaultResync)
+
+	vsController := virtualservice.NewVirtualServiceController(informerFactory.Core().V1().Services(),
+		istioInformer.Networking().V1alpha3().VirtualServices(),
+		istioInformer.Networking().V1alpha3().DestinationRules(),
+		servicemeshInformer.Servicemesh().V1alpha2().Strategies(),
+		kubeClient,
+		istioclient,
+		servicemeshclient)
+
+	drController := destinationrule.NewDestinationRuleController(informerFactory.Apps().V1().Deployments(),
+		istioInformer.Networking().V1alpha3().DestinationRules(),
+		informerFactory.Core().V1().Services(),
+		servicemeshInformer.Servicemesh().V1alpha2().ServicePolicies(),
+		kubeClient,
+		istioclient,
+		servicemeshclient)
+
+	apController := application.NewApplicationController(informerFactory.Core().V1().Services(),
+		informerFactory.Apps().V1().Deployments(),
+		informerFactory.Apps().V1().StatefulSets(),
+		servicemeshInformer.Servicemesh().V1alpha2().Strategies(),
+		servicemeshInformer.Servicemesh().V1alpha2().ServicePolicies(),
+		applicationInformer.App().V1beta1().Applications(),
+		kubeClient,
+		applicationClient)
+
+	jobController := job.NewJobController(informerFactory.Batch().V1().Jobs(), kubeClient)
+
+	servicemeshInformer.Start(stopCh)
+	istioInformer.Start(stopCh)
+	informerFactory.Start(stopCh)
+	applicationInformer.Start(stopCh)
+
+	controllers := map[string]manager.Runnable{
+		"virtualservice-controller":  vsController,
+		"destinationrule-controller": drController,
+		"application-controller":     apController,
+		"job-controller":             jobController,
+	}
+
+	for name, ctrl := range controllers {
+		err = mgr.Add(ctrl)
+		if err != nil {
+			log.Error(err, "add controller to manager failed", "name", name)
+			return err
+		}
+	}
+
+	return nil
+}

cmd/controller-manager/app/helper.go

@@ -0,0 +1,38 @@
+package app
+
+import (
+	"fmt"
+	"k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/klog"
+	"net/http"
+	"time"
+)
+
+// WaitForAPIServer waits for the API Server's /healthz endpoint to report "ok" with timeout.
+func WaitForAPIServer(client clientset.Interface, timeout time.Duration) error {
+	var lastErr error
+
+	err := wait.PollImmediate(time.Second, timeout, func() (bool, error) {
+		healthStatus := 0
+		result := client.Discovery().RESTClient().Get().AbsPath("/healthz").Do().StatusCode(&healthStatus)
+		if result.Error() != nil {
+			lastErr = fmt.Errorf("failed to get apiserver /healthz status: %v", result.Error())
+			return false, nil
+		}
+		if healthStatus != http.StatusOK {
+			content, _ := result.Raw()
+			lastErr = fmt.Errorf("APIServer isn't healthy: %v", string(content))
+			klog.Warningf("APIServer isn't healthy yet: %v. Waiting a little while.", string(content))
+			return false, nil
+		}
+
+		return true, nil
+	})
+
+	if err != nil {
+		return fmt.Errorf("%v: %v", err, lastErr)
+	}
+
+	return nil
+}

cmd/controller-manager/controller-manager.go

@@ -0,0 +1,89 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+
+package main
+
+import (
+	"flag"
+	"k8s.io/client-go/tools/clientcmd"
+	"kubesphere.io/kubesphere/cmd/controller-manager/app"
+	"kubesphere.io/kubesphere/pkg/apis"
+	"kubesphere.io/kubesphere/pkg/controller"
+	"os"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	logf "sigs.k8s.io/controller-runtime/pkg/runtime/log"
+	"sigs.k8s.io/controller-runtime/pkg/runtime/signals"
+)
+
+var (
+	masterURL   string
+	kubeconfig  string
+	metricsAddr string
+)
+
+func init() {
+	flag.StringVar(&masterURL, "master-url", "", "only need if out of cluster")
+	flag.StringVar(&kubeconfig, "kubeconfig", "", "only need if out of cluster")
+	flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
+}
+
+func main() {
+	flag.Parse()
+
+	logf.SetLogger(logf.ZapLogger(false))
+	log := logf.Log.WithName("controller-manager")
+
+	cfg, err := clientcmd.BuildConfigFromFlags(masterURL, kubeconfig)
+	if err != nil {
+		log.Error(err, "failed to build kubeconfig")
+		os.Exit(1)
+	}
+
+	stopCh := signals.SetupSignalHandler()
+
+	log.Info("setting up manager")
+	mgr, err := manager.New(cfg, manager.Options{})
+	if err != nil {
+		log.Error(err, "unable to set up overall controller manager")
+		os.Exit(1)
+	}
+
+	log.Info("setting up scheme")
+	if err := apis.AddToScheme(mgr.GetScheme()); err != nil {
+		log.Error(err, "unable add APIs to scheme")
+		os.Exit(1)
+	}
+
+	log.Info("Setting up controllers")
+	if err := controller.AddToManager(mgr); err != nil {
+		log.Error(err, "unable to register controllers to the manager")
+		os.Exit(1)
+	}
+
+	if err := app.AddControllers(mgr, cfg, stopCh); err != nil {
+		log.Error(err, "unable to register controllers to the manager")
+		os.Exit(1)
+	}
+
+	log.Info("Starting the Cmd.")
+	if err := mgr.Start(stopCh); err != nil {
+		log.Error(err, "unable to run the manager")
+		os.Exit(1)
+	}
+
+}

cmd/ks-apigateway/apiserver.go

@@ -0,0 +1,35 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package main
+
+import (
+	"github.com/mholt/caddy/caddy/caddymain"
+	"github.com/mholt/caddy/caddyhttp/httpserver"
+
+	// Install apis
+	_ "kubesphere.io/kubesphere/pkg/apigateway/caddy-plugin/authenticate"
+	_ "kubesphere.io/kubesphere/pkg/apigateway/caddy-plugin/authentication"
+	_ "kubesphere.io/kubesphere/pkg/apigateway/caddy-plugin/swagger"
+)
+
+func main() {
+	httpserver.RegisterDevDirective("authenticate", "jwt")
+	httpserver.RegisterDevDirective("authentication", "jwt")
+	httpserver.RegisterDevDirective("swagger", "jwt")
+	caddymain.Run()
+}

cmd/ks-apiserver/apiserver.go

@@ -0,0 +1,41 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package main
+
+import (
+	"kubesphere.io/kubesphere/cmd/ks-apiserver/app"
+	"log"
+	// Install apis
+	_ "kubesphere.io/kubesphere/pkg/apis/devops/install"
+	_ "kubesphere.io/kubesphere/pkg/apis/logging/install"
+	_ "kubesphere.io/kubesphere/pkg/apis/monitoring/install"
+	_ "kubesphere.io/kubesphere/pkg/apis/operations/install"
+	_ "kubesphere.io/kubesphere/pkg/apis/resources/install"
+	_ "kubesphere.io/kubesphere/pkg/apis/servicemesh/metrics/install"
+	_ "kubesphere.io/kubesphere/pkg/apis/tenant/install"
+	_ "kubesphere.io/kubesphere/pkg/apis/terminal/install"
+)
+
+func main() {
+
+	cmd := app.NewAPIServerCommand()
+
+	if err := cmd.Execute(); err != nil {
+		log.Fatalln(err)
+	}
+}

cmd/ks-apiserver/app/options/options.go

@@ -0,0 +1,45 @@
+package options
+
+import (
+	"github.com/spf13/pflag"
+	genericoptions "kubesphere.io/kubesphere/pkg/options"
+)
+
+type ServerRunOptions struct {
+	GenericServerRunOptions *genericoptions.ServerRunOptions
+
+	// istio pilot discovery service url
+	IstioPilotServiceURL string
+
+	// jaeger query service url
+	JaegerQueryServiceUrl string
+
+	// prometheus service url for servicemesh metrics
+	ServicemeshPrometheusServiceUrl string
+
+	// openpitrix api gateway service url
+	OpenPitrixServer string
+
+	// openpitrix service token
+	OpenPitrixProxyToken string
+}
+
+func NewServerRunOptions() *ServerRunOptions {
+
+	s := ServerRunOptions{
+		GenericServerRunOptions: genericoptions.NewServerRunOptions(),
+		IstioPilotServiceURL:    "http://istio-pilot.istio-system.svc:8080/version",
+		JaegerQueryServiceUrl:   "http://jaeger-query.istio-system.svc:16686/jaeger",
+	}
+
+	return &s
+}
+
+func (s *ServerRunOptions) AddFlags(fs *pflag.FlagSet) {
+
+	s.GenericServerRunOptions.AddFlags(fs)
+
+	fs.StringVar(&s.IstioPilotServiceURL, "istio-pilot-service-url", "http://istio-pilot.istio-system.svc:8080/version", "istio pilot discovery service url")
+	fs.StringVar(&s.JaegerQueryServiceUrl, "jaeger-query-service-url", "http://jaeger-query.istio-system.svc:16686/jaeger", "jaeger query service url")
+	fs.StringVar(&s.ServicemeshPrometheusServiceUrl, "servicemesh-prometheus-service-url", "http://prometheus-k8s-system.kubesphere-monitoring-system.svc:9090", "prometheus service for servicemesh")
+}

cmd/ks-apiserver/app/server.go

@@ -0,0 +1,198 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package app
+
+import (
+	goflag "flag"
+	"fmt"
+	"github.com/golang/glog"
+	"github.com/json-iterator/go"
+	kconfig "github.com/kiali/kiali/config"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+	"kubesphere.io/kubesphere/cmd/ks-apiserver/app/options"
+	"kubesphere.io/kubesphere/pkg/apiserver/runtime"
+	"kubesphere.io/kubesphere/pkg/apiserver/servicemesh/tracing"
+	"kubesphere.io/kubesphere/pkg/filter"
+	"kubesphere.io/kubesphere/pkg/informers"
+	"kubesphere.io/kubesphere/pkg/models/devops"
+	logging "kubesphere.io/kubesphere/pkg/models/log"
+	"kubesphere.io/kubesphere/pkg/server"
+	"kubesphere.io/kubesphere/pkg/signals"
+	"kubesphere.io/kubesphere/pkg/simple/client/admin_jenkins"
+	"kubesphere.io/kubesphere/pkg/simple/client/devops_mysql"
+	"log"
+	"net/http"
+)
+
+var jsonIter = jsoniter.ConfigCompatibleWithStandardLibrary
+
+func NewAPIServerCommand() *cobra.Command {
+	s := options.NewServerRunOptions()
+
+	cmd := &cobra.Command{
+		Use: "ks-apiserver",
+		Long: `The KubeSphere API server validates and configures data
+for the api objects. The API Server services REST operations and provides the frontend to the
+cluster's shared state through which all other components interact.`,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return Run(s)
+		},
+	}
+
+	s.AddFlags(cmd.Flags())
+	cmd.Flags().AddGoFlagSet(goflag.CommandLine)
+	glog.CopyStandardLogTo("INFO")
+
+	return cmd
+}
+
+func Run(s *options.ServerRunOptions) error {
+
+	pflag.VisitAll(func(flag *pflag.Flag) {
+		log.Printf("FLAG: --%s=%q", flag.Name, flag.Value)
+	})
+
+	var err error
+
+	waitForResourceSync()
+
+	container := runtime.Container
+	container.DoNotRecover(false)
+	container.Filter(filter.Logging)
+	container.RecoverHandler(server.LogStackOnRecover)
+	for _, webservice := range container.RegisteredWebServices() {
+		for _, route := range webservice.Routes() {
+			log.Println(route.Method, route.Path)
+		}
+	}
+
+	initializeAdminJenkins()
+	initializeDevOpsDatabase()
+	initializeESClientConfig()
+	initializeServicemeshConfig(s)
+
+	if s.GenericServerRunOptions.InsecurePort != 0 {
+		log.Printf("Server listening on %d.", s.GenericServerRunOptions.InsecurePort)
+		err = http.ListenAndServe(fmt.Sprintf("%s:%d", s.GenericServerRunOptions.BindAddress, s.GenericServerRunOptions.InsecurePort), container)
+	}
+
+	if s.GenericServerRunOptions.SecurePort != 0 && len(s.GenericServerRunOptions.TlsCertFile) > 0 && len(s.GenericServerRunOptions.TlsPrivateKey) > 0 {
+		log.Printf("Server listening on %d.", s.GenericServerRunOptions.SecurePort)
+		err = http.ListenAndServeTLS(fmt.Sprintf("%s:%d", s.GenericServerRunOptions.BindAddress, s.GenericServerRunOptions.SecurePort), s.GenericServerRunOptions.TlsCertFile, s.GenericServerRunOptions.TlsPrivateKey, container)
+	}
+
+	return err
+}
+
+func initializeAdminJenkins() {
+	devops.JenkinsInit()
+	admin_jenkins.Client()
+}
+
+func initializeDevOpsDatabase() {
+	devops_mysql.OpenDatabase()
+}
+
+func initializeServicemeshConfig(s *options.ServerRunOptions) {
+	// Initialize kiali config
+	config := kconfig.NewConfig()
+
+	tracing.JaegerQueryUrl = s.JaegerQueryServiceUrl
+
+	// Exclude system namespaces
+	config.API.Namespaces.Exclude = []string{"istio-system", "kubesphere*", "kube*"}
+	config.InCluster = true
+
+	// Set default prometheus service url
+	config.ExternalServices.PrometheusServiceURL = s.ServicemeshPrometheusServiceUrl
+	config.ExternalServices.PrometheusCustomMetricsURL = config.ExternalServices.PrometheusServiceURL
+
+	// Set istio pilot discovery service url
+	config.ExternalServices.Istio.UrlServiceVersion = s.IstioPilotServiceURL
+
+	kconfig.Set(config)
+}
+
+func initializeESClientConfig() {
+
+	// List all outputs
+	outputs, err := logging.GetFluentbitOutputFromConfigMap()
+	if err != nil {
+		glog.Errorln(err)
+		return
+	}
+
+	// Iterate the outputs to get elasticsearch configs
+	for _, output := range outputs {
+		if configs := logging.ParseEsOutputParams(output.Parameters); configs != nil {
+			configs.WriteESConfigs()
+			return
+		}
+	}
+}
+
+func waitForResourceSync() {
+	stopChan := signals.SetupSignalHandler()
+
+	informerFactory := informers.SharedInformerFactory()
+	informerFactory.Rbac().V1().Roles().Lister()
+	informerFactory.Rbac().V1().RoleBindings().Lister()
+	informerFactory.Rbac().V1().ClusterRoles().Lister()
+	informerFactory.Rbac().V1().ClusterRoleBindings().Lister()
+
+	informerFactory.Storage().V1().StorageClasses().Lister()
+
+	informerFactory.Core().V1().Namespaces().Lister()
+	informerFactory.Core().V1().Nodes().Lister()
+	informerFactory.Core().V1().ResourceQuotas().Lister()
+	informerFactory.Core().V1().Pods().Lister()
+	informerFactory.Core().V1().Services().Lister()
+	informerFactory.Core().V1().PersistentVolumeClaims().Lister()
+	informerFactory.Core().V1().Secrets().Lister()
+	informerFactory.Core().V1().ConfigMaps().Lister()
+
+	informerFactory.Apps().V1().ControllerRevisions().Lister()
+	informerFactory.Apps().V1().StatefulSets().Lister()
+	informerFactory.Apps().V1().Deployments().Lister()
+	informerFactory.Apps().V1().DaemonSets().Lister()
+	informerFactory.Apps().V1().ReplicaSets().Lister()
+
+	informerFactory.Batch().V1().Jobs().Lister()
+	informerFactory.Batch().V1beta1().CronJobs().Lister()
+	informerFactory.Extensions().V1beta1().Ingresses().Lister()
+
+	informerFactory.Start(stopChan)
+	informerFactory.WaitForCacheSync(stopChan)
+
+	s2iInformerFactory := informers.S2iSharedInformerFactory()
+	s2iInformerFactory.Devops().V1alpha1().S2iBuilderTemplates().Lister()
+	s2iInformerFactory.Devops().V1alpha1().S2iRuns().Lister()
+	s2iInformerFactory.Devops().V1alpha1().S2iBuilders().Lister()
+
+	s2iInformerFactory.Start(stopChan)
+	s2iInformerFactory.WaitForCacheSync(stopChan)
+
+	ksInformerFactory := informers.KsSharedInformerFactory()
+	ksInformerFactory.Tenant().V1alpha1().Workspaces().Lister()
+
+	ksInformerFactory.Start(stopChan)
+	ksInformerFactory.WaitForCacheSync(stopChan)
+
+	log.Println("resources sync success")
+}

cmd/ks-iam/apiserver.go

@@ -0,0 +1,34 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package main
+
+import (
+	"kubesphere.io/kubesphere/cmd/ks-iam/app"
+	"log"
+	// Install apis
+	_ "kubesphere.io/kubesphere/pkg/apis/iam/install"
+)
+
+func main() {
+
+	cmd := app.NewAPIServerCommand()
+
+	if err := cmd.Execute(); err != nil {
+		log.Fatalln(err)
+	}
+}

cmd/ks-iam/app/options/options.go

@@ -0,0 +1,48 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package options
+
+import (
+	"github.com/spf13/pflag"
+	genericoptions "kubesphere.io/kubesphere/pkg/options"
+)
+
+type ServerRunOptions struct {
+	GenericServerRunOptions *genericoptions.ServerRunOptions
+	AdminEmail              string
+	AdminPassword           string
+	TokenExpireTime         string
+	JWTSecret               string
+	AuthRateLimit           string
+}
+
+func NewServerRunOptions() *ServerRunOptions {
+	s := &ServerRunOptions{
+		GenericServerRunOptions: genericoptions.NewServerRunOptions(),
+	}
+	return s
+}
+
+func (s *ServerRunOptions) AddFlags(fs *pflag.FlagSet) {
+	fs.StringVar(&s.AdminEmail, "admin-email", "admin@kubesphere.io", "default administrator's email")
+	fs.StringVar(&s.AdminPassword, "admin-password", "passw0rd", "default administrator's password")
+	fs.StringVar(&s.TokenExpireTime, "token-expire-time", "2h", "token expire time,valid time units are \"ns\",\"us\",\"ms\",\"s\",\"m\",\"h\"")
+	fs.StringVar(&s.JWTSecret, "jwt-secret", "", "jwt secret")
+	fs.StringVar(&s.AuthRateLimit, "auth-rate-limit", "5/30m", "specifies the maximum number of authentication attempts permitted and time interval,valid time units are \"s\",\"m\",\"h\"")
+	s.GenericServerRunOptions.AddFlags(fs)
+}

cmd/ks-iam/app/server.go

@@ -0,0 +1,137 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package app
+
+import (
+	goflag "flag"
+	"fmt"
+	"github.com/golang/glog"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+	"kubesphere.io/kubesphere/cmd/ks-iam/app/options"
+	"kubesphere.io/kubesphere/pkg/apiserver/runtime"
+	"kubesphere.io/kubesphere/pkg/filter"
+	"kubesphere.io/kubesphere/pkg/informers"
+	"kubesphere.io/kubesphere/pkg/models/iam"
+	"kubesphere.io/kubesphere/pkg/server"
+	"kubesphere.io/kubesphere/pkg/signals"
+	"kubesphere.io/kubesphere/pkg/simple/client/admin_jenkins"
+	"kubesphere.io/kubesphere/pkg/simple/client/devops_mysql"
+	"kubesphere.io/kubesphere/pkg/utils/jwtutil"
+	"log"
+	"net/http"
+	"time"
+)
+
+func NewAPIServerCommand() *cobra.Command {
+	s := options.NewServerRunOptions()
+
+	cmd := &cobra.Command{
+		Use: "ks-iam",
+		Long: `The KubeSphere API server validates and configures data
+for the api objects. The API Server services REST operations and provides the frontend to the
+cluster's shared state through which all other components interact.`,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return Run(s)
+		},
+	}
+	s.AddFlags(cmd.Flags())
+	cmd.Flags().AddGoFlagSet(goflag.CommandLine)
+	glog.CopyStandardLogTo("INFO")
+
+	return cmd
+}
+
+func Run(s *options.ServerRunOptions) error {
+	pflag.VisitAll(func(flag *pflag.Flag) {
+		log.Printf("FLAG: --%s=%q", flag.Name, flag.Value)
+	})
+
+	var err error
+
+	expireTime, err := time.ParseDuration(s.TokenExpireTime)
+
+	if err != nil {
+		return err
+	}
+
+	waitForResourceSync()
+
+	initializeAdminJenkins()
+	initializeDevOpsDatabase()
+
+	err = iam.Init(s.AdminEmail, s.AdminPassword, expireTime, s.AuthRateLimit)
+	jwtutil.Setup(s.JWTSecret)
+
+	if err != nil {
+		return err
+	}
+
+	container := runtime.Container
+	container.Filter(filter.Logging)
+	container.DoNotRecover(false)
+	container.RecoverHandler(server.LogStackOnRecover)
+
+	for _, webservice := range container.RegisteredWebServices() {
+		for _, route := range webservice.Routes() {
+			log.Println(route.Method, route.Path)
+		}
+	}
+
+	if s.GenericServerRunOptions.InsecurePort != 0 {
+		log.Printf("Server listening on %d.", s.GenericServerRunOptions.InsecurePort)
+		err = http.ListenAndServe(fmt.Sprintf("%s:%d", s.GenericServerRunOptions.BindAddress, s.GenericServerRunOptions.InsecurePort), container)
+	}
+
+	if s.GenericServerRunOptions.SecurePort != 0 && len(s.GenericServerRunOptions.TlsCertFile) > 0 && len(s.GenericServerRunOptions.TlsPrivateKey) > 0 {
+		log.Printf("Server listening on %d.", s.GenericServerRunOptions.SecurePort)
+		err = http.ListenAndServeTLS(fmt.Sprintf("%s:%d", s.GenericServerRunOptions.BindAddress, s.GenericServerRunOptions.SecurePort), s.GenericServerRunOptions.TlsCertFile, s.GenericServerRunOptions.TlsPrivateKey, container)
+	}
+
+	return err
+}
+
+func waitForResourceSync() {
+	stopChan := signals.SetupSignalHandler()
+
+	informerFactory := informers.SharedInformerFactory()
+	informerFactory.Rbac().V1().Roles().Lister()
+	informerFactory.Rbac().V1().RoleBindings().Lister()
+	informerFactory.Rbac().V1().ClusterRoles().Lister()
+	informerFactory.Rbac().V1().ClusterRoleBindings().Lister()
+
+	informerFactory.Core().V1().Namespaces().Lister()
+
+	informerFactory.Start(stopChan)
+	informerFactory.WaitForCacheSync(stopChan)
+
+	ksInformerFactory := informers.KsSharedInformerFactory()
+	ksInformerFactory.Tenant().V1alpha1().Workspaces().Lister()
+
+	ksInformerFactory.Start(stopChan)
+	ksInformerFactory.WaitForCacheSync(stopChan)
+	log.Println("resources sync success")
+}
+
+func initializeAdminJenkins() {
+	admin_jenkins.Client()
+}
+
+func initializeDevOpsDatabase() {
+	devops_mysql.OpenDatabase()
+}

cmd/kubesphere.go

@@ -1,40 +0,0 @@
-/*
-Copyright 2018 The KubeSphere Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package main
-
-import (
-	"github.com/spf13/pflag"
-
-	"kubesphere.io/kubesphere/pkg/app"
-	"kubesphere.io/kubesphere/pkg/logs"
-	"kubesphere.io/kubesphere/pkg/options"
-	"kubesphere.io/kubesphere/pkg/version"
-)
-
-func main() {
-
-	options.AddFlags(pflag.CommandLine)
-
-	pflag.Parse()
-	logs.InitLogs()
-
-	defer logs.FlushLogs()
-
-	version.PrintAndExitIfRequested()
-
-	app.Run()
-}

config/crds/app_v1beta1_application.yaml

@@ -0,0 +1,239 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  creationTimestamp: null
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: applications.app.k8s.io
+spec:
+  group: app.k8s.io
+  names:
+    kind: Application
+    plural: applications
+  scope: Namespaced
+  validation:
+    openAPIV3Schema:
+      properties:
+        apiVersion:
+          type: string
+        kind:
+          type: string
+        metadata:
+          type: object
+        spec:
+          properties:
+            assemblyPhase:
+              type: string
+            componentKinds:
+              items:
+                type: object
+              type: array
+            descriptor:
+              properties:
+                description:
+                  type: string
+                icons:
+                  items:
+                    properties:
+                      size:
+                        type: string
+                      src:
+                        type: string
+                      type:
+                        type: string
+                    required:
+                    - src
+                    type: object
+                  type: array
+                keywords:
+                  items:
+                    type: string
+                  type: array
+                links:
+                  items:
+                    properties:
+                      description:
+                        type: string
+                      url:
+                        type: string
+                    type: object
+                  type: array
+                maintainers:
+                  items:
+                    properties:
+                      email:
+                        type: string
+                      name:
+                        type: string
+                      url:
+                        type: string
+                    type: object
+                  type: array
+                notes:
+                  type: string
+                owners:
+                  items:
+                    properties:
+                      email:
+                        type: string
+                      name:
+                        type: string
+                      url:
+                        type: string
+                    type: object
+                  type: array
+                type:
+                  type: string
+                version:
+                  type: string
+              type: object
+            info:
+              items:
+                properties:
+                  name:
+                    type: string
+                  type:
+                    type: string
+                  value:
+                    type: string
+                  valueFrom:
+                    properties:
+                      configMapKeyRef:
+                        properties:
+                          apiVersion:
+                            type: string
+                          fieldPath:
+                            type: string
+                          key:
+                            type: string
+                          kind:
+                            type: string
+                          name:
+                            type: string
+                          namespace:
+                            type: string
+                          resourceVersion:
+                            type: string
+                          uid:
+                            type: string
+                        type: object
+                      ingressRef:
+                        properties:
+                          apiVersion:
+                            type: string
+                          fieldPath:
+                            type: string
+                          host:
+                            type: string
+                          kind:
+                            type: string
+                          name:
+                            type: string
+                          namespace:
+                            type: string
+                          path:
+                            type: string
+                          resourceVersion:
+                            type: string
+                          uid:
+                            type: string
+                        type: object
+                      secretKeyRef:
+                        properties:
+                          apiVersion:
+                            type: string
+                          fieldPath:
+                            type: string
+                          key:
+                            type: string
+                          kind:
+                            type: string
+                          name:
+                            type: string
+                          namespace:
+                            type: string
+                          resourceVersion:
+                            type: string
+                          uid:
+                            type: string
+                        type: object
+                      serviceRef:
+                        properties:
+                          apiVersion:
+                            type: string
+                          fieldPath:
+                            type: string
+                          kind:
+                            type: string
+                          name:
+                            type: string
+                          namespace:
+                            type: string
+                          path:
+                            type: string
+                          port:
+                            format: int32
+                            type: integer
+                          resourceVersion:
+                            type: string
+                          uid:
+                            type: string
+                        type: object
+                      type:
+                        type: string
+                    type: object
+                type: object
+              type: array
+            selector:
+              type: object
+          type: object
+        status:
+          properties:
+            components:
+              items:
+                properties:
+                  group:
+                    type: string
+                  kind:
+                    type: string
+                  link:
+                    type: string
+                  name:
+                    type: string
+                  status:
+                    type: string
+                type: object
+              type: array
+            conditions:
+              items:
+                properties:
+                  lastTransitionTime:
+                    format: date-time
+                    type: string
+                  lastUpdateTime:
+                    format: date-time
+                    type: string
+                  message:
+                    type: string
+                  reason:
+                    type: string
+                  status:
+                    type: string
+                  type:
+                    type: string
+                required:
+                - type
+                - status
+                type: object
+              type: array
+            observedGeneration:
+              format: int64
+              type: integer
+          type: object
+  version: v1beta1
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/istio_v1alpha3_destinationrule.yaml

