Merge pull request #3350 from benyp/release-3.0

fix duplicate args error

.dockerignore

@@ -1 +1,2 @@
 tmp/
+.github

.gitattributes

@@ -1,2 +1,6 @@
 pkg/cmd/api/spec/api.swagger.json linguist-generated=true
 pkg/cmd/api/spec/static.go linguist-generated=true
+pkg/client/* linguist-generated=true
+config/crds/* linguist-generated=true
+config/rbac/* linguist-generated=true
+zz_generated.deepcopy.go linguist-generated=true

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,41 @@
+---
+name: Bug report
+about: Create a report to help us improve
+---
+
+## English only!
+
+**注意！GitHub Issue 仅支持英文，中文 Issue 请在 [论坛](https://kubesphere.com.cn/forum/) 提交。**
+
+**General remarks**
+
+> Please delete this section including header before submitting
+>
+> This form is to report bugs. For general usage questions refer to our Slack channel
+>        [KubeSphere-users](https://join.slack.com/t/kubesphere/shared_invite/enQtNTE3MDIxNzUxNzQ0LTdkNTc3OTdmNzdiODViZjViNTU5ZDY3M2I2MzY4MTI4OGZlOTJmMDg5ZTFiMDAwYzNlZDY5NjA0NzZlNDU5NmY)
+
+**Describe the Bug**
+A clear and concise description of what the bug is.
+
+For UI issues please also add a screenshot that shows the issue.
+
+**Versions Used**
+KubeSphere:
+Kubernetes: (If KubeSphere installer used, you can skip this)
+
+
+**Environment**
+How many nodes and their hardware configuration:
+
+For example: CentOS 7.5 / 3 masters:  8cpu/8g; 3 nodes: 8cpu/16g
+(and other info are welcomed to help us debugging)
+
+**How To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.

.github/ISSUE_TEMPLATE/installation_failure.md

@@ -0,0 +1,23 @@
+---
+name: Installation Issue
+about: Create an issue to help us improve installation
+---
+
+## English only!
+
+**注意！GitHub Issue 仅支持英文，中文 Issue 请在 [论坛](https://kubesphere.com.cn/forum/) 提交。**
+
+**What's your question**
+
+
+**Environment: OS & Hardware Information**
+
+> Important: You must describe your environment clearly, e.g. VMware or Bare Metal, CentOS 7.5, 8 C / 16 G (If you install on Linux), Or Kubernetes v1.16 (If you install on K8s).
+
+
+**Error logs or message (Attach logs or screenshot)**
+
+
+**Installer Version**
+
+> e.g. v2.1.0, v2.1.1

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,38 @@
+**What type of PR is this?**
+> Uncomment only one ` /kind <>` line, hit enter to put that in a new line, and remove leading whitespaces from that line:
+>
+> /kind api-change
+> /kind bug
+> /kind cleanup
+> /kind design
+> /kind documentation
+> /kind failing-test
+> /kind feature
+> /kind flake
+
+**What this PR does / why we need it**:
+
+**Which issue(s) this PR fixes**:
+<!--
+Usage: `Fixes #<issue number>`, or `Fixes (paste link of issue)`.
+_If PR is about `failing-tests or flakes`, please post the related issues/tests in a comment and do not use `Fixes`_*
+-->
+Fixes #
+
+**Special notes for reviewers**:
+```
+```
+
+**Additional documentation, usage docs, etc.**:
+
+<!--
+This section can be blank if this pull request does not require a release note.
+Please use the following format for linking documentation or pass the
+section below:
+- [KEP]: <link>
+- [Usage]: <link>
+- [Other doc]: <link>
+-->
+```docs
+
+```

.github/stale.yml

@@ -0,0 +1,20 @@
+# Number of days of inactivity before an issue becomes stale
+daysUntilStale: 90
+# Number of days of inactivity before a stale issue is closed
+daysUntilClose: 30
+# Issues with these labels will never be considered stale
+exemptLabels:
+  - frozen
+  - kind/feature-request
+  - kind/feature
+  - kind/security
+  - kind/design
+staleLabel: stale
+# Comment to post when marking an issue as stale. Set to `false` to disable
+markComment: >
+  This issue has been automatically marked as stale because it has not had
+  recent activity. It will be closed if no further activity occurs. Any further update will
+  cause the issue/pull request to no longer be considered stale. Thank you for your contributions.
+# Comment to post when closing a stale issue. Set to `false` to disable
+closeComment: >
+  This issue is being automatically closed due to inactivity.

.github/workflows/build.yml

@@ -0,0 +1,66 @@
+name: Go
+
+on:
+  push:
+    branches:
+      - 'master'
+      - 'release*'
+    tags:
+      - 'v*'
+  pull_request:
+    branches:
+      - 'master'
+      - 'release*'
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    env:
+      GO111MODULE: on
+    steps:
+
+      - name: Set up Go 1.13
+        uses: actions/setup-go@v1
+        with:
+          go-version: 1.13
+        id: go
+
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v2
+
+      - name: Check pr is properly formatted
+        run: diff -u <(echo -n) <(gofmt -d ./pkg ./cmd ./tools ./test)
+
+      - name: Downloading go dependencies
+        run: go mod vendor
+
+      - name: Install kubebuilder
+        run: bash hack/install_kubebuilder.sh
+
+      - name: Build
+        run: make all
+
+      - name: Make OpenAPI Spec
+        run: make openapi
+
+      - name: Uploading code coverage
+        uses: codecov/codecov-action@v1
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          file: ./coverage.txt
+          flags: unittests
+          name: codecov-umbrella
+          fail_ci_if_error: false
+
+      - name: Get branch name
+        id: extract_branch
+        shell: bash
+        run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+
+      - name: Build and push docker images
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+        if: github.event_name == 'push'
+        run: bash hack/docker_build.sh ${{ steps.extract_branch.outputs.branch }}

.gitignore

@@ -4,6 +4,7 @@
 *.dll
 *.so
 *.dylib
+*.a
 
 # Test binary, build with `go test -c`
 *.test
@@ -19,7 +20,14 @@ bin/
 # Vscode files
 .vscode/
 
-tmp/
-
 # OSX trash
 .DS_Store
+api.json
+*.coverprofile
+cover.out
+coverage.txt
+
+kustomize/network/etcd
+apiserver.local.config
+tmp/
+

.travis.yml

@@ -1,32 +0,0 @@
-sudo: required
-
-services:
-  - docker
-
-language: go
-
-go:
-  - 1.10
-  - tip
-
-go_import_path: kubesphere.io/kubesphere
-
-before_install:
-  - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
-  - curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh
-  - sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
-  - sudo apt-get update
-  - sudo apt-get -y install docker-ce
-  - dep ensure -v
-
-before_script:
-  - docker --version
-
-script:
-  - make fmt-check && make build
-
-deploy:
-  provider: script
-  script: bash install/scripts/docker_push
-  on:
-    branch: master

AUTHORS

@@ -1,13 +0,0 @@
-# This is the official list of KubeSphere authors for copyright purposes.
-# This file is distinct from the CONTRIBUTORS files.
-# See the latter for an explanation.
-
-# Names should be added to this file as one of
-#     Organization's name
-#     Individual's name <submission email address>
-#     Individual's name <submission email address> <email2> <emailN>
-# See CONTRIBUTORS for the meaning of multiple email addresses.
-
-# Please keep the list sorted.
-
-Yunify Inc.

CONTRIBUTING.md

@@ -0,0 +1,3 @@
+# Guide
+
+This [document](https://github.com/kubesphere/community) walks you through how to get started contributing KubeSphere.

CONTRIBUTORS

@@ -1,20 +0,0 @@
-# This is the official list of people who can contribute
-# (and typically have contributed) code to the KubeSphere repository.
-# The AUTHORS file lists the copyright holders; this file
-# lists people.  For example, Yunify employees are listed here
-# but not in AUTHORS, because Yunify holds the copyright.
-#
-# When adding J Random Contributor's name to this file,
-# either J's name or J's organization's name should be
-# added to the AUTHORS file.
-
-# Names should be added to this file like so:
-#     Individual's name <submission email address>
-#     Individual's name <submission email address> <email2> <emailN>
-#
-# An entry with multiple email addresses specifies that the
-# first address should be used in the submit logs.
-
-# Please keep the list sorted.
-
-Ray@qingcloud <ray@yunify.com>

Dockerfile

@@ -1,17 +0,0 @@
-# Copyright 2018 The KubeSphere Authors. All rights reserved.
-# Use of this source code is governed by a Apache license
-# that can be found in the LICENSE file.
-
-FROM kubesphere/kubesphere-builder as builder
-
-WORKDIR /go/src/kubesphere.io/kubesphere/
-COPY . .
-
-RUN go generate kubesphere.io/kubesphere/pkg/version && \
-	go install  kubesphere.io/kubesphere/cmd/...
-
-FROM alpine:3.6
-RUN apk add --update ca-certificates && update-ca-certificates
-COPY --from=builder /go/bin/* /usr/local/bin/
-
-CMD ["sh"]

Dockerfile.dev

@@ -1,10 +0,0 @@
-FROM alpine:3.6
-
-RUN apk add --update ca-certificates \
-    && update-ca-certificates \ 
-    && mkdir -p /etc/kubesphere/ingress-controller
-
-COPY ./bin/* /usr/local/bin/
-COPY ./install/ingress-controller /etc/kubesphere/ingress-controller
-
-CMD ["sh"]