@@ -0,0 +1,763 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  creationTimestamp: null
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: destinationrules.istio.kubesphere.io
+spec:
+  group: istio.kubesphere.io
+  names:
+    kind: DestinationRule
+    plural: destinationrules
+  scope: Namespaced
+  validation:
+    openAPIV3Schema:
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          properties:
+            host:
+              description: 'REQUIRED. The name of a service from the service registry.
+                Service names are looked up from the platform''s service registry
+                (e.g., Kubernetes services, Consul services, etc.) and from the hosts
+                declared by [ServiceEntries](#ServiceEntry). Rules defined for services
+                that do not exist in the service registry will be ignored.  *Note
+                for Kubernetes users*: When short names are used (e.g. "reviews" instead
+                of "reviews.default.svc.cluster.local"), Istio will interpret the
+                short name based on the namespace of the rule, not the service. A
+                rule in the "default" namespace containing a host "reviews will be
+                interpreted as "reviews.default.svc.cluster.local", irrespective of
+                the actual namespace associated with the reviews service. _To avoid
+                potential misconfigurations, it is recommended to always use fully
+                qualified domain names over short names._  Note that the host field
+                applies to both HTTP and TCP services.'
+              type: string
+            subsets:
+              description: One or more named sets that represent individual versions
+                of a service. Traffic policies can be overridden at subset level.
+              items:
+                properties:
+                  labels:
+                    description: REQUIRED. Labels apply a filter over the endpoints
+                      of a service in the service registry. See route rules for examples
+                      of usage.
+                    type: object
+                  name:
+                    description: REQUIRED. Name of the subset. The service name and
+                      the subset name can be used for traffic splitting in a route
+                      rule.
+                    type: string
+                  trafficPolicy:
+                    description: Traffic policies that apply to this subset. Subsets
+                      inherit the traffic policies specified at the DestinationRule
+                      level. Settings specified at the subset level will override
+                      the corresponding settings specified at the DestinationRule
+                      level.
+                    properties:
+                      connectionPool:
+                        description: Settings controlling the volume of connections
+                          to an upstream service
+                        properties:
+                          http:
+                            description: HTTP connection pool settings.
+                            properties:
+                              maxRequestsPerConnection:
+                                description: Maximum number of requests per connection
+                                  to a backend. Setting this parameter to 1 disables
+                                  keep alive.
+                                format: int32
+                                type: integer
+                              maxRetries:
+                                description: Maximum number of retries that can be
+                                  outstanding to all hosts in a cluster at a given
+                                  time. Defaults to 3.
+                                format: int32
+                                type: integer
+                            type: object
+                          tcp:
+                            description: Settings common to both HTTP and TCP upstream
+                              connections.
+                            properties:
+                              connectTimeout:
+                                description: TCP connection timeout.
+                                type: string
+                              maxConnections:
+                                description: Maximum number of HTTP1 /TCP connections
+                                  to a destination host.
+                                format: int32
+                                type: integer
+                            type: object
+                        type: object
+                      loadBalancer:
+                        description: Settings controlling the load balancer algorithms.
+                        properties:
+                          consistentHash:
+                            properties:
+                              httpCookie:
+                                description: Hash based on HTTP cookie.
+                                properties:
+                                  name:
+                                    description: REQUIRED. Name of the cookie.
+                                    type: string
+                                  path:
+                                    description: Path to set for the cookie.
+                                    type: string
+                                  ttl:
+                                    description: REQUIRED. Lifetime of the cookie.
+                                    type: string
+                                required:
+                                - name
+                                - ttl
+                                type: object
+                              httpHeaderName:
+                                description: 'It is required to specify exactly one
+                                  of the fields as hash key: HttpHeaderName, HttpCookie,
+                                  or UseSourceIP. Hash based on a specific HTTP header.'
+                                type: string
+                              minimumRingSize:
+                                description: The minimum number of virtual nodes to
+                                  use for the hash ring. Defaults to 1024. Larger
+                                  ring sizes result in more granular load distributions.
+                                  If the number of hosts in the load balancing pool
+                                  is larger than the ring size, each host will be
+                                  assigned a single virtual node.
+                                format: int64
+                                type: integer
+                              useSourceIp:
+                                description: Hash based on the source IP address.
+                                type: boolean
+                            type: object
+                          simple:
+                            description: 'It is required to specify exactly one of
+                              the fields: Simple or ConsistentHash'
+                            type: string
+                        type: object
+                      outlierDetection:
+                        description: Settings controlling eviction of unhealthy hosts
+                          from the load balancing pool
+                        properties:
+                          baseEjectionTime:
+                            description: 'Minimum ejection duration. A host will remain
+                              ejected for a period equal to the product of minimum
+                              ejection duration and the number of times the host has
+                              been ejected. This technique allows the system to automatically
+                              increase the ejection period for unhealthy upstream
+                              servers. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default
+                              is 30s.'
+                            type: string
+                          consecutiveErrors:
+                            description: Number of errors before a host is ejected
+                              from the connection pool. Defaults to 5. When the upstream
+                              host is accessed over HTTP, a 5xx return code qualifies
+                              as an error. When the upstream host is accessed over
+                              an opaque TCP connection, connect timeouts and connection
+                              error/failure events qualify as an error.
+                            format: int32
+                            type: integer
+                          interval:
+                            description: 'Time interval between ejection sweep analysis.
+                              format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.'
+                            type: string
+                          maxEjectionPercent:
+                            description: Maximum % of hosts in the load balancing
+                              pool for the upstream service that can be ejected. Defaults
+                              to 10%.
+                            format: int32
+                            type: integer
+                        type: object
+                      portLevelSettings:
+                        description: Traffic policies specific to individual ports.
+                          Note that port level settings will override the destination-level
+                          settings. Traffic settings specified at the destination-level
+                          will not be inherited when overridden by port-level settings,
+                          i.e. default values will be applied to fields omitted in
+                          port-level traffic policies.
+                        items:
+                          properties:
+                            connectionPool:
+                              description: Settings controlling the volume of connections
+                                to an upstream service
+                              properties:
+                                http:
+                                  description: HTTP connection pool settings.
+                                  properties:
+                                    maxRequestsPerConnection:
+                                      description: Maximum number of requests per
+                                        connection to a backend. Setting this parameter
+                                        to 1 disables keep alive.
+                                      format: int32
+                                      type: integer
+                                    maxRetries:
+                                      description: Maximum number of retries that
+                                        can be outstanding to all hosts in a cluster
+                                        at a given time. Defaults to 3.
+                                      format: int32
+                                      type: integer
+                                  type: object
+                                tcp:
+                                  description: Settings common to both HTTP and TCP
+                                    upstream connections.
+                                  properties:
+                                    connectTimeout:
+                                      description: TCP connection timeout.
+                                      type: string
+                                    maxConnections:
+                                      description: Maximum number of HTTP1 /TCP connections
+                                        to a destination host.
+                                      format: int32
+                                      type: integer
+                                  type: object
+                              type: object
+                            loadBalancer:
+                              description: Settings controlling the load balancer
+                                algorithms.
+                              properties:
+                                consistentHash:
+                                  properties:
+                                    httpCookie:
+                                      description: Hash based on HTTP cookie.
+                                      properties:
+                                        name:
+                                          description: REQUIRED. Name of the cookie.
+                                          type: string
+                                        path:
+                                          description: Path to set for the cookie.
+                                          type: string
+                                        ttl:
+                                          description: REQUIRED. Lifetime of the cookie.
+                                          type: string
+                                      required:
+                                      - name
+                                      - ttl
+                                      type: object
+                                    httpHeaderName:
+                                      description: 'It is required to specify exactly
+                                        one of the fields as hash key: HttpHeaderName,
+                                        HttpCookie, or UseSourceIP. Hash based on
+                                        a specific HTTP header.'
+                                      type: string
+                                    minimumRingSize:
+                                      description: The minimum number of virtual nodes
+                                        to use for the hash ring. Defaults to 1024.
+                                        Larger ring sizes result in more granular
+                                        load distributions. If the number of hosts
+                                        in the load balancing pool is larger than
+                                        the ring size, each host will be assigned
+                                        a single virtual node.
+                                      format: int64
+                                      type: integer
+                                    useSourceIp:
+                                      description: Hash based on the source IP address.
+                                      type: boolean
+                                  type: object
+                                simple:
+                                  description: 'It is required to specify exactly
+                                    one of the fields: Simple or ConsistentHash'
+                                  type: string
+                              type: object
+                            outlierDetection:
+                              description: Settings controlling eviction of unhealthy
+                                hosts from the load balancing pool
+                              properties:
+                                baseEjectionTime:
+                                  description: 'Minimum ejection duration. A host
+                                    will remain ejected for a period equal to the
+                                    product of minimum ejection duration and the number
+                                    of times the host has been ejected. This technique
+                                    allows the system to automatically increase the
+                                    ejection period for unhealthy upstream servers.
+                                    format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is
+                                    30s.'
+                                  type: string
+                                consecutiveErrors:
+                                  description: Number of errors before a host is ejected
+                                    from the connection pool. Defaults to 5. When
+                                    the upstream host is accessed over HTTP, a 5xx
+                                    return code qualifies as an error. When the upstream
+                                    host is accessed over an opaque TCP connection,
+                                    connect timeouts and connection error/failure
+                                    events qualify as an error.
+                                  format: int32
+                                  type: integer
+                                interval:
+                                  description: 'Time interval between ejection sweep
+                                    analysis. format: 1h/1m/1s/1ms. MUST BE >=1ms.
+                                    Default is 10s.'
+                                  type: string
+                                maxEjectionPercent:
+                                  description: Maximum % of hosts in the load balancing
+                                    pool for the upstream service that can be ejected.
+                                    Defaults to 10%.
+                                  format: int32
+                                  type: integer
+                              type: object
+                            port:
+                              description: Specifies the port name or number of a
+                                port on the destination service on which this policy
+                                is being applied.  Names must comply with DNS label
+                                syntax (rfc1035) and therefore cannot collide with
+                                numbers. If there are multiple ports on a service
+                                with the same protocol the names should be of the
+                                form <protocol-name>-<DNS label>.
+                              properties:
+                                name:
+                                  description: Valid port name
+                                  type: string
+                                number:
+                                  description: Valid port number
+                                  format: int32
+                                  type: integer
+                              type: object
+                            tls:
+                              description: TLS related settings for connections to
+                                the upstream service.
+                              properties:
+                                caCertificates:
+                                  description: 'OPTIONAL: The path to the file containing
+                                    certificate authority certificates to use in verifying
+                                    a presented server certificate. If omitted, the
+                                    proxy will not verify the server''s certificate.
+                                    Should be empty if mode is `ISTIO_MUTUAL`.'
+                                  type: string
+                                clientCertificate:
+                                  description: REQUIRED if mode is `MUTUAL`. The path
+                                    to the file holding the client-side TLS certificate
+                                    to use. Should be empty if mode is `ISTIO_MUTUAL`.
+                                  type: string
+                                mode:
+                                  description: 'REQUIRED: Indicates whether connections
+                                    to this port should be secured using TLS. The
+                                    value of this field determines how TLS is enforced.'
+                                  type: string
+                                privateKey:
+                                  description: REQUIRED if mode is `MUTUAL`. The path
+                                    to the file holding the client's private key.
+                                    Should be empty if mode is `ISTIO_MUTUAL`.
+                                  type: string
+                                sni:
+                                  description: SNI string to present to the server
+                                    during TLS handshake. Should be empty if mode
+                                    is `ISTIO_MUTUAL`.
+                                  type: string
+                                subjectAltNames:
+                                  description: A list of alternate names to verify
+                                    the subject identity in the certificate. If specified,
+                                    the proxy will verify that the server certificate's
+                                    subject alt name matches one of the specified
+                                    values. Should be empty if mode is `ISTIO_MUTUAL`.
+                                  items:
+                                    type: string
+                                  type: array
+                              required:
+                              - mode
+                              type: object
+                          required:
+                          - port
+                          type: object
+                        type: array
+                      tls:
+                        description: TLS related settings for connections to the upstream
+                          service.
+                        properties:
+                          caCertificates:
+                            description: 'OPTIONAL: The path to the file containing
+                              certificate authority certificates to use in verifying
+                              a presented server certificate. If omitted, the proxy
+                              will not verify the server''s certificate. Should be
+                              empty if mode is `ISTIO_MUTUAL`.'
+                            type: string
+                          clientCertificate:
+                            description: REQUIRED if mode is `MUTUAL`. The path to
+                              the file holding the client-side TLS certificate to
+                              use. Should be empty if mode is `ISTIO_MUTUAL`.
+                            type: string
+                          mode:
+                            description: 'REQUIRED: Indicates whether connections
+                              to this port should be secured using TLS. The value
+                              of this field determines how TLS is enforced.'
+                            type: string
+                          privateKey:
+                            description: REQUIRED if mode is `MUTUAL`. The path to
+                              the file holding the client's private key. Should be
+                              empty if mode is `ISTIO_MUTUAL`.
+                            type: string
+                          sni:
+                            description: SNI string to present to the server during
+                              TLS handshake. Should be empty if mode is `ISTIO_MUTUAL`.
+                            type: string
+                          subjectAltNames:
+                            description: A list of alternate names to verify the subject
+                              identity in the certificate. If specified, the proxy
+                              will verify that the server certificate's subject alt
+                              name matches one of the specified values. Should be
+                              empty if mode is `ISTIO_MUTUAL`.
+                            items:
+                              type: string
+                            type: array
+                        required:
+                        - mode
+                        type: object
+                    type: object
+                required:
+                - name
+                - labels
+                type: object
+              type: array
+            trafficPolicy:
+              description: Traffic policies to apply (load balancing policy, connection
+                pool sizes, outlier detection).
+              properties:
+                connectionPool:
+                  description: Settings controlling the volume of connections to an
+                    upstream service
+                  properties:
+                    http:
+                      description: HTTP connection pool settings.
+                      properties:
+                        maxRequestsPerConnection:
+                          description: Maximum number of requests per connection to
+                            a backend. Setting this parameter to 1 disables keep alive.
+                          format: int32
+                          type: integer
+                        maxRetries:
+                          description: Maximum number of retries that can be outstanding
+                            to all hosts in a cluster at a given time. Defaults to
+                            3.
+                          format: int32
+                          type: integer
+                      type: object
+                    tcp:
+                      description: Settings common to both HTTP and TCP upstream connections.
+                      properties:
+                        connectTimeout:
+                          description: TCP connection timeout.
+                          type: string
+                        maxConnections:
+                          description: Maximum number of HTTP1 /TCP connections to
+                            a destination host.
+                          format: int32
+                          type: integer
+                      type: object
+                  type: object
+                loadBalancer:
+                  description: Settings controlling the load balancer algorithms.
+                  properties:
+                    consistentHash:
+                      properties:
+                        httpCookie:
+                          description: Hash based on HTTP cookie.
+                          properties:
+                            name:
+                              description: REQUIRED. Name of the cookie.
+                              type: string
+                            path:
+                              description: Path to set for the cookie.
+                              type: string
+                            ttl:
+                              description: REQUIRED. Lifetime of the cookie.
+                              type: string
+                          required:
+                          - name
+                          - ttl
+                          type: object
+                        httpHeaderName:
+                          description: 'It is required to specify exactly one of the
+                            fields as hash key: HttpHeaderName, HttpCookie, or UseSourceIP.
+                            Hash based on a specific HTTP header.'
+                          type: string
+                        minimumRingSize:
+                          description: The minimum number of virtual nodes to use
+                            for the hash ring. Defaults to 1024. Larger ring sizes
+                            result in more granular load distributions. If the number
+                            of hosts in the load balancing pool is larger than the
+                            ring size, each host will be assigned a single virtual
+                            node.
+                          format: int64
+                          type: integer
+                        useSourceIp:
+                          description: Hash based on the source IP address.
+                          type: boolean
+                      type: object
+                    simple:
+                      description: 'It is required to specify exactly one of the fields:
+                        Simple or ConsistentHash'
+                      type: string
+                  type: object
+                outlierDetection:
+                  description: Settings controlling eviction of unhealthy hosts from
+                    the load balancing pool
+                  properties:
+                    baseEjectionTime:
+                      description: 'Minimum ejection duration. A host will remain
+                        ejected for a period equal to the product of minimum ejection
+                        duration and the number of times the host has been ejected.
+                        This technique allows the system to automatically increase
+                        the ejection period for unhealthy upstream servers. format:
+                        1h/1m/1s/1ms. MUST BE >=1ms. Default is 30s.'
+                      type: string
+                    consecutiveErrors:
+                      description: Number of errors before a host is ejected from
+                        the connection pool. Defaults to 5. When the upstream host
+                        is accessed over HTTP, a 5xx return code qualifies as an error.
+                        When the upstream host is accessed over an opaque TCP connection,
+                        connect timeouts and connection error/failure events qualify
+                        as an error.
+                      format: int32
+                      type: integer
+                    interval:
+                      description: 'Time interval between ejection sweep analysis.
+                        format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.'
+                      type: string
+                    maxEjectionPercent:
+                      description: Maximum % of hosts in the load balancing pool for
+                        the upstream service that can be ejected. Defaults to 10%.
+                      format: int32
+                      type: integer
+                  type: object
+                portLevelSettings:
+                  description: Traffic policies specific to individual ports. Note
+                    that port level settings will override the destination-level settings.
+                    Traffic settings specified at the destination-level will not be
+                    inherited when overridden by port-level settings, i.e. default
+                    values will be applied to fields omitted in port-level traffic
+                    policies.
+                  items:
+                    properties:
+                      connectionPool:
+                        description: Settings controlling the volume of connections
+                          to an upstream service
+                        properties:
+                          http:
+                            description: HTTP connection pool settings.
+                            properties:
+                              maxRequestsPerConnection:
+                                description: Maximum number of requests per connection
+                                  to a backend. Setting this parameter to 1 disables
+                                  keep alive.
+                                format: int32
+                                type: integer
+                              maxRetries:
+                                description: Maximum number of retries that can be
+                                  outstanding to all hosts in a cluster at a given
+                                  time. Defaults to 3.
+                                format: int32
+                                type: integer
+                            type: object
+                          tcp:
+                            description: Settings common to both HTTP and TCP upstream
+                              connections.
+                            properties:
+                              connectTimeout:
+                                description: TCP connection timeout.
+                                type: string
+                              maxConnections:
+                                description: Maximum number of HTTP1 /TCP connections
+                                  to a destination host.
+                                format: int32
+                                type: integer
+                            type: object
+                        type: object
+                      loadBalancer:
+                        description: Settings controlling the load balancer algorithms.
+                        properties:
+                          consistentHash:
+                            properties:
+                              httpCookie:
+                                description: Hash based on HTTP cookie.
+                                properties:
+                                  name:
+                                    description: REQUIRED. Name of the cookie.
+                                    type: string
+                                  path:
+                                    description: Path to set for the cookie.
+                                    type: string
+                                  ttl:
+                                    description: REQUIRED. Lifetime of the cookie.
+                                    type: string
+                                required:
+                                - name
+                                - ttl
+                                type: object
+                              httpHeaderName:
+                                description: 'It is required to specify exactly one
+                                  of the fields as hash key: HttpHeaderName, HttpCookie,
+                                  or UseSourceIP. Hash based on a specific HTTP header.'
+                                type: string
+                              minimumRingSize:
+                                description: The minimum number of virtual nodes to
+                                  use for the hash ring. Defaults to 1024. Larger
+                                  ring sizes result in more granular load distributions.
+                                  If the number of hosts in the load balancing pool
+                                  is larger than the ring size, each host will be
+                                  assigned a single virtual node.
+                                format: int64
+                                type: integer
+                              useSourceIp:
+                                description: Hash based on the source IP address.
+                                type: boolean
+                            type: object
+                          simple:
+                            description: 'It is required to specify exactly one of
+                              the fields: Simple or ConsistentHash'
+                            type: string
+                        type: object
+                      outlierDetection:
+                        description: Settings controlling eviction of unhealthy hosts
+                          from the load balancing pool
+                        properties:
+                          baseEjectionTime:
+                            description: 'Minimum ejection duration. A host will remain
+                              ejected for a period equal to the product of minimum
+                              ejection duration and the number of times the host has
+                              been ejected. This technique allows the system to automatically
+                              increase the ejection period for unhealthy upstream
+                              servers. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default
+                              is 30s.'
+                            type: string
+                          consecutiveErrors:
+                            description: Number of errors before a host is ejected
+                              from the connection pool. Defaults to 5. When the upstream
+                              host is accessed over HTTP, a 5xx return code qualifies
+                              as an error. When the upstream host is accessed over
+                              an opaque TCP connection, connect timeouts and connection
+                              error/failure events qualify as an error.
+                            format: int32
+                            type: integer
+                          interval:
+                            description: 'Time interval between ejection sweep analysis.
+                              format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.'
+                            type: string
+                          maxEjectionPercent:
+                            description: Maximum % of hosts in the load balancing
+                              pool for the upstream service that can be ejected. Defaults
+                              to 10%.
+                            format: int32
+                            type: integer
+                        type: object
+                      port:
+                        description: Specifies the port name or number of a port on
+                          the destination service on which this policy is being applied.  Names
+                          must comply with DNS label syntax (rfc1035) and therefore
+                          cannot collide with numbers. If there are multiple ports
+                          on a service with the same protocol the names should be
+                          of the form <protocol-name>-<DNS label>.
+                        properties:
+                          name:
+                            description: Valid port name
+                            type: string
+                          number:
+                            description: Valid port number
+                            format: int32
+                            type: integer
+                        type: object
+                      tls:
+                        description: TLS related settings for connections to the upstream
+                          service.
+                        properties:
+                          caCertificates:
+                            description: 'OPTIONAL: The path to the file containing
+                              certificate authority certificates to use in verifying
+                              a presented server certificate. If omitted, the proxy
+                              will not verify the server''s certificate. Should be
+                              empty if mode is `ISTIO_MUTUAL`.'
+                            type: string
+                          clientCertificate:
+                            description: REQUIRED if mode is `MUTUAL`. The path to
+                              the file holding the client-side TLS certificate to
+                              use. Should be empty if mode is `ISTIO_MUTUAL`.
+                            type: string
+                          mode:
+                            description: 'REQUIRED: Indicates whether connections
+                              to this port should be secured using TLS. The value
+                              of this field determines how TLS is enforced.'
+                            type: string
+                          privateKey:
+                            description: REQUIRED if mode is `MUTUAL`. The path to
+                              the file holding the client's private key. Should be
+                              empty if mode is `ISTIO_MUTUAL`.
+                            type: string
+                          sni:
+                            description: SNI string to present to the server during
+                              TLS handshake. Should be empty if mode is `ISTIO_MUTUAL`.
+                            type: string
+                          subjectAltNames:
+                            description: A list of alternate names to verify the subject
+                              identity in the certificate. If specified, the proxy
+                              will verify that the server certificate's subject alt
+                              name matches one of the specified values. Should be
+                              empty if mode is `ISTIO_MUTUAL`.
+                            items:
+                              type: string
+                            type: array
+                        required:
+                        - mode
+                        type: object
+                    required:
+                    - port
+                    type: object
+                  type: array
+                tls:
+                  description: TLS related settings for connections to the upstream
+                    service.
+                  properties:
+                    caCertificates:
+                      description: 'OPTIONAL: The path to the file containing certificate
+                        authority certificates to use in verifying a presented server
+                        certificate. If omitted, the proxy will not verify the server''s
+                        certificate. Should be empty if mode is `ISTIO_MUTUAL`.'
+                      type: string
+                    clientCertificate:
+                      description: REQUIRED if mode is `MUTUAL`. The path to the file
+                        holding the client-side TLS certificate to use. Should be
+                        empty if mode is `ISTIO_MUTUAL`.
+                      type: string
+                    mode:
+                      description: 'REQUIRED: Indicates whether connections to this
+                        port should be secured using TLS. The value of this field
+                        determines how TLS is enforced.'
+                      type: string
+                    privateKey:
+                      description: REQUIRED if mode is `MUTUAL`. The path to the file
+                        holding the client's private key. Should be empty if mode
+                        is `ISTIO_MUTUAL`.
+                      type: string
+                    sni:
+                      description: SNI string to present to the server during TLS
+                        handshake. Should be empty if mode is `ISTIO_MUTUAL`.
+                      type: string
+                    subjectAltNames:
+                      description: A list of alternate names to verify the subject
+                        identity in the certificate. If specified, the proxy will
+                        verify that the server certificate's subject alt name matches
+                        one of the specified values. Should be empty if mode is `ISTIO_MUTUAL`.
+                      items:
+                        type: string
+                      type: array
+                  required:
+                  - mode
+                  type: object
+              type: object
+          required:
+          - host
+          type: object
+      required:
+      - spec
+  version: v1alpha3
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/istio_v1alpha3_gateway.yaml

@@ -0,0 +1,129 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  creationTimestamp: null
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: gateways.istio.kubesphere.io
+spec:
+  group: istio.kubesphere.io
+  names:
+    kind: Gateway
+    plural: gateways
+  scope: Namespaced
+  validation:
+    openAPIV3Schema:
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          properties:
+            selector:
+              description: One or more labels that indicate a specific set of pods/VMs
+                on which this gateway configuration should be applied. If no selectors
+                are provided, the gateway will be implemented by the default istio-ingress
+                controller.
+              type: object
+            servers:
+              description: 'REQUIRED: A list of server specifications.'
+              items:
+                properties:
+                  hosts:
+                    description: A list of hosts exposed by this gateway. While typically
+                      applicable to HTTP services, it can also be used for TCP services
+                      using TLS with SNI. Standard DNS wildcard prefix syntax is permitted.  A
+                      VirtualService that is bound to a gateway must having a matching
+                      host in its default destination. Specifically one of the VirtualService
+                      destination hosts is a strict suffix of a gateway host or a
+                      gateway host is a suffix of one of the VirtualService hosts.
+                    items:
+                      type: string
+                    type: array
+                  port:
+                    description: 'REQUIRED: The Port on which the proxy should listen
+                      for incoming connections'
+                    properties:
+                      name:
+                        description: Label assigned to the port.
+                        type: string
+                      number:
+                        description: 'REQUIRED: A valid non-negative integer port
+                          number.'
+                        format: int64
+                        type: integer
+                      protocol:
+                        description: 'REQUIRED: The protocol exposed on the port.
+                          MUST BE one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP.'
+                        type: string
+                    required:
+                    - number
+                    - protocol
+                    type: object
+                  tls:
+                    description: Set of TLS related options that govern the server's
+                      behavior. Use these options to control if all http requests
+                      should be redirected to https, and the TLS modes to use.
+                    properties:
+                      caCertificates:
+                        description: REQUIRED if mode is "MUTUAL". The path to a file
+                          containing certificate authority certificates to use in
+                          verifying a presented client side certificate.
+                        type: string
+                      httpsRedirect:
+                        description: If set to true, the load balancer will send a
+                          302 redirect for all http connections, asking the clients
+                          to use HTTPS.
+                        type: boolean
+                      mode:
+                        description: 'Optional: Indicates whether connections to this
+                          port should be secured using TLS. The value of this field
+                          determines how TLS is enforced.'
+                        type: string
+                      privateKey:
+                        description: REQUIRED if mode is "SIMPLE" or "MUTUAL". The
+                          path to the file holding the server's private key.
+                        type: string
+                      serverCertificate:
+                        description: REQUIRED if mode is "SIMPLE" or "MUTUAL". The
+                          path to the file holding the server-side TLS certificate
+                          to use.
+                        type: string
+                      subjectAltNames:
+                        description: A list of alternate names to verify the subject
+                          identity in the certificate presented by the client.
+                        items:
+                          type: string
+                        type: array
+                    required:
+                    - httpsRedirect
+                    - serverCertificate
+                    - privateKey
+                    - caCertificates
+                    - subjectAltNames
+                    type: object
+                required:
+                - port
+                type: object
+              type: array
+          required:
+          - servers
+          type: object
+      required:
+      - spec
+  version: v1alpha3
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/istio_v1alpha3_virtualservice.yaml