Gopkg.lock

@@ -1,596 +0,0 @@
-# This file is autogenerated, do not edit; changes may be undone by the next 'dep ensure'.
-
-
-[[projects]]
-  name = "github.com/Microsoft/go-winio"
-  packages = ["."]
-  revision = "7da180ee92d8bd8bb8c37fc560e673e6557c392f"
-  version = "v0.4.7"
-
-[[projects]]
-  name = "github.com/Sirupsen/logrus"
-  packages = ["."]
-  revision = "c155da19408a8799da419ed3eeb0cb5db0ad5dbc"
-  version = "v1.0.5"
-
-[[projects]]
-  name = "github.com/antonholmquist/jason"
-  packages = ["."]
-  revision = "c23cef7eaa75a6a5b8810120e167bd590d8fd2ab"
-  version = "v1.0.0"
-
-[[projects]]
-  name = "github.com/coreos/etcd"
-  packages = [
-    "auth/authpb",
-    "clientv3",
-    "etcdserver/api/v3rpc/rpctypes",
-    "etcdserver/etcdserverpb",
-    "mvcc/mvccpb",
-    "pkg/tlsutil",
-    "pkg/transport",
-    "pkg/types"
-  ]
-  revision = "33245c6b5b49130ca99280408fadfab01aac0e48"
-  version = "v3.3.8"
-
-[[projects]]
-  name = "github.com/davecgh/go-spew"
-  packages = ["spew"]
-  revision = "346938d642f2ec3594ed81d874461961cd0faa76"
-  version = "v1.1.0"
-
-[[projects]]
-  branch = "master"
-  name = "github.com/docker/distribution"
-  packages = [
-    "digestset",
-    "reference"
-  ]
-  revision = "749f6afb4572201e3c37325d0ffedb6f32be8950"
-
-[[projects]]
-  name = "github.com/docker/docker"
-  packages = [
-    "api",
-    "api/types",
-    "api/types/blkiodev",
-    "api/types/container",
-    "api/types/events",
-    "api/types/filters",
-    "api/types/image",
-    "api/types/mount",
-    "api/types/network",
-    "api/types/registry",
-    "api/types/strslice",
-    "api/types/swarm",
-    "api/types/time",
-    "api/types/versions",
-    "api/types/volume",
-    "client",
-    "pkg/ioutils",
-    "pkg/longpath",
-    "pkg/system",
-    "pkg/tlsconfig"
-  ]
-  revision = "90d35abf7b3535c1c319c872900fbd76374e521c"
-  version = "v17.05.0-ce-rc3"
-
-[[projects]]
-  branch = "master"
-  name = "github.com/docker/go-connections"
-  packages = [
-    "nat",
-    "sockets",
-    "tlsconfig"
-  ]
-  revision = "7395e3f8aa162843a74ed6d48e79627d9792ac55"
-
-[[projects]]
-  name = "github.com/docker/go-units"
-  packages = ["."]
-  revision = "47565b4f722fb6ceae66b95f853feed578a4a51c"
-  version = "v0.3.3"
-
-[[projects]]
-  branch = "master"
-  name = "github.com/docker/libtrust"
-  packages = ["."]
-  revision = "aabc10ec26b754e797f9028f4589c5b7bd90dc20"
-
-[[projects]]
-  branch = "master"
-  name = "github.com/docker/spdystream"
-  packages = [
-    ".",
-    "spdy"
-  ]
-  revision = "bc6354cbbc295e925e4c611ffe90c1f287ee54db"
-
-[[projects]]
-  name = "github.com/emicklei/go-restful"
-  packages = [
-    ".",
-    "log"
-  ]
-  revision = "3658237ded108b4134956c1b3050349d93e7b895"
-  version = "v2.7.1"
-
-[[projects]]
-  name = "github.com/ghodss/yaml"
-  packages = ["."]
-  revision = "0ca9ea5df5451ffdf184b4428c902747c2c11cd7"
-  version = "v1.0.0"
-
-[[projects]]
-  name = "github.com/go-sql-driver/mysql"
-  packages = ["."]
-  revision = "d523deb1b23d913de5bdada721a6071e71283618"
-  version = "v1.4.0"
-
-[[projects]]
-  name = "github.com/gogo/protobuf"
-  packages = [
-    "gogoproto",
-    "proto",
-    "protoc-gen-gogo/descriptor",
-    "sortkeys"
-  ]
-  revision = "1adfc126b41513cc696b209667c8656ea7aac67c"
-  version = "v1.0.0"
-
-[[projects]]
-  branch = "master"
-  name = "github.com/golang/glog"
-  packages = ["."]
-  revision = "23def4e6c14b4da8ac2ed8007337bc5eb5007998"
-
-[[projects]]
-  name = "github.com/golang/protobuf"
-  packages = [
-    "proto",
-    "ptypes",
-    "ptypes/any",
-    "ptypes/duration",
-    "ptypes/timestamp"
-  ]
-  revision = "b4deda0973fb4c70b50d226b1af49f3da59f5265"
-  version = "v1.1.0"
-
-[[projects]]
-  branch = "master"
-  name = "github.com/google/gofuzz"
-  packages = ["."]
-  revision = "24818f796faf91cd76ec7bddd72458fbced7a6c1"
-
-[[projects]]
-  name = "github.com/googleapis/gnostic"
-  packages = [
-    "OpenAPIv2",
-    "compiler",
-    "extensions"
-  ]
-  revision = "7c663266750e7d82587642f65e60bc4083f1f84e"
-  version = "v0.2.0"
-
-[[projects]]
-  name = "github.com/gorilla/websocket"
-  packages = ["."]
-  revision = "ea4d1f681babbce9545c9c5f3d5194a789c89f5b"
-  version = "v1.2.0"
-
-[[projects]]
-  branch = "master"
-  name = "github.com/hashicorp/golang-lru"
-  packages = [
-    ".",
-    "simplelru"
-  ]
-  revision = "0fb14efe8c47ae851c0034ed7a448854d3d34cf3"
-
-[[projects]]
-  branch = "master"
-  name = "github.com/howeyc/gopass"
-  packages = ["."]
-  revision = "bf9dde6d0d2c004a008c27aaee91170c786f6db8"
-
-[[projects]]
-  name = "github.com/imdario/mergo"
-  packages = ["."]
-  revision = "9316a62528ac99aaecb4e47eadd6dc8aa6533d58"
-  version = "v0.3.5"
-
-[[projects]]
-  name = "github.com/jinzhu/gorm"
-  packages = ["."]
-  revision = "6ed508ec6a4ecb3531899a69cbc746ccf65a4166"
-  version = "v1.9.1"
-
-[[projects]]
-  branch = "master"
-  name = "github.com/jinzhu/inflection"
-  packages = ["."]
-  revision = "04140366298a54a039076d798123ffa108fff46c"
-
-[[projects]]
-  name = "github.com/json-iterator/go"
-  packages = ["."]
-  revision = "ca39e5af3ece67bbcda3d0f4f56a8e24d9f2dad4"
-  version = "1.1.3"
-
-[[projects]]
-  name = "github.com/modern-go/concurrent"
-  packages = ["."]
-  revision = "bacd9c7ef1dd9b15be4a9909b8ac7a4e313eec94"
-  version = "1.0.3"
-
-[[projects]]
-  name = "github.com/modern-go/reflect2"
-  packages = ["."]
-  revision = "1df9eeb2bb81f327b96228865c5687bc2194af3f"
-  version = "1.0.0"
-
-[[projects]]
-  name = "github.com/opencontainers/go-digest"
-  packages = ["."]
-  revision = "279bed98673dd5bef374d3b6e4b09e2af76183bf"
-  version = "v1.0.0-rc1"
-
-[[projects]]
-  name = "github.com/pkg/errors"
-  packages = ["."]
-  revision = "645ef00459ed84a119197bfb8d8205042c6df63d"
-  version = "v0.8.0"
-
-[[projects]]
-  name = "github.com/spf13/pflag"
-  packages = ["."]
-  revision = "583c0c0531f06d5278b7d917446061adc344b5cd"
-  version = "v1.0.1"
-
-[[projects]]
-  branch = "master"
-  name = "golang.org/x/crypto"
-  packages = ["ssh/terminal"]
-  revision = "7f39a6fea4fe9364fb61e1def6a268a51b4f3a06"
-
-[[projects]]
-  branch = "master"
-  name = "golang.org/x/net"
-  packages = [
-    "context",
-    "context/ctxhttp",
-    "http/httpguts",
-    "http2",
-    "http2/hpack",
-    "idna",
-    "internal/socks",
-    "internal/timeseries",
-    "proxy",
-    "trace"
-  ]
-  revision = "db08ff08e8622530d9ed3a0e8ac279f6d4c02196"
-
-[[projects]]
-  branch = "master"
-  name = "golang.org/x/sys"
-  packages = [
-    "unix",
-    "windows"
-  ]
-  revision = "fc8bd948cf46f9c7af0f07d34151ce25fe90e477"
-
-[[projects]]
-  name = "golang.org/x/text"
-  packages = [
-    "collate",
-    "collate/build",
-    "internal/colltab",
-    "internal/gen",
-    "internal/tag",
-    "internal/triegen",
-    "internal/ucd",
-    "language",
-    "secure/bidirule",
-    "transform",
-    "unicode/bidi",
-    "unicode/cldr",
-    "unicode/norm",
-    "unicode/rangetable"
-  ]
-  revision = "f21a4dfb5e38f5895301dc265a8def02365cc3d0"
-  version = "v0.3.0"
-
-[[projects]]
-  branch = "master"
-  name = "golang.org/x/time"
-  packages = ["rate"]
-  revision = "fbb02b2291d28baffd63558aa44b4b56f178d650"
-
-[[projects]]
-  name = "google.golang.org/appengine"
-  packages = ["cloudsql"]
-  revision = "b1f26356af11148e710935ed1ac8a7f5702c7612"
-  version = "v1.1.0"
-
-[[projects]]
-  branch = "master"
-  name = "google.golang.org/genproto"
-  packages = ["googleapis/rpc/status"]
-  revision = "32ee49c4dd805befd833990acba36cb75042378c"
-
-[[projects]]
-  name = "google.golang.org/grpc"
-  packages = [
-    ".",
-    "balancer",
-    "balancer/base",
-    "balancer/roundrobin",
-    "codes",
-    "connectivity",
-    "credentials",
-    "encoding",
-    "encoding/proto",
-    "grpclog",
-    "health/grpc_health_v1",
-    "internal",
-    "internal/backoff",
-    "internal/channelz",
-    "internal/grpcrand",
-    "keepalive",
-    "metadata",
-    "naming",
-    "peer",
-    "resolver",
-    "resolver/dns",
-    "resolver/passthrough",
-    "stats",
-    "status",
-    "tap",
-    "transport"
-  ]
-  revision = "168a6198bcb0ef175f7dacec0b8691fc141dc9b8"
-  version = "v1.13.0"
-
-[[projects]]
-  name = "gopkg.in/igm/sockjs-go.v2"
-  packages = ["sockjs"]
-  revision = "d276e9ffe5cc5c271b81198cc77a2adf6c4482d2"
-  version = "v2.0.0"
-
-[[projects]]
-  name = "gopkg.in/inf.v0"
-  packages = ["."]
-  revision = "d2d2541c53f18d2a059457998ce2876cc8e67cbf"
-  version = "v0.9.1"
-
-[[projects]]
-  name = "gopkg.in/yaml.v2"
-  packages = ["."]
-  revision = "5420a8b6744d3b0345ab293f6fcba19c978f1183"
-  version = "v2.2.1"
-
-[[projects]]
-  name = "k8s.io/api"
-  packages = [
-    "admissionregistration/v1alpha1",
-    "admissionregistration/v1beta1",
-    "apps/v1",
-    "apps/v1beta1",
-    "apps/v1beta2",
-    "authentication/v1",
-    "authentication/v1beta1",
-    "authorization/v1",
-    "authorization/v1beta1",
-    "autoscaling/v1",
-    "autoscaling/v2beta1",
-    "batch/v1",
-    "batch/v1beta1",
-    "batch/v2alpha1",
-    "certificates/v1beta1",
-    "core/v1",
-    "events/v1beta1",
-    "extensions/v1beta1",
-    "networking/v1",
-    "policy/v1beta1",
-    "rbac/v1",
-    "rbac/v1alpha1",
-    "rbac/v1beta1",
-    "scheduling/v1alpha1",
-    "settings/v1alpha1",
-    "storage/v1",
-    "storage/v1alpha1",
-    "storage/v1beta1"
-  ]
-  revision = "73d903622b7391f3312dcbac6483fed484e185f8"
-  version = "kubernetes-1.10.0"
-
-[[projects]]
-  name = "k8s.io/apimachinery"
-  packages = [
-    "pkg/api/errors",
-    "pkg/api/meta",
-    "pkg/api/resource",
-    "pkg/apis/meta/internalversion",
-    "pkg/apis/meta/v1",
-    "pkg/apis/meta/v1/unstructured",
-    "pkg/apis/meta/v1beta1",
-    "pkg/conversion",
-    "pkg/conversion/queryparams",
-    "pkg/fields",
-    "pkg/labels",
-    "pkg/runtime",
-    "pkg/runtime/schema",
-    "pkg/runtime/serializer",
-    "pkg/runtime/serializer/json",
-    "pkg/runtime/serializer/protobuf",
-    "pkg/runtime/serializer/recognizer",
-    "pkg/runtime/serializer/streaming",
-    "pkg/runtime/serializer/versioning",
-    "pkg/selection",
-    "pkg/types",
-    "pkg/util/cache",
-    "pkg/util/clock",
-    "pkg/util/diff",
-    "pkg/util/errors",
-    "pkg/util/framer",
-    "pkg/util/httpstream",
-    "pkg/util/httpstream/spdy",
-    "pkg/util/intstr",
-    "pkg/util/json",
-    "pkg/util/net",
-    "pkg/util/rand",
-    "pkg/util/remotecommand",
-    "pkg/util/runtime",
-    "pkg/util/sets",
-    "pkg/util/validation",
-    "pkg/util/validation/field",
-    "pkg/util/wait",
-    "pkg/util/yaml",
-    "pkg/version",
-    "pkg/watch",
-    "third_party/forked/golang/netutil",
-    "third_party/forked/golang/reflect"
-  ]
-  revision = "302974c03f7e50f16561ba237db776ab93594ef6"
-  version = "kubernetes-1.10.0"
-
-[[projects]]
-  name = "k8s.io/client-go"
-  packages = [
-    "discovery",
-    "informers",
-    "informers/admissionregistration",
-    "informers/admissionregistration/v1alpha1",
-    "informers/admissionregistration/v1beta1",
-    "informers/apps",
-    "informers/apps/v1",
-    "informers/apps/v1beta1",
-    "informers/apps/v1beta2",
-    "informers/autoscaling",
-    "informers/autoscaling/v1",
-    "informers/autoscaling/v2beta1",
-    "informers/batch",
-    "informers/batch/v1",
-    "informers/batch/v1beta1",
-    "informers/batch/v2alpha1",
-    "informers/certificates",
-    "informers/certificates/v1beta1",
-    "informers/core",
-    "informers/core/v1",
-    "informers/events",
-    "informers/events/v1beta1",
-    "informers/extensions",
-    "informers/extensions/v1beta1",
-    "informers/internalinterfaces",
-    "informers/networking",
-    "informers/networking/v1",
-    "informers/policy",
-    "informers/policy/v1beta1",
-    "informers/rbac",
-    "informers/rbac/v1",
-    "informers/rbac/v1alpha1",
-    "informers/rbac/v1beta1",
-    "informers/scheduling",
-    "informers/scheduling/v1alpha1",
-    "informers/settings",
-    "informers/settings/v1alpha1",
-    "informers/storage",
-    "informers/storage/v1",
-    "informers/storage/v1alpha1",
-    "informers/storage/v1beta1",
-    "kubernetes",
-    "kubernetes/scheme",
-    "kubernetes/typed/admissionregistration/v1alpha1",
-    "kubernetes/typed/admissionregistration/v1beta1",
-    "kubernetes/typed/apps/v1",
-    "kubernetes/typed/apps/v1beta1",
-    "kubernetes/typed/apps/v1beta2",
-    "kubernetes/typed/authentication/v1",
-    "kubernetes/typed/authentication/v1beta1",
-    "kubernetes/typed/authorization/v1",
-    "kubernetes/typed/authorization/v1beta1",
-    "kubernetes/typed/autoscaling/v1",
-    "kubernetes/typed/autoscaling/v2beta1",
-    "kubernetes/typed/batch/v1",
-    "kubernetes/typed/batch/v1beta1",
-    "kubernetes/typed/batch/v2alpha1",
-    "kubernetes/typed/certificates/v1beta1",
-    "kubernetes/typed/core/v1",
-    "kubernetes/typed/events/v1beta1",
-    "kubernetes/typed/extensions/v1beta1",
-    "kubernetes/typed/networking/v1",
-    "kubernetes/typed/policy/v1beta1",
-    "kubernetes/typed/rbac/v1",
-    "kubernetes/typed/rbac/v1alpha1",
-    "kubernetes/typed/rbac/v1beta1",
-    "kubernetes/typed/scheduling/v1alpha1",
-    "kubernetes/typed/settings/v1alpha1",
-    "kubernetes/typed/storage/v1",
-    "kubernetes/typed/storage/v1alpha1",
-    "kubernetes/typed/storage/v1beta1",
-    "listers/admissionregistration/v1alpha1",
-    "listers/admissionregistration/v1beta1",
-    "listers/apps/v1",
-    "listers/apps/v1beta1",
-    "listers/apps/v1beta2",
-    "listers/autoscaling/v1",
-    "listers/autoscaling/v2beta1",
-    "listers/batch/v1",
-    "listers/batch/v1beta1",
-    "listers/batch/v2alpha1",
-    "listers/certificates/v1beta1",
-    "listers/core/v1",
-    "listers/events/v1beta1",
-    "listers/extensions/v1beta1",
-    "listers/networking/v1",
-    "listers/policy/v1beta1",
-    "listers/rbac/v1",
-    "listers/rbac/v1alpha1",
-    "listers/rbac/v1beta1",
-    "listers/scheduling/v1alpha1",
-    "listers/settings/v1alpha1",
-    "listers/storage/v1",
-    "listers/storage/v1alpha1",
-    "listers/storage/v1beta1",
-    "pkg/apis/clientauthentication",
-    "pkg/apis/clientauthentication/v1alpha1",
-    "pkg/version",
-    "plugin/pkg/client/auth/exec",
-    "rest",
-    "rest/watch",
-    "tools/auth",
-    "tools/cache",
-    "tools/clientcmd",
-    "tools/clientcmd/api",
-    "tools/clientcmd/api/latest",
-    "tools/clientcmd/api/v1",
-    "tools/metrics",
-    "tools/pager",
-    "tools/reference",
-    "tools/remotecommand",
-    "transport",
-    "transport/spdy",
-    "util/buffer",
-    "util/cert",
-    "util/exec",
-    "util/flowcontrol",
-    "util/homedir",
-    "util/integer",
-    "util/retry"
-  ]
-  revision = "23781f4d6632d88e869066eaebb743857aa1ef9b"
-  version = "v7.0.0"
-
-[[projects]]
-  name = "k8s.io/kubernetes"
-  packages = ["pkg/util/slice"]
-  revision = "5ca598b4ba5abb89bb773071ce452e33fb66339d"
-  version = "v1.10.4"
-
-[solve-meta]
-  analyzer-name = "dep"
-  analyzer-version = 1
-  inputs-digest = "afd0a3a0e96a5054e6b99afd53b78888125726fc89c62f121984cd73a6ca4fb3"
-  solver-name = "gps-cdcl"
-  solver-version = 1