@@ -0,0 +1,695 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  creationTimestamp: null
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: virtualservices.istio.kubesphere.io
+spec:
+  group: istio.kubesphere.io
+  names:
+    kind: VirtualService
+    plural: virtualservices
+  scope: Namespaced
+  validation:
+    openAPIV3Schema:
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          properties:
+            gateways:
+              description: The names of gateways and sidecars that should apply these
+                routes. A single VirtualService is used for sidecars inside the mesh
+                as well as for one or more gateways. The selection condition imposed
+                by this field can be overridden using the source field in the match
+                conditions of HTTP/TCP routes. The reserved word "mesh" is used to
+                imply all the sidecars in the mesh. When this field is omitted, the
+                default gateway ("mesh") will be used, which would apply the rule
+                to all sidecars in the mesh. If a list of gateway names is provided,
+                the rules will apply only to the gateways. To apply the rules to both
+                gateways and sidecars, specify "mesh" as one of the gateway names.
+              items:
+                type: string
+              type: array
+            hosts:
+              description: REQUIRED. The destination address for traffic captured
+                by this virtual service. Could be a DNS name with wildcard prefix
+                or a CIDR prefix. Depending on the platform, short-names can also
+                be used instead of a FQDN (i.e. has no dots in the name). In such
+                a scenario, the FQDN of the host would be derived based on the underlying
+                platform.  For example on Kubernetes, when hosts contains a short
+                name, Istio will interpret the short name based on the namespace of
+                the rule. Thus, when a client namespace applies a rule in the "default"
+                namespace containing a name "reviews, Istio will setup routes to the
+                "reviews.default.svc.cluster.local" service. However, if a different
+                name such as "reviews.sales.svc.cluster.local" is used, it would be
+                treated as a FQDN during virtual host matching. In Consul, a plain
+                service name would be resolved to the FQDN "reviews.service.consul".  Note
+                that the hosts field applies to both HTTP and TCP services. Service
+                inside the mesh, i.e., those found in the service registry, must always
+                be referred to using their alphanumeric names. IP addresses or CIDR
+                prefixes are allowed only for services defined via the Gateway.
+              items:
+                type: string
+              type: array
+            http:
+              description: An ordered list of route rules for HTTP traffic. The first
+                rule matching an incoming request is used.
+              items:
+                properties:
+                  appendHeaders:
+                    description: Additional HTTP headers to add before forwarding
+                      a request to the destination service.
+                    type: object
+                  corsPolicy:
+                    description: Cross-Origin Resource Sharing policy
+                    properties:
+                      allowCredentials:
+                        description: Indicates whether the caller is allowed to send
+                          the actual request (not the preflight) using credentials.
+                          Translates to Access-Control-Allow-Credentials header.
+                        type: boolean
+                      allowHeaders:
+                        description: List of HTTP headers that can be used when requesting
+                          the resource. Serialized to Access-Control-Allow-Methods
+                          header.
+                        items:
+                          type: string
+                        type: array
+                      allowMethods:
+                        description: List of HTTP methods allowed to access the resource.
+                          The content will be serialized into the Access-Control-Allow-Methods
+                          header.
+                        items:
+                          type: string
+                        type: array
+                      allowOrigin:
+                        description: The list of origins that are allowed to perform
+                          CORS requests. The content will be serialized into the Access-Control-Allow-Origin
+                          header. Wildcard * will allow all origins.
+                        items:
+                          type: string
+                        type: array
+                      exposeHeaders:
+                        description: A white list of HTTP headers that the browsers
+                          are allowed to access. Serialized into Access-Control-Expose-Headers
+                          header.
+                        items:
+                          type: string
+                        type: array
+                      maxAge:
+                        description: Specifies how long the the results of a preflight
+                          request can be cached. Translates to the Access-Control-Max-Age
+                          header.
+                        type: string
+                    type: object
+                  fault:
+                    description: Fault injection policy to apply on HTTP traffic.
+                    properties:
+                      abort:
+                        description: Abort Http request attempts and return error
+                          codes back to downstream service, giving the impression
+                          that the upstream service is faulty.
+                        properties:
+                          httpStatus:
+                            description: REQUIRED. HTTP status code to use to abort
+                              the Http request.
+                            format: int64
+                            type: integer
+                          percent:
+                            description: Percentage of requests to be aborted with
+                              the error code provided (0-100).
+                            format: int64
+                            type: integer
+                        required:
+                        - httpStatus
+                        type: object
+                      delay:
+                        description: Delay requests before forwarding, emulating various
+                          failures such as network issues, overloaded upstream service,
+                          etc.
+                        properties:
+                          exponentialDelay:
+                            description: (-- Add a delay (based on an exponential
+                              function) before forwarding the request. mean delay
+                              needed to derive the exponential delay values --)
+                            type: string
+                          fixedDelay:
+                            description: 'REQUIRED. Add a fixed delay before forwarding
+                              the request. Format: 1h/1m/1s/1ms. MUST be >=1ms.'
+                            type: string
+                          percent:
+                            description: Percentage of requests on which the delay
+                              will be injected (0-100).
+                            format: int64
+                            type: integer
+                        required:
+                        - fixedDelay
+                        type: object
+                    type: object
+                  match:
+                    description: Match conditions to be satisfied for the rule to
+                      be activated. All conditions inside a single match block have
+                      AND semantics, while the list of match blocks have OR semantics.
+                      The rule is matched if any one of the match blocks succeed.
+                    items:
+                      properties:
+                        authority:
+                          description: 'HTTP Authority values are case-sensitive and
+                            formatted as follows:  - `exact: "value"` for exact string
+                            match  - `prefix: "value"` for prefix-based match  - `regex:
+                            "value"` for ECMAscript style regex-based match'
+                          properties:
+                            exact:
+                              description: exact string match
+                              type: string
+                            prefix:
+                              description: prefix-based match
+                              type: string
+                            regex:
+                              description: ECMAscript style regex-based match
+                              type: string
+                            suffix:
+                              description: suffix-based match.
+                              type: string
+                          type: object
+                        gateways:
+                          description: Names of gateways where the rule should be
+                            applied to. Gateway names at the top of the VirtualService
+                            (if any) are overridden. The gateway match is independent
+                            of sourceLabels.
+                          items:
+                            type: string
+                          type: array
+                        headers:
+                          description: 'The header keys must be lowercase and use
+                            hyphen as the separator, e.g. _x-request-id_.  Header
+                            values are case-sensitive and formatted as follows:  -
+                            `exact: "value"` for exact string match  - `prefix: "value"`
+                            for prefix-based match  - `regex: "value"` for ECMAscript
+                            style regex-based match  **Note:** The keys `uri`, `scheme`,
+                            `method`, and `authority` will be ignored.'
+                          type: object
+                        method:
+                          description: 'HTTP Method values are case-sensitive and
+                            formatted as follows:  - `exact: "value"` for exact string
+                            match  - `prefix: "value"` for prefix-based match  - `regex:
+                            "value"` for ECMAscript style regex-based match'
+                          properties:
+                            exact:
+                              description: exact string match
+                              type: string
+                            prefix:
+                              description: prefix-based match
+                              type: string
+                            regex:
+                              description: ECMAscript style regex-based match
+                              type: string
+                            suffix:
+                              description: suffix-based match.
+                              type: string
+                          type: object
+                        port:
+                          description: Specifies the ports on the host that is being
+                            addressed. Many services only expose a single port or
+                            label ports with the protocols they support, in these
+                            cases it is not required to explicitly select the port.
+                          format: int32
+                          type: integer
+                        scheme:
+                          description: 'URI Scheme values are case-sensitive and formatted
+                            as follows:  - `exact: "value"` for exact string match  -
+                            `prefix: "value"` for prefix-based match  - `regex: "value"`
+                            for ECMAscript style regex-based match'
+                          properties:
+                            exact:
+                              description: exact string match
+                              type: string
+                            prefix:
+                              description: prefix-based match
+                              type: string
+                            regex:
+                              description: ECMAscript style regex-based match
+                              type: string
+                            suffix:
+                              description: suffix-based match.
+                              type: string
+                          type: object
+                        sourceLabels:
+                          description: One or more labels that constrain the applicability
+                            of a rule to workloads with the given labels. If the VirtualService
+                            has a list of gateways specified at the top, it should
+                            include the reserved gateway `mesh` in order for this
+                            field to be applicable.
+                          type: object
+                        uri:
+                          description: 'URI to match values are case-sensitive and
+                            formatted as follows:  - `exact: "value"` for exact string
+                            match  - `prefix: "value"` for prefix-based match  - `regex:
+                            "value"` for ECMAscript style regex-based match'
+                          properties:
+                            exact:
+                              description: exact string match
+                              type: string
+                            prefix:
+                              description: prefix-based match
+                              type: string
+                            regex:
+                              description: ECMAscript style regex-based match
+                              type: string
+                            suffix:
+                              description: suffix-based match.
+                              type: string
+                          type: object
+                      type: object
+                    type: array
+                  mirror:
+                    description: Mirror HTTP traffic to a another destination in addition
+                      to forwarding the requests to the intended destination. Mirrored
+                      traffic is on a best effort basis where the sidecar/gateway
+                      will not wait for the mirrored cluster to respond before returning
+                      the response from the original destination.  Statistics will
+                      be generated for the mirrored destination.
+                    properties:
+                      host:
+                        description: 'REQUIRED. The name of a service from the service
+                          registry. Service names are looked up from the platform''s
+                          service registry (e.g., Kubernetes services, Consul services,
+                          etc.) and from the hosts declared by [ServiceEntry](#ServiceEntry).
+                          Traffic forwarded to destinations that are not found in
+                          either of the two, will be dropped.  *Note for Kubernetes
+                          users*: When short names are used (e.g. "reviews" instead
+                          of "reviews.default.svc.cluster.local"), Istio will interpret
+                          the short name based on the namespace of the rule, not the
+                          service. A rule in the "default" namespace containing a
+                          host "reviews will be interpreted as "reviews.default.svc.cluster.local",
+                          irrespective of the actual namespace associated with the
+                          reviews service. _To avoid potential misconfigurations,
+                          it is recommended to always use fully qualified domain names
+                          over short names._'
+                        type: string
+                      port:
+                        description: Specifies the port on the host that is being
+                          addressed. If a service exposes only a single port it is
+                          not required to explicitly select the port.
+                        properties:
+                          name:
+                            description: Valid port name
+                            type: string
+                          number:
+                            description: Valid port number
+                            format: int32
+                            type: integer
+                        type: object
+                      subset:
+                        description: The name of a subset within the service. Applicable
+                          only to services within the mesh. The subset must be defined
+                          in a corresponding DestinationRule.
+                        type: string
+                    required:
+                    - host
+                    type: object
+                  redirect:
+                    description: A http rule can either redirect or forward (default)
+                      traffic. If traffic passthrough option is specified in the rule,
+                      route/redirect will be ignored. The redirect primitive can be
+                      used to send a HTTP 302 redirect to a different URI or Authority.
+                    properties:
+                      authority:
+                        description: On a redirect, overwrite the Authority/Host portion
+                          of the URL with this value.
+                        type: string
+                      uri:
+                        description: On a redirect, overwrite the Path portion of
+                          the URL with this value. Note that the entire path will
+                          be replaced, irrespective of the request URI being matched
+                          as an exact path or prefix.
+                        type: string
+                    type: object
+                  removeResponseHeaders:
+                    description: Http headers to remove before returning the response
+                      to the caller
+                    type: object
+                  retries:
+                    description: Retry policy for HTTP requests.
+                    properties:
+                      attempts:
+                        description: REQUIRED. Number of retries for a given request.
+                          The interval between retries will be determined automatically
+                          (25ms+). Actual number of retries attempted depends on the
+                          httpReqTimeout.
+                        format: int64
+                        type: integer
+                      perTryTimeout:
+                        description: 'Timeout per retry attempt for a given request.
+                          format: 1h/1m/1s/1ms. MUST BE >=1ms.'
+                        type: string
+                    required:
+                    - attempts
+                    - perTryTimeout
+                    type: object
+                  rewrite:
+                    description: Rewrite HTTP URIs and Authority headers. Rewrite
+                      cannot be used with Redirect primitive. Rewrite will be performed
+                      before forwarding.
+                    properties:
+                      authority:
+                        description: rewrite the Authority/Host header with this value.
+                        type: string
+                      uri:
+                        description: rewrite the path (or the prefix) portion of the
+                          URI with this value. If the original URI was matched based
+                          on prefix, the value provided in this field will replace
+                          the corresponding matched prefix.
+                        type: string
+                    type: object
+                  route:
+                    description: A http rule can either redirect or forward (default)
+                      traffic. The forwarding target can be one of several versions
+                      of a service (see glossary in beginning of document). Weights
+                      associated with the service version determine the proportion
+                      of traffic it receives.
+                    items:
+                      properties:
+                        destination:
+                          description: REQUIRED. Destination uniquely identifies the
+                            instances of a service to which the request/connection
+                            should be forwarded to.
+                          properties:
+                            host:
+                              description: 'REQUIRED. The name of a service from the
+                                service registry. Service names are looked up from
+                                the platform''s service registry (e.g., Kubernetes
+                                services, Consul services, etc.) and from the hosts
+                                declared by [ServiceEntry](#ServiceEntry). Traffic
+                                forwarded to destinations that are not found in either
+                                of the two, will be dropped.  *Note for Kubernetes
+                                users*: When short names are used (e.g. "reviews"
+                                instead of "reviews.default.svc.cluster.local"), Istio
+                                will interpret the short name based on the namespace
+                                of the rule, not the service. A rule in the "default"
+                                namespace containing a host "reviews will be interpreted
+                                as "reviews.default.svc.cluster.local", irrespective
+                                of the actual namespace associated with the reviews
+                                service. _To avoid potential misconfigurations, it
+                                is recommended to always use fully qualified domain
+                                names over short names._'
+                              type: string
+                            port:
+                              description: Specifies the port on the host that is
+                                being addressed. If a service exposes only a single
+                                port it is not required to explicitly select the port.
+                              properties:
+                                name:
+                                  description: Valid port name
+                                  type: string
+                                number:
+                                  description: Valid port number
+                                  format: int32
+                                  type: integer
+                              type: object
+                            subset:
+                              description: The name of a subset within the service.
+                                Applicable only to services within the mesh. The subset
+                                must be defined in a corresponding DestinationRule.
+                              type: string
+                          required:
+                          - host
+                          type: object
+                        weight:
+                          description: REQUIRED. The proportion of traffic to be forwarded
+                            to the service version. (0-100). Sum of weights across
+                            destinations SHOULD BE == 100. If there is only destination
+                            in a rule, the weight value is assumed to be 100.
+                          format: int64
+                          type: integer
+                      required:
+                      - destination
+                      - weight
+                      type: object
+                    type: array
+                  timeout:
+                    description: Timeout for HTTP requests.
+                    type: string
+                  websocketUpgrade:
+                    description: Indicates that a HTTP/1.1 client connection to this
+                      particular route should be allowed (and expected) to upgrade
+                      to a WebSocket connection. The default is false. Istio's reference
+                      sidecar implementation (Envoy) expects the first request to
+                      this route to contain the WebSocket upgrade headers. Otherwise,
+                      the request will be rejected. Note that Websocket allows secondary
+                      protocol negotiation which may then be subject to further routing
+                      rules based on the protocol selected.
+                    type: boolean
+                type: object
+              type: array
+            tcp:
+              description: An ordered list of route rules for TCP traffic. The first
+                rule matching an incoming request is used.
+              items:
+                properties:
+                  match:
+                    description: Match conditions to be satisfied for the rule to
+                      be activated. All conditions inside a single match block have
+                      AND semantics, while the list of match blocks have OR semantics.
+                      The rule is matched if any one of the match blocks succeed.
+                    items:
+                      properties:
+                        destinationSubnets:
+                          description: IPv4 or IPv6 ip address of destination with
+                            optional subnet.  E.g., a.b.c.d/xx form or just a.b.c.d.
+                          items:
+                            type: string
+                          type: array
+                        gateways:
+                          description: Names of gateways where the rule should be
+                            applied to. Gateway names at the top of the VirtualService
+                            (if any) are overridden. The gateway match is independent
+                            of sourceLabels.
+                          items:
+                            type: string
+                          type: array
+                        port:
+                          description: Specifies the port on the host that is being
+                            addressed. Many services only expose a single port or
+                            label ports with the protocols they support, in these
+                            cases it is not required to explicitly select the port.
+                          format: int64
+                          type: integer
+                        sourceLabels:
+                          description: One or more labels that constrain the applicability
+                            of a rule to workloads with the given labels. If the VirtualService
+                            has a list of gateways specified at the top, it should
+                            include the reserved gateway `mesh` in order for this
+                            field to be applicable.
+                          type: object
+                      type: object
+                    type: array
+                  route:
+                    description: The destinations to which the connection should be
+                      forwarded to. Weights must add to 100%.
+                    items:
+                      properties:
+                        destination:
+                          description: REQUIRED. Destination uniquely identifies the
+                            instances of a service to which the request/connection
+                            should be forwarded to.
+                          properties:
+                            host:
+                              description: 'REQUIRED. The name of a service from the
+                                service registry. Service names are looked up from
+                                the platform''s service registry (e.g., Kubernetes
+                                services, Consul services, etc.) and from the hosts
+                                declared by [ServiceEntry](#ServiceEntry). Traffic
+                                forwarded to destinations that are not found in either
+                                of the two, will be dropped.  *Note for Kubernetes
+                                users*: When short names are used (e.g. "reviews"
+                                instead of "reviews.default.svc.cluster.local"), Istio
+                                will interpret the short name based on the namespace
+                                of the rule, not the service. A rule in the "default"
+                                namespace containing a host "reviews will be interpreted
+                                as "reviews.default.svc.cluster.local", irrespective
+                                of the actual namespace associated with the reviews
+                                service. _To avoid potential misconfigurations, it
+                                is recommended to always use fully qualified domain
+                                names over short names._'
+                              type: string
+                            port:
+                              description: Specifies the port on the host that is
+                                being addressed. If a service exposes only a single
+                                port it is not required to explicitly select the port.
+                              properties:
+                                name:
+                                  description: Valid port name
+                                  type: string
+                                number:
+                                  description: Valid port number
+                                  format: int32
+                                  type: integer
+                              type: object
+                            subset:
+                              description: The name of a subset within the service.
+                                Applicable only to services within the mesh. The subset
+                                must be defined in a corresponding DestinationRule.
+                              type: string
+                          required:
+                          - host
+                          type: object
+                        weight:
+                          description: REQUIRED. The proportion of traffic to be forwarded
+                            to the service version. (0-100). Sum of weights across
+                            destinations SHOULD BE == 100. If there is only destination
+                            in a rule, the weight value is assumed to be 100.
+                          format: int64
+                          type: integer
+                      required:
+                      - destination
+                      - weight
+                      type: object
+                    type: array
+                required:
+                - match
+                - route
+                type: object
+              type: array
+            tls:
+              items:
+                properties:
+                  match:
+                    description: REQUIRED. Match conditions to be satisfied for the
+                      rule to be activated. All conditions inside a single match block
+                      have AND semantics, while the list of match blocks have OR semantics.
+                      The rule is matched if any one of the match blocks succeed.
+                    items:
+                      properties:
+                        destinationSubnets:
+                          description: IPv4 or IPv6 ip addresses of destination with
+                            optional subnet.  E.g., a.b.c.d/xx form or just a.b.c.d.
+                          items:
+                            type: string
+                          type: array
+                        gateways:
+                          description: Names of gateways where the rule should be
+                            applied to. Gateway names at the top of the VirtualService
+                            (if any) are overridden. The gateway match is independent
+                            of sourceLabels.
+                          items:
+                            type: string
+                          type: array
+                        port:
+                          description: Specifies the port on the host that is being
+                            addressed. Many services only expose a single port or
+                            label ports with the protocols they support, in these
+                            cases it is not required to explicitly select the port.
+                          format: int64
+                          type: integer
+                        sniHosts:
+                          description: REQUIRED. SNI (server name indicator) to match
+                            on. Wildcard prefixes can be used in the SNI value, e.g.,
+                            *.com will match foo.example.com as well as example.com.
+                            An SNI value must be a subset (i.e., fall within the domain)
+                            of the corresponding virtual service's hosts
+                          items:
+                            type: string
+                          type: array
+                        sourceLabels:
+                          description: One or more labels that constrain the applicability
+                            of a rule to workloads with the given labels. If the VirtualService
+                            has a list of gateways specified at the top, it should
+                            include the reserved gateway `mesh` in order for this
+                            field to be applicable.
+                          type: object
+                      required:
+                      - sniHosts
+                      type: object
+                    type: array
+                  route:
+                    description: The destination to which the connection should be
+                      forwarded to.
+                    items:
+                      properties:
+                        destination:
+                          description: REQUIRED. Destination uniquely identifies the
+                            instances of a service to which the request/connection
+                            should be forwarded to.
+                          properties:
+                            host:
+                              description: 'REQUIRED. The name of a service from the
+                                service registry. Service names are looked up from
+                                the platform''s service registry (e.g., Kubernetes
+                                services, Consul services, etc.) and from the hosts
+                                declared by [ServiceEntry](#ServiceEntry). Traffic
+                                forwarded to destinations that are not found in either
+                                of the two, will be dropped.  *Note for Kubernetes
+                                users*: When short names are used (e.g. "reviews"
+                                instead of "reviews.default.svc.cluster.local"), Istio
+                                will interpret the short name based on the namespace
+                                of the rule, not the service. A rule in the "default"
+                                namespace containing a host "reviews will be interpreted
+                                as "reviews.default.svc.cluster.local", irrespective
+                                of the actual namespace associated with the reviews
+                                service. _To avoid potential misconfigurations, it
+                                is recommended to always use fully qualified domain
+                                names over short names._'
+                              type: string
+                            port:
+                              description: Specifies the port on the host that is
+                                being addressed. If a service exposes only a single
+                                port it is not required to explicitly select the port.
+                              properties:
+                                name:
+                                  description: Valid port name
+                                  type: string
+                                number:
+                                  description: Valid port number
+                                  format: int32
+                                  type: integer
+                              type: object
+                            subset:
+                              description: The name of a subset within the service.
+                                Applicable only to services within the mesh. The subset
+                                must be defined in a corresponding DestinationRule.
+                              type: string
+                          required:
+                          - host
+                          type: object
+                        weight:
+                          description: REQUIRED. The proportion of traffic to be forwarded
+                            to the service version. (0-100). Sum of weights across
+                            destinations SHOULD BE == 100. If there is only destination
+                            in a rule, the weight value is assumed to be 100.
+                          format: int64
+                          type: integer
+                      required:
+                      - destination
+                      - weight
+                      type: object
+                    type: array
+                required:
+                - match
+                - route
+                type: object
+              type: array
+          required:
+          - hosts
+          type: object
+      required:
+      - spec
+  version: v1alpha3
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/servicemesh_v1alpha2_servicepolicy.yaml

@@ -0,0 +1,822 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  creationTimestamp: null
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: servicepolicies.servicemesh.kubesphere.io
+spec:
+  group: servicemesh.kubesphere.io
+  names:
+    kind: ServicePolicy
+    plural: servicepolicies
+  scope: Namespaced
+  validation:
+    openAPIV3Schema:
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          properties:
+            selector:
+              description: Label selector for destination rules.
+              type: object
+            template:
+              description: Template used to create a destination rule
+              properties:
+                spec:
+                  description: Spec indicates the behavior of a destination rule.
+                  properties:
+                    host:
+                      description: 'REQUIRED. The name of a service from the service
+                        registry. Service names are looked up from the platform''s
+                        service registry (e.g., Kubernetes services, Consul services,
+                        etc.) and from the hosts declared by [ServiceEntries](#ServiceEntry).
+                        Rules defined for services that do not exist in the service
+                        registry will be ignored.  *Note for Kubernetes users*: When
+                        short names are used (e.g. "reviews" instead of "reviews.default.svc.cluster.local"),
+                        Istio will interpret the short name based on the namespace
+                        of the rule, not the service. A rule in the "default" namespace
+                        containing a host "reviews will be interpreted as "reviews.default.svc.cluster.local",
+                        irrespective of the actual namespace associated with the reviews
+                        service. _To avoid potential misconfigurations, it is recommended
+                        to always use fully qualified domain names over short names._  Note
+                        that the host field applies to both HTTP and TCP services.'
+                      type: string
+                    subsets:
+                      description: One or more named sets that represent individual
+                        versions of a service. Traffic policies can be overridden
+                        at subset level.
+                      items:
+                        properties:
+                          labels:
+                            description: REQUIRED. Labels apply a filter over the
+                              endpoints of a service in the service registry. See
+                              route rules for examples of usage.
+                            type: object
+                          name:
+                            description: REQUIRED. Name of the subset. The service
+                              name and the subset name can be used for traffic splitting
+                              in a route rule.
+                            type: string
+                          trafficPolicy:
+                            description: Traffic policies that apply to this subset.
+                              Subsets inherit the traffic policies specified at the
+                              DestinationRule level. Settings specified at the subset
+                              level will override the corresponding settings specified
+                              at the DestinationRule level.
+                            properties:
+                              connectionPool:
+                                description: Settings controlling the volume of connections
+                                  to an upstream service
+                                properties:
+                                  http:
+                                    description: HTTP connection pool settings.
+                                    properties:
+                                      maxRequestsPerConnection:
+                                        description: Maximum number of requests per
+                                          connection to a backend. Setting this parameter
+                                          to 1 disables keep alive.
+                                        format: int32
+                                        type: integer
+                                      maxRetries:
+                                        description: Maximum number of retries that
+                                          can be outstanding to all hosts in a cluster
+                                          at a given time. Defaults to 3.
+                                        format: int32
+                                        type: integer
+                                    type: object
+                                  tcp:
+                                    description: Settings common to both HTTP and
+                                      TCP upstream connections.
+                                    properties:
+                                      connectTimeout:
+                                        description: TCP connection timeout.
+                                        type: string
+                                      maxConnections:
+                                        description: Maximum number of HTTP1 /TCP
+                                          connections to a destination host.
+                                        format: int32
+                                        type: integer
+                                    type: object
+                                type: object
+                              loadBalancer:
+                                description: Settings controlling the load balancer
+                                  algorithms.
+                                properties:
+                                  consistentHash:
+                                    properties:
+                                      httpCookie:
+                                        description: Hash based on HTTP cookie.
+                                        properties:
+                                          name:
+                                            description: REQUIRED. Name of the cookie.
+                                            type: string
+                                          path:
+                                            description: Path to set for the cookie.
+                                            type: string
+                                          ttl:
+                                            description: REQUIRED. Lifetime of the
+                                              cookie.
+                                            type: string
+                                        required:
+                                        - name
+                                        - ttl
+                                        type: object
+                                      httpHeaderName:
+                                        description: 'It is required to specify exactly
+                                          one of the fields as hash key: HttpHeaderName,
+                                          HttpCookie, or UseSourceIP. Hash based on
+                                          a specific HTTP header.'
+                                        type: string
+                                      minimumRingSize:
+                                        description: The minimum number of virtual
+                                          nodes to use for the hash ring. Defaults
+                                          to 1024. Larger ring sizes result in more
+                                          granular load distributions. If the number
+                                          of hosts in the load balancing pool is larger
+                                          than the ring size, each host will be assigned
+                                          a single virtual node.
+                                        format: int64
+                                        type: integer
+                                      useSourceIp:
+                                        description: Hash based on the source IP address.
+                                        type: boolean
+                                    type: object
+                                  simple:
+                                    description: 'It is required to specify exactly
+                                      one of the fields: Simple or ConsistentHash'
+                                    type: string
+                                type: object
+                              outlierDetection:
+                                description: Settings controlling eviction of unhealthy
+                                  hosts from the load balancing pool
+                                properties:
+                                  baseEjectionTime:
+                                    description: 'Minimum ejection duration. A host
+                                      will remain ejected for a period equal to the
+                                      product of minimum ejection duration and the
+                                      number of times the host has been ejected. This
+                                      technique allows the system to automatically
+                                      increase the ejection period for unhealthy upstream
+                                      servers. format: 1h/1m/1s/1ms. MUST BE >=1ms.
+                                      Default is 30s.'
+                                    type: string
+                                  consecutiveErrors:
+                                    description: Number of errors before a host is
+                                      ejected from the connection pool. Defaults to
+                                      5. When the upstream host is accessed over HTTP,
+                                      a 5xx return code qualifies as an error. When
+                                      the upstream host is accessed over an opaque
+                                      TCP connection, connect timeouts and connection
+                                      error/failure events qualify as an error.
+                                    format: int32
+                                    type: integer
+                                  interval:
+                                    description: 'Time interval between ejection sweep
+                                      analysis. format: 1h/1m/1s/1ms. MUST BE >=1ms.
+                                      Default is 10s.'
+                                    type: string
+                                  maxEjectionPercent:
+                                    description: Maximum % of hosts in the load balancing
+                                      pool for the upstream service that can be ejected.
+                                      Defaults to 10%.
+                                    format: int32
+                                    type: integer
+                                type: object
+                              portLevelSettings:
+                                description: Traffic policies specific to individual
+                                  ports. Note that port level settings will override
+                                  the destination-level settings. Traffic settings
+                                  specified at the destination-level will not be inherited
+                                  when overridden by port-level settings, i.e. default
+                                  values will be applied to fields omitted in port-level
+                                  traffic policies.
+                                items:
+                                  properties:
+                                    connectionPool:
+                                      description: Settings controlling the volume
+                                        of connections to an upstream service
+                                      properties:
+                                        http:
+                                          description: HTTP connection pool settings.
+                                          properties:
+                                            maxRequestsPerConnection:
+                                              description: Maximum number of requests
+                                                per connection to a backend. Setting
+                                                this parameter to 1 disables keep
+                                                alive.
+                                              format: int32
+                                              type: integer
+                                            maxRetries:
+                                              description: Maximum number of retries
+                                                that can be outstanding to all hosts
+                                                in a cluster at a given time. Defaults
+                                                to 3.
+                                              format: int32
+                                              type: integer
+                                          type: object
+                                        tcp:
+                                          description: Settings common to both HTTP
+                                            and TCP upstream connections.
+                                          properties:
+                                            connectTimeout:
+                                              description: TCP connection timeout.
+                                              type: string
+                                            maxConnections:
+                                              description: Maximum number of HTTP1
+                                                /TCP connections to a destination
+                                                host.
+                                              format: int32
+                                              type: integer
+                                          type: object
+                                      type: object
+                                    loadBalancer:
+                                      description: Settings controlling the load balancer
+                                        algorithms.
+                                      properties:
+                                        consistentHash:
+                                          properties:
+                                            httpCookie:
+                                              description: Hash based on HTTP cookie.
+                                              properties:
+                                                name:
+                                                  description: REQUIRED. Name of the
+                                                    cookie.
+                                                  type: string
+                                                path:
+                                                  description: Path to set for the
+                                                    cookie.
+                                                  type: string
+                                                ttl:
+                                                  description: REQUIRED. Lifetime
+                                                    of the cookie.
+                                                  type: string
+                                              required:
+                                              - name
+                                              - ttl
+                                              type: object
+                                            httpHeaderName:
+                                              description: 'It is required to specify
+                                                exactly one of the fields as hash
+                                                key: HttpHeaderName, HttpCookie, or
+                                                UseSourceIP. Hash based on a specific
+                                                HTTP header.'
+                                              type: string
+                                            minimumRingSize:
+                                              description: The minimum number of virtual
+                                                nodes to use for the hash ring. Defaults
+                                                to 1024. Larger ring sizes result
+                                                in more granular load distributions.
+                                                If the number of hosts in the load
+                                                balancing pool is larger than the
+                                                ring size, each host will be assigned
+                                                a single virtual node.
+                                              format: int64
+                                              type: integer
+                                            useSourceIp:
+                                              description: Hash based on the source
+                                                IP address.
+                                              type: boolean
+                                          type: object
+                                        simple:
+                                          description: 'It is required to specify
+                                            exactly one of the fields: Simple or ConsistentHash'
+                                          type: string
+                                      type: object
+                                    outlierDetection:
+                                      description: Settings controlling eviction of
+                                        unhealthy hosts from the load balancing pool
+                                      properties:
+                                        baseEjectionTime:
+                                          description: 'Minimum ejection duration.
+                                            A host will remain ejected for a period
+                                            equal to the product of minimum ejection
+                                            duration and the number of times the host
+                                            has been ejected. This technique allows
+                                            the system to automatically increase the
+                                            ejection period for unhealthy upstream
+                                            servers. format: 1h/1m/1s/1ms. MUST BE
+                                            >=1ms. Default is 30s.'
+                                          type: string
+                                        consecutiveErrors:
+                                          description: Number of errors before a host
+                                            is ejected from the connection pool. Defaults
+                                            to 5. When the upstream host is accessed
+                                            over HTTP, a 5xx return code qualifies
+                                            as an error. When the upstream host is
+                                            accessed over an opaque TCP connection,
+                                            connect timeouts and connection error/failure
+                                            events qualify as an error.
+                                          format: int32
+                                          type: integer
+                                        interval:
+                                          description: 'Time interval between ejection
+                                            sweep analysis. format: 1h/1m/1s/1ms.
+                                            MUST BE >=1ms. Default is 10s.'
+                                          type: string
+                                        maxEjectionPercent:
+                                          description: Maximum % of hosts in the load
+                                            balancing pool for the upstream service
+                                            that can be ejected. Defaults to 10%.
+                                          format: int32
+                                          type: integer
+                                      type: object
+                                    port:
+                                      description: Specifies the port name or number
+                                        of a port on the destination service on which
+                                        this policy is being applied.  Names must
+                                        comply with DNS label syntax (rfc1035) and
+                                        therefore cannot collide with numbers. If
+                                        there are multiple ports on a service with
+                                        the same protocol the names should be of the
+                                        form <protocol-name>-<DNS label>.
+                                      properties:
+                                        name:
+                                          description: Valid port name
+                                          type: string
+                                        number:
+                                          description: Valid port number
+                                          format: int32
+                                          type: integer
+                                      type: object
+                                    tls:
+                                      description: TLS related settings for connections
+                                        to the upstream service.
+                                      properties:
+                                        caCertificates:
+                                          description: 'OPTIONAL: The path to the
+                                            file containing certificate authority
+                                            certificates to use in verifying a presented
+                                            server certificate. If omitted, the proxy
+                                            will not verify the server''s certificate.
+                                            Should be empty if mode is `ISTIO_MUTUAL`.'
+                                          type: string
+                                        clientCertificate:
+                                          description: REQUIRED if mode is `MUTUAL`.
+                                            The path to the file holding the client-side
+                                            TLS certificate to use. Should be empty
+                                            if mode is `ISTIO_MUTUAL`.
+                                          type: string
+                                        mode:
+                                          description: 'REQUIRED: Indicates whether
+                                            connections to this port should be secured
+                                            using TLS. The value of this field determines
+                                            how TLS is enforced.'
+                                          type: string
+                                        privateKey:
+                                          description: REQUIRED if mode is `MUTUAL`.
+                                            The path to the file holding the client's
+                                            private key. Should be empty if mode is
+                                            `ISTIO_MUTUAL`.
+                                          type: string
+                                        sni:
+                                          description: SNI string to present to the
+                                            server during TLS handshake. Should be
+                                            empty if mode is `ISTIO_MUTUAL`.
+                                          type: string
+                                        subjectAltNames:
+                                          description: A list of alternate names to
+                                            verify the subject identity in the certificate.
+                                            If specified, the proxy will verify that
+                                            the server certificate's subject alt name
+                                            matches one of the specified values. Should
+                                            be empty if mode is `ISTIO_MUTUAL`.
+                                          items:
+                                            type: string
+                                          type: array
+                                      required:
+                                      - mode
+                                      type: object
+                                  required:
+                                  - port
+                                  type: object
+                                type: array
+                              tls:
+                                description: TLS related settings for connections
+                                  to the upstream service.
+                                properties:
+                                  caCertificates:
+                                    description: 'OPTIONAL: The path to the file containing
+                                      certificate authority certificates to use in
+                                      verifying a presented server certificate. If
+                                      omitted, the proxy will not verify the server''s
+                                      certificate. Should be empty if mode is `ISTIO_MUTUAL`.'
+                                    type: string
+                                  clientCertificate:
+                                    description: REQUIRED if mode is `MUTUAL`. The
+                                      path to the file holding the client-side TLS
+                                      certificate to use. Should be empty if mode
+                                      is `ISTIO_MUTUAL`.
+                                    type: string
+                                  mode:
+                                    description: 'REQUIRED: Indicates whether connections
+                                      to this port should be secured using TLS. The
+                                      value of this field determines how TLS is enforced.'
+                                    type: string
+                                  privateKey:
+                                    description: REQUIRED if mode is `MUTUAL`. The
+                                      path to the file holding the client's private
+                                      key. Should be empty if mode is `ISTIO_MUTUAL`.
+                                    type: string
+                                  sni:
+                                    description: SNI string to present to the server
+                                      during TLS handshake. Should be empty if mode
+                                      is `ISTIO_MUTUAL`.
+                                    type: string
+                                  subjectAltNames:
+                                    description: A list of alternate names to verify
+                                      the subject identity in the certificate. If
+                                      specified, the proxy will verify that the server
+                                      certificate's subject alt name matches one of
+                                      the specified values. Should be empty if mode
+                                      is `ISTIO_MUTUAL`.
+                                    items:
+                                      type: string
+                                    type: array
+                                required:
+                                - mode
+                                type: object
+                            type: object
+                        required:
+                        - name
+                        - labels
+                        type: object
+                      type: array
+                    trafficPolicy:
+                      description: Traffic policies to apply (load balancing policy,
+                        connection pool sizes, outlier detection).
+                      properties:
+                        connectionPool:
+                          description: Settings controlling the volume of connections
+                            to an upstream service
+                          properties:
+                            http:
+                              description: HTTP connection pool settings.
+                              properties:
+                                maxRequestsPerConnection:
+                                  description: Maximum number of requests per connection
+                                    to a backend. Setting this parameter to 1 disables
+                                    keep alive.
+                                  format: int32
+                                  type: integer
+                                maxRetries:
+                                  description: Maximum number of retries that can
+                                    be outstanding to all hosts in a cluster at a
+                                    given time. Defaults to 3.
+                                  format: int32
+                                  type: integer
+                              type: object
+                            tcp:
+                              description: Settings common to both HTTP and TCP upstream
+                                connections.
+                              properties:
+                                connectTimeout:
+                                  description: TCP connection timeout.
+                                  type: string
+                                maxConnections:
+                                  description: Maximum number of HTTP1 /TCP connections
+                                    to a destination host.
+                                  format: int32
+                                  type: integer
+                              type: object
+                          type: object
+                        loadBalancer:
+                          description: Settings controlling the load balancer algorithms.
+                          properties:
+                            consistentHash:
+                              properties:
+                                httpCookie:
+                                  description: Hash based on HTTP cookie.
+                                  properties:
+                                    name:
+                                      description: REQUIRED. Name of the cookie.
+                                      type: string
+                                    path:
+                                      description: Path to set for the cookie.
+                                      type: string
+                                    ttl:
+                                      description: REQUIRED. Lifetime of the cookie.
+                                      type: string
+                                  required:
+                                  - name
+                                  - ttl
+                                  type: object
+                                httpHeaderName:
+                                  description: 'It is required to specify exactly
+                                    one of the fields as hash key: HttpHeaderName,
+                                    HttpCookie, or UseSourceIP. Hash based on a specific
+                                    HTTP header.'
+                                  type: string
+                                minimumRingSize:
+                                  description: The minimum number of virtual nodes
+                                    to use for the hash ring. Defaults to 1024. Larger
+                                    ring sizes result in more granular load distributions.
+                                    If the number of hosts in the load balancing pool
+                                    is larger than the ring size, each host will be
+                                    assigned a single virtual node.
+                                  format: int64
+                                  type: integer
+                                useSourceIp:
+                                  description: Hash based on the source IP address.
+                                  type: boolean
+                              type: object
+                            simple:
+                              description: 'It is required to specify exactly one
+                                of the fields: Simple or ConsistentHash'
+                              type: string
+                          type: object
+                        outlierDetection:
+                          description: Settings controlling eviction of unhealthy
+                            hosts from the load balancing pool
+                          properties:
+                            baseEjectionTime:
+                              description: 'Minimum ejection duration. A host will
+                                remain ejected for a period equal to the product of
+                                minimum ejection duration and the number of times
+                                the host has been ejected. This technique allows the
+                                system to automatically increase the ejection period
+                                for unhealthy upstream servers. format: 1h/1m/1s/1ms.
+                                MUST BE >=1ms. Default is 30s.'
+                              type: string
+                            consecutiveErrors:
+                              description: Number of errors before a host is ejected
+                                from the connection pool. Defaults to 5. When the
+                                upstream host is accessed over HTTP, a 5xx return
+                                code qualifies as an error. When the upstream host
+                                is accessed over an opaque TCP connection, connect
+                                timeouts and connection error/failure events qualify
+                                as an error.
+                              format: int32
+                              type: integer
+                            interval:
+                              description: 'Time interval between ejection sweep analysis.
+                                format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.'
+                              type: string
+                            maxEjectionPercent:
+                              description: Maximum % of hosts in the load balancing
+                                pool for the upstream service that can be ejected.
+                                Defaults to 10%.
+                              format: int32
+                              type: integer
+                          type: object
+                        portLevelSettings:
+                          description: Traffic policies specific to individual ports.
+                            Note that port level settings will override the destination-level
+                            settings. Traffic settings specified at the destination-level
+                            will not be inherited when overridden by port-level settings,
+                            i.e. default values will be applied to fields omitted
+                            in port-level traffic policies.
+                          items:
+                            properties:
+                              connectionPool:
+                                description: Settings controlling the volume of connections
+                                  to an upstream service
+                                properties:
+                                  http:
+                                    description: HTTP connection pool settings.
+                                    properties:
+                                      maxRequestsPerConnection:
+                                        description: Maximum number of requests per
+                                          connection to a backend. Setting this parameter
+                                          to 1 disables keep alive.
+                                        format: int32
+                                        type: integer
+                                      maxRetries:
+                                        description: Maximum number of retries that
+                                          can be outstanding to all hosts in a cluster
+                                          at a given time. Defaults to 3.
+                                        format: int32
+                                        type: integer
+                                    type: object
+                                  tcp:
+                                    description: Settings common to both HTTP and
+                                      TCP upstream connections.
+                                    properties:
+                                      connectTimeout:
+                                        description: TCP connection timeout.
+                                        type: string
+                                      maxConnections:
+                                        description: Maximum number of HTTP1 /TCP
+                                          connections to a destination host.
+                                        format: int32
+                                        type: integer
+                                    type: object
+                                type: object
+                              loadBalancer:
+                                description: Settings controlling the load balancer
+                                  algorithms.
+                                properties:
+                                  consistentHash:
+                                    properties:
+                                      httpCookie:
+                                        description: Hash based on HTTP cookie.
+                                        properties:
+                                          name:
+                                            description: REQUIRED. Name of the cookie.
+                                            type: string
+                                          path:
+                                            description: Path to set for the cookie.
+                                            type: string
+                                          ttl:
+                                            description: REQUIRED. Lifetime of the
+                                              cookie.
+                                            type: string
+                                        required:
+                                        - name
+                                        - ttl
+                                        type: object
+                                      httpHeaderName:
+                                        description: 'It is required to specify exactly
+                                          one of the fields as hash key: HttpHeaderName,
+                                          HttpCookie, or UseSourceIP. Hash based on
+                                          a specific HTTP header.'
+                                        type: string
+                                      minimumRingSize:
+                                        description: The minimum number of virtual
+                                          nodes to use for the hash ring. Defaults
+                                          to 1024. Larger ring sizes result in more
+                                          granular load distributions. If the number
+                                          of hosts in the load balancing pool is larger
+                                          than the ring size, each host will be assigned
+                                          a single virtual node.
+                                        format: int64
+                                        type: integer
+                                      useSourceIp:
+                                        description: Hash based on the source IP address.
+                                        type: boolean
+                                    type: object
+                                  simple:
+                                    description: 'It is required to specify exactly
+                                      one of the fields: Simple or ConsistentHash'
+                                    type: string
+                                type: object
+                              outlierDetection:
+                                description: Settings controlling eviction of unhealthy
+                                  hosts from the load balancing pool
+                                properties:
+                                  baseEjectionTime:
+                                    description: 'Minimum ejection duration. A host
+                                      will remain ejected for a period equal to the
+                                      product of minimum ejection duration and the
+                                      number of times the host has been ejected. This
+                                      technique allows the system to automatically
+                                      increase the ejection period for unhealthy upstream
+                                      servers. format: 1h/1m/1s/1ms. MUST BE >=1ms.
+                                      Default is 30s.'
+                                    type: string
+                                  consecutiveErrors:
+                                    description: Number of errors before a host is
+                                      ejected from the connection pool. Defaults to
+                                      5. When the upstream host is accessed over HTTP,
+                                      a 5xx return code qualifies as an error. When
+                                      the upstream host is accessed over an opaque
+                                      TCP connection, connect timeouts and connection
+                                      error/failure events qualify as an error.
+                                    format: int32
+                                    type: integer
+                                  interval:
+                                    description: 'Time interval between ejection sweep
+                                      analysis. format: 1h/1m/1s/1ms. MUST BE >=1ms.
+                                      Default is 10s.'
+                                    type: string
+                                  maxEjectionPercent:
+                                    description: Maximum % of hosts in the load balancing
+                                      pool for the upstream service that can be ejected.
+                                      Defaults to 10%.
+                                    format: int32
+                                    type: integer
+                                type: object
+                              port:
+                                description: Specifies the port name or number of
+                                  a port on the destination service on which this
+                                  policy is being applied.  Names must comply with
+                                  DNS label syntax (rfc1035) and therefore cannot
+                                  collide with numbers. If there are multiple ports
+                                  on a service with the same protocol the names should
+                                  be of the form <protocol-name>-<DNS label>.
+                                properties:
+                                  name:
+                                    description: Valid port name
+                                    type: string
+                                  number:
+                                    description: Valid port number
+                                    format: int32
+                                    type: integer
+                                type: object
+                              tls:
+                                description: TLS related settings for connections
+                                  to the upstream service.
+                                properties:
+                                  caCertificates:
+                                    description: 'OPTIONAL: The path to the file containing
+                                      certificate authority certificates to use in
+                                      verifying a presented server certificate. If
+                                      omitted, the proxy will not verify the server''s
+                                      certificate. Should be empty if mode is `ISTIO_MUTUAL`.'
+                                    type: string
+                                  clientCertificate:
+                                    description: REQUIRED if mode is `MUTUAL`. The
+                                      path to the file holding the client-side TLS
+                                      certificate to use. Should be empty if mode
+                                      is `ISTIO_MUTUAL`.
+                                    type: string
+                                  mode:
+                                    description: 'REQUIRED: Indicates whether connections
+                                      to this port should be secured using TLS. The
+                                      value of this field determines how TLS is enforced.'
+                                    type: string
+                                  privateKey:
+                                    description: REQUIRED if mode is `MUTUAL`. The
+                                      path to the file holding the client's private
+                                      key. Should be empty if mode is `ISTIO_MUTUAL`.
+                                    type: string
+                                  sni:
+                                    description: SNI string to present to the server
+                                      during TLS handshake. Should be empty if mode
+                                      is `ISTIO_MUTUAL`.
+                                    type: string
+                                  subjectAltNames:
+                                    description: A list of alternate names to verify
+                                      the subject identity in the certificate. If
+                                      specified, the proxy will verify that the server
+                                      certificate's subject alt name matches one of
+                                      the specified values. Should be empty if mode
+                                      is `ISTIO_MUTUAL`.
+                                    items:
+                                      type: string
+                                    type: array
+                                required:
+                                - mode
+                                type: object
+                            required:
+                            - port
+                            type: object
+                          type: array
+                        tls:
+                          description: TLS related settings for connections to the
+                            upstream service.
+                          properties:
+                            caCertificates:
+                              description: 'OPTIONAL: The path to the file containing
+                                certificate authority certificates to use in verifying
+                                a presented server certificate. If omitted, the proxy
+                                will not verify the server''s certificate. Should
+                                be empty if mode is `ISTIO_MUTUAL`.'
+                              type: string
+                            clientCertificate:
+                              description: REQUIRED if mode is `MUTUAL`. The path
+                                to the file holding the client-side TLS certificate
+                                to use. Should be empty if mode is `ISTIO_MUTUAL`.
+                              type: string
+                            mode:
+                              description: 'REQUIRED: Indicates whether connections
+                                to this port should be secured using TLS. The value
+                                of this field determines how TLS is enforced.'
+                              type: string
+                            privateKey:
+                              description: REQUIRED if mode is `MUTUAL`. The path
+                                to the file holding the client's private key. Should
+                                be empty if mode is `ISTIO_MUTUAL`.
+                              type: string
+                            sni:
+                              description: SNI string to present to the server during
+                                TLS handshake. Should be empty if mode is `ISTIO_MUTUAL`.
+                              type: string
+                            subjectAltNames:
+                              description: A list of alternate names to verify the
+                                subject identity in the certificate. If specified,
+                                the proxy will verify that the server certificate's
+                                subject alt name matches one of the specified values.
+                                Should be empty if mode is `ISTIO_MUTUAL`.
+                              items:
+                                type: string
+                              type: array
+                          required:
+                          - mode
+                          type: object
+                      type: object
+                  required:
+                  - host
+                  type: object
+              type: object
+          type: object
+        status:
+          type: object
+  version: v1alpha2
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/servicemesh_v1alpha2_strategy.yaml

@@ -0,0 +1,787 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  creationTimestamp: null
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: strategies.servicemesh.kubesphere.io
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .spec.type
+    description: type of strategy
+    name: Type
+    type: string
+  - JSONPath: .spec.template.spec.hosts
+    description: destination hosts
+    name: Hosts
+    type: string
+  - JSONPath: .metadata.creationTimestamp
+    description: 'CreationTimestamp is a timestamp representing the server time when
+      this object was created. It is not guaranteed to be set in happens-before order
+      across separate operations. Clients may not set this value. It is represented
+      in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+      lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+    name: Age
+    type: date
+  group: servicemesh.kubesphere.io
+  names:
+    kind: Strategy
+    plural: strategies
+  scope: Namespaced
+  validation:
+    openAPIV3Schema:
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          properties:
+            governor:
+              description: Governor version, the version takes control of all incoming
+                traffic label version value
+              type: string
+            principal:
+              description: Principal version, the one as reference version label version
+                value
+              type: string
+            selector:
+              description: Label selector for virtual services.
+              type: object
+            strategyPolicy:
+              description: strategy policy, how the strategy will be applied by the
+                strategy controller
+              type: string
+            template:
+              description: Template describes the virtual service that will be created.
+              properties:
+                metadata:
+                  description: Metadata of the virtual services created from this
+                    template
+                  type: object
+                spec:
+                  description: Spec indicates the behavior of a virtual service.
+                  properties:
+                    gateways:
+                      description: The names of gateways and sidecars that should
+                        apply these routes. A single VirtualService is used for sidecars
+                        inside the mesh as well as for one or more gateways. The selection
+                        condition imposed by this field can be overridden using the
+                        source field in the match conditions of HTTP/TCP routes. The
+                        reserved word "mesh" is used to imply all the sidecars in
+                        the mesh. When this field is omitted, the default gateway
+                        ("mesh") will be used, which would apply the rule to all sidecars
+                        in the mesh. If a list of gateway names is provided, the rules
+                        will apply only to the gateways. To apply the rules to both
+                        gateways and sidecars, specify "mesh" as one of the gateway
+                        names.
+                      items:
+                        type: string
+                      type: array
+                    hosts:
+                      description: REQUIRED. The destination address for traffic captured
+                        by this virtual service. Could be a DNS name with wildcard
+                        prefix or a CIDR prefix. Depending on the platform, short-names
+                        can also be used instead of a FQDN (i.e. has no dots in the
+                        name). In such a scenario, the FQDN of the host would be derived
+                        based on the underlying platform.  For example on Kubernetes,
+                        when hosts contains a short name, Istio will interpret the
+                        short name based on the namespace of the rule. Thus, when
+                        a client namespace applies a rule in the "default" namespace
+                        containing a name "reviews, Istio will setup routes to the
+                        "reviews.default.svc.cluster.local" service. However, if a
+                        different name such as "reviews.sales.svc.cluster.local" is
+                        used, it would be treated as a FQDN during virtual host matching.
+                        In Consul, a plain service name would be resolved to the FQDN
+                        "reviews.service.consul".  Note that the hosts field applies
+                        to both HTTP and TCP services. Service inside the mesh, i.e.,
+                        those found in the service registry, must always be referred
+                        to using their alphanumeric names. IP addresses or CIDR prefixes
+                        are allowed only for services defined via the Gateway.
+                      items:
+                        type: string
+                      type: array
+                    http:
+                      description: An ordered list of route rules for HTTP traffic.
+                        The first rule matching an incoming request is used.
+                      items:
+                        properties:
+                          appendHeaders:
+                            description: Additional HTTP headers to add before forwarding
+                              a request to the destination service.
+                            type: object
+                          corsPolicy:
+                            description: Cross-Origin Resource Sharing policy
+                            properties:
+                              allowCredentials:
+                                description: Indicates whether the caller is allowed
+                                  to send the actual request (not the preflight) using
+                                  credentials. Translates to Access-Control-Allow-Credentials
+                                  header.
+                                type: boolean
+                              allowHeaders:
+                                description: List of HTTP headers that can be used
+                                  when requesting the resource. Serialized to Access-Control-Allow-Methods
+                                  header.
+                                items:
+                                  type: string
+                                type: array
+                              allowMethods:
+                                description: List of HTTP methods allowed to access
+                                  the resource. The content will be serialized into
+                                  the Access-Control-Allow-Methods header.
+                                items:
+                                  type: string
+                                type: array
+                              allowOrigin:
+                                description: The list of origins that are allowed
+                                  to perform CORS requests. The content will be serialized
+                                  into the Access-Control-Allow-Origin header. Wildcard
+                                  * will allow all origins.
+                                items:
+                                  type: string
+                                type: array
+                              exposeHeaders:
+                                description: A white list of HTTP headers that the
+                                  browsers are allowed to access. Serialized into
+                                  Access-Control-Expose-Headers header.
+                                items:
+                                  type: string
+                                type: array
+                              maxAge:
+                                description: Specifies how long the the results of
+                                  a preflight request can be cached. Translates to
+                                  the Access-Control-Max-Age header.
+                                type: string
+                            type: object
+                          fault:
+                            description: Fault injection policy to apply on HTTP traffic.
+                            properties:
+                              abort:
+                                description: Abort Http request attempts and return
+                                  error codes back to downstream service, giving the
+                                  impression that the upstream service is faulty.
+                                properties:
+                                  httpStatus:
+                                    description: REQUIRED. HTTP status code to use
+                                      to abort the Http request.
+                                    format: int64
+                                    type: integer
+                                  percent:
+                                    description: Percentage of requests to be aborted
+                                      with the error code provided (0-100).
+                                    format: int64
+                                    type: integer
+                                required:
+                                - httpStatus
+                                type: object
+                              delay:
+                                description: Delay requests before forwarding, emulating
+                                  various failures such as network issues, overloaded
+                                  upstream service, etc.
+                                properties:
+                                  exponentialDelay:
+                                    description: (-- Add a delay (based on an exponential
+                                      function) before forwarding the request. mean
+                                      delay needed to derive the exponential delay
+                                      values --)
+                                    type: string
+                                  fixedDelay:
+                                    description: 'REQUIRED. Add a fixed delay before
+                                      forwarding the request. Format: 1h/1m/1s/1ms.
+                                      MUST be >=1ms.'
+                                    type: string
+                                  percent:
+                                    description: Percentage of requests on which the
+                                      delay will be injected (0-100).
+                                    format: int64
+                                    type: integer
+                                required:
+                                - fixedDelay
+                                type: object
+                            type: object
+                          match:
+                            description: Match conditions to be satisfied for the
+                              rule to be activated. All conditions inside a single
+                              match block have AND semantics, while the list of match
+                              blocks have OR semantics. The rule is matched if any
+                              one of the match blocks succeed.
+                            items:
+                              properties:
+                                authority:
+                                  description: 'HTTP Authority values are case-sensitive
+                                    and formatted as follows:  - `exact: "value"`
+                                    for exact string match  - `prefix: "value"` for
+                                    prefix-based match  - `regex: "value"` for ECMAscript
+                                    style regex-based match'
+                                  properties:
+                                    exact:
+                                      description: exact string match
+                                      type: string
+                                    prefix:
+                                      description: prefix-based match
+                                      type: string
+                                    regex:
+                                      description: ECMAscript style regex-based match
+                                      type: string
+                                    suffix:
+                                      description: suffix-based match.
+                                      type: string
+                                  type: object
+                                gateways:
+                                  description: Names of gateways where the rule should
+                                    be applied to. Gateway names at the top of the
+                                    VirtualService (if any) are overridden. The gateway
+                                    match is independent of sourceLabels.
+                                  items:
+                                    type: string
+                                  type: array
+                                headers:
+                                  description: 'The header keys must be lowercase
+                                    and use hyphen as the separator, e.g. _x-request-id_.  Header
+                                    values are case-sensitive and formatted as follows:  -
+                                    `exact: "value"` for exact string match  - `prefix:
+                                    "value"` for prefix-based match  - `regex: "value"`
+                                    for ECMAscript style regex-based match  **Note:**
+                                    The keys `uri`, `scheme`, `method`, and `authority`
+                                    will be ignored.'
+                                  type: object
+                                method:
+                                  description: 'HTTP Method values are case-sensitive
+                                    and formatted as follows:  - `exact: "value"`
+                                    for exact string match  - `prefix: "value"` for
+                                    prefix-based match  - `regex: "value"` for ECMAscript
+                                    style regex-based match'
+                                  properties:
+                                    exact:
+                                      description: exact string match
+                                      type: string
+                                    prefix:
+                                      description: prefix-based match
+                                      type: string
+                                    regex:
+                                      description: ECMAscript style regex-based match
+                                      type: string
+                                    suffix:
+                                      description: suffix-based match.
+                                      type: string
+                                  type: object
+                                port:
+                                  description: Specifies the ports on the host that
+                                    is being addressed. Many services only expose
+                                    a single port or label ports with the protocols
+                                    they support, in these cases it is not required
+                                    to explicitly select the port.
+                                  format: int32
+                                  type: integer
+                                scheme:
+                                  description: 'URI Scheme values are case-sensitive
+                                    and formatted as follows:  - `exact: "value"`
+                                    for exact string match  - `prefix: "value"` for
+                                    prefix-based match  - `regex: "value"` for ECMAscript
+                                    style regex-based match'
+                                  properties:
+                                    exact:
+                                      description: exact string match
+                                      type: string
+                                    prefix:
+                                      description: prefix-based match
+                                      type: string
+                                    regex:
+                                      description: ECMAscript style regex-based match
+                                      type: string
+                                    suffix:
+                                      description: suffix-based match.
+                                      type: string
+                                  type: object
+                                sourceLabels:
+                                  description: One or more labels that constrain the
+                                    applicability of a rule to workloads with the
+                                    given labels. If the VirtualService has a list
+                                    of gateways specified at the top, it should include
+                                    the reserved gateway `mesh` in order for this
+                                    field to be applicable.
+                                  type: object
+                                uri:
+                                  description: 'URI to match values are case-sensitive
+                                    and formatted as follows:  - `exact: "value"`
+                                    for exact string match  - `prefix: "value"` for
+                                    prefix-based match  - `regex: "value"` for ECMAscript
+                                    style regex-based match'
+                                  properties:
+                                    exact:
+                                      description: exact string match
+                                      type: string
+                                    prefix:
+                                      description: prefix-based match
+                                      type: string
+                                    regex:
+                                      description: ECMAscript style regex-based match
+                                      type: string
+                                    suffix:
+                                      description: suffix-based match.
+                                      type: string
+                                  type: object
+                              type: object
+                            type: array
+                          mirror:
+                            description: Mirror HTTP traffic to a another destination
+                              in addition to forwarding the requests to the intended
+                              destination. Mirrored traffic is on a best effort basis
+                              where the sidecar/gateway will not wait for the mirrored
+                              cluster to respond before returning the response from
+                              the original destination.  Statistics will be generated
+                              for the mirrored destination.
+                            properties:
+                              host:
+                                description: 'REQUIRED. The name of a service from
+                                  the service registry. Service names are looked up
+                                  from the platform''s service registry (e.g., Kubernetes
+                                  services, Consul services, etc.) and from the hosts
+                                  declared by [ServiceEntry](#ServiceEntry). Traffic
+                                  forwarded to destinations that are not found in
+                                  either of the two, will be dropped.  *Note for Kubernetes
+                                  users*: When short names are used (e.g. "reviews"
+                                  instead of "reviews.default.svc.cluster.local"),
+                                  Istio will interpret the short name based on the
+                                  namespace of the rule, not the service. A rule in
+                                  the "default" namespace containing a host "reviews
+                                  will be interpreted as "reviews.default.svc.cluster.local",
+                                  irrespective of the actual namespace associated
+                                  with the reviews service. _To avoid potential misconfigurations,
+                                  it is recommended to always use fully qualified
+                                  domain names over short names._'
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed. If a service exposes only a single
+                                  port it is not required to explicitly select the
+                                  port.
+                                properties:
+                                  name:
+                                    description: Valid port name
+                                    type: string
+                                  number:
+                                    description: Valid port number
+                                    format: int32
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                  Applicable only to services within the mesh. The
+                                  subset must be defined in a corresponding DestinationRule.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          redirect:
+                            description: A http rule can either redirect or forward
+                              (default) traffic. If traffic passthrough option is
+                              specified in the rule, route/redirect will be ignored.
+                              The redirect primitive can be used to send a HTTP 302
+                              redirect to a different URI or Authority.
+                            properties:
+                              authority:
+                                description: On a redirect, overwrite the Authority/Host
+                                  portion of the URL with this value.
+                                type: string
+                              uri:
+                                description: On a redirect, overwrite the Path portion
+                                  of the URL with this value. Note that the entire
+                                  path will be replaced, irrespective of the request
+                                  URI being matched as an exact path or prefix.
+                                type: string
+                            type: object
+                          removeResponseHeaders:
+                            description: Http headers to remove before returning the
+                              response to the caller
+                            type: object
+                          retries:
+                            description: Retry policy for HTTP requests.
+                            properties:
+                              attempts:
+                                description: REQUIRED. Number of retries for a given
+                                  request. The interval between retries will be determined
+                                  automatically (25ms+). Actual number of retries
+                                  attempted depends on the httpReqTimeout.
+                                format: int64
+                                type: integer
+                              perTryTimeout:
+                                description: 'Timeout per retry attempt for a given
+                                  request. format: 1h/1m/1s/1ms. MUST BE >=1ms.'
+                                type: string
+                            required:
+                            - attempts
+                            - perTryTimeout
+                            type: object
+                          rewrite:
+                            description: Rewrite HTTP URIs and Authority headers.
+                              Rewrite cannot be used with Redirect primitive. Rewrite
+                              will be performed before forwarding.
+                            properties:
+                              authority:
+                                description: rewrite the Authority/Host header with
+                                  this value.
+                                type: string
+                              uri:
+                                description: rewrite the path (or the prefix) portion
+                                  of the URI with this value. If the original URI
+                                  was matched based on prefix, the value provided
+                                  in this field will replace the corresponding matched
+                                  prefix.
+                                type: string
+                            type: object
+                          route:
+                            description: A http rule can either redirect or forward
+                              (default) traffic. The forwarding target can be one
+                              of several versions of a service (see glossary in beginning
+                              of document). Weights associated with the service version
+                              determine the proportion of traffic it receives.
+                            items:
+                              properties:
+                                destination:
+                                  description: REQUIRED. Destination uniquely identifies
+                                    the instances of a service to which the request/connection
+                                    should be forwarded to.
+                                  properties:
+                                    host:
+                                      description: 'REQUIRED. The name of a service
+                                        from the service registry. Service names are
+                                        looked up from the platform''s service registry
+                                        (e.g., Kubernetes services, Consul services,
+                                        etc.) and from the hosts declared by [ServiceEntry](#ServiceEntry).
+                                        Traffic forwarded to destinations that are
+                                        not found in either of the two, will be dropped.  *Note
+                                        for Kubernetes users*: When short names are
+                                        used (e.g. "reviews" instead of "reviews.default.svc.cluster.local"),
+                                        Istio will interpret the short name based
+                                        on the namespace of the rule, not the service.
+                                        A rule in the "default" namespace containing
+                                        a host "reviews will be interpreted as "reviews.default.svc.cluster.local",
+                                        irrespective of the actual namespace associated
+                                        with the reviews service. _To avoid potential
+                                        misconfigurations, it is recommended to always
+                                        use fully qualified domain names over short
+                                        names._'
+                                      type: string
+                                    port:
+                                      description: Specifies the port on the host
+                                        that is being addressed. If a service exposes
+                                        only a single port it is not required to explicitly
+                                        select the port.
+                                      properties:
+                                        name:
+                                          description: Valid port name
+                                          type: string
+                                        number:
+                                          description: Valid port number
+                                          format: int32
+                                          type: integer
+                                      type: object
+                                    subset:
+                                      description: The name of a subset within the
+                                        service. Applicable only to services within
+                                        the mesh. The subset must be defined in a
+                                        corresponding DestinationRule.
+                                      type: string
+                                  required:
+                                  - host
+                                  type: object
+                                weight:
+                                  description: REQUIRED. The proportion of traffic
+                                    to be forwarded to the service version. (0-100).
+                                    Sum of weights across destinations SHOULD BE ==
+                                    100. If there is only destination in a rule, the
+                                    weight value is assumed to be 100.
+                                  format: int64
+                                  type: integer
+                              required:
+                              - destination
+                              - weight
+                              type: object
+                            type: array
+                          timeout:
+                            description: Timeout for HTTP requests.
+                            type: string
+                          websocketUpgrade:
+                            description: Indicates that a HTTP/1.1 client connection
+                              to this particular route should be allowed (and expected)
+                              to upgrade to a WebSocket connection. The default is
+                              false. Istio's reference sidecar implementation (Envoy)
+                              expects the first request to this route to contain the
+                              WebSocket upgrade headers. Otherwise, the request will
+                              be rejected. Note that Websocket allows secondary protocol
+                              negotiation which may then be subject to further routing
+                              rules based on the protocol selected.
+                            type: boolean
+                        type: object
+                      type: array
+                    tcp:
+                      description: An ordered list of route rules for TCP traffic.
+                        The first rule matching an incoming request is used.
+                      items:
+                        properties:
+                          match:
+                            description: Match conditions to be satisfied for the
+                              rule to be activated. All conditions inside a single
+                              match block have AND semantics, while the list of match
+                              blocks have OR semantics. The rule is matched if any
+                              one of the match blocks succeed.
+                            items:
+                              properties:
+                                destinationSubnets:
+                                  description: IPv4 or IPv6 ip address of destination
+                                    with optional subnet.  E.g., a.b.c.d/xx form or
+                                    just a.b.c.d.
+                                  items:
+                                    type: string
+                                  type: array
+                                gateways:
+                                  description: Names of gateways where the rule should
+                                    be applied to. Gateway names at the top of the
+                                    VirtualService (if any) are overridden. The gateway
+                                    match is independent of sourceLabels.
+                                  items:
+                                    type: string
+                                  type: array
+                                port:
+                                  description: Specifies the port on the host that
+                                    is being addressed. Many services only expose
+                                    a single port or label ports with the protocols
+                                    they support, in these cases it is not required
+                                    to explicitly select the port.
+                                  format: int64
+                                  type: integer
+                                sourceLabels:
+                                  description: One or more labels that constrain the
+                                    applicability of a rule to workloads with the
+                                    given labels. If the VirtualService has a list
+                                    of gateways specified at the top, it should include
+                                    the reserved gateway `mesh` in order for this
+                                    field to be applicable.
+                                  type: object
+                              type: object
+                            type: array
+                          route:
+                            description: The destinations to which the connection
+                              should be forwarded to. Weights must add to 100%.
+                            items:
+                              properties:
+                                destination:
+                                  description: REQUIRED. Destination uniquely identifies
+                                    the instances of a service to which the request/connection
+                                    should be forwarded to.
+                                  properties:
+                                    host:
+                                      description: 'REQUIRED. The name of a service
+                                        from the service registry. Service names are
+                                        looked up from the platform''s service registry
+                                        (e.g., Kubernetes services, Consul services,
+                                        etc.) and from the hosts declared by [ServiceEntry](#ServiceEntry).
+                                        Traffic forwarded to destinations that are
+                                        not found in either of the two, will be dropped.  *Note
+                                        for Kubernetes users*: When short names are
+                                        used (e.g. "reviews" instead of "reviews.default.svc.cluster.local"),
+                                        Istio will interpret the short name based
+                                        on the namespace of the rule, not the service.
+                                        A rule in the "default" namespace containing
+                                        a host "reviews will be interpreted as "reviews.default.svc.cluster.local",
+                                        irrespective of the actual namespace associated
+                                        with the reviews service. _To avoid potential
+                                        misconfigurations, it is recommended to always
+                                        use fully qualified domain names over short
+                                        names._'
+                                      type: string
+                                    port:
+                                      description: Specifies the port on the host
+                                        that is being addressed. If a service exposes
+                                        only a single port it is not required to explicitly
+                                        select the port.
+                                      properties:
+                                        name:
+                                          description: Valid port name
+                                          type: string
+                                        number:
+                                          description: Valid port number
+                                          format: int32
+                                          type: integer
+                                      type: object
+                                    subset:
+                                      description: The name of a subset within the
+                                        service. Applicable only to services within
+                                        the mesh. The subset must be defined in a
+                                        corresponding DestinationRule.
+                                      type: string
+                                  required:
+                                  - host
+                                  type: object
+                                weight:
+                                  description: REQUIRED. The proportion of traffic
+                                    to be forwarded to the service version. (0-100).
+                                    Sum of weights across destinations SHOULD BE ==
+                                    100. If there is only destination in a rule, the
+                                    weight value is assumed to be 100.
+                                  format: int64
+                                  type: integer
+                              required:
+                              - destination
+                              - weight
+                              type: object
+                            type: array
+                        required:
+                        - match
+                        - route
+                        type: object
+                      type: array
+                    tls:
+                      items:
+                        properties:
+                          match:
+                            description: REQUIRED. Match conditions to be satisfied
+                              for the rule to be activated. All conditions inside
+                              a single match block have AND semantics, while the list
+                              of match blocks have OR semantics. The rule is matched
+                              if any one of the match blocks succeed.
+                            items:
+                              properties:
+                                destinationSubnets:
+                                  description: IPv4 or IPv6 ip addresses of destination
+                                    with optional subnet.  E.g., a.b.c.d/xx form or
+                                    just a.b.c.d.
+                                  items:
+                                    type: string
+                                  type: array
+                                gateways:
+                                  description: Names of gateways where the rule should
+                                    be applied to. Gateway names at the top of the
+                                    VirtualService (if any) are overridden. The gateway
+                                    match is independent of sourceLabels.
+                                  items:
+                                    type: string
+                                  type: array
+                                port:
+                                  description: Specifies the port on the host that
+                                    is being addressed. Many services only expose
+                                    a single port or label ports with the protocols
+                                    they support, in these cases it is not required
+                                    to explicitly select the port.
+                                  format: int64
+                                  type: integer
+                                sniHosts:
+                                  description: REQUIRED. SNI (server name indicator)
+                                    to match on. Wildcard prefixes can be used in
+                                    the SNI value, e.g., *.com will match foo.example.com
+                                    as well as example.com. An SNI value must be a
+                                    subset (i.e., fall within the domain) of the corresponding
+                                    virtual service's hosts
+                                  items:
+                                    type: string
+                                  type: array
+                                sourceLabels:
+                                  description: One or more labels that constrain the
+                                    applicability of a rule to workloads with the
+                                    given labels. If the VirtualService has a list
+                                    of gateways specified at the top, it should include
+                                    the reserved gateway `mesh` in order for this
+                                    field to be applicable.
+                                  type: object
+                              required:
+                              - sniHosts
+                              type: object
+                            type: array
+                          route:
+                            description: The destination to which the connection should
+                              be forwarded to.
+                            items:
+                              properties:
+                                destination:
+                                  description: REQUIRED. Destination uniquely identifies
+                                    the instances of a service to which the request/connection
+                                    should be forwarded to.
+                                  properties:
+                                    host:
+                                      description: 'REQUIRED. The name of a service
+                                        from the service registry. Service names are
+                                        looked up from the platform''s service registry
+                                        (e.g., Kubernetes services, Consul services,
+                                        etc.) and from the hosts declared by [ServiceEntry](#ServiceEntry).
+                                        Traffic forwarded to destinations that are
+                                        not found in either of the two, will be dropped.  *Note
+                                        for Kubernetes users*: When short names are
+                                        used (e.g. "reviews" instead of "reviews.default.svc.cluster.local"),
+                                        Istio will interpret the short name based
+                                        on the namespace of the rule, not the service.
+                                        A rule in the "default" namespace containing
+                                        a host "reviews will be interpreted as "reviews.default.svc.cluster.local",
+                                        irrespective of the actual namespace associated
+                                        with the reviews service. _To avoid potential
+                                        misconfigurations, it is recommended to always
+                                        use fully qualified domain names over short
+                                        names._'
+                                      type: string
+                                    port:
+                                      description: Specifies the port on the host
+                                        that is being addressed. If a service exposes
+                                        only a single port it is not required to explicitly
+                                        select the port.
+                                      properties:
+                                        name:
+                                          description: Valid port name
+                                          type: string
+                                        number:
+                                          description: Valid port number
+                                          format: int32
+                                          type: integer
+                                      type: object
+                                    subset:
+                                      description: The name of a subset within the
+                                        service. Applicable only to services within
+                                        the mesh. The subset must be defined in a
+                                        corresponding DestinationRule.
+                                      type: string
+                                  required:
+                                  - host
+                                  type: object
+                                weight:
+                                  description: REQUIRED. The proportion of traffic
+                                    to be forwarded to the service version. (0-100).
+                                    Sum of weights across destinations SHOULD BE ==
+                                    100. If there is only destination in a rule, the
+                                    weight value is assumed to be 100.
+                                  format: int64
+                                  type: integer
+                              required:
+                              - destination
+                              - weight
+                              type: object
+                            type: array
+                        required:
+                        - match
+                        - route
+                        type: object
+                      type: array
+                  required:
+                  - hosts
+                  type: object
+              type: object
+            type:
+              description: Strategy type
+              type: string
+          type: object
+        status:
+          type: object
+  version: v1alpha2
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/tenant_v1alpha1_workspace.yaml