Gopkg.toml

@@ -1,90 +0,0 @@
-# Gopkg.toml example
-#
-# Refer to https://github.com/golang/dep/blob/master/docs/Gopkg.toml.md
-# for detailed Gopkg.toml documentation.
-#
-# required = ["github.com/user/thing/cmd/thing"]
-# ignored = ["github.com/user/project/pkgX", "bitbucket.org/user/project/pkgA/pkgY"]
-#
-# [[constraint]]
-#   name = "github.com/user/project"
-#   version = "1.0.0"
-#
-# [[constraint]]
-#   name = "github.com/user/project2"
-#   branch = "dev"
-#   source = "github.com/myfork/project2"
-#
-# [[override]]
-#   name = "github.com/x/y"
-#   version = "2.4.0"
-#
-# [prune]
-#   non-go = false
-#   go-tests = true
-#   unused-packages = true
-
-[[constraint]]
-  name = "github.com/coreos/etcd"
-  version = "3.3.7"
-
-[[constraint]]
-  name = "github.com/docker/docker"
-  version = "v17.05.0-ce"
-
-[[constraint]]
-  name = "github.com/emicklei/go-restful"
-  version = "2.7.1"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/golang/glog"
-
-[[constraint]]
-  name = "github.com/spf13/pflag"
-  version = "1.0.1"
-
-[[constraint]]
-  name = "gopkg.in/igm/sockjs-go.v2"
-  version = "2.0.0"
-
-[[constraint]]
-  name = "gopkg.in/yaml.v2"
-  version = "2.2.1"
-
-[[constraint]]
-  name = "k8s.io/api"
-  version = "kubernetes-1.10.0"
-
-[[constraint]]
-  name = "k8s.io/apimachinery"
-  version = "kubernetes-1.10.0"
-
-[[constraint]]
-  name = "k8s.io/client-go"
-  version = "7.0.0"
-
-[[constraint]]
-  name = "k8s.io/kubernetes"
-  version = "1.10.4"
-
-[prune]
-  go-tests = true
-  unused-packages = true
-
-# To use reference package:
-#   vendor/github.com/docker/docker/client/container_commit.go:17: undefined: reference.ParseNormalizedNamed
-#   vendor/github.com/docker/docker/client/container_commit.go:25: undefined: reference.TagNameOnly
-#   vendor/github.com/docker/docker/client/container_commit.go:30: undefined: reference.FamiliarNam
-[[override]]
-  name = "github.com/docker/distribution"
-  branch = "master"
-
-# To use reference package:
-#   vendor/github.com/docker/docker/registry/registry.go:30: cannot call non-function tlsconfig.ServerDefault (type tls.Config)
-#   vendor/github.com/docker/docker/registry/registry.go:66: undefined: tlsconfig.SystemCertPool
-#   vendor/github.com/docker/docker/registry/registry.go:168: cannot call non-function tlsconfig.ServerDefault (type tls.Config)
-#   vendor/github.com/docker/docker/registry/service_v2.go:11: cannot call non-function tlsconfig.ServerDefault (type tls.Config)
-[[override]]
-  name = "github.com/docker/go-connections"
-  branch = "master"

Makefile

@@ -2,105 +2,122 @@
 # Use of this source code is governed by a Apache license
 # that can be found in the LICENSE file.
 
-TRAG.Org:=kubesphere
-TRAG.Name:=ks-apiserver
-TRAG.Gopkg:=kubesphere.io/kubesphere
-TRAG.Version:=$(TRAG.Gopkg)/pkg/version
+# Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
+CRD_OPTIONS ?= "crd:trivialVersions=true"
 
-DOCKER_TAGS=latest
-RUN_IN_DOCKER:=docker run -it --rm -v `pwd`:/go/src/$(TRAG.Gopkg) -v `pwd`/tmp/cache:/root/.cache/go-build  -w /go/src/$(TRAG.Gopkg) -e GOBIN=/go/src/$(TRAG.Gopkg)/tmp/bin -e USER_ID=`id -u` -e GROUP_ID=`id -g` kubesphere/kubesphere-builder
-GO_FMT:=goimports -l -w -e -local=kubesphere -srcdir=/go/src/$(TRAG.Gopkg)
-GO_FILES:=./cmd ./pkg
+# Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
+ifeq (,$(shell go env GOBIN))
+GOBIN=$(shell go env GOPATH)/bin
+else
+GOBIN=$(shell go env GOBIN)
+endif
 
-define get_diff_files
-    $(eval DIFF_FILES=$(shell git diff --name-only --diff-filter=ad | grep -E "^(test|cmd|pkg)/.+\.go"))
+OUTPUT_DIR=bin
+GOFLAGS=-mod=vendor
+define ALL_HELP_INFO
+# Build code.
+#
+# Args:
+#   WHAT: Directory names to build.  If any of these directories has a 'main'
+#     package, the build will produce executable files under $(OUT_DIR).
+#     If not specified, "everything" will be built.
+#   GOFLAGS: Extra flags to pass to 'go' when building.
+#   GOLDFLAGS: Extra linking flags passed to 'go' when building.
+#   GOGCFLAGS: Additional go compile flags passed to 'go' when building.
+#
+# Example:
+#   make
+#   make all
+#   make all WHAT=cmd/ks-apiserver
+#     Note: Use the -N -l options to disable compiler optimizations an inlining.
+#           Using these build options allows you to subsequently use source
+#           debugging tools like delve.
 endef
-define get_build_flags
-    $(eval SHORT_VERSION=$(shell git describe --tags --always --dirty="-dev"))
-    $(eval SHA1_VERSION=$(shell git show --quiet --pretty=format:%H))
-	$(eval DATE=$(shell date +'%Y-%m-%dT%H:%M:%S'))
-	$(eval BUILD_FLAG= -X $(TRAG.Version).ShortVersion="$(SHORT_VERSION)" \
-		-X $(TRAG.Version).GitSha1Version="$(SHA1_VERSION)" \
-		-X $(TRAG.Version).BuildDate="$(DATE)")
-endef
-
 .PHONY: all
-all: generate build
+all: test ks-apiserver controller-manager
 
-.PHONY: help
-help:
-# TODO: update help info to last version
-	@echo "TODO"
+# Build ks-apiserver binary
+ks-apiserver: fmt vet
+	hack/gobuild.sh cmd/ks-apiserver
 
-.PHONY: init-vendor
-init-vendor:
-	@if [[ ! -f "$$(which govendor)" ]]; then \
-		go get -u github.com/kardianos/govendor; \
-	fi
-	govendor init
-	govendor add +external
-	@echo "init-vendor done"
+# Build controller-manager binary
+controller-manager: fmt vet
+	hack/gobuild.sh cmd/controller-manager
 
-.PHONY: update-vendor
-update-vendor:
-	@if [[ ! -f "$$(which govendor)" ]]; then \
-		go get -u github.com/kardianos/govendor; \
-	fi
-	govendor update +external
-	govendor list
-	@echo "update-vendor done"
+# Run go fmt against code 
+fmt: generate
+	gofmt -w ./pkg ./cmd ./tools ./api
 
-.PHONY: update-builder
-update-builder:
-	docker pull kubesphere/kubesphere-builder
-	@echo "update-builder done"
+# Run go vet against code
+vet: generate
+	go vet ./pkg/... ./cmd/...
 
-.PHONY: generate-in-local
-generate-in-local:
-	go generate ./pkg/version/
+# Generate manifests e.g. CRD, RBAC etc.
+manifests:
+	go run ./vendor/sigs.k8s.io/controller-tools/cmd/controller-gen/main.go object:headerFile=./hack/boilerplate.go.txt paths=./pkg/apis/... rbac:roleName=controller-perms ${CRD_OPTIONS} output:crd:artifacts:config=config/crds
 
-.PHONY: generate
+deploy: manifests
+	kubectl apply -f config/crds
+	kustomize build config/default | kubectl apply -f -
+
+# generate will generate crds' deepcopy & go openapi structs
+# Futher more about go:genreate . https://blog.golang.org/generate
 generate:
-	$(RUN_IN_DOCKER) make generate-in-local
-	@echo "generate done"
+	go generate ./pkg/... ./cmd/...
 
-.PHONY: fmt-all
-fmt-all:
-	mkdir -p ./tmp/bin && cp -r ./install ./tmp/
-	$(RUN_IN_DOCKER) $(GO_FMT) $(GO_FILES)
-	@echo "fmt done"
+mockgen:
+	mockgen -package=openpitrix -source=pkg/simple/client/openpitrix/openpitrix.go -destination=pkg/simple/client/openpitrix/mock.go
 
-.PHONY: fmt
-fmt:
-	$(call get_diff_files)
-	$(if $(DIFF_FILES), \
-		$(RUN_IN_DOCKER) $(GO_FMT) ${DIFF_FILES}, \
-		$(info cannot find modified files from git) \
-	)
-	@echo "fmt done"
+deepcopy:
+	GO111MODULE=on go install -mod=vendor k8s.io/code-generator/cmd/deepcopy-gen
+	${GOPATH}/bin/deepcopy-gen -i kubesphere.io/kubesphere/pkg/apis/... -h ./hack/boilerplate.go.txt -O zz_generated.deepcopy
 
-.PHONY: fmt-check
-fmt-check: fmt-all
-	$(call get_diff_files)
-	$(if $(DIFF_FILES), \
-		exit 2 \
-	)
+openapi:
+	go run ./vendor/k8s.io/kube-openapi/cmd/openapi-gen/openapi-gen.go -O openapi_generated -i ./vendor/k8s.io/apimachinery/pkg/apis/meta/v1,./pkg/apis/tenant/v1alpha1 -p kubesphere.io/kubesphere/pkg/apis/tenant/v1alpha1 -h ./hack/boilerplate.go.txt --report-filename ./api/api-rules/violation_exceptions.list
+	go run ./vendor/k8s.io/kube-openapi/cmd/openapi-gen/openapi-gen.go -O openapi_generated -i ./vendor/k8s.io/apimachinery/pkg/apis/meta/v1,./pkg/apis/servicemesh/v1alpha2 -p kubesphere.io/kubesphere/pkg/apis/servicemesh/v1alpha2 -h ./hack/boilerplate.go.txt --report-filename ./api/api-rules/violation_exceptions.list
+	go run ./vendor/k8s.io/kube-openapi/cmd/openapi-gen/openapi-gen.go -O openapi_generated -i ./vendor/k8s.io/api/networking/v1,./vendor/k8s.io/apimachinery/pkg/apis/meta/v1,./vendor/k8s.io/apimachinery/pkg/util/intstr,./pkg/apis/network/v1alpha1 -p kubesphere.io/kubesphere/pkg/apis/network/v1alpha1 -h ./hack/boilerplate.go.txt --report-filename ./api/api-rules/violation_exceptions.list
+	go run ./vendor/k8s.io/kube-openapi/cmd/openapi-gen/openapi-gen.go -O openapi_generated -i ./vendor/k8s.io/apimachinery/pkg/apis/meta/v1,./pkg/apis/devops/v1alpha1,./vendor/k8s.io/apimachinery/pkg/runtime,./vendor/k8s.io/api/core/v1 -p kubesphere.io/kubesphere/pkg/apis/devops/v1alpha1 -h ./hack/boilerplate.go.txt --report-filename ./api/api-rules/violation_exceptions.list
+	go run ./vendor/k8s.io/kube-openapi/cmd/openapi-gen/openapi-gen.go -O openapi_generated -i ./vendor/k8s.io/apimachinery/pkg/apis/meta/v1,./pkg/apis/cluster/v1alpha1,./vendor/k8s.io/apimachinery/pkg/runtime,./vendor/k8s.io/api/core/v1 -p kubesphere.io/kubesphere/pkg/apis/cluster/v1alpha1 -h ./hack/boilerplate.go.txt --report-filename ./api/api-rules/violation_exceptions.list
+	go run ./vendor/k8s.io/kube-openapi/cmd/openapi-gen/openapi-gen.go -O openapi_generated -i ./vendor/k8s.io/apimachinery/pkg/apis/meta/v1,./pkg/apis/devops/v1alpha3,./vendor/k8s.io/apimachinery/pkg/runtime -p kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3 -h ./hack/boilerplate.go.txt --report-filename ./api/api-rules/violation_exceptions.list
+	go run ./tools/cmd/crd-doc-gen/main.go
+	go run ./tools/cmd/doc-gen/main.go
+# Build the docker image
+docker-build: all
+	hack/docker_build.sh
 
-.PHONY: build
-build: fmt
-	mkdir -p ./tmp/bin && cp -r ./install/ ./tmp/
-	$(call get_build_flags)
-	$(RUN_IN_DOCKER) time go install -ldflags '$(BUILD_FLAG)' $(TRAG.Gopkg)/cmd/...
-	mv ./tmp/bin/cmd ./tmp/bin/$(TRAG.Name)
-	@docker build -t $(TRAG.Org)/$(TRAG.Name) -f ./Dockerfile.dev ./tmp
-	@docker image prune -f 1>/dev/null 2>&1
-	@echo "build done"
-
-.PHONY: release
-release:
-	@echo "TODO"
+# Run tests
+test: fmt vet
+	export KUBEBUILDER_CONTROLPLANE_START_TIMEOUT=1m; go test ./pkg/... ./cmd/... -covermode=atomic -coverprofile=coverage.txt
 
 .PHONY: clean
 clean:
 	-make -C ./pkg/version clean
 	@echo "ok"
+
+# find or download controller-gen
+# download controller-gen if necessary
+clientset: 
+	./hack/generate_client.sh
+
+
+# Currently in the upgrade phase of controller tools.
+# But the new controller tools are not compatible with the old version.
+# With these commands you may need to manually modify the generated code
+# So don't use it unless you know it very deeply
+internal-crds:
+	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./pkg/apis/network/..." output:crd:artifacts:config=config/crd/bases
+
+internal-generate-apis: internal-controller-gen
+	$(CONTROLLER_GEN) object:headerFile=./hack/boilerplate.go.txt paths=./pkg/apis/network/...
+
+internal-controller-gen:
+ifeq (, $(shell which controller-gen))
+	go get sigs.k8s.io/controller-tools/cmd/controller-gen@v0.2.0-beta.4
+CONTROLLER_GEN=$(GOBIN)/controller-gen
+else
+CONTROLLER_GEN=$(shell which controller-gen)
+endif
+
+network-rbac:
+	$(CONTROLLER_GEN) paths=./pkg/controller/network/provider/ paths=./pkg/controller/network/ rbac:roleName=network-manager output:rbac:artifacts:config=kustomize/network/calico-k8s
+	$(CONTROLLER_GEN) paths=./pkg/controller/network/ rbac:roleName=network-manager output:rbac:artifacts:config=kustomize/network/calico-etcd

OWNERS

@@ -0,0 +1,21 @@
+approvers:
+    - zryfish #oncall
+    - rayzhou2017
+
+reviewers:
+    - rayzhou2017
+    - zryfish
+    - benjaminhuo
+    - calvinyv
+    - FeynmanZhou
+    - huanggze
+    - huojiao2006
+    - Ma-Dan
+    - magicsong
+    - pixiake
+    - runzexia
+    - wansir
+    - wnxn
+    - zheng1
+    - soulseen
+    - shaowenchen

PROJECT

@@ -0,0 +1,3 @@
+version: "1"
+domain: kubesphere.io
+repo: kubesphere.io/kubesphere

README.md

@@ -1,38 +1,170 @@
-# KubeSphere
+# KubeSphere Container Platform
+
 [![License](http://img.shields.io/badge/license-apache%20v2-blue.svg)](https://github.com/KubeSphere/KubeSphere/blob/master/LICENSE)
 [![Build Status](https://travis-ci.org/kubesphere/kubesphere.svg?branch=master)](https://travis-ci.org/kubesphere/kubesphere)
+[![Go Report Card](https://goreportcard.com/badge/github.com/kubesphere/kubesphere)](https://goreportcard.com/report/github.com/kubesphere/kubesphere)
+[![KubeSphere release](https://img.shields.io/github/release/kubesphere/kubesphere.svg?color=release&label=release&logo=release&logoColor=release)](https://github.com/kubesphere/kubesphere/releases/tag/v2.1.1)
+
+![logo](docs/images/kubesphere-logo.png)
 
 ----
-***KubeSphere*** is a distribution of [Kubernetes](https://kubernetes.io), aimed to provide quick setup, friendly and easily use, and powerful management features for Kubernetes clusters, which could help both personal and enterprise users, reduce their learning curve of Kubernetes, accelerate their transform process from other container platforms to Kubernetes.   
 
-**Features:**
- - Multiple IaaS platform support, including baremetal/KVM/QingCloud, and more will be supported in future release.  
- - Easy setup of Kubernetes standalone(only one master node) and cluster environment(including High Availability support).  
- - Powerful management console to help business users to manage and monitor the Kubernetes environment.  
- - Integrate with [OpenPitrix](https://github.com/openpitrix) to provide full life cycle of application management and be compatible of helm package.  
- - Support popular open source network solutions, including calico and flannel, also could use [qingcloud hostnic solution](https://github.com/yunify/hostnic-cni) if the Kubernetes is deployed on QingCloud platform.  
- - Support popular open source storage solutions, including Glusterfs and Cephfs, also could use [qingcloud storage solution](https://github.com/yunify/qingcloud-volume-provisioner) if the Kubernetes is deployed on QingCloud platform.  
- - CI/CD support.  
- - Service Mesh support.  
- - Multiple image registries support.  
- - Federation support.  
- - Integrate with QingCloud IAM.  
+## What is KubeSphere
+
+> English | [中文](README_zh.md)
+
+[KubeSphere](https://kubesphere.io/) is a **distributed operating system providing cloud native stack** with [Kubernetes](https://kubernetes.io) as its kernel, and aims to be plug-and-play architecture for third-party applications seamless integration to boost its ecosystem. KubeSphere is also a multi-tenant enterprise-grade container platform with full-stack automated IT operation and streamlined DevOps workflows. It provides developer-friendly wizard web UI, helping enterprises to build out a more robust and feature-rich platform, which includes most common functionalities needed for enterprise Kubernetes strategy, see [Feature List](#features) for details.
+
+The following screenshots give a close insight into KubeSphere. Please check [What is KubeSphere](https://kubesphere.io/docs/introduction/what-is-kubesphere/) for further information.
+
+<table>
+  <tr>
+      <td width="50%" align="center"><b>Workbench</b></td>
+      <td width="50%" align="center"><b>Project Resources</b></td>
+  </tr>
+  <tr>
+     <td><img src="docs/images/console.png"/></td>
+     <td><img src="docs/images/project.png"/></td>
+  </tr>
+  <tr>
+      <td width="50%" align="center"><b>CI/CD Pipeline</b></td>
+      <td width="50%" align="center"><b>App Store</b></td>
+  </tr>
+  <tr>
+     <td><img src="docs/images/cicd.png"/></td>
+     <td><img src="docs/images/app-store.png"/></td>
+  </tr>
+</table>
+
+## Demo Environment
+
+Using the account `demo1 / Demo123` to log in the [demo environment](https://demo.kubesphere.io/). Please note the account is granted view access. You can also have a quick view of [KubeSphere Demo Video](https://youtu.be/u5lQvhi_Xlc).
+
+## Architecture
+
+KubeSphere uses a loosely-coupled architecture that separates the [frontend](https://github.com/kubesphere/console) from the [backend](https://github.com/kubesphere/kubesphere). External systems can access the components of the backend which are delivered as Docker containers through the REST APIs. See [Architecture](https://kubesphere.io/docs/introduction/architecture/) for details.
+
+![Architecture](docs/images/architecture.png)
+
+## Features
+
+|Feature|Description|
+|---|---|
+| Provisioning Kubernetes Cluster|Support deploy Kubernetes on your infrastructure out of box, including online and air gapped installation|
+| Kubernetes Resource Management | Provide web console for creating and managing Kubernetes resources, with powerful observability including monitoring, logging, events, alerting and notification |
+| DevOps System | Provide out-of-box CI/CD based on Jenkins, and offers automated workflow tools including binary-to-image (B2I) and source-to-image (S2I) |
+| Application Store | Provide application store for Helm-based applications, and offers application lifecycle management |
+| Service Mesh (Istio-based) | Provide fine-grained traffic management, observability and tracing for distributed microservice applications, provides visualization for traffic topology |
+| Rich Observability | Provide multi-dimensional monitoring metrics, and provides multi-tenant log query and collection, support alerting and notification for both application and infrastructure |
+| Multi-tenant Management | Provide unified authentication with fine-grained roles and three-tier authorization system, supports AD/LDAP authentication |
+| Infrastructure Management | Support node management and monitoring, and supports adding new nodes for Kubernetes cluster |
+| Storage Support | Support GlusterFS, CephRBD, NFS, Local (default) etc. open source storage solutions, provide CSI plugins to consume storage from cloud providers |
+| Network Support | Support Calico, Flannel, etc. open source network solutions, provides load balancer plug-in [Porter](https://github.com/kubesphere/porter) for Kubernetes installed on physical machines |
+| GPU Support | Support add GPU node, support vGPU, enables running ML applications on Kubernetes, e.g. TensorFlow |
+
+Please See the [Feature and Benefits](https://kubesphere.io/docs/introduction/features/) for further information.
+
 ----
 
-## Motivation
+## Latest Release
 
-The project originates from the requirement and pains we heard from our customers on public and private QingCloud platform, who have strong will to deploy Kubernetes in their IT system but struggle on completed setup process and long learning curve. With help of KubeSphere, their IT operators could setup Kubernetes environment quickly and use an easy management UI interface to mange their applications.
+KubeSphere 2.1.1 was released on **February 23rd, 2020**. See the [Release Notes For 2.1.1](https://kubesphere.io/docs/release/release-v211/) for the updates.
 
-Getting Started
----------------
-**TBD**
+## Installation
 
-## Design
+KubeSphere can run anywhere from on-premise datacenter to any cloud to edge. In addition, it can be deployed on any version-compatible running Kubernetes cluster.
 
-## Contributing to the project
+### Deploy on Existing Kubernetes Cluster
 
-All [members](docs/members.md) of the KubeSphere community must abide by [Code of Conduct](code-of-conduct.md). Only by respecting each other can we develop a productive, collaborative community.
+#### Prerequisites
 
-You can then check out how to [setup for development](docs/development.md).
+- `Kubernetes version`： `1.15.x, 1.16.x, 1.17.x`
+- `2.10.0 ≤ Helm Version ＜ 3.0.0` excluding 2.16.0 because of [#6894](https://github.com/helm/helm/issues/6894). Please see [Install and Configure Helm in Kubernetes](https://devopscube.com/install-configure-helm-kubernetes/). Helm v3 will be supported in KubeSphere 3.0.0.
+- An existing Storage Class in your Kubernetes cluster, use `kubectl get sc` to verify it
+- The CSR signing feature is activated in kube-apiserver, see [RKE installation issue](https://github.com/kubesphere/kubesphere/issues/1925#issuecomment-591698309).
 
+Install KubeSphere using kubectl.
 
+- If there are 1 Core and 2 GB RAM available in your cluster, use the command below to set up a default minimal installation only. You can enable other components after installation if more resource added in later on. See [Pluggable Components Installation](https://kubesphere.io/docs/installation/pluggable-components/) for detailed information.
+
+```bash
+kubectl apply -f https://raw.githubusercontent.com/kubesphere/ks-installer/master/kubesphere-minimal.yaml
+```
+
+- If there are 8 Cores and 16 GB RAM available in your cluster, use the command below to install a complete KubeSphere, i.e. with all components enabled:
+
+```bash
+kubectl apply -f https://raw.githubusercontent.com/kubesphere/ks-installer/master/kubesphere-complete-setup.yaml
+```
+
+Wait the installation logs using the following command till showing `"Successful"`, then you can log in the console using the default username and password.
+
+```bash
+kubectl logs -n kubesphere-system $(kubectl get pod -n kubesphere-system -l app=ks-install -o jsonpath='{.items[0].metadata.name}') -f
+```
+
+### Deploy on Linux
+
+KubeSphere Installer can help you to install KubeSphere and Kubernetes on your linux machines. It provides [All-in-One](https://kubesphere.io/docs/installation/all-in-one/) and [Multi-Node](https://kubesphere.io/docs/installation/multi-node/) installation options.
+
+#### Minimum Requirements
+
+- Operating Systems
+  - CentOS 7.4~7.7 (64 bit)
+  - Ubuntu 16.04/18.04 LTS (64 bit)
+  - Red Hat Enterprise Linux Server 7.4 (64 bit)
+  - Debian Stretch 9.5 (64 bit)
+- Hardware
+  - CPU：2 Cores,  Memory：4 GB, Disk Space：100 GB
+
+> Note:  Please disable the firewall, or ensure your firewall meets the [port requirements](https://kubesphere.io/docs/installation/port-firewall/).
+
+#### All-in-One (QuickStart)
+
+```bash
+curl -L https://kubesphere.io/download/stable/latest > installer.tar.gz \
+&& tar -zxf installer.tar.gz && cd kubesphere-all-v2.1.1/scripts
+$ ./install.sh
+```
+
+Choose `"1) All-in-one"` to start the default minimal installation.
+
+You can enable other components after installation, see [Pluggable Components Installation](https://kubesphere.io/docs/installation/pluggable-components/).
+
+## To start using KubeSphere
+
+- KubeSphere Documentation ([En](https://kubesphere.io/docs/)/[中](https://kubesphere.io/docs/zh-CN/)）
+- [API Documentation](https://kubesphere.io/docs/api-reference/api-docs/)
+
+## Contributing, Support, Discussion, and Community
+
+This [community](https://github.com/kubesphere/community) walks you through how to get started contributing KubeSphere. The [development guide](https://github.com/kubesphere/community/tree/master/developer-guide/development) explains how to set up development environment.
+
+If you need any help with KubeSphere, please join us at [Slack Channel](https://join.slack.com/t/kubesphere/shared_invite/enQtNTE3MDIxNzUxNzQ0LTZkNTdkYWNiYTVkMTM5ZThhODY1MjAyZmVlYWEwZmQ3ODQ1NmM1MGVkNWEzZTRhNzk0MzM5MmY4NDc3ZWVhMjE).
+
+We also communicate through [Google Group](https://groups.google.com/forum/#!forum/kubesphere).
+
+Please submit any KubeSphere bugs, issues, and feature requests to [KubeSphere GitHub Issue](https://github.com/kubesphere/kubesphere/issues).
+
+## Who are using KubeSphere
+
+The [Powered by KubeSphere](https://kubesphere.io/case/) page includes the user list of the project. You can submit your institution name and homepage if you are using KubeSphere.
+
+## RoadMap
+
+Currently, KubeSphere has released the following 5 major editions. The future releases include multicluster, big data, AI, SDN, etc. See [Plans for 2.1.1 and 3.0.0](https://github.com/kubesphere/kubesphere/issues/1368) for more details.
+
+**Express Edition** => **v1.0.x** => **v2.0.x**  => **v2.1.0** => **v2.1.1** => **v3.0.0**
+
+![Roadmap](https://pek3b.qingstor.com/kubesphere-docs/png/20190926000413.png)
+
+## Landscapes
+
+<p align="center">
+<br/><br/>
+<img src="https://landscape.cncf.io/images/left-logo.svg" width="150"/>&nbsp;&nbsp;<img src="https://landscape.cncf.io/images/right-logo.svg" width="200"/>&nbsp;&nbsp;<img src="https://www.cncf.io/wp-content/uploads/2017/11/certified_kubernetes_color.png" height="40" width="30"/>
+<br/><br/>
+KubeSphere is a member of CNCF and a <a href="https://www.cncf.io/certification/software-conformance/#logos">Kubernetes Conformance Certified platform
+</a>, which enriches the <a href="https://landscape.cncf.io/landscape=observability-and-analysis&license=apache-license-2-0">CNCF CLOUD NATIVE Landscape.
+</a>
+</p>