@@ -0,0 +1,42 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  creationTimestamp: null
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: workspaces.tenant.kubesphere.io
+spec:
+  group: tenant.kubesphere.io
+  names:
+    kind: Workspace
+    plural: workspaces
+  scope: Cluster
+  validation:
+    openAPIV3Schema:
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          properties:
+            manager:
+              type: string
+          type: object
+        status:
+          type: object
+  version: v1alpha1
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/default/kustomization.yaml

@@ -0,0 +1,49 @@
+# Adds namespace to all resources.
+namespace: t-system
+
+# Value of this field is prepended to the
+# names of all resources, e.g. a deployment named
+# "wordpress" becomes "alices-wordpress".
+# Note that it should also match with the prefix (text before '-') of the namespace
+# field above.
+namePrefix: t-
+
+# Labels to add to all resources and selectors.
+#commonLabels:
+#  someName: someValue
+
+# Each entry in this list must resolve to an existing
+# resource definition in YAML.  These are the resource
+# files that kustomize reads, modifies and emits as a
+# YAML string, with resources separated by document
+# markers ("---").
+resources:
+- ../rbac/rbac_role.yaml
+- ../rbac/rbac_role_binding.yaml
+- ../manager/manager.yaml
+  # Comment the following 3 lines if you want to disable
+  # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
+  # which protects your /metrics endpoint.
+#- ../rbac/auth_proxy_service.yaml
+#- ../rbac/auth_proxy_role.yaml
+#- ../rbac/auth_proxy_role_binding.yaml
+
+patches:
+- manager_image_patch.yaml
+  # Protect the /metrics endpoint by putting it behind auth.
+  # Only one of manager_auth_proxy_patch.yaml and
+  # manager_prometheus_metrics_patch.yaml should be enabled.
+- manager_auth_proxy_patch.yaml
+  # If you want your controller-manager to expose the /metrics
+  # endpoint w/o any authn/z, uncomment the following line and
+  # comment manager_auth_proxy_patch.yaml.
+  # Only one of manager_auth_proxy_patch.yaml and
+  # manager_prometheus_metrics_patch.yaml should be enabled.
+#- manager_prometheus_metrics_patch.yaml
+
+vars:
+- name: WEBHOOK_SECRET_NAME
+  objref:
+    kind: Secret
+    name: webhook-server-secret
+    apiVersion: v1

config/default/manager_auth_proxy_patch.yaml

@@ -0,0 +1,24 @@
+# This patch inject a sidecar container which is a HTTP proxy for the controller manager,
+# it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - name: kube-rbac-proxy
+        image: quay.io/coreos/kube-rbac-proxy:v0.4.0
+        args:
+        - "--secure-listen-address=0.0.0.0:8443"
+        - "--upstream=http://127.0.0.1:8080/"
+        - "--logtostderr=true"
+        - "--v=10"
+        ports:
+        - containerPort: 8443
+          name: https
+      - name: manager
+        args:
+        - "--metrics-addr=127.0.0.1:8080"

config/default/manager_image_patch.yaml

@@ -0,0 +1,12 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      # Change the value of image field below to your controller image URL
+      - image: kubespheredev/controller-manager:latest
+        name: manager

config/default/manager_prometheus_metrics_patch.yaml

@@ -0,0 +1,19 @@
+# This patch enables Prometheus scraping for the manager pod.
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    metadata:
+      annotations:
+        prometheus.io/scrape: 'true'
+    spec:
+      containers:
+      # Expose the prometheus metrics on default port
+      - name: manager
+        ports:
+        - containerPort: 8080
+          name: metrics
+          protocol: TCP

config/manager/manager.yaml

@@ -0,0 +1,83 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    control-plane: controller-manager
+    controller-tools.k8s.io: "1.0"
+  name: system
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: controller-manager-service
+  namespace: system
+  labels:
+    control-plane: controller-manager
+    controller-tools.k8s.io: "1.0"
+spec:
+  selector:
+    control-plane: controller-manager
+    controller-tools.k8s.io: "1.0"
+  ports:
+  - port: 443
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: controller-manager
+  namespace: system
+  labels:
+    control-plane: controller-manager
+    controller-tools.k8s.io: "1.0"
+spec:
+  selector:
+    matchLabels:
+      control-plane: controller-manager
+      controller-tools.k8s.io: "1.0"
+  serviceName: controller-manager-service
+  template:
+    metadata:
+      labels:
+        control-plane: controller-manager
+        controller-tools.k8s.io: "1.0"
+    spec:
+      containers:
+      - command:
+        - ./controller-manager
+        image: kubespheredev/controller-manager:latest
+        imagePullPolicy: Always
+        name: manager
+        env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          - name: SECRET_NAME
+            value: $(WEBHOOK_SECRET_NAME)
+        resources:
+          limits:
+            cpu: 100m
+            memory: 30Mi
+          requests:
+            cpu: 100m
+            memory: 20Mi
+        ports:
+        - containerPort: 9876
+          name: webhook-server
+          protocol: TCP
+        volumeMounts:
+        - mountPath: /tmp/cert
+          name: cert
+          readOnly: true
+      terminationGracePeriodSeconds: 10
+      volumes:
+      - name: cert
+        secret:
+          defaultMode: 420
+          secretName: webhook-server-secret
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: webhook-server-secret
+  namespace: system

config/rbac/auth_proxy_role.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: proxy-role
+rules:
+- apiGroups: ["authentication.k8s.io"]
+  resources:
+  - tokenreviews
+  verbs: ["create"]
+- apiGroups: ["authorization.k8s.io"]
+  resources:
+  - subjectaccessreviews
+  verbs: ["create"]

config/rbac/auth_proxy_role_binding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: proxy-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: proxy-role
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: system

config/rbac/auth_proxy_service.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    prometheus.io/port: "8443"
+    prometheus.io/scheme: https
+    prometheus.io/scrape: "true"
+  labels:
+    control-plane: controller-manager
+    controller-tools.k8s.io: "1.0"
+  name: controller-manager-metrics-service
+  namespace: system
+spec:
+  ports:
+  - name: https
+    port: 8443
+    targetPort: https
+  selector:
+    control-plane: controller-manager
+    controller-tools.k8s.io: "1.0"

config/rbac/rbac_role.yaml

@@ -0,0 +1,103 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: manager-role
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces/status
+    verbs:
+      - get
+      - update
+      - patch
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces/status
+    verbs:
+      - get
+      - update
+      - patch
+  - apiGroups:
+      - tenant.kubesphere.io
+    resources:
+      - workspaces
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - tenant.kubesphere.io
+    resources:
+      - workspaces/status
+    verbs:
+      - get
+      - update
+      - patch
+  - apiGroups:
+      - admissionregistration.k8s.io
+    resources:
+      - mutatingwebhookconfigurations
+      - validatingwebhookconfigurations
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete

config/rbac/rbac_role_binding.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  creationTimestamp: null
+  name: manager-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: manager-role
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: system

config/samples/servicemesh_v1alpha2_servicepolicy.yaml

@@ -0,0 +1,9 @@
+apiVersion: servicemesh.kubesphere.io/v1alpha2
+kind: ServicePolicy
+metadata:
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: servicepolicy-sample
+spec:
+  # Add fields here
+  foo: bar

config/samples/servicemesh_v1alpha2_strategy.yaml

@@ -0,0 +1,28 @@
+apiVersion: servicemesh.kubesphere.io/v1alpha2
+kind: Strategy
+metadata:
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: strategy-sample
+spec:
+  # Add fields here
+  type: Canary
+  selector:
+    matchLabels:
+      "servicemesh.kubesphere.io/type": "canary"
+  template:
+    spec:
+      service: "details"
+      principal: "v1"
+      hosts:
+      - details
+      http:
+      - route:
+        - destination:
+            host: "details"
+            subset: v1
+          weight: 60
+        - destination:
+            host: "details"
+            subset: v2
+          weight: 40

config/samples/tenant_v1alpha1_workspace.yaml

@@ -0,0 +1,8 @@
+apiVersion: tenant.kubesphere.io/v1alpha1
+kind: Workspace
+metadata:
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: workspace-sample
+  spec:
+    manager: admin

docs/README.md

@@ -1,51 +0,0 @@
-# OpenPitrix Developer Guide
-
-The developer guide is for anyone wanting to either write code which directly accesses the
-OpenPitrix API, or to contribute directly to the OpenPitrix project.
-
-
-## The process of developing and contributing code to the OpenPitrix project
-
-* **Welcome to OpenPitrix (New Developer Guide)**
-  ([welcome-to-OpenPitrix-new-developer-guide.md](welcome-to-OpenPitrix-new-developer-guide.md)):
-  An introductory guide to contributing to OpenPitrix.
-
-* **On Collaborative Development** ([collab.md](collab.md)): Info on pull requests and code reviews.
-
-* **GitHub Issues** ([issues.md](issues.md)): How incoming issues are triaged.
-
-* **Pull Request Process** ([pull-requests.md](pull-requests.md)): When and why pull requests are closed.
-
-* **Getting Recent Builds** ([getting-builds.md](getting-builds.md)): How to get recent builds including the latest builds that pass CI.
-
-* **Automated Tools** ([automation.md](automation.md)): Descriptions of the automation that is running on our github repository.
-
-
-## Setting up your dev environment, coding, and debugging
-
-* **Development Guide** ([development.md](development.md)): Setting up your development environment.
-
-* **Testing** ([testing.md](testing.md)): How to run unit, integration, and end-to-end tests in your development sandbox.
-
-* **Hunting flaky tests** ([flaky-tests.md](flaky-tests.md)): We have a goal of 99.9% flake free tests.
-  Here's how to run your tests many times.
-
-* **Logging Conventions** ([logging.md](logging.md)): Glog levels.
-
-* **Coding Conventions** ([coding-conventions.md](coding-conventions.md)):
-  Coding style advice for contributors.
-
-* **Document Conventions** ([how-to-doc.md](how-to-doc.md))
-  Document style advice for contributors.
-
-* **Running a cluster locally** ([running-locally.md](running-locally.md)):
-  A fast and lightweight local cluster deployment for development.
-
-## Developing against the OpenPitrix API
-
-* The [REST API documentation](http://openpitrix.io/docs/reference/) explains the REST
-  API exposed by apiserver.
-
-## Building releases
-
-See the [openpitrix/release](https://github.com/kubernetes/release) repository for details on creating releases and related tools and helper scripts.

docs/development-guide.md

@@ -0,0 +1,176 @@
+# Development Guide
+
+This document walks you through how to get started developing KubeSphere and development workflow.
+
+## Preparing the environment
+
+### Go
+
+KubeSphere development is based on [Kubernetes](https://github.com/kubernetes/kubernetes), both of them are written in [Go](http://golang.org/). If you don't have a Go development environment, please [set one up](http://golang.org/doc/code.html).
+
+| Kubernetes     | requires Go |
+|----------------|-------------|
+| 1.13+          | >= 1.12     |
+
+> Tips: 
+> - Ensure your GOPATH and PATH have been configured in accordance with the Go
+environment instructions. 
+> - It's recommended to install [macOS GNU tools](https://www.topbug.net/blog/2013/04/14/install-and-use-gnu-command-line-tools-in-mac-os-x) for Mac OS.
+
+
+### Dependency management
+
+KubeSphere uses `dep` to manage dependencies in the `vendor/` tree, execute following command to install [dep](https://github.com/golang/dep).
+
+```go
+go get -u github.com/golang/dep/cmd/dep
+```
+#### Dependencies
+
+[kubesphere/kubesphere](https://github.com/kubesphere/kubesphere) repository contains the source code . If you're looking for its dependent components, they live in their own repositories since they can be individual and universal.
+
+- [Alert](https://github.com/kubesphere/alert): Alert is an enterprise-grade general-purpose high-performance alerting system.
+- [Notification](https://github.com/openpitrix/notification): Notification is an enterprise-grade general-purpose high-performance notification system, it provides email notification service for KubeSphere currently.
+- [OpenPitrix](https://github.com/openpitrix/openpitrix): Application management platform on multi-cloud environment, it provides application template and application management for KubeSphere currently.
+- [SonarQube](https://github.com/SonarSource/sonarqube): Integrated in KubeSphere DevOps, it provides the capability to not only show health of an application but also to highlight issues newly introduced. 
+
+### Test
+
+In the development process, it is recommended to use local Kubernetes clusters, such as [minikube](https://kubernetes.io/docs/tasks/tools/install-minikube/), or to install an single-node [all-in-one](https://github.com/kubesphere/kubesphere#all-in-one) environment (Kubernetes-based) for quick testing.
+
+> Tip: It also supports to use Docker for Desktop ships with Kubernetes as the test environment.
+
+## Development Workflow
+
+![ks-workflow](images/ks-workflow.png)
+
+### 1 Fork in the cloud
+
+1. Visit https://github.com/kubesphere/kubesphere
+2. Click `Fork` button to establish a cloud-based fork.
+
+### 2 Clone fork to local storage
+
+Per Go's [workspace instructions][https://golang.org/doc/code.html#Workspaces], place KubeSphere' code on your `GOPATH` using the following cloning procedure.
+
+1. Define a local working directory:
+
+```bash
+$ export working_dir=$GOPATH/src/kubesphere.io
+$ export user={your github profile name}
+```
+
+2. Create your clone locally:
+
+```bash
+$ mkdir -p $working_dir
+$ cd $working_dir
+$ git clone https://github.com/$user/kubesphere.git
+$ cd $working_dir/kubesphere
+$ git remote add upstream https://github.com/kubesphere/kubesphere.git
+
+# Never push to upstream master
+$ git remote set-url --push upstream no_push
+
+# Confirm that your remotes make sense:
+$ git remote -v
+```
+
+### 3 Keep your branch in sync
+
+```bash
+git fetch upstream
+git checkout master
+git rebase upstream/master
+```
+
+### 4 Add new features or fix issues
+
+Branch from it:
+
+```bash
+$ git checkout -b myfeature
+```
+
+Then edit code on the myfeature branch.
+
+**Test and build**
+
+Currently, make rules only contain simple checks such as vet, unit test, will add e2e tests soon.
+
+**Using KubeBuilder**
+
+- For Linux OS, you can download and execute this [KubeBuilder script](https://raw.githubusercontent.com/kubesphere/kubesphere/master/hack/install_kubebuilder.sh).
+
+- For MacOS, you can install KubeBuilder by following this [guide](https://book.kubebuilder.io/quick-start.html).
+
+**Run and test**
+
+```bash
+$ make all
+# Run every unit test
+$ make test
+```
+
+Run `make help` for additional information on these make targets.
+
+### 5 Development in new branch
+
+**Sync with upstream**
+
+After the test is completed, suggest you to keep your local in sync with upstream which can avoid conflicts.
+
+```
+# Rebase your the master branch of your local repo.
+$ git checkout master
+$ git rebase upstream/master
+
+# Then make your development branch in sync with master branch
+git checkout new_feature
+git rebase -i master
+```
+**Commit local changes**
+
+```bash
+$ git add <file>
+$ git commit -s -m "add your description"
+```
+
+### 6 Push to your folk
+
+When ready to review (or just to establish an offsite backup or your work), push your branch to your fork on github.com:
+
+```
+$ git push -f ${your_remote_name} myfeature
+```
+
+### 7 Create a PR
+
+- Visit your fork at https://github.com/$user/kubesphere
+- Click the` Compare & Pull Request` button next to your myfeature branch.
+- Check out the [pull request process](pull-request.md) for more details and advice.
+
+
+## CI/CD
+
+KubeSphere uses [Travis CI](https://travis-ci.org/) as a CI/CD tool.
+
+The components of KubeSphere need to be compiled and build include following:
+
+`ks-apiserver, ks-controller-manager, ks-account, ks-apigateway, ks-devops`
+
+After your PR is merged，Travis CI will compile the entire project and build the image, and push the image `kubespheredev/[component-name]:latest` to Dockerhub (e.g. `kubespheredev/ks-apiserver:latest`)
+
+## API Reference
+
+KubeSphere provides standard RESTFul API and detailed API documentations for developers, see [KubeSphere API Reference](https://docs.kubesphere.io/advanced-v2.0/zh-CN/api-reference/api-docs/) for more information.
+
+## Code conventions
+
+Please reference [Code conventions](https://github.com/kubernetes/community/blob/master/contributors/guide/coding-conventions.md) and follow with the rules.
+
+**Note:**
+
+> - All new packages and most new significant functionality must come with unit tests
+> - Comment your code in English, see [Go's commenting conventions
+](http://blog.golang.org/godoc-documenting-go-code)

docs/development.md

@@ -1,74 +0,0 @@
-# Developing for KubeSphere
-
-The [community repository](https://github.com/kubesphere) hosts all information about
-building KubeSphere from source, how to contribute code and documentation, who to contact about what, etc. If you find a requirement that this doc does not capture, or if you find other docs with references to requirements that are not simply links to this doc, please [submit an issue](https://github.com/kubesphere/kubesphere/issues/new).
-
-----
-
-## To start developing KubeSphere
-
-First of all, you should fork the project. Then follow one of the three options below to develop the project. Please note you should replace the official repo when using __go get__ or __git clone__ below with your own one.
-
-### 1. You have a working [Docker Compose](https://docs.docker.com/compose/install) environment [recommend].
->You need to install [Docker](https://docs.docker.com/engine/installation/) first.
-
-```shell
-$ git clone https://github.com/kubesphere/kubesphere
-$ cd kubesphere
-$ make build
-$ make compose-up
-```
-
-Exit docker runtime environment
-```shell
-$ make compose-down
-```
-
-### 2. You have a working [Docker](https://docs.docker.com/engine/installation/) environment.
-
-
-Exit docker runtime environment
-```shell
-$ docker stop $(docker ps -f name=kubesphere -q)
-```
-
-### 3. You have a working [Go](prereqs.md#setting-up-go) environment.
-
-- Install [protoc compiler](https://github.com/google/protobuf/releases/)
-- Install protoc plugin:
-
-```shell
-$ go get github.com/golang/protobuf/protoc-gen-go
-$ go get github.com/grpc-ecosystem/grpc-gateway/protoc-gen-grpc-gateway
-$ go get github.com/grpc-ecosystem/grpc-gateway/protoc-gen-swagger
-$ go get github.com/mwitkow/go-proto-validators/protoc-gen-govalidators
-```
-
-- Get kubesphere source code and build service:
-
-```shell
-$ go get -d kubesphere.io/kubesphere
-$ cd $GOPATH/src/kubesphere.io/kubesphere
-$ make generate
-$ GOBIN=`pwd`/bin go install ./cmd/...
-```
-
-- Start KubeSphere service:
-
-
-- Exit go runtime environment
-```shell
-$ ps aux | grep kubesphere- | grep -v grep | awk '{print $2}' | xargs kill -9
-```
-
-----
-
-## Test KubeSphere
-
-Visit http://127.0.0.1:9100/swagger-ui in browser, and try it online, or test kubesphere api service via command line:
-
-----
-
-## DevOps
-
-Please check [How to set up DevOps environment](devops.md).

docs/devops.md

@@ -1,79 +0,0 @@
-# Set Up DevOps Environment
-
-DevOps is recommended to use for this project. Please follow the instructions below to set up your environment. We use Jenkins with Blue Ocean plugin and deploy it on Kubernetes, also continuously deploy KubeSphere on the Kubernetes cluster.  
-
-----
-
-- [Create Kubernetes Cluster](#create-kubernetes-cluster)
-- [Deploy Jenkins](#deploy-jenkins)
-- [Configure Jenkins](#configure-jenkins)
-- [Create a Pipeline](#create-a-pipeline)
-
-## Create Kubernetes Cluster
-
-We are using [Kubernetes on QingCloud](https://appcenter.qingcloud.com/apps/app-u0llx5j8) to create a kubernetes production environment by one click. Please follow the [instructions](https://appcenter-docs.qingcloud.com/user-guide/apps/docs/kubernetes/) to create your own cluster. Access the Kubernetes client using one of the following options.
-  - **Open VPN**<a id="openvpn"></a>: Go to the left navigation tree of the [QingCloud console](https://console.qingcloud.com), choose _Networks & CDN_, then _VPC Networks_; on the content of the VPC page, choose _Management Configuration_, _VPN Service_, then you will find _Open VPN_ service. Here is the [screenshot](images/openvpn.png) of the page.
-  - **Port Forwarding**<a id="port-forwarding"></a>: same as Open VPN, but choose _Port Forwarding_ on the content of VPC page instead of VPN Service; and add a rule to forward source port to the port of ssh port of the kubernetes client, for instance, forward 10007 to 22 of the kubernetes client with the private IP being 192.168.100.7. After that, you need to open the firewall to allow the port 10007 accessible from outside. Please click the _Security Group_ ID on the same page of the VPC, and add the downstream rule for the firewall.
-  - **VNC**: If you don't want to access the client node remotely, just go to the kubernetes cluster detailed page on the [QingCloud console](https://console.qingcloud.com), and click the windows icon aside of the client ID shown as the [screenshot](images/kubernets.png) (user/password: root/k8s). The way is not recommended, however you can check kubernetes quickly using VNC since you don't configure anything. 
-
-## Deploy Jenkins
-
-1. Copy the [yaml file](../devops/kubernetes/jenkins-qingcloud.yaml) to the kubernetes client, and deploy
-   ```
-   # kubectl apply -f jenkins-qingcloud.yaml
-   ```
-
-2. Access Jenkins console by opening http://\<ip\>:9200 where ip depends on how you expose the Jenkins service to outside explained below. (You can find your way to access Jenkins console such as ingress, cloud LB etc.) On the kubernetes client
-   ```
-   # iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 9200 -j DNAT --to-destination "$(kubectl get svc -n jenkins --selector=app=jenkins -o jsonpath='{.items..spec.clusterIP}')":9200
-   # iptables -t nat -A POSTROUTING -p tcp --dport 9200 -j MASQUERADE
-   # sysctl -w net.ipv4.conf.eth0.route_localnet=1
-   ```
-
-3. Now the request to the kubernetes client port 9200 will be forwarded to the Jenkins service. 
-   
-   - If you use [Open VPN](#openvpn) to access the kubernetes client, then open http://\<kubernetes client private ip\>:9200 to access Jenkins console. 
-   - If you use [Port Forwarding](#port-forwarding) to access the client, then forward the VPC port 9200 to the kubernetes client port 9200. Now open http://\<VPC EIP\>:9200 to access Jenkins console.
-
-## Configure Jenkins
-   > You can refer [jenkins.io](https://jenkins.io/doc/tutorials/using-jenkins-to-build-a-java-maven-project/) about how to configure Jenkins and create a pipeline.
-
-1. Unlock Jenkins
-
-   - Get the Adminstrator password from the log on the kubernetes client
-     ```
-     # kubectl logs "$(kubectl get pods -n jenkins --selector=app=jenkins -o jsonpath='{.items..metadata.name}')" -c jenkins -n jenkins
-     ```
-   - Go to Jenkins console, paste the password and continue. Install suggested plugins, then create the first admin user and save & finish.
-
-2. Configure Jenkins
-   
-   We will deploy KubeSphere application into the same Kubernetes cluster as the one that the Jenkins is running on. So we need configure the Jenkins pod to access the Kubernetes cluster, and log in docker registry given that during the [Jenkins pipeline](#create-a-pipeline) we push KubeSphere image into a registry which you can change on your own. 
-  
-   On the Kubernetes client, execute the following to log in Jenkins container.
-  
-     ```
-     # kubectl exec -it "$(kubectl get pods -n jenkins --selector=app=jenkins -o jsonpath='{.items..metadata.name}')" -c jenkins -n jenkins -- /bin/bash
-     ```
-  
-     After logging in the Jenkins container, then run the following to log in docker registry and prepare folder to hold kubectl configuration.
-
-     ```
-     bash-4.3# docker login -u xxx -p xxxx
-     bash-4.3# mkdir /root/.kube
-     bash-4.3# exit
-     ```
-  
-     Once back again to the Kubernetes client, run the following to copy the tool kubectl and its configuration from the client to the Jenkins container.
-
-     ```
-     # kubectl cp /usr/bin/kubectl jenkins/"$(kubectl get pods -n jenkins --selector=app=jenkins -o jsonpath='{.items..metadata.name}')":/usr/bin/kubectl -c jenkins
-     # kubectl cp /root/.kube/config jenkins/"$(kubectl get pods -n jenkins --selector=app=jenkins -o jsonpath='{.items..metadata.name}')":/root/.kube/config -c jenkins
-     ```  
-
-## Create a pipeline
-  - Fork KubeSphere from github for your development. You need to change the docker repository to your own in the files [kubesphere.yaml](devops/kubernetes/kubesphere.yaml), [build-images.sh](devops/scripts/build-images.sh), [push-images.sh](devops/scripts/push-images.sh) and [clean.sh](devops/scripts/clean.sh).
-  - On the Jenkins panel, click _Open Blue Ocean_ and start to create a new pipeline. Choose _GitHub_, paste your access key of GitHub, select the repository you want to create a CI/CD pipeline. We already created the pipeline Jenkinsfile on the upstream repository which includes compiling KubeSphere, building images, push images, deploying the application, verifying the application and cleaning up.
-  - It is better to configure one more thing. On the Jenkins panel, go to the configuration of KubeSphere, check _Periodically if not otherwise run_ under _Scan Repository Triggers_ and select the interval at your will. 
-  - If your repository is an upstream, you can select _Discover pull requests from forks_ under _Behaviors_ so that the pipeline will work for PR before merged.
-  - Now it is good to go. Whenever you commit a change to your forked repository, the pipeline will work during the Jenkins trigger interval. 

docs/members.md

@@ -1,12 +0,0 @@
-# Contributors
-
-## Component and Member List
-
-| Name | Leads |
-|------|-------|
-| Deployment |  (yunify) |
-| Service |  (yunify) |
-| Application |  (yunify) |
-| Cluster | Jeff (yunify) |
-| App Runtime |  (yunify) |
-| Documents | |

docs/modules/app-manager/README.md

@@ -1,22 +0,0 @@
-## QuickStart
-KubeSphere uses same app-manager module from [OpenPitrix](https://github/openpitrix/openpitrix), which is another open source project initiated by QingCloud. 
-For testing and development purpose, follow steps below to setup app-manager service locally:
-* Make sure git and docker runtime is installed in your local environment  
-* Clone the OpenPitrix project to your local environment: 
-  ```console
-  git clone https://github.com/openpitrix/openpitrix.git
-  ```  
-* Get into openpitrix directory, run commands below:  
-  ```console
-  cd openpitrix
-  make build
-  make compose-up-app
-  ```  
-
-## Test app-manager
-
-Visit http://127.0.0.1:9100/swagger-ui in browser, and try it online, or test app-manager api service via command line:
-
-```shell
-$ curl http://localhost:9100/v1/apps
-{"total_items":0,"total_pages":0,"page_size":10,"current_page":1}

docs/prereqs.md

@@ -12,7 +12,6 @@ branch, but release branches should not change.
 
 - [Prerequisites](#prerequisites)
   - [Setting up Go](#setting-up-go)
-  - [Setting up Swagger](#setting-up-swagger)
 - [To start developing KubeSphere](#to-start-developing-kubesphere)
 - [DevOps](#devops)
 
@@ -37,20 +36,6 @@ $ export GOPATH=~/go
 $ export PATH=$PATH:$GOPATH/bin
 ```
 
-### Setting up Swagger
-
-KubeSphere is using [OpenAPI/Swagger](https://swagger.io) to develop API, so follow
-[the instructions](https://github.com/go-swagger/go-swagger/tree/master/docs) to
-install Swagger. If you are not familar with Swagger, please read the
-[tutorial](http://apihandyman.io/writing-openapi-swagger-specification-tutorial-part-1-introduction/#writing-openapi-fka-swagger-specification-tutorial). If you install Swagger using docker distribution,
-please run
-
-```shell
-$ docker pull quay.io/goswagger/swagger
-$ alias swagger="docker run --rm -it -e GOPATH=$GOPATH:/go -v $HOME:$HOME -w $(pwd) quay.io/goswagger/swagger"
-$ swagger version
-```
-
 ## To start developing KubeSphere
 
 There are two options to get KubeSphere source code and build the project:
@@ -70,7 +55,3 @@ $ git clone https://github.com/kubesphere/kubesphere
 $ cd kubesphere
 $ make
 ```
-
-## DevOps
-
-Please check [How to set up DevOps environment](devops.md)

docs/pull-requests.md

@@ -4,7 +4,6 @@ This doc explains the process and best practices for submitting a PR to the [Kub
 
 - [Before You Submit a PR](#before-you-submit-a-pr)
   * [Run Local Verifications](#run-local-verifications)
-  * [Sign the CLA](#sign-the-cla)
 - [The PR Submit Process](#the-pr-submit-process)
   * [Write Release Notes if Needed](#write-release-notes-if-needed)
   * [The Testing and Merge Workflow](#the-testing-and-merge-workflow)
@@ -38,22 +37,10 @@ This guide is for contributors who already have a PR to submit. If you're lookin
 You can run these local verifications before you submit your PR to predict the
 pass or fail of continuous integration.
 
-* Run and pass `make verify` (can take 30-40 minutes)
-* Run and pass `make test`
-* Run and pass `make test-integration`
-
-## Sign the CLA
-
-You must sign the CLA before your first contribution. [Read more about the CLA.](https://github.com/kubesphere/kubesphere/docs/CLA.md)
-
-If you haven't signed the Contributor License Agreement (CLA) before making a PR,
-the `@o8x-ci-robot` will leave a comment with instructions on how to sign the CLA.
-
 # The PR Submit Process
 
 Merging a PR requires the following steps to be completed before the PR will be merged automatically. For details about each step, see the [The Testing and Merge Workflow](#the-testing-and-merge-workflow) section below.
 
-- Sign the CLA (prerequisite)
 - Make the PR
 - Release notes - do one of the following:
   - Add notes in the release notes block, or
@@ -152,15 +139,15 @@ If you want to solicit reviews before the implementation of your pull request is
 The GitHub robots will add and remove the `do-not-merge/hold` label as you use the comment commands and the `do-not-merge/work-in-progress` label as you edit your title. While either label is present, your pull request will not be considered for merging.
 
 
-## Comment Commands Reference
+## Comment Commands Reference//TODO
 
 [The commands doc]() contains a reference for all comment commands. //TODO
 
-## Automation
+## Automation//TODO
 
 The KubeSphere developer community uses a variety of automation to manage pull requests.  This automation is described in detail [in the automation doc](automation.md). //TODO
 
-## How the Tests Work
+## How the Tests Work//TODO
 
 The  tests will post the status results to the PR. If an e2e test fails,
 `@o8x-ci-robot` will comment on the PR with the test history and the
@@ -212,7 +199,7 @@ Let's talk about best practices so your PR gets reviewed quickly.
 