README_zh.md

@@ -0,0 +1,166 @@
+# KubeSphere 容器平台
+
+[![License](http://img.shields.io/badge/license-apache%20v2-blue.svg)](https://github.com/KubeSphere/KubeSphere/blob/master/LICENSE)
+[![Build Status](https://travis-ci.org/kubesphere/kubesphere.svg?branch=master)](https://travis-ci.org/kubesphere/kubesphere)
+[![KubeSphere release](https://img.shields.io/github/release/kubesphere/kubesphere.svg?color=release&label=release&logo=release&logoColor=release)](https://github.com/kubesphere/kubesphere/releases/tag/v2.1.1)
+
+![logo](docs/images/kubesphere-logo.png)
+
+----
+
+## KubeSphere 是什么
+
+> [English](README.md) | 中文
+
+[KubeSphere](https://kubesphere.com.cn) 是在 [Kubernetes](https://kubernetes.io) 之上构建的以**应用为中心的**多租户容器平台，提供全栈的 IT 自动化运维的能力，简化企业的 DevOps 工作流。KubeSphere 提供了运维友好的向导式操作界面，帮助企业快速构建一个强大和功能丰富的容器云平台。KubeSphere 愿景是打造一个基于 Kubernetes 的云原生分布式操作系统，它的架构可以很方便地与云原生生态进行即插即用（plug-and-play）的集成。
+
+KubeSphere 目前最新的版本为 2.1.1，所有版本 100% 开源，关于 KubeSphere 更详细的介绍与说明请参阅 [什么是 KubeSphere](https://kubesphere.com.cn/docs/zh-CN/introduction/what-is-kubesphere/)。
+
+<table>
+  <tr>
+      <td width="50%" align="center"><b>工作台</b></td>
+      <td width="50%" align="center"><b>项目资源</b></td>
+  </tr>
+  <tr>
+     <td><img src="docs/images/console.png"/></td>
+     <td><img src="docs/images/project.png"/></td>
+  </tr>
+  <tr>
+      <td width="50%" align="center"><b>CI/CD 流水线</b></td>
+      <td width="50%" align="center"><b>应用商店</b></td>
+  </tr>
+  <tr>
+     <td><img src="docs/images/cicd.png"/></td>
+     <td><img src="docs/images/app-store.png"/></td>
+  </tr>
+</table>
+
+## 快速体验
+
+使用体验账号 `demo1 / Demo123` 登录 [Demo 环境](https://demo.kubesphere.io/)，该账号仅授予了 view 权限，建议自行安装体验完整的管理功能。您还可以访问 Youtube 查看 [KubeSphere Demo 视频](https://youtu.be/u5lQvhi_Xlc)。
+
+## 架构
+
+KubeSphere 采用了前后端分离的架构设计，后端的各个功能组件可通过 REST API 对接外部系统，详见 [架构说明](https://kubesphere.com.cn/docs/zh-CN/introduction/architecture/)。本仓库仅包含后端代码，前端代码参考 [Console 项目](https://github.com/kubesphere/console)。
+
+![Architecture](docs/images/architecture.png)
+
+## 核心功能
+
+|功能 |介绍 |
+| --- | ---|
+| Kubernetes 集群搭建与运维 | 支持在线 & 离线安装、升级与扩容 K8s 集群，支持安装 “云原生全家桶” |
+| Kubernetes 资源可视化管理 | 可视化纳管原生 Kubernetes 资源，支持向导式创建与管理 K8s 资源 |
+| 基于 Jenkins 的 DevOps 系统 | 支持图形化与脚本两种方式构建 CI/CD 流水线，内置 Source to Image（S2I）和 Binary to Image（B2I）等 CD 工具 |
+| 应用商店与应用生命周期管理 | 提供应用商店，内置 Redis、MySQL 等九个常用应用，支持应用的生命周期管理 |
+| 基于 Istio 的微服务治理 (Service Mesh) | 提供可视化无代码侵入的 **灰度发布、熔断、流量治理与流量拓扑、分布式 Tracing** |
+| 多租户管理 | 提供基于角色的细粒度多租户统一认证，支持 **对接企业 LDAP/AD**，提供多层级的权限管理 |
+| 丰富的可观察性功能 | 提供集群/工作负载/Pod/容器等多维度的监控，提供基于多租户的日志查询与日志收集，支持节点与应用层级的告警与通知 |
+|基础设施管理|支持 Kubernetes 节点管理，支持节点扩容与集群升级，提供基于节点的多项监控指标与告警规则 |
+| 存储管理 | 支持对接 Ceph、GlusterFS、NFS、Local PV，支持可视化管理 PVC、PV、StorageClass，提供 CSI 插件对接云平台存储 |
+| 网络管理 | 支持 Calico、Flannel，提供 Porter LB 插件用于暴露物理环境 K8s 集群的 LoadBalancer 服务 |
+| GPU support | 集群支持添加 GPU 与 vGPU，可运行 TensorFlow 等 ML 框架 |
+
+以上功能说明详见 [产品功能](https://kubesphere.com.cn/docs/zh-CN/introduction/features/)。
+
+----
+
+## 最新发布
+
+KubeSphere 2.1.1 已于 2020 年 02 月 23 日 正式发布，点击 [Release Notes For 2.1.1](https://kubesphere.com.cn/docs/zh-CN/release/release-v211/) 查看 2.1.1 版本的更新详情。
+
+## 快速安装
+
+### 部署在 Linux
+
+- 操作系统
+  - CentOS 7.5 (64 bit)
+  - Ubuntu 16.04/18.04 LTS (64 bit)
+  - Red Hat Enterprise Linux Server 7.4 (64 bit)
+  - Debian Stretch 9.5 (64 bit)
+- 配置规格（最低）
+  - CPU：2 Cores， 内存：4 GB， 硬盘：100 GB
+
+#### All-in-One
+
+执行以下命令下载 Installer，请关闭防火墙或 [开放指定的端口](https://kubesphere.com.cn/docs/zh-CN/installation/port-firewall/)，建议使用干净的机器并使用 `root` 用户安装：
+
+```bash
+curl -L https://kubesphere.io/download/stable/latest > installer.tar.gz \
+&& tar -zxf installer.tar.gz && cd kubesphere-all-v2.1.1/scripts
+
+./install.sh
+```
+
+直接选择 `"1) All-in-one"` 即可开始快速安装。默认仅开启最小安装，请参考 [开启可插拔功能功能组件](https://kubesphere.com.cn/docs/zh-CN/installation/pluggable-components/) 按需开启其它功能组件。
+
+> 注意：All-in-One 仅适用于**测试环境**，**正式环境** 安装和使用请参考 [安装说明](https://kubesphere.com.cn/docs/zh-CN/installation/intro/)。
+
+### 部署在已有 Kubernetes 集群上
+
+可参考 [前提条件](https://kubesphere.com.cn/docs/zh-CN/installation/prerequisites/) 验证是否满足以下条件：
+
+#### 前提条件
+
+- `Kubernetes` 版本： `1.15.x、1.16.x、1.17.x`；
+- `Helm`版本： `2.10.0 ≤ Helm Version ＜ 3.0.0`（不支持 helm 2.16.0 [#6894](https://github.com/helm/helm/issues/6894)），且已安装了 Tiller，参考 [如何安装与配置 Helm](https://devopscube.com/install-configure-helm-kubernetes/) （预计 3.0 支持 Helm v3）；
+- 集群已有默认的存储类型（StorageClass），若还没有准备存储请参考 [安装 OpenEBS 创建 LocalPV 存储类型](../../appendix/install-openebs) 用作开发测试环境。
+
+用 kubectl 安装
+
+- 若您的集群可用的资源符合 CPU >= 1 Core，可用内存 >= 2 G，可参考以下命令开启 KubeSphere 最小化安装。后续如果您的集群资源足够可以参考 [开启可插拔功能功能组件](https://kubesphere.com.cn/docs/zh-CN/installation/pluggable-components/) 按需开启其它功能组件。
+
+```yaml
+kubectl apply -f https://raw.githubusercontent.com/kubesphere/ks-installer/master/kubesphere-minimal.yaml
+```
+
+- 若您的集群可用的资源符合 CPU ≥ 8 Core，可用内存 ≥ 16 G，建议参考以下命令开启 KubeSphere 完整安装，即开启所有功能组件的安装：
+
+```yaml
+kubectl apply -f https://raw.githubusercontent.com/kubesphere/ks-installer/master/kubesphere-complete-setup.yaml
+```
+
+查看滚动刷新的安装日志，请耐心等待安装成功。当看到 `"Successful"` 的日志与登录信息提示，则说明 KubeSphere 安装成功，请使用日志提示的管理员账号登陆控制台。
+
+```bash
+kubectl logs -n kubesphere-system $(kubectl get pod -n kubesphere-system -l app=ks-install -o jsonpath='{.items[0].metadata.name}') -f
+```
+
+## 开始使用 KubeSphere
+
+- KubeSphere 文档中心 ([En](https://kubesphere.com.cn/docs/)/[中](https://kubesphere.com.cn/docs/zh-CN/))
+- [API 文档](https://kubesphere.com.cn/docs/zh-CN/api-reference/api-docs/)
+
+## 技术社区
+
+[KubeSphere 社区](https://github.com/kubesphere/community)包含所有社区的信息，包括如何开发，兴趣小组(SIG)等。比如[开发指南](https://github.com/kubesphere/community/tree/master/developer-guide/development) 详细说明了如何从源码编译、KubeSphere 的 GitHub 工作流、如何贡献代码以及如何测试等。
+
+- [论坛](https://kubesphere.com.cn/forum/)
+- [Slack Channel](https://join.slack.com/t/kubesphere/shared_invite/enQtNTE3MDIxNzUxNzQ0LTZkNTdkYWNiYTVkMTM5ZThhODY1MjAyZmVlYWEwZmQ3ODQ1NmM1MGVkNWEzZTRhNzk0MzM5MmY4NDc3ZWVhMjE)
+
+## Bug 与建议反馈
+
+欢迎在 [GitHub Issue](https://github.com/kubesphere/kubesphere/issues) 提交 Issue。
+
+## 谁在使用 KubeSphere
+
+[Powered by KubeSphere](docs/powered-by-kubesphere.md) 列出了哪些企业在使用 KubeSphere，如果您所在的企业已安装使用了 KubeSphere，欢迎提交 PR 至该页面。
+
+## 路线图
+
+目前，KubeSphere 已发布了 3 个大版本和 1 个小版本和 4 个 fixpack，所有版本都是完全开源的，参考 [Plans for 2.1.1 and 3.0.0](https://github.com/kubesphere/kubesphere/issues/1368) 了解后续版本的规划，欢迎在 GitHub issue 中提交需求。
+
+**Express Edition** => **v1.0.x** => **v2.0.x**  => **v2.1.0** => **v2.1.1** => **v3.0.0**
+
+![Roadmap](https://pek3b.qingstor.com/kubesphere-docs/png/20190926000514.png)
+
+## Landscapes
+
+<p align="center">
+<br/><br/>
+<img src="https://landscape.cncf.io/images/left-logo.svg" width="150"/>&nbsp;&nbsp;<img src="https://landscape.cncf.io/images/right-logo.svg" width="200"/>&nbsp;&nbsp;<img src="https://www.cncf.io/wp-content/uploads/2017/11/certified_kubernetes_color.png" height="40" width="30"/>
+<br/><br/>
+KubeSphere 是 CNCF 基金会成员并且通过了 <a href="https://www.cncf.io/certification/software-conformance/#logos">Kubernetes 一致性认证
+</a>，进一步丰富了 <a href="https://landscape.cncf.io/landscape=observability-and-analysis&license=apache-license-2-0">CNCF 云原生的生态。
+</a>
+</p>

api/api-rules/violation_exceptions.list

@@ -0,0 +1,84 @@
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,APIGroup,ServerAddressByClientCIDRs
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,APIGroup,Versions
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,APIGroupList,Groups
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,APIResource,Categories
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,APIResource,ShortNames
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,APIResourceList,APIResources
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,APIVersions,ServerAddressByClientCIDRs
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,APIVersions,Versions
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,CreateOptions,DryRun
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,DeleteOptions,DryRun
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,FieldsV1,Raw
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,LabelSelector,MatchExpressions
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,LabelSelectorRequirement,Values
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,List,Items
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,ObjectMeta,Finalizers
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,ObjectMeta,ManagedFields
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,ObjectMeta,OwnerReferences
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,PartialObjectMetadataList,Items
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,PatchOptions,DryRun
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,RootPaths,Paths
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,StatusDetails,Causes
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,Table,ColumnDefinitions
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,Table,Rows
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,TableRow,Cells
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,TableRow,Conditions
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,UpdateOptions,DryRun
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/runtime,RawExtension,Raw
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/runtime,Unknown,Raw
+API rule violation: list_type_missing,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,DevOpsProjectList,Items
+API rule violation: list_type_missing,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,NoScmPipeline,Parameters
+API rule violation: list_type_missing,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,PipelineList,Items
+API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,APIResourceList,APIResources
+API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,Duration,Duration
+API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,InternalEvent,Object
+API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,InternalEvent,Type
+API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,MicroTime,Time
+API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,StatusCause,Type
+API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,Time,Time
+API rule violation: names_match,k8s.io/apimachinery/pkg/runtime,Unknown,ContentEncoding
+API rule violation: names_match,k8s.io/apimachinery/pkg/runtime,Unknown,ContentType
+API rule violation: names_match,k8s.io/apimachinery/pkg/runtime,Unknown,Raw
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,BitbucketServerSource,ApiUri
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,BitbucketServerSource,CloneOption
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,BitbucketServerSource,CredentialId
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,BitbucketServerSource,DiscoverBranches
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,BitbucketServerSource,DiscoverPRFromForks
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,BitbucketServerSource,DiscoverPRFromOrigin
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,BitbucketServerSource,RegexFilter
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,BitbucketServerSource,ScmId
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,DiscarderProperty,DaysToKeep
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,DiscarderProperty,NumToKeep
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,GitSource,CloneOption
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,GitSource,CredentialId
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,GitSource,DiscoverBranches
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,GitSource,RegexFilter
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,GitSource,ScmId
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,GithubSource,ApiUri
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,GithubSource,CloneOption
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,GithubSource,CredentialId
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,GithubSource,DiscoverBranches
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,GithubSource,DiscoverPRFromForks
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,GithubSource,DiscoverPRFromOrigin
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,GithubSource,RegexFilter
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,GithubSource,ScmId
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,MultiBranchJobTrigger,CreateActionJobsToTrigger
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,MultiBranchJobTrigger,DeleteActionJobsToTrigger
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,MultiBranchPipeline,BitbucketServerSource
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,MultiBranchPipeline,GitHubSource
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,MultiBranchPipeline,GitSource
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,MultiBranchPipeline,MultiBranchJobTrigger
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,MultiBranchPipeline,ScriptPath
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,MultiBranchPipeline,SingleSvnSource
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,MultiBranchPipeline,SourceType
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,MultiBranchPipeline,SvnSource
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,MultiBranchPipeline,TimerTrigger
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,NoScmPipeline,DisableConcurrent
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,NoScmPipeline,RemoteTrigger
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,NoScmPipeline,TimerTrigger
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,Parameter,DefaultValue
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,PipelineSpec,MultiBranchPipeline
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,SingleSvnSource,CredentialId
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,SingleSvnSource,ScmId
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,SvnSource,CredentialId
+API rule violation: names_match,kubesphere.io/kubesphere/pkg/apis/devops/v1alpha3,SvnSource,ScmId

build/builder-docker/.ash_history

@@ -1,3 +0,0 @@
-ls /go/bin
-go version
-exit

build/builder-docker/Dockerfile

@@ -1,19 +0,0 @@
-# Copyright 2018 The KubeSphere Authors. All rights reserved.
-# Use of this source code is governed by a Apache license
-# that can be found in the LICENSE file.
-
-FROM golang:1.10.2-alpine3.7 as builder
-
-RUN apk add --no-cache git curl openssl
-
-RUN go get github.com/tools/godep
-#RUN go get github.com/emicklei/go-restful
-#RUN go get github.com/golang/glog
-#RUN go get github.com/spf13/pflag
-RUN go get golang.org/x/tools/cmd/goimports
-
-FROM golang:1.10.2-alpine3.7
-
-RUN apk add --no-cache git make curl openssl jq rsync godep
-
-COPY --from=builder /go/bin /go/bin

build/builder-docker/Makefile

@@ -1,17 +0,0 @@
-# Copyright 2018 The KubeSphere Authors. All rights reserved.
-# Use of this source code is governed by a Apache license
-# that can be found in the LICENSE file.
-
-default:
-	docker build -t kubesphere/kubesphere-builder .
-	@echo "ok"
-
-pull:
-	docker pull kubesphere/kubesphere-builder
-	@echo "ok"
-
-run:
-	docker run --rm -it -v `pwd`:/root kubesphere/kubesphere-builder
-
-clean:
-	@echo "ok"

build/ks-apiserver/Dockerfile

@@ -0,0 +1,16 @@
+# Copyright 2020 The KubeSphere Authors. All rights reserved.
+# Use of this source code is governed by an Apache license
+# that can be found in the LICENSE file.
+FROM alpine:3.11
+
+RUN apk add --no-cache ca-certificates 
+
+# To speed up building process, we copy binary directly from make
+# result instead of building it again, so make sure you run the 
+# following command first before building docker image
+#   make ks-apiserver
+#
+COPY  /bin/cmd/ks-apiserver /usr/local/bin/
+
+EXPOSE 9090
+CMD ["sh"]

build/ks-controller-manager/Dockerfile

@@ -0,0 +1,12 @@
+# Copyright 2020 The KubeSphere Authors. All rights reserved.
+# Use of this source code is governed by an Apache license
+# that can be found in the LICENSE file.
+FROM alpine:3.11
+
+COPY  /bin/cmd/controller-manager /usr/local/bin/
+
+RUN apk add --no-cache ca-certificates
+
+EXPOSE 8443 8080
+
+CMD ["sh"]

cmd/controller-manager/app/controllers.go

@@ -0,0 +1,327 @@
+/*
+Copyright 2019 The KubeSphere Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package app
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/klog"
+	iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
+	authoptions "kubesphere.io/kubesphere/pkg/apiserver/authentication/options"
+	"kubesphere.io/kubesphere/pkg/controller/application"
+	"kubesphere.io/kubesphere/pkg/controller/certificatesigningrequest"
+	"kubesphere.io/kubesphere/pkg/controller/cluster"
+	"kubesphere.io/kubesphere/pkg/controller/clusterrolebinding"
+	"kubesphere.io/kubesphere/pkg/controller/destinationrule"
+	"kubesphere.io/kubesphere/pkg/controller/devopscredential"
+	"kubesphere.io/kubesphere/pkg/controller/devopsproject"
+	"kubesphere.io/kubesphere/pkg/controller/globalrole"
+	"kubesphere.io/kubesphere/pkg/controller/globalrolebinding"
+	"kubesphere.io/kubesphere/pkg/controller/job"
+	"kubesphere.io/kubesphere/pkg/controller/network/nsnetworkpolicy"
+	"kubesphere.io/kubesphere/pkg/controller/network/provider"
+	"kubesphere.io/kubesphere/pkg/controller/pipeline"
+	"kubesphere.io/kubesphere/pkg/controller/s2ibinary"
+	"kubesphere.io/kubesphere/pkg/controller/s2irun"
+	"kubesphere.io/kubesphere/pkg/controller/storage/capability"
+	"kubesphere.io/kubesphere/pkg/controller/storage/expansion"
+	"kubesphere.io/kubesphere/pkg/controller/user"
+	"kubesphere.io/kubesphere/pkg/controller/virtualservice"
+	"kubesphere.io/kubesphere/pkg/controller/workspacerole"
+	"kubesphere.io/kubesphere/pkg/controller/workspacerolebinding"
+	"kubesphere.io/kubesphere/pkg/controller/workspacetemplate"
+	"kubesphere.io/kubesphere/pkg/informers"
+	"kubesphere.io/kubesphere/pkg/simple/client/devops"
+	"kubesphere.io/kubesphere/pkg/simple/client/k8s"
+	ldapclient "kubesphere.io/kubesphere/pkg/simple/client/ldap"
+	"kubesphere.io/kubesphere/pkg/simple/client/network"
+	"kubesphere.io/kubesphere/pkg/simple/client/openpitrix"
+	"kubesphere.io/kubesphere/pkg/simple/client/s3"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/kubefed/pkg/controller/util"
+)
+
+func addControllers(
+	mgr manager.Manager,
+	client k8s.Client,
+	informerFactory informers.InformerFactory,
+	devopsClient devops.Interface,
+	s3Client s3.Interface,
+	ldapClient ldapclient.Interface,
+	authenticationOptions *authoptions.AuthenticationOptions,
+	openpitrixClient openpitrix.Client,
+	multiClusterEnabled bool,
+	networkOptions *network.Options,
+	serviceMeshEnabled bool,
+	kubectlImage string,
+	stopCh <-chan struct{}) error {
+
+	kubernetesInformer := informerFactory.KubernetesSharedInformerFactory()
+	istioInformer := informerFactory.IstioSharedInformerFactory()
+	kubesphereInformer := informerFactory.KubeSphereSharedInformerFactory()
+	applicationInformer := informerFactory.ApplicationSharedInformerFactory()
+
+	var vsController, drController manager.Runnable
+	if serviceMeshEnabled {
+		vsController = virtualservice.NewVirtualServiceController(kubernetesInformer.Core().V1().Services(),
+			istioInformer.Networking().V1alpha3().VirtualServices(),
+			istioInformer.Networking().V1alpha3().DestinationRules(),
+			kubesphereInformer.Servicemesh().V1alpha2().Strategies(),
+			client.Kubernetes(),
+			client.Istio(),
+			client.KubeSphere())
+
+		drController = destinationrule.NewDestinationRuleController(kubernetesInformer.Apps().V1().Deployments(),
+			istioInformer.Networking().V1alpha3().DestinationRules(),
+			kubernetesInformer.Core().V1().Services(),
+			kubesphereInformer.Servicemesh().V1alpha2().ServicePolicies(),
+			client.Kubernetes(),
+			client.Istio(),
+			client.KubeSphere())
+	}
+
+	apController := application.NewApplicationController(kubernetesInformer.Core().V1().Services(),
+		kubernetesInformer.Apps().V1().Deployments(),
+		kubernetesInformer.Apps().V1().StatefulSets(),
+		kubesphereInformer.Servicemesh().V1alpha2().Strategies(),
+		kubesphereInformer.Servicemesh().V1alpha2().ServicePolicies(),
+		applicationInformer.App().V1beta1().Applications(),
+		client.Kubernetes(),
+		client.Application())
+
+	jobController := job.NewJobController(kubernetesInformer.Batch().V1().Jobs(), client.Kubernetes())
+
+	var s2iBinaryController, s2iRunController, devopsProjectController, devopsPipelineController, devopsCredentialController manager.Runnable
+	if devopsClient != nil {
+		s2iBinaryController = s2ibinary.NewController(client.Kubernetes(),
+			client.KubeSphere(),
+			kubesphereInformer.Devops().V1alpha1().S2iBinaries(),
+			s3Client,
+		)
+
+		s2iRunController = s2irun.NewS2iRunController(client.Kubernetes(),
+			client.KubeSphere(),
+			kubesphereInformer.Devops().V1alpha1().S2iBinaries(),
+			kubesphereInformer.Devops().V1alpha1().S2iRuns())
+
+		devopsProjectController = devopsproject.NewController(client.Kubernetes(),
+			client.KubeSphere(), devopsClient,
+			informerFactory.KubernetesSharedInformerFactory().Core().V1().Namespaces(),
+			informerFactory.KubeSphereSharedInformerFactory().Devops().V1alpha3().DevOpsProjects(),
+			informerFactory.KubeSphereSharedInformerFactory().Tenant().V1alpha1().Workspaces())
+
+		devopsPipelineController = pipeline.NewController(client.Kubernetes(),
+			client.KubeSphere(),
+			devopsClient,
+			informerFactory.KubernetesSharedInformerFactory().Core().V1().Namespaces(),
+			informerFactory.KubeSphereSharedInformerFactory().Devops().V1alpha3().Pipelines())
+
+		devopsCredentialController = devopscredential.NewController(client.Kubernetes(),
+			devopsClient,
+			informerFactory.KubernetesSharedInformerFactory().Core().V1().Namespaces(),
+			informerFactory.KubernetesSharedInformerFactory().Core().V1().Secrets())
+
+	}
+
+	storageCapabilityController := capability.NewController(
+		client.KubeSphere().StorageV1alpha1().StorageClassCapabilities(),
+		kubesphereInformer.Storage().V1alpha1(),
+		client.Kubernetes().StorageV1().StorageClasses(),
+		kubernetesInformer.Storage().V1().StorageClasses(),
+		capability.SnapshotSupported(client.Kubernetes().Discovery()),
+		client.Snapshot().SnapshotV1beta1().VolumeSnapshotClasses(),
+		informerFactory.SnapshotSharedInformerFactory().Snapshot().V1beta1().VolumeSnapshotClasses(),
+		kubernetesInformer.Storage().V1beta1().CSIDrivers(),
+	)
+
+	volumeExpansionController := expansion.NewVolumeExpansionController(
+		client.Kubernetes(),
+		kubernetesInformer.Core().V1().PersistentVolumeClaims(),
+		kubernetesInformer.Storage().V1().StorageClasses(),
+		kubernetesInformer.Core().V1().Pods(),
+		kubernetesInformer.Apps().V1().Deployments(),
+		kubernetesInformer.Apps().V1().ReplicaSets(),
+		kubernetesInformer.Apps().V1().StatefulSets())
+
+	var fedUserCache, fedGlobalRoleBindingCache, fedGlobalRoleCache,
+		fedWorkspaceRoleCache, fedWorkspaceRoleBindingCache cache.Store
+	var fedUserCacheController, fedGlobalRoleBindingCacheController, fedGlobalRoleCacheController,
+		fedWorkspaceRoleCacheController, fedWorkspaceRoleBindingCacheController cache.Controller
+
+	if multiClusterEnabled {
+		fedUserClient, err := util.NewResourceClient(client.Config(), &iamv1alpha2.FedUserResource)
+		if err != nil {
+			klog.Error(err)
+			return err
+		}
+		fedGlobalRoleClient, err := util.NewResourceClient(client.Config(), &iamv1alpha2.FedGlobalRoleResource)
+		if err != nil {
+			klog.Error(err)
+			return err
+		}
+		fedGlobalRoleBindingClient, err := util.NewResourceClient(client.Config(), &iamv1alpha2.FedGlobalRoleBindingResource)
+		if err != nil {
+			klog.Error(err)
+			return err
+		}
+		fedWorkspaceRoleClient, err := util.NewResourceClient(client.Config(), &iamv1alpha2.FedWorkspaceRoleResource)
+		if err != nil {
+			klog.Error(err)
+			return err
+		}
+		fedWorkspaceRoleBindingClient, err := util.NewResourceClient(client.Config(), &iamv1alpha2.FedWorkspaceRoleBindingResource)
+		if err != nil {
+			klog.Error(err)
+			return err
+		}
+
+		fedUserCache, fedUserCacheController = util.NewResourceInformer(fedUserClient, "", &iamv1alpha2.FedUserResource, func(object runtime.Object) {})
+		fedGlobalRoleCache, fedGlobalRoleCacheController = util.NewResourceInformer(fedGlobalRoleClient, "", &iamv1alpha2.FedGlobalRoleResource, func(object runtime.Object) {})
+		fedGlobalRoleBindingCache, fedGlobalRoleBindingCacheController = util.NewResourceInformer(fedGlobalRoleBindingClient, "", &iamv1alpha2.FedGlobalRoleBindingResource, func(object runtime.Object) {})
+		fedWorkspaceRoleCache, fedWorkspaceRoleCacheController = util.NewResourceInformer(fedWorkspaceRoleClient, "", &iamv1alpha2.FedWorkspaceRoleResource, func(object runtime.Object) {})
+		fedWorkspaceRoleBindingCache, fedWorkspaceRoleBindingCacheController = util.NewResourceInformer(fedWorkspaceRoleBindingClient, "", &iamv1alpha2.FedWorkspaceRoleBindingResource, func(object runtime.Object) {})
+
+		go fedUserCacheController.Run(stopCh)
+		go fedGlobalRoleCacheController.Run(stopCh)
+		go fedGlobalRoleBindingCacheController.Run(stopCh)
+		go fedWorkspaceRoleCacheController.Run(stopCh)
+		go fedWorkspaceRoleBindingCacheController.Run(stopCh)
+	}
+
+	userController := user.NewUserController(client.Kubernetes(), client.KubeSphere(),
+		client.Config(),
+		kubesphereInformer.Iam().V1alpha2().Users(),
+		fedUserCache, fedUserCacheController,
+		kubesphereInformer.Iam().V1alpha2().LoginRecords(),
+		kubernetesInformer.Core().V1().ConfigMaps(),
+		ldapClient, devopsClient,
+		authenticationOptions, multiClusterEnabled)
+
+	loginRecordController := user.NewLoginRecordController(
+		client.Kubernetes(),
+		client.KubeSphere(),
+		kubesphereInformer.Iam().V1alpha2().LoginRecords(),
+		authenticationOptions.LoginHistoryRetentionPeriod)
+
+	csrController := certificatesigningrequest.NewController(client.Kubernetes(),
+		kubernetesInformer.Certificates().V1beta1().CertificateSigningRequests(),
+		kubernetesInformer.Core().V1().ConfigMaps(), client.Config())
+
+	clusterRoleBindingController := clusterrolebinding.NewController(client.Kubernetes(),
+		kubernetesInformer.Rbac().V1().ClusterRoleBindings(),
+		kubernetesInformer.Apps().V1().Deployments(),
+		kubernetesInformer.Core().V1().Pods(),
+		kubesphereInformer.Iam().V1alpha2().Users(),
+		kubectlImage)
+
+	globalRoleController := globalrole.NewController(client.Kubernetes(), client.KubeSphere(),
+		kubesphereInformer.Iam().V1alpha2().GlobalRoles(), fedGlobalRoleCache, fedGlobalRoleCacheController)
+
+	workspaceRoleController := workspacerole.NewController(client.Kubernetes(), client.KubeSphere(),
+		kubesphereInformer.Iam().V1alpha2().WorkspaceRoles(),
+		fedWorkspaceRoleCache, fedWorkspaceRoleCacheController,
+		kubesphereInformer.Tenant().V1alpha2().WorkspaceTemplates(), multiClusterEnabled)
+
+	globalRoleBindingController := globalrolebinding.NewController(client.Kubernetes(), client.KubeSphere(),
+		kubesphereInformer.Iam().V1alpha2().GlobalRoleBindings(),
+		fedGlobalRoleBindingCache, fedGlobalRoleBindingCacheController,
+		multiClusterEnabled)
+
+	workspaceRoleBindingController := workspacerolebinding.NewController(client.Kubernetes(), client.KubeSphere(),
+		kubesphereInformer.Iam().V1alpha2().WorkspaceRoleBindings(),
+		fedWorkspaceRoleBindingCache, fedWorkspaceRoleBindingCacheController,
+		kubesphereInformer.Tenant().V1alpha2().WorkspaceTemplates(), multiClusterEnabled)
+
+	workspaceTemplateController := workspacetemplate.NewController(client.Kubernetes(), client.KubeSphere(),
+		kubesphereInformer.Tenant().V1alpha2().WorkspaceTemplates(),
+		kubesphereInformer.Tenant().V1alpha1().Workspaces(),
+		kubesphereInformer.Iam().V1alpha2().RoleBases(),
+		kubesphereInformer.Iam().V1alpha2().WorkspaceRoles(),
+		kubesphereInformer.Types().V1beta1().FederatedWorkspaces(),
+		multiClusterEnabled)
+
+	var clusterController manager.Runnable
+	if multiClusterEnabled {
+		clusterController = cluster.NewClusterController(
+			client.Kubernetes(),
+			client.Config(),
+			kubesphereInformer.Cluster().V1alpha1().Clusters(),
+			client.KubeSphere().ClusterV1alpha1().Clusters(),
+			openpitrixClient)
+	}
+
+	var nsnpController manager.Runnable
+	if networkOptions.EnableNetworkPolicy {
+		nsnpProvider, err := provider.NewNsNetworkPolicyProvider(client.Kubernetes(), kubernetesInformer.Networking().V1().NetworkPolicies())
+		if err != nil {
+			return err
+		}
+
+		nsnpController = nsnetworkpolicy.NewNSNetworkPolicyController(client.Kubernetes(),
+			client.KubeSphere().NetworkV1alpha1(),
+			kubesphereInformer.Network().V1alpha1().NamespaceNetworkPolicies(),
+			kubernetesInformer.Core().V1().Services(),
+			kubernetesInformer.Core().V1().Nodes(),
+			kubesphereInformer.Tenant().V1alpha1().Workspaces(),
+			kubernetesInformer.Core().V1().Namespaces(), nsnpProvider, networkOptions.NSNPOptions)
+	}
+
+	controllers := map[string]manager.Runnable{
+		"virtualservice-controller":       vsController,
+		"destinationrule-controller":      drController,
+		"application-controller":          apController,
+		"job-controller":                  jobController,
+		"s2ibinary-controller":            s2iBinaryController,
+		"s2irun-controller":               s2iRunController,
+		"storagecapability-controller":    storageCapabilityController,
+		"volumeexpansion-controller":      volumeExpansionController,
+		"user-controller":                 userController,
+		"loginrecord-controller":          loginRecordController,
+		"cluster-controller":              clusterController,
+		"nsnp-controller":                 nsnpController,
+		"csr-controller":                  csrController,
+		"clusterrolebinding-controller":   clusterRoleBindingController,
+		"globalrolebinding-controller":    globalRoleBindingController,
+		"workspacetemplate-controller":    workspaceTemplateController,
+		"workspacerole-controller":        workspaceRoleController,
+		"workspacerolebinding-controller": workspaceRoleBindingController,
+	}
+
+	if devopsClient != nil {
+		controllers["pipeline-controller"] = devopsPipelineController
+		controllers["devopsprojects-controller"] = devopsProjectController
+		controllers["devopscredential-controller"] = devopsCredentialController
+	}
+
+	if multiClusterEnabled {
+		controllers["globalrole-controller"] = globalRoleController
+	}
+
+	for name, ctrl := range controllers {
+		if ctrl == nil {
+			klog.V(4).Infof("%s is not going to run due to dependent component disabled.", name)
+			continue
+		}
+
+		if err := mgr.Add(ctrl); err != nil {
+			klog.Error(err, "add controller to manager failed", "name", name)
+			return err
+		}
+	}
+
+	return nil
+}