 ## 0. Familiarize yourself with project conventions
 
-* [Development guide](development.md)
+* [Development guide](code-of-conduct.md)
 
 ## 1. Is the feature wanted? Make a Design Doc or Sketch PR
 
@@ -220,7 +207,7 @@ Are you sure Feature-X is something the KubeSphere team wants or will accept? Is
 
 It's better to get confirmation beforehand. There are two ways to do this:
 
-- Make a proposal doc (in docs/proposals; for example [the QoS proposal](), or reach out to the affected special interest group (SIG). Here's a [list of SIGs](https://github.com/KubeSphere/KubeSphere/docs/sig-list.md)
+- Make a proposal doc (in docs/proposals; for example [the QoS proposal]()
 - Coordinate your effort with [SIG Docs]() ahead of time. //TODO
 - Make a sketch PR (e.g., just the API or Go interface). Write or code up just enough to express the idea and the design and why you made those choices
 

docs/screenshots.md

@@ -0,0 +1,54 @@
+# KubeSphere Screenshots
+
+Screenshots of various KubeSphere dashboard views:
+
+## Workbench Overview
+
+![](https://pek3b.qingstor.com/kubesphere-docs/png/20190710111625.png)
+
+## Application Template
+
+![](https://pek3b.qingstor.com/kubesphere-docs/png/20190710111410.png)
+
+![](https://pek3b.qingstor.com/kubesphere-docs/png/20190710111441.png)
+
+## Project Resources Management
+
+![](https://pek3b.qingstor.com/kubesphere-docs/png/20190710112617.png)
+
+![](https://pek3b.qingstor.com/kubesphere-docs/png/20190710112653.png)
+
+## DevOps Project
+
+![](https://pek3b.qingstor.com/kubesphere-docs/png/20190710113123.png)
+
+![](https://pek3b.qingstor.com/kubesphere-docs/png/20190710113153.png)
+
+## Node Management
+
+![](https://pek3b.qingstor.com/kubesphere-docs/png/20190710111701.png)
+
+## Service Components
+
+![](https://pek3b.qingstor.com/kubesphere-docs/png/20190710111734.png)
+
+## Workspace Management
+
+![](https://pek3b.qingstor.com/kubesphere-docs/png/20190710111851.png)
+
+![](https://pek3b.qingstor.com/kubesphere-docs/png/20190710112018.png)
+
+## Monitoring Center
+
+![](https://pek3b.qingstor.com/kubesphere-docs/png/20190710113420.png)
+
+![](https://pek3b.qingstor.com/kubesphere-docs/png/20190710113444.png)
+
+![](https://pek3b.qingstor.com/kubesphere-docs/png/20190710113543.png)
+
+## Log and Alert
+
+![](https://pek3b.qingstor.com/kubesphere-docs/png/20190710113300.png)
+
+![](https://pek3b.qingstor.com/kubesphere-docs/png/20190710113650.png)
+

docs/welcome-to-KubeSphere-new-developer-guide.md

@@ -2,57 +2,30 @@
 Welcome to KubeSphere! (New Developer Guide)
 ============================================
 
-_This document assumes that you know what KubeSphere does. If you don't,
-try the demo at [https://o8x.io/](https://kubesphere.io/)._
+_This document assumes that you know what KubeSphere does. 
 
 Introduction
 ------------
 
-Have you ever wanted to contribute to the coolest cloud technology? This
+This
 document will help you understand the organization of the KubeSphere project and
 direct you to the best places to get started. By the end of this doc, you'll be
 able to pick up issues, write code to fix them, and get your work reviewed and
 merged.
 
 If you have questions about the development process, feel free to jump into our
-[Slack workspace](http://KubeSphere.slack.com/) or join our [mailing
-list](https://groups.google.com/forum/#!forum/KubeSphere-dev). If you join the
+[Slack workspace](http://KubeSphere.slack.com/). If you join the
 Slack workspace it is recommended to set your Slack display name to your GitHub
 account handle.
 
-Special Interest Groups
------------------------
 
-KubeSphere developers work in teams called Special Interest Groups (SIGs). At
-the time of this writing there are [2 SIGs](sig-list.md).
-
-The developers within each SIG have autonomy and ownership over that SIG's part
-of KubeSphere. SIGs organize themselves by meeting regularly and submitting
-markdown design documents to the
-[KubeSphere/community](https://github.com/KubeSphere/community) repository.
-Like everything else in KubeSphere, a SIG is an open, community, effort. Anybody
-is welcome to jump into a SIG and begin fixing issues, critiquing design
-proposals and reviewing code.
-
-Most people who visit the KubeSphere repository for the first time are
-bewildered by the thousands of [open
-issues](https://github.com/KubeSphere/KubeSphere/issues) in our main repository.
-But now that you know about SIGs, it's easy to filter by labels to see what's
-going on in a particular SIG. For more information about our issue system, check
-out
-[issues.md](https://github.com/KubeSphere/community/blob/master/contributors/devel/issues.md).
-
-//TODO
 
 Downloading, Building, and Testing KubeSphere
 ---------------------------------------------
 
 This guide is non-technical, so it does not cover the technical details of
 working KubeSphere. We have plenty of documentation available under
-[github.com/KubeSphere/KubeSphere/docs/](https://github.com/KubeSphere/KubeSphere/docs/).
-Check out
-[development.md](https://github.com/KubeSphere/KubeSphere/docs/development.md)
-for more details.
+[docs.kubesphere.io](https://docs.kubesphere.io).
 
 Pull-Request Process
 --------------------
@@ -61,21 +34,4 @@ The pull-request process is documented in [pull-requests.md](pull-requests.md).
 As described in that document, you must sign the CLA before
 KubeSphere can accept your contribution.
 
-
-The Release Process and Code Freeze
------------------------------------
-
-Every so often @o8x-merge-robot will refuse to merge your PR, saying something
-about release milestones. This happens when we are in a code freeze for a
-release. In order to ensure KubeSphere is stable, we stop merging everything
-that's not a bugfix, then focus on making all the release tests pass. This code
-freeze usually lasts two weeks and happens once per quarter.
-
-If you're new to KubeSphere, you won't have to worry about this too much. After
-you've contributed for a few months, you will be added as a [community
-member](https://github.com/KubeSphere/KubeSphere/docs/membership.md)
-and take ownership of some of the tests. At this point, you'll work with members
-of your SIG to review PRs coming into your area and track down issues that occur
-in tests.
-
 Thanks for reading!

hack/boilerplate.go.txt

@@ -0,0 +1,15 @@
+/*
+Copyright 2019 The KubeSphere authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/

hack/custom-boilerplate.go.txt

@@ -0,0 +1,16 @@
+/*
+Copyright 2019 The KubeSphere Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+

hack/docker_build.sh

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+set -ex
+set -o pipefail
+
+REPO=kubespheredev
+TAG=latest
+
+# check if build was triggered by a travis cronjob
+if [[ ! -v TRAVIS_EVENT_TYPE ]]; then
+    echo "TRAVIS_EVENT_TYPE is not set, treat as regular build"
+elif [[ -z "$TRAVIS_EVENT_TYPE" ]]; then
+    echo "TRAVIS_EVENT_TYPE is empty, also normaly build"
+elif [ $TRAVIS_EVENT_TYPE == "cron" ]; then
+    TAG=dev-$(date +%Y%m%d)
+fi
+
+
+docker build -f build/ks-apigateway/Dockerfile -t $REPO/ks-apigateway:$TAG .
+docker build -f build/ks-apiserver/Dockerfile -t $REPO/ks-apiserver:$TAG .
+docker build -f build/ks-iam/Dockerfile -t $REPO/ks-account:$TAG .
+docker build -f build/ks-controller-manager/Dockerfile -t $REPO/ks-controller-manager:$TAG .
+docker build -f ./pkg/db/Dockerfile -t $REPO/ks-devops:flyway-$TAG ./pkg/db/
+
+# Push image to dockerhub, need to support multiple push
+
+echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
+docker push $REPO/ks-apigateway:$TAG
+docker push $REPO/ks-apiserver:$TAG
+docker push $REPO/ks-account:$TAG
+docker push $REPO/ks-controller-manager:$TAG
+docker push $REPO/ks-devops:flyway-$TAG

hack/gobuild.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+
+# Copyright 2017 KubeSphere Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# This script builds and link stamps the output
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+VERBOSE=${VERBOSE:-"0"}
+V=""
+if [[ "${VERBOSE}" == "1" ]];then
+    V="-x"
+    set -x
+fi
+
+ROOTDIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+
+OUTPUT_DIR=bin
+BUILDPATH=./${1:?"path to build"}
+OUT=${OUTPUT_DIR}/${1:?"output path"}
+
+set -e
+
+BUILD_GOOS=${GOOS:-linux}
+BUILD_GOARCH=${GOARCH:-amd64}
+GOBINARY=${GOBINARY:-go}
+
+# forgoing -i (incremental build) because it will be deprecated by tool chain.
+time GOOS=${BUILD_GOOS} GOARCH=${BUILD_GOARCH} ${GOBINARY} build \
+        -o ${OUT} \
+        ${BUILDPATH}

hack/install_kubebuilder.sh

@@ -0,0 +1,80 @@
+#!/bin/sh
+
+#
+# This file will be  fetched as: curl -L https://git.io/getLatestKubebuilder | sh -
+# so it should be pure bourne shell, not bash (and not reference other scripts)
+#
+# The script fetches the latest kubebuilder release candidate and untars it.
+# It lets users to do curl -L https://git.io//getLatestKubebuilder | KUBEBUILDER_VERSION=1.0.5 sh -
+# for instance to change the version fetched.
+
+# Check if the program is installed, otherwise exit
+function command_exists () {
+  if ! [ -x "$(command -v $1)" ]; then
+    echo "Error: $1 program is not installed." >&2
+    exit 1
+  fi
+}
+
+# Determine OS
+OS="$(uname)"
+case $OS in
+  Darwin)
+    OSEXT="darwin"
+    ;;
+  Linux)
+    OSEXT="linux"
+    ;;
+  *)
+    echo "Only OSX and Linux OS are supported !"
+    exit 1
+    ;;
+esac
+
+HW=$(uname -m)
+case $HW in
+    x86_64)
+      ARCH=amd64 ;;
+    *)
+      echo "Only x86_64 machines are supported !"
+      exit 1
+      ;;
+esac
+
+# Check if curl, tar commands/programs exist
+command_exists curl
+command_exists tar
+
+KUBEBUILDER_VERSION=v1.0.8
+KUBEBUILDER_VERSION=${KUBEBUILDER_VERSION#"v"}
+KUBEBUILDER_VERSION_NAME="kubebuilder_${KUBEBUILDER_VERSION}"
+KUBEBUILDER_DIR=/usr/local/kubebuilder
+
+# Check if folder containing kubebuilder executable exists and is not empty
+if [ -d "$KUBEBUILDER_DIR" ]; then
+  if [ "$(ls -A $KUBEBUILDER_DIR)" ]; then
+    echo "\n/usr/local/kubebuilder folder is not empty. Please delete or backup it before to install ${KUBEBUILDER_VERSION_NAME}"
+    exit 1
+  fi
+fi
+
+TMP_DIR=$(mktemp -d)
+pushd $TMP_DIR
+
+# Downloading Kubebuilder compressed file using curl program
+URL="https://github.com/kubernetes-sigs/kubebuilder/releases/download/v${KUBEBUILDER_VERSION}/${KUBEBUILDER_VERSION_NAME}_${OSEXT}_${ARCH}.tar.gz"
+echo "Downloading ${KUBEBUILDER_VERSION_NAME}\nfrom $URL\n"
+curl -L "$URL"| tar xz -C $TMP_DIR
+
+echo "Downloaded executable files"
+ls "${KUBEBUILDER_VERSION_NAME}_${OSEXT}_${ARCH}/bin"
+
+echo "Moving files to $KUBEBUILDER_DIR folder\n"
+mv ${KUBEBUILDER_VERSION_NAME}_${OSEXT}_${ARCH} kubebuilder && sudo mv -f kubebuilder /usr/local/
+
+echo "Add kubebuilder to your path; e.g copy paste in your shell and/or edit your ~/.profile file"
+echo "export PATH=\$PATH:/usr/local/kubebuilder/bin"
+popd
+rm -rf $TMP_DIR
+
+export PATH=$PATH:/usr/local/kubebuilder/bin

install/ingress-controller/ingress-controller.yaml

@@ -22,7 +22,7 @@ spec:
       serviceAccountName: kubesphere-router-serviceaccount
       containers:
         - name: nginx-ingress-controller
-          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.16.2
+          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.24.1
           args:
             - /nginx-ingress-controller
             - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
@@ -31,6 +31,15 @@ spec:
             - --force-namespace-isolation
             - --update-status
             - --update-status-on-shutdown
+          securityContext:
+            allowPrivilegeEscalation: true
+            capabilities:
+              drop:
+                - ALL
+              add:
+                - NET_BIND_SERVICE
+            # www-data -> 33
+            runAsUser: 33
           env:
             - name: POD_NAME
               valueFrom:
@@ -54,7 +63,7 @@ spec:
             initialDelaySeconds: 10
             periodSeconds: 10
             successThreshold: 1
-            timeoutSeconds: 1
+            timeoutSeconds: 10
           readinessProbe:
             failureThreshold: 3
             httpGet:
@@ -63,7 +72,6 @@ spec:
               scheme: HTTP
             periodSeconds: 10
             successThreshold: 1
-            timeoutSeconds: 1
-          securityContext:
-            runAsNonRoot: false
+            timeoutSeconds: 10
+
 

install/scripts/docker_push

@@ -1,4 +1,4 @@
 #!/bin/bash
 
 echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
-docker push kubesphere/ks-apiserver:latest
+docker push kubespheredev/ks-apiserver:latest

install/swagger-ui/index.html

@@ -0,0 +1,60 @@
+<!-- HTML for static distribution bundle build -->
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8">
+    <title>Swagger UI</title>
+    <link rel="stylesheet" type="text/css" href="./swagger-ui.css" >
+    <link rel="icon" type="image/png" href="./favicon-32x32.png" sizes="32x32" />
+    <link rel="icon" type="image/png" href="./favicon-16x16.png" sizes="16x16" />
+    <style>
+      html
+      {
+        box-sizing: border-box;
+        overflow: -moz-scrollbars-vertical;
+        overflow-y: scroll;
+      }
+
+      *,
+      *:before,
+      *:after
+      {
+        box-sizing: inherit;
+      }
+
+      body
+      {
+        margin:0;
+        background: #fafafa;
+      }
+    </style>
+  </head>
+
+  <body>
+    <div id="swagger-ui"></div>
+
+    <script src="./swagger-ui-bundle.js"> </script>
+    <script src="./swagger-ui-standalone-preset.js"> </script>
+    <script>
+    window.onload = function() {
+
+      // Build a system
+      const ui = SwaggerUIBundle({
+        url: "/swagger-ui/api.json",
+        dom_id: '#swagger-ui',
+        deepLinking: true,
+        presets: [
+          SwaggerUIBundle.presets.apis,
+          SwaggerUIStandalonePreset
+        ],
+        plugins: [
+          SwaggerUIBundle.plugins.DownloadUrl
+        ],
+        layout: "StandaloneLayout"
+      })
+
+      window.ui = ui
+    }
+  </script>
+  </body>
+</html>

install/swagger-ui/oauth2-redirect.html

@@ -0,0 +1,67 @@
+<!doctype html>
+<html lang="en-US">
+<body onload="run()">
+</body>
+</html>
+<script>
+    'use strict';
+    function run () {
+        var oauth2 = window.opener.swaggerUIRedirectOauth2;
+        var sentState = oauth2.state;
+        var redirectUrl = oauth2.redirectUrl;
+        var isValid, qp, arr;
+
+        if (/code|token|error/.test(window.location.hash)) {
+            qp = window.location.hash.substring(1);
+        } else {
+            qp = location.search.substring(1);
+        }
+
+        arr = qp.split("&")
+        arr.forEach(function (v,i,_arr) { _arr[i] = '"' + v.replace('=', '":"') + '"';})
+        qp = qp ? JSON.parse('{' + arr.join() + '}',
+                function (key, value) {
+                    return key === "" ? value : decodeURIComponent(value)
+                }
+        ) : {}
+
+        isValid = qp.state === sentState
+
+        if ((
+          oauth2.auth.schema.get("flow") === "accessCode"||
+          oauth2.auth.schema.get("flow") === "authorizationCode"
+        ) && !oauth2.auth.code) {
+            if (!isValid) {
+                oauth2.errCb({
+                    authId: oauth2.auth.name,
+                    source: "auth",
+                    level: "warning",
+                    message: "Authorization may be unsafe, passed state was changed in server Passed state wasn't returned from auth server"
+                });
+            }
+
+            if (qp.code) {
+                delete oauth2.state;
+                oauth2.auth.code = qp.code;
+                oauth2.callback({auth: oauth2.auth, redirectUrl: redirectUrl});
+            } else {
+                let oauthErrorMsg
+                if (qp.error) {
+                    oauthErrorMsg = "["+qp.error+"]: " +
+                        (qp.error_description ? qp.error_description+ ". " : "no accessCode received from the server. ") +
+                        (qp.error_uri ? "More info: "+qp.error_uri : "");
+                }
+
+                oauth2.errCb({
+                    authId: oauth2.auth.name,
+                    source: "auth",
+                    level: "error",
+                    message: oauthErrorMsg || "[Authorization failed]: no accessCode received from the server"
+                });
+            }
+        } else {
+            oauth2.callback({auth: oauth2.auth, token: qp, isValid: isValid, redirectUrl: redirectUrl});
+        }
+        window.close();
+    }
+</script>

install/swagger-ui/swagger-ui.css.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"names":[],"mappings":"","file":"swagger-ui.css","sourceRoot":""}

pkg/apigateway/caddy-plugin/authenticate/authenticate.go

@@ -0,0 +1,205 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package authenticate
+
+import (
+	"errors"
+	"fmt"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apiserver/pkg/authentication/user"
+	"k8s.io/apiserver/pkg/endpoints/request"
+	"log"
+	"net/http"
+	"strconv"
+	"strings"
+
+	"github.com/dgrijalva/jwt-go"
+	"github.com/mholt/caddy/caddyhttp/httpserver"
+)
+
+type Auth struct {
+	Rule Rule
+	Next httpserver.Handler
+}
+
+type Rule struct {
+	Secret       []byte
+	Path         string
+	ExceptedPath []string
+}
+
+type User struct {
+	Username string                  `json:"username"`
+	UID      string                  `json:"uid"`
+	Groups   *[]string               `json:"groups,omitempty"`
+	Extra    *map[string]interface{} `json:"extra,omitempty"`
+}
+
+var requestInfoFactory = request.RequestInfoFactory{
+	APIPrefixes:          sets.NewString("api", "apis", "kapis", "kapi"),
+	GrouplessAPIPrefixes: sets.NewString("api")}
+
+func (h Auth) ServeHTTP(resp http.ResponseWriter, req *http.Request) (int, error) {
+	for _, path := range h.Rule.ExceptedPath {
+		if httpserver.Path(req.URL.Path).Matches(path) {
+			return h.Next.ServeHTTP(resp, req)
+		}
+	}
+
+	if httpserver.Path(req.URL.Path).Matches(h.Rule.Path) {
+
+		uToken, err := h.ExtractToken(req)
+
+		if err != nil {
+			return h.HandleUnauthorized(resp, err), nil
+		}
+
+		token, err := h.Validate(uToken)
+
+		if err != nil {
+			return h.HandleUnauthorized(resp, err), nil
+		}
+
+		req, err = h.InjectContext(req, token)
+
+		if err != nil {
+			return h.HandleUnauthorized(resp, err), nil
+		}
+	}
+
+	return h.Next.ServeHTTP(resp, req)
+}
+
+func (h Auth) InjectContext(req *http.Request, token *jwt.Token) (*http.Request, error) {
+
+	payLoad, ok := token.Claims.(jwt.MapClaims)
+
+	if !ok {
+		return nil, errors.New("invalid payload")
+	}
+
+	for header := range req.Header {
+		if strings.HasPrefix(header, "X-Token-") {
+			req.Header.Del(header)
+		}
+	}
+
+	usr := &user.DefaultInfo{}
+
+	username, ok := payLoad["username"].(string)
+
+	if ok && username != "" {
+		req.Header.Set("X-Token-Username", username)
+		usr.Name = username
+	}
+
+	uid := payLoad["uid"]
+
+	if uid != nil {
+		switch uid.(type) {
+		case int:
+			req.Header.Set("X-Token-UID", strconv.Itoa(uid.(int)))
+			usr.UID = strconv.Itoa(uid.(int))
+			break
+		case string:
+			req.Header.Set("X-Token-UID", uid.(string))
+			usr.UID = uid.(string)
+			break
+		}
+	}
+
+	groups, ok := payLoad["groups"].([]string)
+	if ok && len(groups) > 0 {
+		req.Header.Set("X-Token-Groups", strings.Join(groups, ","))
+		usr.Groups = groups
+	}
+
+	// hard code, support jenkins auth plugin
+	if httpserver.Path(req.URL.Path).Matches("/kapis/jenkins.kubesphere.io") ||
+		httpserver.Path(req.URL.Path).Matches("job") ||
+		httpserver.Path(req.URL.Path).Matches("/kapis/devops.kubesphere.io/v1alpha2") {
+		req.SetBasicAuth(username, token.Raw)
+	}
+
+	context := request.WithUser(req.Context(), usr)
+
+	requestInfo, err := requestInfoFactory.NewRequestInfo(req)
+
+	if err == nil {
+		context = request.WithRequestInfo(context, requestInfo)
+	} else {
+		return nil, err
+	}
+
+	req = req.WithContext(context)
+
+	return req, nil
+}
+
+func (h Auth) Validate(uToken string) (*jwt.Token, error) {
+
+	if len(uToken) == 0 {
+		return nil, fmt.Errorf("token length is zero")
+	}
+
+	token, err := jwt.Parse(uToken, h.ProvideKey)
+
+	if err != nil {
+		return nil, err
+	}
+
+	return token, nil
+}
+
+func (h Auth) HandleUnauthorized(w http.ResponseWriter, err error) int {
+	message := fmt.Sprintf("Unauthorized,%v", err)
+	w.Header().Add("WWW-Authenticate", message)
+	log.Println(message)
+	return http.StatusUnauthorized
+}
+
+func (h Auth) ExtractToken(r *http.Request) (string, error) {
+
+	jwtHeader := strings.Split(r.Header.Get("Authorization"), " ")
+
+	if jwtHeader[0] == "Bearer" && len(jwtHeader) == 2 {
+		return jwtHeader[1], nil
+	}
+
+	jwtCookie, err := r.Cookie("token")
+
+	if err == nil {
+		return jwtCookie.Value, nil
+	}
+
+	jwtQuery := r.URL.Query().Get("token")
+
+	if jwtQuery != "" {
+		return jwtQuery, nil
+	}
+
+	return "", fmt.Errorf("no token found")
+}
+
+func (h Auth) ProvideKey(token *jwt.Token) (interface{}, error) {
+	if _, ok := token.Method.(*jwt.SigningMethodHMAC); ok {
+		return h.Rule.Secret, nil
+	} else {
+		return nil, fmt.Errorf("expect token signed with HMAC but got %v", token.Header["alg"])
+	}
+}

pkg/apigateway/caddy-plugin/authenticate/auto_load.go

@@ -0,0 +1,110 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package authenticate
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/mholt/caddy"
+	"github.com/mholt/caddy/caddyhttp/httpserver"
+)
+
+func init() {
+	caddy.RegisterPlugin("authenticate", caddy.Plugin{
+		ServerType: "http",
+		Action:     Setup,
+	})
+}
+
+func Setup(c *caddy.Controller) error {
+
+	rule, err := parse(c)
+
+	if err != nil {
+		return err
+	}
+
+	c.OnStartup(func() error {
+		fmt.Println("Authenticate middleware is initiated")
+		return nil
+	})
+
+	httpserver.GetConfig(c).AddMiddleware(func(next httpserver.Handler) httpserver.Handler {
+		return &Auth{Next: next, Rule: rule}
+	})
+
+	return nil
+}
+func parse(c *caddy.Controller) (Rule, error) {
+
+	rule := Rule{ExceptedPath: make([]string, 0)}
+
+	if c.Next() {
+		args := c.RemainingArgs()
+		switch len(args) {
+		case 0:
+			for c.NextBlock() {
+				switch c.Val() {
+				case "path":
+					if !c.NextArg() {
+						return rule, c.ArgErr()
+					}
+
+					rule.Path = c.Val()
+
+					if c.NextArg() {
+						return rule, c.ArgErr()
+					}
+				case "secret":
+					if !c.NextArg() {
+						return rule, c.ArgErr()
+					}
+
+					rule.Secret = []byte(c.Val())
+
+					if c.NextArg() {
+						return rule, c.ArgErr()
+					}
+				case "except":
+					if !c.NextArg() {
+						return rule, c.ArgErr()
+					}
+
+					rule.ExceptedPath = strings.Split(c.Val(), ",")
+
+					for i := 0; i < len(rule.ExceptedPath); i++ {
+						rule.ExceptedPath[i] = strings.TrimSpace(rule.ExceptedPath[i])
+					}
+
+					if c.NextArg() {
+						return rule, c.ArgErr()
+					}
+				}
+			}
+		default:
+			return rule, c.ArgErr()
+		}
+	}
+
+	if c.Next() {
+		return rule, c.ArgErr()
+	}
+
+	return rule, nil
+}

pkg/apigateway/caddy-plugin/authentication/authentication.go

@@ -0,0 +1,305 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package authentication
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"k8s.io/apiserver/pkg/authorization/authorizer"
+	"k8s.io/apiserver/pkg/endpoints/request"
+	"kubesphere.io/kubesphere/pkg/utils/k8sutil"
+	"log"
+	"net/http"
+	"strings"
+
+	"github.com/mholt/caddy/caddyhttp/httpserver"
+	"k8s.io/api/rbac/v1"
+	k8serr "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"kubesphere.io/kubesphere/pkg/informers"
+	"kubesphere.io/kubesphere/pkg/utils/sliceutil"
+)
+
+type Authentication struct {
+	Rule Rule
+	Next httpserver.Handler
+}
+
+type Rule struct {
+	Path         string
+	ExceptedPath []string
+}
+
+func (c Authentication) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error) {
+
+	if httpserver.Path(r.URL.Path).Matches(c.Rule.Path) {
+
+		for _, path := range c.Rule.ExceptedPath {
+			if httpserver.Path(r.URL.Path).Matches(path) {
+				return c.Next.ServeHTTP(w, r)
+			}
+		}
+
+		attrs, err := getAuthorizerAttributes(r.Context())
+
+		// without authenticate, no requestInfo found in the context
+		if err != nil {
+			return c.Next.ServeHTTP(w, r)
+		}
+
+		permitted, err := permissionValidate(attrs)
+
+		if err != nil {
+			return http.StatusInternalServerError, err
+		}
+
+		if !permitted {
+			err = k8serr.NewForbidden(schema.GroupResource{Group: attrs.GetAPIGroup(), Resource: attrs.GetResource()}, attrs.GetName(), fmt.Errorf("permission undefined"))
+			return handleForbidden(w, err), nil
+		}
+	}
+
+	return c.Next.ServeHTTP(w, r)
+
+}
+
+func handleForbidden(w http.ResponseWriter, err error) int {
+	message := fmt.Sprintf("Forbidden,%s", err.Error())
+	w.Header().Add("WWW-Authenticate", message)
+	log.Println(message)
+	return http.StatusForbidden
+}
+
+func permissionValidate(attrs authorizer.Attributes) (bool, error) {
+
+	if attrs.GetResource() == "users" && attrs.GetUser().GetName() == attrs.GetName() {
+		return true, nil
+	}
+
+	permitted, err := clusterRoleValidate(attrs)
+
+	if err != nil {
+		log.Println("lister error", err)
+		return false, err
+	}
+
+	if permitted {
+		return true, nil
+	}
+
+	if attrs.GetNamespace() != "" {
+		permitted, err = roleValidate(attrs)
+
+		if err != nil {
+			log.Println("lister error", err)
+			return false, err
+		}
+
+		if permitted {
+			return true, nil
+		}
+	}
+
+	return false, nil
+}
+
+func roleValidate(attrs authorizer.Attributes) (bool, error) {
+	roleBindingLister := informers.SharedInformerFactory().Rbac().V1().RoleBindings().Lister()
+	roleLister := informers.SharedInformerFactory().Rbac().V1().Roles().Lister()
+	roleBindings, err := roleBindingLister.RoleBindings(attrs.GetNamespace()).List(labels.Everything())
+
+	if err != nil {
+		return false, err
+	}
+
+	fullSource := attrs.GetResource()
+
+	if attrs.GetSubresource() != "" {
+		fullSource = fullSource + "/" + attrs.GetSubresource()
+	}
+
+	for _, roleBinding := range roleBindings {
+		if k8sutil.ContainsUser(roleBinding.Subjects, attrs.GetUser().GetName()) {
+			role, err := roleLister.Roles(attrs.GetNamespace()).Get(roleBinding.RoleRef.Name)
+
+			if err != nil {
+				if k8serr.IsNotFound(err) {
+					continue
+				}
+				return false, err
+			}
+
+			for _, rule := range role.Rules {
+				if ruleMatchesRequest(rule, attrs.GetAPIGroup(), "", attrs.GetResource(), attrs.GetSubresource(), attrs.GetName(), attrs.GetVerb()) {
+					return true, nil
+				}
+			}
+		}
+	}
+
+	return false, nil
+}
+
+func clusterRoleValidate(attrs authorizer.Attributes) (bool, error) {
+	clusterRoleBindingLister := informers.SharedInformerFactory().Rbac().V1().ClusterRoleBindings().Lister()
+	clusterRoleBindings, err := clusterRoleBindingLister.List(labels.Everything())
+	clusterRoleLister := informers.SharedInformerFactory().Rbac().V1().ClusterRoles().Lister()
+	if err != nil {
+		return false, err
+	}
+
+	for _, clusterRoleBinding := range clusterRoleBindings {
+
+		if k8sutil.ContainsUser(clusterRoleBinding.Subjects, attrs.GetUser().GetName()) {
+			clusterRole, err := clusterRoleLister.Get(clusterRoleBinding.RoleRef.Name)
+
+			if err != nil {
+				if k8serr.IsNotFound(err) {
+					continue
+				}
+				return false, err
+			}
+
+			for _, rule := range clusterRole.Rules {
+				if attrs.IsResourceRequest() {
+					if ruleMatchesRequest(rule, attrs.GetAPIGroup(), "", attrs.GetResource(), attrs.GetSubresource(), attrs.GetName(), attrs.GetVerb()) {
+						return true, nil
+					}
+				} else {
+					if ruleMatchesRequest(rule, "", attrs.GetPath(), "", "", "", attrs.GetVerb()) {
+						return true, nil
+					}
+				}
+			}
+
+		}
+	}
+
+	return false, nil
+}
+
+func ruleMatchesResources(rule v1.PolicyRule, apiGroup string, resource string, subresource string, resourceName string) bool {
+
+	if resource == "" {
+		return false
+	}
+
+	if !sliceutil.HasString(rule.APIGroups, apiGroup) && !sliceutil.HasString(rule.APIGroups, v1.ResourceAll) {
+		return false
+	}
+
+	if len(rule.ResourceNames) > 0 && !sliceutil.HasString(rule.ResourceNames, resourceName) {
+		return false
+	}
+
+	combinedResource := resource
+
+	if subresource != "" {
+		combinedResource = combinedResource + "/" + subresource
+	}
+
+	for _, res := range rule.Resources {
+
+		// match "*"
+		if res == v1.ResourceAll || res == combinedResource {
+			return true
+		}
+
+		// match "*/subresource"
+		if len(subresource) > 0 && strings.HasPrefix(res, "*/") && subresource == strings.TrimLeft(res, "*/") {
+			return true
+		}
+		// match "resource/*"
+		if strings.HasSuffix(res, "/*") && resource == strings.TrimRight(res, "/*") {
+			return true
+		}
+	}
+
+	return false
+}
+
+func ruleMatchesRequest(rule v1.PolicyRule, apiGroup string, nonResourceURL string, resource string, subresource string, resourceName string, verb string) bool {
+
+	if !sliceutil.HasString(rule.Verbs, verb) && !sliceutil.HasString(rule.Verbs, v1.VerbAll) {
+		return false
+	}
+
+	if nonResourceURL == "" {
+		return ruleMatchesResources(rule, apiGroup, resource, subresource, resourceName)
+	} else {
+		return ruleMatchesNonResource(rule, nonResourceURL)
+	}
+}
+
+func ruleMatchesNonResource(rule v1.PolicyRule, nonResourceURL string) bool {
+
+	if nonResourceURL == "" {
+		return false
+	}
+
+	for _, spec := range rule.NonResourceURLs {
+		if pathMatches(nonResourceURL, spec) {
+			return true
+		}
+	}
+
+	return false
+}
+
+func pathMatches(path, spec string) bool {
+	if spec == "*" {
+		return true
+	}
+	if spec == path {
+		return true
+	}
+	if strings.HasSuffix(spec, "*") && strings.HasPrefix(path, strings.TrimRight(spec, "*")) {
+		return true
+	}
+	return false
+}
+
+func getAuthorizerAttributes(ctx context.Context) (authorizer.Attributes, error) {
+	attribs := authorizer.AttributesRecord{}
+
+	user, ok := request.UserFrom(ctx)
+	if ok {
+		attribs.User = user
+	}
+
+	requestInfo, found := request.RequestInfoFrom(ctx)
+	if !found {
+		return nil, errors.New("no RequestInfo found in the context")
+	}
+
+	// Start with common attributes that apply to resource and non-resource requests
+	attribs.ResourceRequest = requestInfo.IsResourceRequest
+	attribs.Path = requestInfo.Path
+	attribs.Verb = requestInfo.Verb
+
+	attribs.APIGroup = requestInfo.APIGroup
+	attribs.APIVersion = requestInfo.APIVersion
+	attribs.Resource = requestInfo.Resource
+	attribs.Subresource = requestInfo.Subresource
+	attribs.Namespace = requestInfo.Namespace
+	attribs.Name = requestInfo.Name
+
+	return &attribs, nil
+}