cmd/controller-manager/app/helper.go

@@ -0,0 +1,54 @@
+/*
+Copyright 2020 KubeSphere Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package app
+
+import (
+	"fmt"
+	"k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/klog"
+	"net/http"
+	"time"
+)
+
+// WaitForAPIServer waits for the API Server's /healthz endpoint to report "ok" before timeout.
+func WaitForAPIServer(client clientset.Interface, timeout time.Duration) error {
+	var lastErr error
+
+	err := wait.PollImmediate(time.Second, timeout, func() (bool, error) {
+		healthStatus := 0
+		result := client.Discovery().RESTClient().Get().AbsPath("/healthz").Do().StatusCode(&healthStatus)
+		if result.Error() != nil {
+			lastErr = fmt.Errorf("failed to get apiserver /healthz status: %v", result.Error())
+			return false, nil
+		}
+		if healthStatus != http.StatusOK {
+			content, _ := result.Raw()
+			lastErr = fmt.Errorf("APIServer isn't healthy: %v", string(content))
+			klog.Warningf("APIServer isn't healthy yet: %v. Waiting a little while.", string(content))
+			return false, nil
+		}
+
+		return true, nil
+	})
+
+	if err != nil {
+		return fmt.Errorf("%v: %v", err, lastErr)
+	}
+
+	return nil
+}

cmd/controller-manager/app/options/options.go

@@ -0,0 +1,137 @@
+/*
+Copyright 2020 KubeSphere Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+	"flag"
+	"github.com/spf13/pflag"
+	"k8s.io/client-go/tools/leaderelection"
+	cliflag "k8s.io/component-base/cli/flag"
+	"k8s.io/klog"
+	authoptions "kubesphere.io/kubesphere/pkg/apiserver/authentication/options"
+	"kubesphere.io/kubesphere/pkg/simple/client/devops/jenkins"
+	"kubesphere.io/kubesphere/pkg/simple/client/k8s"
+	ldapclient "kubesphere.io/kubesphere/pkg/simple/client/ldap"
+	"kubesphere.io/kubesphere/pkg/simple/client/multicluster"
+	"kubesphere.io/kubesphere/pkg/simple/client/network"
+	"kubesphere.io/kubesphere/pkg/simple/client/openpitrix"
+	"kubesphere.io/kubesphere/pkg/simple/client/s3"
+	"kubesphere.io/kubesphere/pkg/simple/client/servicemesh"
+	"strings"
+	"time"
+)
+
+type KubeSphereControllerManagerOptions struct {
+	KubernetesOptions     *k8s.KubernetesOptions
+	DevopsOptions         *jenkins.Options
+	S3Options             *s3.Options
+	AuthenticationOptions *authoptions.AuthenticationOptions
+	LdapOptions           *ldapclient.Options
+	OpenPitrixOptions     *openpitrix.Options
+	NetworkOptions        *network.Options
+	MultiClusterOptions   *multicluster.Options
+	ServiceMeshOptions    *servicemesh.Options
+	LeaderElect           bool
+	LeaderElection        *leaderelection.LeaderElectionConfig
+	WebhookCertDir        string
+}
+
+func NewKubeSphereControllerManagerOptions() *KubeSphereControllerManagerOptions {
+	s := &KubeSphereControllerManagerOptions{
+		KubernetesOptions:     k8s.NewKubernetesOptions(),
+		DevopsOptions:         jenkins.NewDevopsOptions(),
+		S3Options:             s3.NewS3Options(),
+		LdapOptions:           ldapclient.NewOptions(),
+		OpenPitrixOptions:     openpitrix.NewOptions(),
+		NetworkOptions:        network.NewNetworkOptions(),
+		MultiClusterOptions:   multicluster.NewOptions(),
+		ServiceMeshOptions:    servicemesh.NewServiceMeshOptions(),
+		AuthenticationOptions: authoptions.NewAuthenticateOptions(),
+		LeaderElection: &leaderelection.LeaderElectionConfig{
+			LeaseDuration: 30 * time.Second,
+			RenewDeadline: 15 * time.Second,
+			RetryPeriod:   5 * time.Second,
+		},
+		LeaderElect:    false,
+		WebhookCertDir: "",
+	}
+
+	return s
+}
+
+func (s *KubeSphereControllerManagerOptions) Flags() cliflag.NamedFlagSets {
+	fss := cliflag.NamedFlagSets{}
+
+	s.KubernetesOptions.AddFlags(fss.FlagSet("kubernetes"), s.KubernetesOptions)
+	s.DevopsOptions.AddFlags(fss.FlagSet("devops"), s.DevopsOptions)
+	s.S3Options.AddFlags(fss.FlagSet("s3"), s.S3Options)
+	s.AuthenticationOptions.AddFlags(fss.FlagSet("authentication"), s.AuthenticationOptions)
+	s.LdapOptions.AddFlags(fss.FlagSet("ldap"), s.LdapOptions)
+	s.OpenPitrixOptions.AddFlags(fss.FlagSet("openpitrix"), s.OpenPitrixOptions)
+	s.NetworkOptions.AddFlags(fss.FlagSet("network"), s.NetworkOptions)
+	s.MultiClusterOptions.AddFlags(fss.FlagSet("multicluster"), s.MultiClusterOptions)
+	s.ServiceMeshOptions.AddFlags(fss.FlagSet("servicemesh"), s.ServiceMeshOptions)
+
+	fs := fss.FlagSet("leaderelection")
+	s.bindLeaderElectionFlags(s.LeaderElection, fs)
+
+	fs.BoolVar(&s.LeaderElect, "leader-elect", s.LeaderElect, ""+
+		"Whether to enable leader election. This field should be enabled when controller manager"+
+		"deployed with multiple replicas.")
+
+	fs.StringVar(&s.WebhookCertDir, "webhook-cert-dir", s.WebhookCertDir, ""+
+		"Certificate directory used to setup webhooks, need tls.crt and tls.key placed inside."+
+		"if not set, webhook server would look up the server key and certificate in"+
+		"{TempDir}/k8s-webhook-server/serving-certs")
+
+	kfs := fss.FlagSet("klog")
+	local := flag.NewFlagSet("klog", flag.ExitOnError)
+	klog.InitFlags(local)
+	local.VisitAll(func(fl *flag.Flag) {
+		fl.Name = strings.Replace(fl.Name, "_", "-", -1)
+		kfs.AddGoFlag(fl)
+	})
+
+	return fss
+}
+
+func (s *KubeSphereControllerManagerOptions) Validate() []error {
+	var errs []error
+	errs = append(errs, s.DevopsOptions.Validate()...)
+	errs = append(errs, s.KubernetesOptions.Validate()...)
+	errs = append(errs, s.S3Options.Validate()...)
+	errs = append(errs, s.OpenPitrixOptions.Validate()...)
+	errs = append(errs, s.NetworkOptions.Validate()...)
+	errs = append(errs, s.LdapOptions.Validate()...)
+	return errs
+}
+
+func (s *KubeSphereControllerManagerOptions) bindLeaderElectionFlags(l *leaderelection.LeaderElectionConfig, fs *pflag.FlagSet) {
+	fs.DurationVar(&l.LeaseDuration, "leader-elect-lease-duration", l.LeaseDuration, ""+
+		"The duration that non-leader candidates will wait after observing a leadership "+
+		"renewal until attempting to acquire leadership of a led but unrenewed leader "+
+		"slot. This is effectively the maximum duration that a leader can be stopped "+
+		"before it is replaced by another candidate. This is only applicable if leader "+
+		"election is enabled.")
+	fs.DurationVar(&l.RenewDeadline, "leader-elect-renew-deadline", l.RenewDeadline, ""+
+		"The interval between attempts by the acting master to renew a leadership slot "+
+		"before it stops leading. This must be less than or equal to the lease duration. "+
+		"This is only applicable if leader election is enabled.")
+	fs.DurationVar(&l.RetryPeriod, "leader-elect-retry-period", l.RetryPeriod, ""+
+		"The duration the clients should wait between attempting acquisition and renewal "+
+		"of a leadership. This is only applicable if leader election is enabled.")
+}