pkg/apigateway/caddy-plugin/authentication/auto_load.go

@@ -0,0 +1,123 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package authentication
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/mholt/caddy"
+	"github.com/mholt/caddy/caddyhttp/httpserver"
+
+	"kubesphere.io/kubesphere/pkg/informers"
+)
+
+func init() {
+	caddy.RegisterPlugin("authentication", caddy.Plugin{
+		ServerType: "http",
+		Action:     Setup,
+	})
+}
+
+// Setup is called by Caddy to parse the config block
+func Setup(c *caddy.Controller) error {
+
+	rule, err := parse(c)
+
+	if err != nil {
+		return err
+	}
+	stopChan := make(chan struct{}, 0)
+	c.OnStartup(func() error {
+		informerFactory := informers.SharedInformerFactory()
+		informerFactory.Rbac().V1().Roles().Lister()
+		informerFactory.Rbac().V1().RoleBindings().Lister()
+		informerFactory.Rbac().V1().ClusterRoles().Lister()
+		informerFactory.Rbac().V1().ClusterRoleBindings().Lister()
+		informerFactory.Start(stopChan)
+		informerFactory.WaitForCacheSync(stopChan)
+		fmt.Println("Authentication middleware is initiated")
+		return nil
+	})
+
+	c.OnShutdown(func() error {
+		close(stopChan)
+		return nil
+	})
+
+	httpserver.GetConfig(c).AddMiddleware(func(next httpserver.Handler) httpserver.Handler {
+		return &Authentication{Next: next, Rule: rule}
+	})
+	return nil
+}
+
+func parse(c *caddy.Controller) (Rule, error) {
+
+	rule := Rule{ExceptedPath: make([]string, 0)}
+
+	if c.Next() {
+		args := c.RemainingArgs()
+		switch len(args) {
+		case 0:
+			for c.NextBlock() {
+				switch c.Val() {
+				case "path":
+					if !c.NextArg() {
+						return rule, c.ArgErr()
+					}
+
+					rule.Path = c.Val()
+
+					if c.NextArg() {
+						return rule, c.ArgErr()
+					}
+
+					break
+				case "except":
+					if !c.NextArg() {
+						return rule, c.ArgErr()
+					}
+
+					rule.ExceptedPath = strings.Split(c.Val(), ",")
+
+					for i := 0; i < len(rule.ExceptedPath); i++ {
+						rule.ExceptedPath[i] = strings.TrimSpace(rule.ExceptedPath[i])
+					}
+
+					if c.NextArg() {
+						return rule, c.ArgErr()
+					}
+					break
+				}
+			}
+		case 1:
+			rule.Path = args[0]
+			if c.NextBlock() {
+				return rule, c.ArgErr()
+			}
+		default:
+			return rule, c.ArgErr()
+		}
+	}
+
+	if c.Next() {
+		return rule, c.ArgErr()
+	}
+
+	return rule, nil
+}

pkg/apigateway/caddy-plugin/swagger/auto_load.go

@@ -0,0 +1,100 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package authenticate
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/mholt/caddy"
+	"github.com/mholt/caddy/caddyhttp/httpserver"
+)
+
+func init() {
+	caddy.RegisterPlugin("swagger", caddy.Plugin{
+		ServerType: "http",
+		Action:     Setup,
+	})
+}
+
+func Setup(c *caddy.Controller) error {
+
+	handler, err := parse(c)
+
+	if err != nil {
+		return err
+	}
+
+	c.OnStartup(func() error {
+		fmt.Println("Swagger middleware is initiated")
+		return nil
+	})
+
+	httpserver.GetConfig(c).AddMiddleware(func(next httpserver.Handler) httpserver.Handler {
+		return &Swagger{Next: next, Handler: handler}
+	})
+
+	return nil
+}
+func parse(c *caddy.Controller) (Handler, error) {
+
+	handler := Handler{URL: "/swagger-ui", FilePath: "/var/static/swagger-ui"}
+
+	if c.Next() {
+		args := c.RemainingArgs()
+		switch len(args) {
+		case 0:
+			for c.NextBlock() {
+				switch c.Val() {
+				case "url":
+					if !c.NextArg() {
+						return handler, c.ArgErr()
+					}
+
+					handler.URL = c.Val()
+
+					if c.NextArg() {
+						return handler, c.ArgErr()
+					}
+				case "filePath":
+					if !c.NextArg() {
+						return handler, c.ArgErr()
+					}
+
+					handler.FilePath = c.Val()
+
+					if c.NextArg() {
+						return handler, c.ArgErr()
+					}
+				default:
+					return handler, c.ArgErr()
+				}
+			}
+		default:
+			return handler, c.ArgErr()
+		}
+	}
+
+	if c.Next() {
+		return handler, c.ArgErr()
+	}
+
+	handler.Handler = http.StripPrefix(handler.URL, http.FileServer(http.Dir(handler.FilePath)))
+
+	return handler, nil
+}

pkg/apigateway/caddy-plugin/swagger/swagger.go

@@ -0,0 +1,45 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package authenticate
+
+import (
+	"net/http"
+
+	"github.com/mholt/caddy/caddyhttp/httpserver"
+)
+
+type Swagger struct {
+	Handler Handler
+	Next    httpserver.Handler
+}
+
+type Handler struct {
+	URL      string
+	FilePath string
+	Handler  http.Handler
+}
+
+func (h Swagger) ServeHTTP(resp http.ResponseWriter, req *http.Request) (int, error) {
+
+	if httpserver.Path(req.URL.Path).Matches(h.Handler.URL) {
+		h.Handler.Handler.ServeHTTP(resp, req)
+		return http.StatusOK, nil
+	}
+
+	return h.Next.ServeHTTP(resp, req)
+}

pkg/apis/addtoscheme_servicemesh_v1alpha2.go

@@ -0,0 +1,35 @@
+/*
+Copyright 2019 The KubeSphere authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package apis
+
+import (
+	"github.com/knative/pkg/apis/istio/v1alpha3"
+	"kubesphere.io/kubesphere/pkg/apis/servicemesh/v1alpha2"
+
+	"github.com/kubernetes-sigs/application/pkg/apis/app/v1beta1"
+)
+
+func init() {
+	// Register the types with the Scheme so the components can map objects to GroupVersionKinds and back
+	AddToSchemes = append(AddToSchemes, v1alpha2.SchemeBuilder.AddToScheme)
+
+	// Register networking.istio.io/v1alpha3
+	AddToSchemes = append(AddToSchemes, v1alpha3.SchemeBuilder.AddToScheme)
+
+	// Register application scheme
+	AddToSchemes = append(AddToSchemes, v1beta1.SchemeBuilder.AddToScheme)
+}

pkg/apis/addtoscheme_tenant_v1alpha1.go

@@ -0,0 +1,10 @@
+package apis
+
+import (
+	"kubesphere.io/kubesphere/pkg/apis/tenant/v1alpha1"
+)
+
+func init() {
+	// Register the types with the Scheme so the components can map objects to GroupVersionKinds and back
+	AddToSchemes = append(AddToSchemes, v1alpha1.SchemeBuilder.AddToScheme)
+}

pkg/apis/apis.go

@@ -0,0 +1,30 @@
+/*
+Copyright 2019 The KubeSphere authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package apis contains KubeSphere API groups.
+package apis
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// AddToSchemes may be used to add all resources defined in the project to a Scheme
+var AddToSchemes runtime.SchemeBuilder
+
+// AddToScheme adds all Resources to the Scheme
+func AddToScheme(s *runtime.Scheme) error {
+	return AddToSchemes.AddToScheme(s)
+}

pkg/apis/devops/install/install.go

@@ -0,0 +1,34 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+
+package install
+
+import (
+	"github.com/emicklei/go-restful"
+	urlruntime "k8s.io/apimachinery/pkg/util/runtime"
+	devopsv1alpha2 "kubesphere.io/kubesphere/pkg/apis/devops/v1alpha2"
+	"kubesphere.io/kubesphere/pkg/apiserver/runtime"
+)
+
+func init() {
+	Install(runtime.Container)
+}
+
+func Install(container *restful.Container) {
+	urlruntime.Must(devopsv1alpha2.AddToContainer(container))
+}

pkg/apis/devops/v1alpha2/register.go

@@ -0,0 +1,754 @@
+/*
+
+  Copyright 2019 The KubeSphere Authors.
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+
+*/
+
+package v1alpha2
+
+import (
+	"github.com/emicklei/go-restful"
+	"github.com/emicklei/go-restful-openapi"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	devopsapi "kubesphere.io/kubesphere/pkg/apiserver/devops"
+	"kubesphere.io/kubesphere/pkg/apiserver/runtime"
+	"kubesphere.io/kubesphere/pkg/constants"
+	"kubesphere.io/kubesphere/pkg/models/devops"
+
+	"kubesphere.io/kubesphere/pkg/params"
+	"net/http"
+)
+
+const (
+	GroupName = "devops.kubesphere.io"
+	RespOK    = "ok"
+)
+
+var GroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha2"}
+
+var (
+	WebServiceBuilder = runtime.NewContainerBuilder(addWebService)
+	AddToContainer    = WebServiceBuilder.AddToContainer
+)
+
+func addWebService(c *restful.Container) error {
+
+	webservice := runtime.NewWebService(GroupVersion)
+
+	webservice.Route(webservice.GET("/devops/{devops}").
+		To(devopsapi.GetDevOpsProjectHandler).
+		Doc("Get the specified DevOps Project").
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsProjectTag}).
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Returns(http.StatusOK, RespOK, devops.DevOpsProject{}).
+		Writes(devops.DevOpsProject{}))
+
+	webservice.Route(webservice.PATCH("/devops/{devops}").
+		To(devopsapi.UpdateProjectHandler).
+		Doc("Update the specified DevOps Project").
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsProjectTag}).
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Reads(devops.DevOpsProject{}).
+		Returns(http.StatusOK, RespOK, devops.DevOpsProject{}).
+		Writes(devops.DevOpsProject{}))
+
+	webservice.Route(webservice.GET("/devops/{devops}/defaultroles").
+		To(devopsapi.GetDevOpsProjectDefaultRoles).
+		Doc("Get the build-in roles info of the specified DevOps project").
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsProjectMemberTag}).
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Returns(http.StatusOK, RespOK, []devops.Role{}).
+		Writes([]devops.Role{}))
+
+	webservice.Route(webservice.GET("/devops/{devops}/members").
+		To(devopsapi.GetDevOpsProjectMembersHandler).
+		Doc("Get the members of the specified DevOps project").
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsProjectMemberTag}).
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Param(webservice.QueryParameter(params.PagingParam, "page").
+			Required(false).
+			DataFormat("limit=%d,page=%d").
+			DefaultValue("limit=10,page=1")).
+		Param(webservice.QueryParameter(params.ConditionsParam, "query conditions, support using key-value pairs separated by comma to search, like 'conditions:somekey=somevalue,anotherkey=anothervalue'").
+			Required(false).
+			DataFormat("key=%s,key~%s")).
+		Returns(http.StatusOK, RespOK, []devops.DevOpsProjectMembership{}).
+		Writes([]devops.DevOpsProjectMembership{}))
+
+	webservice.Route(webservice.GET("/devops/{devops}/members/{member}").
+		To(devopsapi.GetDevOpsProjectMemberHandler).
+		Doc("Get the specified member of the DevOps project").
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsProjectMemberTag}).
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Param(webservice.PathParameter("member", "member's username, e.g. admin")).
+		Returns(http.StatusOK, RespOK, devops.DevOpsProjectMembership{}).
+		Writes(devops.DevOpsProjectMembership{}))
+
+	webservice.Route(webservice.POST("/devops/{devops}/members").
+		To(devopsapi.AddDevOpsProjectMemberHandler).
+		Doc("Add a member to the specified DevOps project").
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsProjectMemberTag}).
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Returns(http.StatusOK, RespOK, devops.DevOpsProjectMembership{}).
+		Writes(devops.DevOpsProjectMembership{}).
+		Reads(devops.DevOpsProjectMembership{}))
+
+	webservice.Route(webservice.PATCH("/devops/{devops}/members/{member}").
+		To(devopsapi.UpdateDevOpsProjectMemberHandler).
+		Doc("Update the specified member of the DevOps project").
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsProjectMemberTag}).
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Param(webservice.PathParameter("member", "member's username, e.g. admin")).
+		Returns(http.StatusOK, RespOK, devops.DevOpsProjectMembership{}).
+		Reads(devops.DevOpsProjectMembership{}).
+		Writes(devops.DevOpsProjectMembership{}))
+
+	webservice.Route(webservice.DELETE("/devops/{devops}/members/{member}").
+		To(devopsapi.DeleteDevOpsProjectMemberHandler).
+		Doc("Delete the specified member of the DevOps project").
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsProjectMemberTag}).
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Param(webservice.PathParameter("member", "member's username, e.g. admin")).
+		Writes(devops.DevOpsProjectMembership{}))
+
+	webservice.Route(webservice.POST("/devops/{devops}/pipelines").
+		To(devopsapi.CreateDevOpsProjectPipelineHandler).
+		Doc("Create a DevOps project pipeline").
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsPipelineTag}).
+		Returns(http.StatusOK, RespOK, devops.ProjectPipeline{}).
+		Writes(devops.ProjectPipeline{}).
+		Reads(devops.ProjectPipeline{}))
+
+	webservice.Route(webservice.PUT("/devops/{devops}/pipelines/{pipeline}").
+		To(devopsapi.UpdateDevOpsProjectPipelineHandler).
+		Doc("Update the specified pipeline of the DevOps project").
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Param(webservice.PathParameter("pipeline", "the name of pipeline, e.g. sample-pipeline")).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsPipelineTag}).
+		Writes(devops.ProjectPipeline{}).
+		Reads(devops.ProjectPipeline{}))
+
+	webservice.Route(webservice.DELETE("/devops/{devops}/pipelines/{pipeline}").
+		To(devopsapi.DeleteDevOpsProjectPipelineHandler).
+		Doc("Delete the specified pipeline of the DevOps project").
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsPipelineTag}).
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Param(webservice.PathParameter("pipeline", "the name of pipeline, e.g. sample-pipeline")))
+
+	webservice.Route(webservice.GET("/devops/{devops}/pipelines/{pipeline}/config").
+		To(devopsapi.GetDevOpsProjectPipelineHandler).
+		Doc("Get the configuration information of the specified pipeline of the DevOps Project").
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsPipelineTag}).
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Param(webservice.PathParameter("pipeline", "the name of pipeline, e.g. sample-pipeline")).
+		Returns(http.StatusOK, RespOK, devops.ProjectPipeline{}).
+		Writes(devops.ProjectPipeline{}))
+
+	webservice.Route(webservice.GET("/devops/{devops}/pipelines/{pipeline}/sonarstatus").
+		To(devopsapi.GetPipelineSonarStatusHandler).
+		Doc("Get the sonar quality information for the specified pipeline of the DevOps project. More info: https://docs.sonarqube.org/7.4/user-guide/metric-definitions/").
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsPipelineTag}).
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Param(webservice.PathParameter("pipeline", "the name of pipeline, e.g. sample-pipeline")).
+		Returns(http.StatusOK, RespOK, []devops.SonarStatus{}).
+		Writes([]devops.SonarStatus{}))
+
+	webservice.Route(webservice.GET("/devops/{devops}/pipelines/{pipeline}/branches/{branch}/sonarstatus").
+		To(devopsapi.GetMultiBranchesPipelineSonarStatusHandler).
+		Doc("Get the sonar quality check information for the specified pipeline branch of the DevOps project. More info: https://docs.sonarqube.org/7.4/user-guide/metric-definitions/").
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsPipelineTag}).
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Param(webservice.PathParameter("pipeline", "the name of pipeline, e.g. sample-pipeline")).
+		Param(webservice.PathParameter("branch", "branch name, e.g. master")).
+		Returns(http.StatusOK, RespOK, []devops.SonarStatus{}).
+		Writes([]devops.SonarStatus{}))
+
+	webservice.Route(webservice.POST("/devops/{devops}/credentials").
+		To(devopsapi.CreateDevOpsProjectCredentialHandler).
+		Doc("Create a credential in the specified DevOps project").
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsProjectCredentialTag}).
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Reads(devops.JenkinsCredential{}))
+
+	webservice.Route(webservice.PUT("/devops/{devops}/credentials/{credential}").
+		To(devopsapi.UpdateDevOpsProjectCredentialHandler).
+		Doc("Update the specified credential of the DevOps project").
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsProjectCredentialTag}).
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Param(webservice.PathParameter("credential", "credential's ID, e.g. dockerhub-id")).
+		Reads(devops.JenkinsCredential{}))
+
+	webservice.Route(webservice.DELETE("/devops/{devops}/credentials/{credential}").
+		To(devopsapi.DeleteDevOpsProjectCredentialHandler).
+		Doc("Delete the specified credential of the DevOps project").
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsProjectCredentialTag}).
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Param(webservice.PathParameter("credential", "credential's ID, e.g. dockerhub-id")))
+
+	webservice.Route(webservice.GET("/devops/{devops}/credentials/{credential}").
+		To(devopsapi.GetDevOpsProjectCredentialHandler).
+		Doc("Get the specified credential of the DevOps project").
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsProjectCredentialTag}).
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Param(webservice.PathParameter("credential", "credential's ID, e.g. dockerhub-id")).
+		Param(webservice.QueryParameter("content", `
+Get extra credential content if this query parameter is set. 
+Specifically, there are three types of info in a credential. One is the basic info that must be returned for each query such as name, id, etc.
+The second one is non-encrypted info such as the username of the username-password type of credential, which returns when the "content" parameter is set to non-empty.
+The last one is encrypted info, such as the password of the username-password type of credential, which never returns.
+`)).
+		Returns(http.StatusOK, RespOK, devops.JenkinsCredential{}))
+
+	webservice.Route(webservice.GET("/devops/{devops}/credentials").
+		To(devopsapi.GetDevOpsProjectCredentialsHandler).
+		Doc("Get all credentials of the specified DevOps project").
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsProjectCredentialTag}).
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Returns(http.StatusOK, RespOK, []devops.JenkinsCredential{}))
+
+	// match Jenkisn api "/blue/rest/organizations/jenkins/pipelines/{devops}/{pipeline}"
+	webservice.Route(webservice.GET("/devops/{devops}/pipelines/{pipeline}").
+		To(devopsapi.GetPipeline).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsPipelineTag}).
+		Doc("Get the specified pipeline of the DevOps project").
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Param(webservice.PathParameter("pipeline", "the name of the CI/CD pipeline")).
+		Returns(http.StatusOK, RespOK, devops.Pipeline{}).
+		Writes(devops.Pipeline{}))
+
+	// match Jenkisn api: "jenkins_api/blue/rest/search"
+	webservice.Route(webservice.GET("/search").
+		To(devopsapi.SearchPipelines).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsPipelineTag}).
+		Doc("Search DevOps resource. More info: https://github.com/jenkinsci/blueocean-plugin/tree/master/blueocean-rest#get-pipelines-across-organization").
+		Param(webservice.QueryParameter("q", "query pipelines, condition for filtering.").
+			Required(true).
+			DataFormat("q=%s")).
+		Param(webservice.QueryParameter("filter", "Filter some types of jobs. e.g. no-folder，will not get a job of type folder").
+			Required(false).
+			DataFormat("filter=%s")).
+		Param(webservice.QueryParameter("start", "the item number that the search starts from.").
+			Required(false).
+			DataFormat("start=%d")).
+		Param(webservice.QueryParameter("limit", "the limit item count of the search.").
+			Required(false).
+			DataFormat("limit=%d")).
+		Returns(http.StatusOK, RespOK, []devops.Pipeline{}).
+		Writes([]devops.Pipeline{}))
+
+	// match Jenkisn api "/blue/rest/organizations/jenkins/pipelines/{devops}/{pipeline}/runs/"
+	webservice.Route(webservice.GET("/devops/{devops}/pipelines/{pipeline}/runs").
+		To(devopsapi.SearchPipelineRuns).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsPipelineTag}).
+		Doc("Get all runs of the specified pipeline").
+		Param(webservice.PathParameter("pipeline", "the name of the CI/CD pipeline")).
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Param(webservice.QueryParameter("start", "the item number that the search starts from").
+			Required(false).
+			DataFormat("start=%d")).
+		Param(webservice.QueryParameter("limit", "the limit item count of the search").
+			Required(false).
+			DataFormat("limit=%d")).
+		Param(webservice.QueryParameter("branch", "the name of branch, same as repository branch, will be filtered by branch.").
+			Required(false).
+			DataFormat("branch=%s")).
+		Returns(http.StatusOK, RespOK, []devops.BranchPipelineRun{}).
+		Writes([]devops.BranchPipelineRun{}))
+
+	// match Jenkins api "/blue/rest/organizations/jenkins/pipelines/{devops}/{pipeline}/branches/{branch}/runs/{run}/"
+	webservice.Route(webservice.GET("/devops/{devops}/pipelines/{pipeline}/branches/{branch}/runs/{run}").
+		To(devopsapi.GetBranchPipelineRun).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsPipelineTag}).
+		Doc("(MultiBranchesPipeline) Get all runs in the specified branch").
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Param(webservice.PathParameter("pipeline", "the name of the CI/CD pipeline")).
+		Param(webservice.PathParameter("branch", "the name of branch, same as repository branch.")).
+		Param(webservice.PathParameter("run", "pipeline run id, the unique id for a pipeline once build.")).
+		Returns(http.StatusOK, RespOK, devops.BranchPipelineRun{}).
+		Writes(devops.BranchPipelineRun{}))
+
+	// match Jenkins api "/blue/rest/organizations/jenkins/pipelines/{devops}/{pipeline}/branches/{branch}/runs/{run}/nodes"
+	webservice.Route(webservice.GET("/devops/{devops}/pipelines/{pipeline}/branches/{branch}/runs/{run}/nodes").
+		To(devopsapi.GetPipelineRunNodesbyBranch).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsPipelineTag}).
+		Doc("(MultiBranchesPipeline) Get run nodes.").
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Param(webservice.PathParameter("pipeline", "the name of the CI/CD pipeline")).
+		Param(webservice.PathParameter("branch", "the name of branch, same as repository branch.")).
+		Param(webservice.PathParameter("run", "pipeline run id, the unique id for a pipeline once build.")).
+		Param(webservice.QueryParameter("limit", "the limit item count of the search.").
+			Required(false).
+			DataFormat("limit=%d").
+			DefaultValue("limit=10000")).
+		Returns(http.StatusOK, RespOK, []devops.BranchPipelineRunNodes{}).
+		Writes([]devops.BranchPipelineRunNodes{}))
+
+	// match "/blue/rest/organizations/jenkins/pipelines/{devops}/{pipeline}/branches/{branch}/runs/{run}/nodes/{node}/steps/{step}/log/?start=0"
+	webservice.Route(webservice.GET("/devops/{devops}/pipelines/{pipeline}/branches/{branch}/runs/{run}/nodes/{node}/steps/{step}/log").
+		To(devopsapi.GetBranchStepLog).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsPipelineTag}).
+		Doc("(MultiBranchesPipeline) Get the step logs in the specified pipeline activity.").
+		Produces("text/plain; charset=utf-8").
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Param(webservice.PathParameter("pipeline", "the name of the CI/CD pipeline")).
+		Param(webservice.PathParameter("branch", "the name of branch, same as repository branch.")).
+		Param(webservice.PathParameter("run", "pipeline run id, the unique id for a pipeline once build.")).
+		Param(webservice.PathParameter("node", "pipeline node id, the stage in pipeline.")).
+		Param(webservice.PathParameter("step", "pipeline step id, the step in pipeline.")).
+		Param(webservice.QueryParameter("start", "the item number that the search starts from.").
+			Required(false).
+			DataFormat("start=%d").
+			DefaultValue("start=0")))
+
+	// match "/blue/rest/organizations/jenkins/pipelines/{devops}/{pipeline}/runs/{run}/nodes/{node}/steps/{step}/log/?start=0"
+	webservice.Route(webservice.GET("/devops/{devops}/pipelines/{pipeline}/runs/{run}/nodes/{node}/steps/{step}/log").
+		To(devopsapi.GetStepLog).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsPipelineTag}).
+		Doc("Get pipelines step log.").
+		Produces("text/plain; charset=utf-8").
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Param(webservice.PathParameter("pipeline", "the name of the CI/CD pipeline")).
+		Param(webservice.PathParameter("run", "pipeline run ID, the unique ID for a pipeline once build.")).
+		Param(webservice.PathParameter("node", "pipeline node ID, the stage in pipeline.")).
+		Param(webservice.PathParameter("step", "pipeline step ID, the step in pipeline.")).
+		Param(webservice.QueryParameter("start", "the item number that the search starts from.").
+			Required(false).
+			DataFormat("start=%d").
+			DefaultValue("start=0")))
+
+	// match "/blue/rest/organizations/jenkins/scm/github/validate/"
+	webservice.Route(webservice.POST("/scms/{scm}/verify").
+		To(devopsapi.Validate).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsScmTag}).
+		Doc("Validate the access token of the specified source configuration management (SCM) such as Github").
+		Param(webservice.PathParameter("scm", "the ID of the source configuration management (SCM).")).
+		Returns(http.StatusOK, RespOK, devops.Validates{}).
+		Writes(devops.Validates{}))
+
+	// match "/blue/rest/organizations/jenkins/scm/{scm}/organizations/?credentialId=github"
+	webservice.Route(webservice.GET("/scms/{scm}/organizations").
+		To(devopsapi.GetSCMOrg).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsScmTag}).
+		Doc("List all organizations of the specified source configuration management (SCM) such as Github.").
+		Param(webservice.PathParameter("scm", "the ID of the source configuration management (SCM).")).
+		Param(webservice.QueryParameter("credentialId", "credential ID for source configuration management (SCM).").
+			Required(true).
+			DataFormat("credentialId=%s")).
+		Returns(http.StatusOK, RespOK, []devops.SCMOrg{}).
+		Writes([]devops.SCMOrg{}))
+
+	// match "/blue/rest/organizations/jenkins/scm/{scm}/organizations/{organization}/repositories/?credentialId=&pageNumber&pageSize="
+	webservice.Route(webservice.GET("/scms/{scm}/organizations/{organization}/repositories").
+		To(devopsapi.GetOrgRepo).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsScmTag}).
+		Doc("List all repositories in the specified organization.").
+		Param(webservice.PathParameter("scm", "The ID of the source configuration management (SCM).")).
+		Param(webservice.PathParameter("organization", "organization ID, such as github username.")).
+		Param(webservice.QueryParameter("credentialId", "credential ID for SCM.").
+			Required(true).
+			DataFormat("credentialId=%s")).
+		Param(webservice.QueryParameter("pageNumber", "page number.").
+			Required(true).
+			DataFormat("pageNumber=%d")).
+		Param(webservice.QueryParameter("pageSize", "the item count of one page.").
+			Required(true).
+			DataFormat("pageSize=%d")).
+		Returns(http.StatusOK, RespOK, []devops.OrgRepo{}).
+		Writes([]devops.OrgRepo{}))
+
+	// match /blue/rest/organizations/jenkins/pipelines/{devops}/pipelines/{pipeline}/branches/{branch}/runs/{run}/stop/
+	webservice.Route(webservice.POST("/devops/{devops}/pipelines/{pipeline}/branches/{branch}/runs/{run}/stop").
+		To(devopsapi.StopBranchPipeline).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsPipelineTag}).
+		Doc("(MultiBranchesPipeline) Stop the specified pipeline of the DevOps project.").
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Param(webservice.PathParameter("pipeline", "the name of the CI/CD pipeline")).
+		Param(webservice.PathParameter("branch", "the name of branch, same as repository branch.")).
+		Param(webservice.PathParameter("run", "pipeline run ID, the unique ID for a pipeline once build.")).
+		Param(webservice.QueryParameter("blocking", "stop and between each retries will sleep.").
+			Required(false).
+			DataFormat("blocking=%t").
+			DefaultValue("blocking=false")).
+		Param(webservice.QueryParameter("timeOutInSecs", "the time of stop and between each retries sleep.").
+			Required(false).
+			DataFormat("timeOutInSecs=%d").
+			DefaultValue("timeOutInSecs=10")).
+		Returns(http.StatusOK, RespOK, devops.StopPipe{}).
+		Writes(devops.StopPipe{}))
+
+	// match /blue/rest/organizations/jenkins/pipelines/{devops}/pipelines/{pipeline}/runs/{run}/stop/
+	webservice.Route(webservice.POST("/devops/{devops}/pipelines/{pipeline}/runs/{run}/stop").
+		To(devopsapi.StopPipeline).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsPipelineTag}).
+		Doc("Stop pipeline").
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Param(webservice.PathParameter("pipeline", "the name of the CI/CD pipeline")).
+		Param(webservice.PathParameter("run", "pipeline run ID, the unique ID for a pipeline once build.")).
+		Param(webservice.QueryParameter("blocking", "stop and between each retries will sleep.").
+			Required(false).
+			DataFormat("blocking=%t").
+			DefaultValue("blocking=false")).
+		Param(webservice.QueryParameter("timeOutInSecs", "the time of stop and between each retries sleep.").
+			Required(false).
+			DataFormat("timeOutInSecs=%d").
+			DefaultValue("timeOutInSecs=10")).
+		Returns(http.StatusOK, RespOK, devops.StopPipe{}).
+		Writes(devops.StopPipe{}))
+
+	// match /blue/rest/organizations/jenkins/pipelines/{devops}/pipelines/{pipeline}/branches/{branch}/runs/{run}/Replay/
+	webservice.Route(webservice.POST("/devops/{devops}/pipelines/{pipeline}/branches/{branch}/runs/{run}/replay").
+		To(devopsapi.ReplayBranchPipeline).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsPipelineTag}).
+		Doc("(MultiBranchesPipeline) Replay the specified pipeline of the DevOps project").
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Param(webservice.PathParameter("pipeline", "the name of the CI/CD pipeline")).
+		Param(webservice.PathParameter("branch", "the name of branch, same as repository branch.")).
+		Param(webservice.PathParameter("run", "pipeline run ID, the unique ID for a pipeline once build.")).
+		Returns(http.StatusOK, RespOK, devops.ReplayPipe{}).
+		Writes(devops.ReplayPipe{}))
+
+	// match /blue/rest/organizations/jenkins/pipelines/{devops}/pipelines/{pipeline}/runs/{run}/Replay/
+	webservice.Route(webservice.POST("/devops/{devops}/pipelines/{pipeline}/runs/{run}/replay").
+		To(devopsapi.ReplayPipeline).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsPipelineTag}).
+		Doc("Replay pipeline").
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Param(webservice.PathParameter("pipeline", "the name of the CI/CD pipeline")).
+		Param(webservice.PathParameter("run", "pipeline run ID, the unique ID for a pipeline once build.")).
+		Returns(http.StatusOK, RespOK, devops.ReplayPipe{}).
+		Writes(devops.ReplayPipe{}))
+
+	// match /blue/rest/organizations/jenkins/pipelines/{devops}/{pipeline}/branches/{branch}/runs/{run}/log/?start=0
+	webservice.Route(webservice.GET("/devops/{devops}/pipelines/{pipeline}/branches/{branch}/runs/{run}/log").
+		To(devopsapi.GetBranchRunLog).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsPipelineTag}).
+		Doc("(MultiBranchesPipeline) Get run logs of the specified pipeline activity.").
+		Produces("text/plain; charset=utf-8").
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Param(webservice.PathParameter("pipeline", "the name of the CI/CD pipeline")).
+		Param(webservice.PathParameter("branch", "the name of branch, same as repository branch.")).
+		Param(webservice.PathParameter("run", "pipeline run ID, the unique ID for a pipeline once build.")).
+		Param(webservice.QueryParameter("start", "the item number that the search starts from.").
+			Required(false).
+			DataFormat("start=%d").
+			DefaultValue("start=0")))
+
+	// match /blue/rest/organizations/jenkins/pipelines/{devops}/{pipeline}/runs/{run}/log/?start=0
+	webservice.Route(webservice.GET("/devops/{devops}/pipelines/{pipeline}/runs/{run}/log").
+		To(devopsapi.GetRunLog).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsPipelineTag}).
+		Doc("Get run logs of the specified pipeline activity.").
+		Produces("text/plain; charset=utf-8").
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Param(webservice.PathParameter("pipeline", "the name of the CI/CD pipeline")).
+		Param(webservice.PathParameter("run", "pipeline run ID, the unique ID for a pipeline once build.")).
+		Param(webservice.QueryParameter("start", "the item number that the search starts from.").
+			Required(false).
+			DataFormat("start=%d").
+			DefaultValue("start=0")))
+
+	// match /blue/rest/organizations/jenkins/pipelines/{devops}/{pipeline}/branches/{branch}/runs/{run}/artifacts
+	webservice.Route(webservice.GET("/devops/{devops}/pipelines/{pipeline}/branches/{branch}/runs/{run}/artifacts").
+		To(devopsapi.GetBranchArtifacts).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsPipelineTag}).
+		Doc("(MultiBranchesPipeline) Get all artifacts generated from the specified run of the pipeline branch.").
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Param(webservice.PathParameter("pipeline", "the name of the CI/CD pipeline")).
+		Param(webservice.PathParameter("branch", "the name of branch, same as repository branch.")).
+		Param(webservice.PathParameter("run", "pipeline run ID, the unique ID for a pipeline once build.")).
+		Param(webservice.QueryParameter("start", "the item number that the search starts from.").
+			Required(false).
+			DataFormat("start=%d")).
+		Param(webservice.QueryParameter("limit", "the limit item count of the search.").
+			Required(false).
+			DataFormat("limit=%d")).
+		Returns(http.StatusOK, "The filed of \"Url\" in response can download artifacts", []devops.Artifacts{}).
+		Writes([]devops.Artifacts{}))
+
+	// match /blue/rest/organizations/jenkins/pipelines/{devops}/{pipeline}/runs/{run}/artifacts
+	webservice.Route(webservice.GET("/devops/{devops}/pipelines/{pipeline}/runs/{run}/artifacts").
+		To(devopsapi.GetArtifacts).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsPipelineTag}).
+		Doc("Get all artifacts in the specified pipeline.").
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Param(webservice.PathParameter("pipeline", "the name of the CI/CD pipeline")).
+		Param(webservice.PathParameter("run", "pipeline run ID, the unique ID for a pipeline once build.")).
+		Param(webservice.QueryParameter("start", "the item number that the search starts from.").
+			Required(false).
+			DataFormat("start=%d")).
+		Param(webservice.QueryParameter("limit", "the limit item count of the search.").
+			Required(false).
+			DataFormat("limit=%d")).
+		Returns(http.StatusOK, "The filed of \"Url\" in response can download artifacts", []devops.Artifacts{}).
+		Writes([]devops.Artifacts{}))
+
+	// match /blue/rest/organizations/jenkins/pipelines/{devops}/{pipeline}/branches/?filter=&start&limit=
+	webservice.Route(webservice.GET("/devops/{devops}/pipelines/{pipeline}/branches").
+		To(devopsapi.GetPipeBranch).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsPipelineTag}).
+		Doc("(MultiBranchesPipeline) Get all branches in the specified pipeline.").
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Param(webservice.PathParameter("pipeline", "the name of the CI/CD pipeline")).
+		Param(webservice.QueryParameter("filter", "filter remote scm. e.g. origin").
+			Required(false).
+			DataFormat("filter=%s")).
+		Param(webservice.QueryParameter("start", "the count of branches start.").
+			Required(false).
+			DataFormat("start=%d").DefaultValue("start=0")).
+		Param(webservice.QueryParameter("limit", "the count of branches limit.").
+			Required(false).
+			DataFormat("limit=%d").DefaultValue("limit=100")).
+		Returns(http.StatusOK, RespOK, []devops.PipeBranch{}).
+		Writes([]devops.PipeBranch{}))
+
+	// /blue/rest/organizations/jenkins/pipelines/{devops}/pipelines/{pipeline}/branches/{branch}/runs/{run}/nodes/{node}/steps/{step}
+	webservice.Route(webservice.POST("/devops/{devops}/pipelines/{pipeline}/branches/{branch}/runs/{run}/nodes/{node}/steps/{step}").
+		To(devopsapi.SubmitBranchInputStep).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsPipelineTag}).
+		Doc("(MultiBranchesPipeline) Proceed or Break the paused pipeline which waiting for user input.").
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Param(webservice.PathParameter("pipeline", "the name of the CI/CD pipeline")).
+		Param(webservice.PathParameter("branch", "the name of branch, same as repository branch.")).
+		Param(webservice.PathParameter("run", "pipeline run ID, the unique ID for a pipeline once build.")).
+		Param(webservice.PathParameter("node", "pipeline node ID, the stage in pipeline.")).
+		Param(webservice.PathParameter("step", "pipeline step ID, the step in pipeline.")).
+		Reads(devops.CheckPlayload{}).
+		Produces("text/plain; charset=utf-8"))
+
+	// match /blue/rest/organizations/jenkins/pipelines/{devops}/pipelines/{pipeline}/runs/{run}/nodes/{node}/steps/{step}
+	webservice.Route(webservice.POST("/devops/{devops}/pipelines/{pipeline}/runs/{run}/nodes/{node}/steps/{step}").
+		To(devopsapi.SubmitInputStep).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsPipelineTag}).
+		Doc("Proceed or Break the paused pipeline which is waiting for user input.").
+		Reads(devops.CheckPlayload{}).
+		Produces("text/plain; charset=utf-8").
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Param(webservice.PathParameter("pipeline", "the name of the CI/CD pipeline")).
+		Param(webservice.PathParameter("run", "pipeline run ID, the unique ID for a pipeline once build.")).
+		Param(webservice.PathParameter("node", "pipeline node ID, the stage in pipeline.")).
+		Param(webservice.PathParameter("step", "pipeline step ID")))
+
+	// match /job/project-8QnvykoJw4wZ/job/test-1/indexing/consoleText
+	webservice.Route(webservice.GET("/devops/{devops}/pipelines/{pipeline}/consolelog").
+		To(devopsapi.GetConsoleLog).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsPipelineTag}).
+		Doc("Get scan reponsitory logs in the specified pipeline.").
+		Produces("text/plain; charset=utf-8").
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Param(webservice.PathParameter("pipeline", "the name of the CI/CD pipeline")))
+
+	// match /job/{devops}/job/{pipeline}/build?delay=0
+	webservice.Route(webservice.POST("/devops/{devops}/pipelines/{pipeline}/scan").
+		To(devopsapi.ScanBranch).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsPipelineTag}).
+		Doc("Scan remote Repository, Start a build if have new branch.").
+		Produces("text/html; charset=utf-8").
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Param(webservice.PathParameter("pipeline", "the name of the CI/CD pipeline")).
+		Param(webservice.QueryParameter("delay", "the delay time to scan").
+			Required(false).
+			DataFormat("delay=%d")))
+
+	// match /blue/rest/organizations/jenkins/pipelines/{devops}/{pipeline}/branches/{}/runs/
+	webservice.Route(webservice.POST("/devops/{devops}/pipelines/{pipeline}/branches/{branch}/runs").
+		To(devopsapi.RunBranchPipeline).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsPipelineTag}).
+		Doc("(MultiBranchesPipeline) Run the specified pipeline of the DevOps project.").
+		Reads(devops.RunPayload{}).
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Param(webservice.PathParameter("pipeline", "the name of the CI/CD pipeline")).
+		Param(webservice.PathParameter("branch", "the name of branch, same as repository branch.")).
+		Returns(http.StatusOK, RespOK, devops.QueuedBlueRun{}).
+		Writes(devops.QueuedBlueRun{}))
+
+	// match /blue/rest/organizations/jenkins/pipelines/{devops}/{pipeline}/runs/
+	webservice.Route(webservice.POST("/devops/{devops}/pipelines/{pipeline}/runs").
+		To(devopsapi.RunPipeline).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsPipelineTag}).
+		Doc("Run pipeline.").
+		Reads(devops.RunPayload{}).
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Param(webservice.PathParameter("pipeline", "the name of the CI/CD pipeline")).
+		Returns(http.StatusOK, RespOK, devops.QueuedBlueRun{}).
+		Writes(devops.QueuedBlueRun{}))
+
+	// match /crumbIssuer/api/json/
+	webservice.Route(webservice.GET("/crumbissuer").
+		To(devopsapi.GetCrumb).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsPipelineTag}).
+		Doc("Get crumb issuer. A CrumbIssuer represents an algorithm to generate a nonce value, known as a crumb, to counter cross site request forgery exploits. Crumbs are typically hashes incorporating information that uniquely identifies an agent that sends a request, along with a guarded secret so that the crumb value cannot be forged by a third party.").
+		Returns(http.StatusOK, RespOK, devops.Crumb{}).
+		Writes(devops.Crumb{}))
+
+	// TODO are not used in this version. will be added in 2.1.0
+	//// match /job/init-job/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile
+	//webservice.Route(webservice.POST("/devops/check/scriptcompile").
+	//	To(devopsapi.CheckScriptCompile).
+	//	Metadata(restfulspec.KeyOpenAPITags, tags).
+	//	Consumes("application/x-www-form-urlencoded", "charset=utf-8").
+	//	Produces("application/json", "charset=utf-8").
+	//	Doc("Check pipeline script compile.").
+	//	Reads(devops.ReqScript{}).
+	//	Returns(http.StatusOK, RespOK, devops.CheckScript{}).
+	//	Writes(devops.CheckScript{}))
+
+	// match /job/init-job/descriptorByName/hudson.triggers.TimerTrigger/checkSpec
+	//webservice.Route(webservice.GET("/devops/check/cron").
+	//	To(devopsapi.CheckCron).
+	//	Metadata(restfulspec.KeyOpenAPITags, tags).
+	//	Produces("application/json", "charset=utf-8").
+	//	Doc("Check cron script compile.").
+	//	Param(webservice.QueryParameter("value", "string of cron script.").
+	//		Required(true).
+	//		DataFormat("value=%s")).
+	//	Returns(http.StatusOK, RespOK, []devops.QueuedBlueRun{}).
+	//	Returns(http.StatusOK, RespOK, devops.CheckCronRes{}).
+	//	Writes(devops.CheckCronRes{}))
+
+	// match /blue/rest/organizations/jenkins/pipelines/{devops}/{pipeline}/runs/{run}/
+	webservice.Route(webservice.GET("/devops/{devops}/pipelines/{pipeline}/runs/{run}").
+		To(devopsapi.GetPipelineRun).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsPipelineTag}).
+		Doc("Get all activities in the specified pipeline.").
+		Param(webservice.PathParameter("devops", "the name of devops project")).
+		Param(webservice.PathParameter("pipeline", "the name of the CI/CD pipeline")).
+		Param(webservice.PathParameter("run", "pipeline run ID, the unique ID for a pipeline once build.")).
+		Returns(http.StatusOK, RespOK, devops.PipelineRun{}).
+		Writes(devops.PipelineRun{}))
+
+	// match /blue/rest/organizations/jenkins/pipelines/{devops}/pipelines/{pipeline}/branches/{branch}
+	webservice.Route(webservice.GET("/devops/{devops}/pipelines/{pipeline}/branches/{branch}").
+		To(devopsapi.GetBranchPipeline).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsPipelineTag}).
+		Doc("(MultiBranchesPipeline) Get all activities in the specified pipeline.").
+		Param(webservice.PathParameter("devops", "the name of devops project")).
+		Param(webservice.PathParameter("pipeline", "the name of the CI/CD pipeline")).
+		Param(webservice.PathParameter("branch", "the name of branch, same as repository branch")).
+		Returns(http.StatusOK, RespOK, devops.BranchPipeline{}).
+		Writes(devops.BranchPipeline{}))
+
+	// match /blue/rest/organizations/jenkins/pipelines/{devops}/pipelines/{pipeline}/runs/{run}/nodes/?limit=10000
+	webservice.Route(webservice.GET("/devops/{devops}/pipelines/{pipeline}/runs/{run}/nodes").
+		To(devopsapi.GetPipelineRunNodes).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsPipelineTag}).
+		Doc("Get all nodes in the specified activity. node is the stage in the pipeline task").
+		Param(webservice.PathParameter("devops", "the name of devops project")).
+		Param(webservice.PathParameter("pipeline", "the name of the CI/CD pipeline")).
+		Param(webservice.PathParameter("run", "pipeline run ID, the unique ID for a pipeline once build")).
+		Returns(http.StatusOK, RespOK, []devops.PipelineRunNodes{}).
+		Writes([]devops.PipelineRunNodes{}))
+
+	// match /blue/rest/organizations/jenkins/pipelines/%s/%s/branches/%s/runs/%s/nodes/%s/steps/?limit=
+	webservice.Route(webservice.GET("/devops/{devops}/pipelines/{pipeline}/branches/{branch}/runs/{run}/nodes/{node}/steps").
+		To(devopsapi.GetBranchNodeSteps).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsPipelineTag}).
+		Doc("(MultiBranchesPipeline) Get all steps in the specified node.").
+		Param(webservice.PathParameter("devops", "the name of devops project")).
+		Param(webservice.PathParameter("pipeline", "the name of the CI/CD pipeline")).
+		Param(webservice.PathParameter("branch", "the name of branch, same as repository branch.")).
+		Param(webservice.PathParameter("run", "pipeline run ID, the unique ID for a pipeline once build.")).
+		Param(webservice.PathParameter("node", "pipeline node ID, the stage in pipeline.")).
+		Returns(http.StatusOK, RespOK, []devops.NodeSteps{}).
+		Writes([]devops.NodeSteps{}))
+
+	// match /blue/rest/organizations/jenkins/pipelines/%s/%s/runs/%s/nodes/%s/steps/?limit=
+	webservice.Route(webservice.GET("/devops/{devops}/pipelines/{pipeline}/runs/{run}/nodes/{node}/steps").
+		To(devopsapi.GetNodeSteps).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsPipelineTag}).
+		Doc("Get all steps in the specified node.").
+		Param(webservice.PathParameter("devops", "the name of devops project")).
+		Param(webservice.PathParameter("pipeline", "the name of the CI/CD pipeline")).
+		Param(webservice.PathParameter("run", "pipeline run ID, the unique ID for a pipeline once build")).
+		Param(webservice.PathParameter("node", "pipeline node ID, the stage in pipeline.")).
+		Returns(http.StatusOK, RespOK, []devops.NodeSteps{}).
+		Writes([]devops.NodeSteps{}))
+
+	// match /pipeline-model-converter/toJenkinsfile
+	webservice.Route(webservice.POST("/tojenkinsfile").
+		To(devopsapi.ToJenkinsfile).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsJenkinsfileTag}).
+		Consumes("application/x-www-form-urlencoded").
+		Produces("application/json", "charset=utf-8").
+		Doc("Convert json to jenkinsfile format.").
+		Reads(devops.ReqJson{}).
+		Returns(http.StatusOK, RespOK, devops.ResJenkinsfile{}).
+		Writes(devops.ResJenkinsfile{}))
+
+	// match /pipeline-model-converter/toJson
+	webservice.Route(webservice.POST("/tojson").
+		To(devopsapi.ToJson).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsJenkinsfileTag}).
+		Consumes("application/x-www-form-urlencoded").
+		Produces("application/json", "charset=utf-8").
+		Doc("Convert jenkinsfile to json format. Usually the frontend uses json to show or edit pipeline").
+		Reads(devops.ReqJenkinsfile{}).
+		Returns(http.StatusOK, RespOK, devops.ResJson{}).
+		Writes(devops.ResJson{}))
+
+	// match /git/notifyCommit/?url=
+	webservice.Route(webservice.GET("/webhook/git").
+		To(devopsapi.GetNotifyCommit).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsWebhookTag}).
+		Doc("Get commit notification by HTTP GET method. Git webhook will request here.").
+		Produces("text/plain; charset=utf-8").
+		Param(webservice.QueryParameter("url", "Git url").
+			Required(true).
+			DataFormat("url=%s")))
+
+	// Gitlab or some other scm managers can only use HTTP method. match /git/notifyCommit/?url=
+	webservice.Route(webservice.POST("/webhook/git").
+		To(devopsapi.PostNotifyCommit).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsWebhookTag}).
+		Doc("Get commit notification by HTTP POST method. Git webhook will request here.").
+		Consumes("application/json").
+		Produces("text/plain; charset=utf-8").
+		Param(webservice.QueryParameter("url", "Git url").
+			Required(true).
+			DataFormat("url=%s")))
+
+	webservice.Route(webservice.POST("/webhook/github").
+		To(devopsapi.GithubWebhook).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsWebhookTag}).
+		Doc("Get commit notification. Github webhook will request here."))
+
+	// in scm get all steps in nodes.
+	webservice.Route(webservice.GET("/devops/{devops}/pipelines/{pipeline}/branches/{branch}/runs/{run}/nodesdetail").
+		To(devopsapi.GetBranchNodesDetail).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsPipelineTag}).
+		Doc("(MultiBranchesPipeline) Get steps details in an activity node. For a node, the steps which is defined inside the node.").
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Param(webservice.PathParameter("pipeline", "the name of the CI/CD pipeline")).
+		Param(webservice.PathParameter("branch", "the name of branch, same as repository branch.")).
+		Param(webservice.PathParameter("run", "pipeline run ID, the unique ID for a pipeline once build.")).
+		Returns(http.StatusOK, RespOK, []devops.NodesDetail{}).
+		Writes(devops.NodesDetail{}))
+
+	// out of scm get all steps in nodes.
+	webservice.Route(webservice.GET("/devops/{devops}/pipelines/{pipeline}/runs/{run}/nodesdetail").
+		To(devopsapi.GetNodesDetail).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.DevOpsPipelineTag}).
+		Doc("Get steps details inside a activity node. For a node, the steps which defined inside the node.").
+		Param(webservice.PathParameter("devops", "DevOps project's ID, e.g. project-RRRRAzLBlLEm")).
+		Param(webservice.PathParameter("pipeline", "the name of the CI/CD pipeline")).
+		Param(webservice.PathParameter("branch", "the name of branch, same as repository branch.")).
+		Param(webservice.PathParameter("run", "pipeline run ID, the unique ID for a pipeline once build.")).
+		Returns(http.StatusOK, RespOK, []devops.NodesDetail{}).
+		Writes(devops.NodesDetail{}))
+
+	c.Add(webservice)
+
+	return nil
+}

pkg/apis/iam/install/install.go

@@ -0,0 +1,33 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package install
+
+import (
+	"github.com/emicklei/go-restful"
+	urlruntime "k8s.io/apimachinery/pkg/util/runtime"
+	iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
+	"kubesphere.io/kubesphere/pkg/apiserver/runtime"
+)
+
+func init() {
+	Install(runtime.Container)
+}
+
+func Install(container *restful.Container) {
+	urlruntime.Must(iamv1alpha2.AddToContainer(container))
+}

pkg/apis/iam/v1alpha2/register.go

@@ -0,0 +1,286 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+package v1alpha2
+
+import (
+	"github.com/emicklei/go-restful"
+	"github.com/emicklei/go-restful-openapi"
+	rbacv1 "k8s.io/api/rbac/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"kubesphere.io/kubesphere/pkg/apiserver/iam"
+	"kubesphere.io/kubesphere/pkg/apiserver/runtime"
+	"kubesphere.io/kubesphere/pkg/constants"
+	"kubesphere.io/kubesphere/pkg/errors"
+	"kubesphere.io/kubesphere/pkg/models"
+	"kubesphere.io/kubesphere/pkg/models/iam/policy"
+	"net/http"
+	"time"
+)
+
+const GroupName = "iam.kubesphere.io"
+
+var GroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha2"}
+
+var (
+	WebServiceBuilder = runtime.NewContainerBuilder(addWebService)
+	AddToContainer    = WebServiceBuilder.AddToContainer
+)
+
+type UserUpdateRequest struct {
+	Username        string `json:"username" description:"username"`
+	Email           string `json:"email" description:"email address"`
+	Lang            string `json:"lang" description:"user's language setting, default is zh-CN"`
+	Description     string `json:"description" description:"user's description"`
+	Password        string `json:"password,omitempty" description:"this is necessary if you need to change your password"`
+	CurrentPassword string `json:"current_password,omitempty" description:"this is necessary if you need to change your password"`
+	ClusterRole     string `json:"cluster_role" description:"user's cluster role"`
+}
+
+type CreateUserRequest struct {
+	Username    string `json:"username" description:"username"`
+	Email       string `json:"email" description:"email address"`
+	Lang        string `json:"lang,omitempty" description:"user's language setting, default is zh-CN"`
+	Description string `json:"description" description:"user's description"`
+	Password    string `json:"password" description:"password'"`
+	ClusterRole string `json:"cluster_role" description:"user's cluster role"`
+}
+
+type UserList struct {
+	Items []struct {
+		Username      string    `json:"username" description:"username"`
+		Email         string    `json:"email" description:"email address"`
+		Lang          string    `json:"lang,omitempty" description:"user's language setting, default is zh-CN"`
+		Description   string    `json:"description" description:"user's description"`
+		ClusterRole   string    `json:"cluster_role" description:"user's cluster role"`
+		CreateTime    time.Time `json:"create_time" description:"user creation time"`
+		LastLoginTime time.Time `json:"last_login_time" description:"last login time"`
+	} `json:"items" description:"paging data"`
+	TotalCount int `json:"total_count" description:"total count"`
+}
+type NamespacedUser struct {
+	Username      string    `json:"username" description:"username"`
+	Email         string    `json:"email" description:"email address"`
+	Lang          string    `json:"lang,omitempty" description:"user's language setting, default is zh-CN"`
+	Description   string    `json:"description" description:"user's description"`
+	Role          string    `json:"role" description:"user's role in the specified namespace"`
+	RoleBinding   string    `json:"role_binding" description:"user's role binding name in the specified namespace"`
+	RoleBindTime  string    `json:"role_bind_time" description:"user's role binding time"`
+	CreateTime    time.Time `json:"create_time" description:"user creation time"`
+	LastLoginTime time.Time `json:"last_login_time" description:"last login time"`
+}
+
+type ClusterRoleList struct {
+	Items      []rbacv1.ClusterRole `json:"items" description:"paging data"`
+	TotalCount int                  `json:"total_count" description:"total count"`
+}
+
+type LoginLog struct {
+	LoginTime string `json:"login_time" description:"last login time"`
+	LoginIP   string `json:"login_ip" description:"last login ip"`
+}
+
+type RoleList struct {
+	Items      []rbacv1.Role `json:"items" description:"paging data"`
+	TotalCount int           `json:"total_count" description:"total count"`
+}
+
+type InviteUserRequest struct {
+	Username      string `json:"username" description:"username"`
+	WorkspaceRole string `json:"workspace_role" description:"user's workspace role'"`
+}
+
+type DescribeWorkspaceUserResponse struct {
+	Username      string    `json:"username" description:"username"`
+	Email         string    `json:"email" description:"email address"`
+	Lang          string    `json:"lang" description:"user's language setting, default is zh-CN"`
+	Description   string    `json:"description" description:"user's description"`
+	ClusterRole   string    `json:"cluster_role" description:"user's cluster role"`
+	WorkspaceRole string    `json:"workspace_role" description:"user's workspace role"`
+	CreateTime    time.Time `json:"create_time" description:"user creation time"`
+	LastLoginTime time.Time `json:"last_login_time" description:"last login time"`
+}
+
+func addWebService(c *restful.Container) error {
+	ws := runtime.NewWebService(GroupVersion)
+
+	ok := "ok"
+
+	ws.Route(ws.POST("/authenticate").
+		To(iam.TokenReviewHandler).
+		Doc("TokenReview attempts to authenticate a token to a known user. Note: TokenReview requests may be cached by the webhook token authenticator plugin in the kube-apiserver.").
+		Reads(iam.TokenReview{}).
+		Returns(http.StatusOK, ok, iam.TokenReview{}).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.IdentityManagementTag}))
+	ws.Route(ws.POST("/login").
+		To(iam.Login).
+		Doc("KubeSphere APIs support token-based authentication via the Authtoken request header. The POST Login API is used to retrieve the authentication token. After the authentication token is obtained, it must be inserted into the Authtoken header for all requests.").
+		Reads(iam.LoginRequest{}).
+		Returns(http.StatusOK, ok, models.Token{}).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.IdentityManagementTag}))
+	ws.Route(ws.GET("/users/{user}").
+		To(iam.DescribeUser).
+		Doc("Describe the specified user.").
+		Param(ws.PathParameter("user", "username")).
+		Returns(http.StatusOK, ok, models.User{}).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.IdentityManagementTag}))
+	ws.Route(ws.POST("/users").
+		To(iam.CreateUser).
+		Doc("Create a user account.").
+		Reads(CreateUserRequest{}).
+		Returns(http.StatusOK, ok, errors.Error{}).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.IdentityManagementTag}))
+	ws.Route(ws.DELETE("/users/{user}").
+		To(iam.DeleteUser).
+		Doc("Delete the specified user.").
+		Param(ws.PathParameter("user", "username")).
+		Returns(http.StatusOK, ok, errors.Error{}).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.IdentityManagementTag}))
+	ws.Route(ws.PUT("/users/{user}").
+		To(iam.UpdateUser).
+		Doc("Update information about the specified user.").
+		Param(ws.PathParameter("user", "username")).
+		Reads(UserUpdateRequest{}).
+		Returns(http.StatusOK, ok, errors.Error{}).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.IdentityManagementTag}))
+	ws.Route(ws.GET("/users/{user}/logs").
+		To(iam.UserLoginLogs).
+		Doc("Retrieve the \"login logs\" for the specified user.").
+		Param(ws.PathParameter("user", "username")).
+		Returns(http.StatusOK, ok, LoginLog{}).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.IdentityManagementTag}))
+	ws.Route(ws.GET("/users").
+		To(iam.ListUsers).
+		Doc("List all users.").
+		Returns(http.StatusOK, ok, UserList{}).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.IdentityManagementTag}))
+	ws.Route(ws.GET("/users/{user}/roles").
+		To(iam.ListUserRoles).
+		Doc("Retrieve all the roles that are assigned to the specified user.").
+		Param(ws.PathParameter("user", "username")).
+		Returns(http.StatusOK, ok, iam.RoleList{}).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.AccessManagementTag}))
+	ws.Route(ws.GET("/namespaces/{namespace}/roles").
+		To(iam.ListRoles).
+		Doc("Retrieve the roles that are assigned to the user in the specified namespace.").
+		Param(ws.PathParameter("namespace", "kubernetes namespace")).
+		Returns(http.StatusOK, ok, RoleList{}).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.AccessManagementTag}))
+	ws.Route(ws.GET("/clusterroles").
+		To(iam.ListClusterRoles).
+		Doc("List all cluster roles.").
+		Returns(http.StatusOK, ok, ClusterRoleList{}).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.AccessManagementTag}))
+	ws.Route(ws.GET("/namespaces/{namespace}/roles/{role}/users").
+		To(iam.ListRoleUsers).
+		Doc("Retrieve the users that are bound to the role in the specified namespace.").
+		Param(ws.PathParameter("namespace", "kubernetes namespace")).
+		Param(ws.PathParameter("role", "role name")).
+		Returns(http.StatusOK, ok, []NamespacedUser{}).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.AccessManagementTag}))
+	ws.Route(ws.GET("/namespaces/{namespace}/users").
+		To(iam.ListNamespaceUsers).
+		Doc("List all users in the specified namespace.").
+		Param(ws.PathParameter("namespace", "kubernetes namespace")).
+		Returns(http.StatusOK, ok, []NamespacedUser{}).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.AccessManagementTag}))
+	ws.Route(ws.GET("/clusterroles/{clusterrole}/users").
+		To(iam.ListClusterRoleUsers).
+		Doc("List all users that are bound to the specified cluster role.").
+		Param(ws.PathParameter("clusterrole", "cluster role name")).
+		Returns(http.StatusOK, ok, UserList{}).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.AccessManagementTag}))
+	ws.Route(ws.GET("/clusterroles/{clusterrole}/rules").
+		To(iam.ListClusterRoleRules).
+		Doc("List all policy rules of the specified cluster role.").
+		Param(ws.PathParameter("clusterrole", "cluster role name")).
+		Returns(http.StatusOK, ok, []models.SimpleRule{}).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.AccessManagementTag}))
+	ws.Route(ws.GET("/namespaces/{namespace}/roles/{role}/rules").
+		To(iam.ListRoleRules).
+		Doc("List all policy rules of the specified role in the given namespace.").
+		Param(ws.PathParameter("namespace", "kubernetes namespace")).
+		Param(ws.PathParameter("role", "role name")).
+		Returns(http.StatusOK, ok, []models.SimpleRule{}).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.AccessManagementTag}))
+	ws.Route(ws.GET("/devops/{devops}/roles/{role}/rules").
+		To(iam.ListDevopsRoleRules).
+		Doc("List all policy rules of the specified role in the given devops project.").
+		Param(ws.PathParameter("devops", "devops project ID")).
+		Param(ws.PathParameter("role", "devops role name")).
+		Returns(http.StatusOK, ok, []models.SimpleRule{}).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.AccessManagementTag}))
+	ws.Route(ws.GET("/rulesmapping/clusterroles").
+		To(iam.ClusterRulesMapping).
+		Doc("Get the mapping relationships between cluster roles and policy rules.").
+		Returns(http.StatusOK, ok, policy.ClusterRoleRuleMapping).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.AccessManagementTag}))
+	ws.Route(ws.GET("/rulesmapping/roles").
+		To(iam.RulesMapping).
+		Doc("Get the mapping relationships between namespaced roles and policy rules.").
+		Returns(http.StatusOK, ok, policy.RoleRuleMapping).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.AccessManagementTag}))
+	ws.Route(ws.GET("/workspaces/{workspace}/roles").
+		To(iam.ListWorkspaceRoles).
+		Doc("List all workspace roles.").
+		Param(ws.PathParameter("workspace", "workspace name")).
+		Returns(http.StatusOK, ok, ClusterRoleList{}).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.AccessManagementTag}))
+	ws.Route(ws.GET("/workspaces/{workspace}/roles/{role}").
+		To(iam.DescribeWorkspaceRole).
+		Doc("Describe the workspace role.").
+		Param(ws.PathParameter("workspace", "workspace name")).
+		Param(ws.PathParameter("role", "workspace role name")).
+		Returns(http.StatusOK, ok, rbacv1.ClusterRole{}).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.AccessManagementTag}))
+	ws.Route(ws.GET("/workspaces/{workspace}/roles/{role}/rules").
+		To(iam.ListWorkspaceRoleRules).
+		Doc("List all policy rules of the specified workspace role.").
+		Param(ws.PathParameter("workspace", "workspace name")).
+		Param(ws.PathParameter("role", "workspace role name")).
+		Returns(http.StatusOK, ok, []models.SimpleRule{}).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.AccessManagementTag}))
+	ws.Route(ws.GET("/workspaces/{workspace}/members").
+		To(iam.ListWorkspaceUsers).
+		Doc("List all members in the specified workspace.").
+		Param(ws.PathParameter("workspace", "workspace name")).
+		Returns(http.StatusOK, ok, UserList{}).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.AccessManagementTag}))
+	ws.Route(ws.POST("/workspaces/{workspace}/members").
+		To(iam.InviteUser).
+		Doc("Invite a member to the specified workspace.").
+		Param(ws.PathParameter("workspace", "workspace name")).
+		Reads(InviteUserRequest{}).
+		Returns(http.StatusOK, ok, errors.Error{}).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.AccessManagementTag}))
+	ws.Route(ws.DELETE("/workspaces/{workspace}/members/{member}").
+		To(iam.RemoveUser).
+		Doc("Remove the specified member from the workspace.").
+		Param(ws.PathParameter("workspace", "workspace name")).
+		Param(ws.PathParameter("member", "username")).
+		Returns(http.StatusOK, ok, errors.Error{}).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.AccessManagementTag}))
+	ws.Route(ws.GET("/workspaces/{workspace}/members/{member}").
+		To(iam.DescribeWorkspaceUser).
+		Doc("Describe the specified user in the given workspace.").
+		Param(ws.PathParameter("workspace", "workspace name")).
+		Param(ws.PathParameter("member", "username")).
+		Returns(http.StatusOK, ok, DescribeWorkspaceUserResponse{}).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.AccessManagementTag}))
+	c.Add(ws)
+	return nil
+}