cmd/controller-manager/app/server.go

@@ -0,0 +1,242 @@
+/*
+Copyright 2019 The KubeSphere Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package app
+
+import (
+	"fmt"
+	"github.com/spf13/cobra"
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+	cliflag "k8s.io/component-base/cli/flag"
+	"k8s.io/klog"
+	"k8s.io/klog/klogr"
+	"kubesphere.io/kubesphere/cmd/controller-manager/app/options"
+	"kubesphere.io/kubesphere/pkg/apis"
+	controllerconfig "kubesphere.io/kubesphere/pkg/apiserver/config"
+	"kubesphere.io/kubesphere/pkg/controller/namespace"
+	"kubesphere.io/kubesphere/pkg/controller/network/nsnetworkpolicy"
+	"kubesphere.io/kubesphere/pkg/controller/user"
+	"kubesphere.io/kubesphere/pkg/controller/workspace"
+	"kubesphere.io/kubesphere/pkg/informers"
+	"kubesphere.io/kubesphere/pkg/simple/client/devops"
+	"kubesphere.io/kubesphere/pkg/simple/client/devops/jenkins"
+	"kubesphere.io/kubesphere/pkg/simple/client/k8s"
+	ldapclient "kubesphere.io/kubesphere/pkg/simple/client/ldap"
+	"kubesphere.io/kubesphere/pkg/simple/client/openpitrix"
+	"kubesphere.io/kubesphere/pkg/simple/client/s3"
+	"kubesphere.io/kubesphere/pkg/utils/term"
+	"os"
+	application "sigs.k8s.io/application/controllers"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/runtime/signals"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+)
+
+func NewControllerManagerCommand() *cobra.Command {
+	s := options.NewKubeSphereControllerManagerOptions()
+	conf, err := controllerconfig.TryLoadFromDisk()
+	if err == nil {
+		// make sure LeaderElection is not nil
+		s = &options.KubeSphereControllerManagerOptions{
+			KubernetesOptions:     conf.KubernetesOptions,
+			DevopsOptions:         conf.DevopsOptions,
+			S3Options:             conf.S3Options,
+			AuthenticationOptions: conf.AuthenticationOptions,
+			LdapOptions:           conf.LdapOptions,
+			OpenPitrixOptions:     conf.OpenPitrixOptions,
+			NetworkOptions:        conf.NetworkOptions,
+			MultiClusterOptions:   conf.MultiClusterOptions,
+			ServiceMeshOptions:    conf.ServiceMeshOptions,
+			LeaderElection:        s.LeaderElection,
+			LeaderElect:           s.LeaderElect,
+			WebhookCertDir:        s.WebhookCertDir,
+		}
+	} else {
+		klog.Fatal("Failed to load configuration from disk", err)
+	}
+
+	cmd := &cobra.Command{
+		Use:  "controller-manager",
+		Long: `KubeSphere controller manager is a daemon that`,
+		Run: func(cmd *cobra.Command, args []string) {
+			if errs := s.Validate(); len(errs) != 0 {
+				klog.Error(utilerrors.NewAggregate(errs))
+				os.Exit(1)
+			}
+
+			if err = run(s, signals.SetupSignalHandler()); err != nil {
+				klog.Error(err)
+				os.Exit(1)
+			}
+		},
+		SilenceUsage: true,
+	}
+
+	fs := cmd.Flags()
+	namedFlagSets := s.Flags()
+
+	for _, f := range namedFlagSets.FlagSets {
+		fs.AddFlagSet(f)
+	}
+
+	usageFmt := "Usage:\n  %s\n"
+	cols, _, _ := term.TerminalSize(cmd.OutOrStdout())
+	cmd.SetHelpFunc(func(cmd *cobra.Command, args []string) {
+		_, _ = fmt.Fprintf(cmd.OutOrStdout(), "%s\n\n"+usageFmt, cmd.Long, cmd.UseLine())
+		cliflag.PrintSections(cmd.OutOrStdout(), namedFlagSets, cols)
+	})
+	return cmd
+}
+
+func run(s *options.KubeSphereControllerManagerOptions, stopCh <-chan struct{}) error {
+	kubernetesClient, err := k8s.NewKubernetesClient(s.KubernetesOptions)
+	if err != nil {
+		klog.Errorf("Failed to create kubernetes clientset %v", err)
+		return err
+	}
+
+	var devopsClient devops.Interface
+	if s.DevopsOptions != nil && len(s.DevopsOptions.Host) != 0 {
+		devopsClient, err = jenkins.NewDevopsClient(s.DevopsOptions)
+		if err != nil {
+			return fmt.Errorf("failed to connect jenkins, please check jenkins status, error: %v", err)
+		}
+	}
+
+	var ldapClient ldapclient.Interface
+	if s.LdapOptions == nil || len(s.LdapOptions.Host) == 0 {
+		return fmt.Errorf("ldap service address MUST not be empty")
+	} else {
+		if s.LdapOptions.Host == ldapclient.FAKE_HOST { // for debug only
+			ldapClient = ldapclient.NewSimpleLdap()
+		} else {
+			ldapClient, err = ldapclient.NewLdapClient(s.LdapOptions, stopCh)
+			if err != nil {
+				return fmt.Errorf("failed to connect to ldap service, please check ldap status, error: %v", err)
+			}
+		}
+	}
+
+	var openpitrixClient openpitrix.Client
+	if s.OpenPitrixOptions != nil && !s.OpenPitrixOptions.IsEmpty() {
+		openpitrixClient, err = openpitrix.NewClient(s.OpenPitrixOptions)
+		if err != nil {
+			return fmt.Errorf("failed to connect to openpitrix, please check openpitrix status, error: %v", err)
+		}
+	}
+
+	var s3Client s3.Interface
+	if s.S3Options != nil && len(s.S3Options.Endpoint) != 0 {
+		s3Client, err = s3.NewS3Client(s.S3Options)
+		if err != nil {
+			return fmt.Errorf("failed to connect to s3, please check s3 service status, error: %v", err)
+		}
+	}
+
+	informerFactory := informers.NewInformerFactories(
+		kubernetesClient.Kubernetes(),
+		kubernetesClient.KubeSphere(),
+		kubernetesClient.Istio(),
+		kubernetesClient.Application(),
+		kubernetesClient.Snapshot(),
+		kubernetesClient.ApiExtensions())
+
+	mgrOptions := manager.Options{
+		CertDir: s.WebhookCertDir,
+		Port:    8443,
+	}
+
+	if s.LeaderElect {
+		mgrOptions = manager.Options{
+			CertDir:                 s.WebhookCertDir,
+			Port:                    8443,
+			LeaderElection:          s.LeaderElect,
+			LeaderElectionNamespace: "kubesphere-system",
+			LeaderElectionID:        "ks-controller-manager-leader-election",
+			LeaseDuration:           &s.LeaderElection.LeaseDuration,
+			RetryPeriod:             &s.LeaderElection.RetryPeriod,
+			RenewDeadline:           &s.LeaderElection.RenewDeadline,
+		}
+	}
+
+	klog.V(0).Info("setting up manager")
+
+	// Use 8443 instead of 443 cause we need root permission to bind port 443
+	mgr, err := manager.New(kubernetesClient.Config(), mgrOptions)
+	if err != nil {
+		klog.Fatalf("unable to set up overall controller manager: %v", err)
+	}
+
+	if err = apis.AddToScheme(mgr.GetScheme()); err != nil {
+		klog.Fatalf("unable add APIs to scheme: %v", err)
+	}
+
+	err = workspace.Add(mgr)
+	if err != nil {
+		klog.Fatal("Unable to create workspace controller")
+	}
+
+	err = namespace.Add(mgr)
+	if err != nil {
+		klog.Fatal("Unable to create namespace controller")
+	}
+
+	err = (&application.ApplicationReconciler{
+		Scheme: mgr.GetScheme(),
+		Client: mgr.GetClient(),
+		Mapper: mgr.GetRESTMapper(),
+		Log:    klogr.New(),
+	}).SetupWithManager(mgr)
+	if err != nil {
+		klog.Fatal("Unable to create application controller")
+	}
+
+	// TODO(jeff): refactor config with CRD
+	servicemeshEnabled := s.ServiceMeshOptions != nil && len(s.ServiceMeshOptions.IstioPilotHost) != 0
+	if err = addControllers(mgr,
+		kubernetesClient,
+		informerFactory,
+		devopsClient,
+		s3Client,
+		ldapClient,
+		s.AuthenticationOptions,
+		openpitrixClient,
+		s.MultiClusterOptions.Enable,
+		s.NetworkOptions,
+		servicemeshEnabled,
+		s.AuthenticationOptions.KubectlImage, stopCh); err != nil {
+		klog.Fatalf("unable to register controllers to the manager: %v", err)
+	}
+
+	// Start cache data after all informer is registered
+	klog.V(0).Info("Starting cache resource from apiserver...")
+	informerFactory.Start(stopCh)
+
+	// Setup webhooks
+	klog.V(2).Info("setting up webhook server")
+	hookServer := mgr.GetWebhookServer()
+
+	klog.V(2).Info("registering webhooks to the webhook server")
+	hookServer.Register("/validate-email-iam-kubesphere-io-v1alpha2-user", &webhook.Admission{Handler: &user.EmailValidator{Client: mgr.GetClient()}})
+	hookServer.Register("/validate-nsnp-kubesphere-io-v1alpha1-network", &webhook.Admission{Handler: &nsnetworkpolicy.NSNPValidator{Client: mgr.GetClient()}})
+
+	klog.V(0).Info("Starting the controllers.")
+	if err = mgr.Start(stopCh); err != nil {
+		klog.Fatalf("unable to run the manager: %v", err)
+	}
+
+	return nil
+}

cmd/controller-manager/controller-manager.go

@@ -0,0 +1,30 @@
+/*
+Copyright 2020 KubeSphere Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"kubesphere.io/kubesphere/cmd/controller-manager/app"
+	"os"
+)
+
+func main() {
+	command := app.NewControllerManagerCommand()
+
+	if err := command.Execute(); err != nil {
+		os.Exit(1)
+	}
+}

cmd/ks-apiserver/apiserver.go

@@ -0,0 +1,31 @@
+/*
+Copyright 2019 The KubeSphere Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"kubesphere.io/kubesphere/cmd/ks-apiserver/app"
+	"log"
+)
+
+func main() {
+
+	cmd := app.NewAPIServerCommand()
+
+	if err := cmd.Execute(); err != nil {
+		log.Fatalln(err)
+	}
+}

cmd/ks-apiserver/app/options/options.go

@@ -0,0 +1,211 @@
+/*
+Copyright 2020 KubeSphere Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+	"crypto/tls"
+	"flag"
+	"fmt"
+	cliflag "k8s.io/component-base/cli/flag"
+	"k8s.io/klog"
+	"kubesphere.io/kubesphere/pkg/apiserver"
+	apiserverconfig "kubesphere.io/kubesphere/pkg/apiserver/config"
+	"kubesphere.io/kubesphere/pkg/informers"
+	genericoptions "kubesphere.io/kubesphere/pkg/server/options"
+	auditingclient "kubesphere.io/kubesphere/pkg/simple/client/auditing/elasticsearch"
+	"kubesphere.io/kubesphere/pkg/simple/client/cache"
+	"kubesphere.io/kubesphere/pkg/simple/client/devops/jenkins"
+	eventsclient "kubesphere.io/kubesphere/pkg/simple/client/events/elasticsearch"
+	"kubesphere.io/kubesphere/pkg/simple/client/k8s"
+	esclient "kubesphere.io/kubesphere/pkg/simple/client/logging/elasticsearch"
+	"kubesphere.io/kubesphere/pkg/simple/client/monitoring/prometheus"
+	"kubesphere.io/kubesphere/pkg/simple/client/openpitrix"
+	"kubesphere.io/kubesphere/pkg/simple/client/s3"
+	fakes3 "kubesphere.io/kubesphere/pkg/simple/client/s3/fake"
+	"kubesphere.io/kubesphere/pkg/simple/client/sonarqube"
+	"net/http"
+	"strings"
+)
+
+type ServerRunOptions struct {
+	ConfigFile              string
+	GenericServerRunOptions *genericoptions.ServerRunOptions
+	*apiserverconfig.Config
+
+	//
+	DebugMode bool
+}
+
+func NewServerRunOptions() *ServerRunOptions {
+	s := &ServerRunOptions{
+		GenericServerRunOptions: genericoptions.NewServerRunOptions(),
+		Config:                  apiserverconfig.New(),
+	}
+
+	return s
+}
+
+func (s *ServerRunOptions) Flags() (fss cliflag.NamedFlagSets) {
+	fs := fss.FlagSet("generic")
+	fs.BoolVar(&s.DebugMode, "debug", false, "Don't enable this if you don't know what it means.")
+	s.GenericServerRunOptions.AddFlags(fs, s.GenericServerRunOptions)
+	s.KubernetesOptions.AddFlags(fss.FlagSet("kubernetes"), s.KubernetesOptions)
+	s.AuthenticationOptions.AddFlags(fss.FlagSet("authentication"), s.AuthenticationOptions)
+	s.AuthorizationOptions.AddFlags(fss.FlagSet("authorization"), s.AuthorizationOptions)
+	s.DevopsOptions.AddFlags(fss.FlagSet("devops"), s.DevopsOptions)
+	s.SonarQubeOptions.AddFlags(fss.FlagSet("sonarqube"), s.SonarQubeOptions)
+	s.RedisOptions.AddFlags(fss.FlagSet("redis"), s.RedisOptions)
+	s.S3Options.AddFlags(fss.FlagSet("s3"), s.S3Options)
+	s.OpenPitrixOptions.AddFlags(fss.FlagSet("openpitrix"), s.OpenPitrixOptions)
+	s.NetworkOptions.AddFlags(fss.FlagSet("network"), s.NetworkOptions)
+	s.ServiceMeshOptions.AddFlags(fss.FlagSet("servicemesh"), s.ServiceMeshOptions)
+	s.MonitoringOptions.AddFlags(fss.FlagSet("monitoring"), s.MonitoringOptions)
+	s.LoggingOptions.AddFlags(fss.FlagSet("logging"), s.LoggingOptions)
+	s.MultiClusterOptions.AddFlags(fss.FlagSet("multicluster"), s.MultiClusterOptions)
+	s.EventsOptions.AddFlags(fss.FlagSet("events"), s.EventsOptions)
+	s.AuditingOptions.AddFlags(fss.FlagSet("auditing"), s.AuditingOptions)
+
+	fs = fss.FlagSet("klog")
+	local := flag.NewFlagSet("klog", flag.ExitOnError)
+	klog.InitFlags(local)
+	local.VisitAll(func(fl *flag.Flag) {
+		fl.Name = strings.Replace(fl.Name, "_", "-", -1)
+		fs.AddGoFlag(fl)
+	})
+
+	return fss
+}
+
+const fakeInterface string = "FAKE"
+
+// NewAPIServer creates an APIServer instance using given options
+func (s *ServerRunOptions) NewAPIServer(stopCh <-chan struct{}) (*apiserver.APIServer, error) {
+	apiServer := &apiserver.APIServer{
+		Config: s.Config,
+	}
+
+	kubernetesClient, err := k8s.NewKubernetesClient(s.KubernetesOptions)
+	if err != nil {
+		return nil, err
+	}
+	apiServer.KubernetesClient = kubernetesClient
+
+	informerFactory := informers.NewInformerFactories(kubernetesClient.Kubernetes(), kubernetesClient.KubeSphere(),
+		kubernetesClient.Istio(), kubernetesClient.Application(), kubernetesClient.Snapshot(), kubernetesClient.ApiExtensions())
+	apiServer.InformerFactory = informerFactory
+
+	if s.MonitoringOptions == nil || len(s.MonitoringOptions.Endpoint) == 0 {
+		return nil, fmt.Errorf("moinitoring service address in configuration MUST not be empty, please check configmap/kubesphere-config in kubesphere-system namespace")
+	} else {
+		monitoringClient, err := prometheus.NewPrometheus(s.MonitoringOptions)
+		if err != nil {
+			return nil, fmt.Errorf("failed to connect to prometheus, please check prometheus status, error: %v", err)
+		}
+		apiServer.MonitoringClient = monitoringClient
+	}
+
+	if s.LoggingOptions.Host != "" {
+		loggingClient, err := esclient.NewElasticsearch(s.LoggingOptions)
+		if err != nil {
+			return nil, fmt.Errorf("failed to connect to elasticsearch, please check elasticsearch status, error: %v", err)
+		}
+		apiServer.LoggingClient = loggingClient
+	}
+
+	if s.S3Options.Endpoint != "" {
+		if s.S3Options.Endpoint == fakeInterface && s.DebugMode {
+			apiServer.S3Client = fakes3.NewFakeS3()
+		} else {
+			s3Client, err := s3.NewS3Client(s.S3Options)
+			if err != nil {
+				return nil, fmt.Errorf("failed to connect to s3, please check s3 service status, error: %v", err)
+			}
+			apiServer.S3Client = s3Client
+		}
+	}
+
+	if s.DevopsOptions.Host != "" {
+		devopsClient, err := jenkins.NewDevopsClient(s.DevopsOptions)
+		if err != nil {
+			return nil, fmt.Errorf("failed to connect to jenkins, please check jenkins status, error: %v", err)
+		}
+		apiServer.DevopsClient = devopsClient
+	}
+
+	if s.SonarQubeOptions.Host != "" {
+		sonarClient, err := sonarqube.NewSonarQubeClient(s.SonarQubeOptions)
+		if err != nil {
+			return nil, fmt.Errorf("failed to connecto to sonarqube, please check sonarqube status, error: %v", err)
+		}
+		apiServer.SonarClient = sonarqube.NewSonar(sonarClient.SonarQube())
+	}
+
+	var cacheClient cache.Interface
+	if s.RedisOptions == nil || len(s.RedisOptions.Host) == 0 {
+		return nil, fmt.Errorf("redis service address MUST not be empty, please check configmap/kubesphere-config in kubesphere-system namespace")
+	} else {
+		if s.RedisOptions.Host == fakeInterface && s.DebugMode {
+			apiServer.CacheClient = cache.NewSimpleCache()
+		} else {
+			cacheClient, err = cache.NewRedisClient(s.RedisOptions, stopCh)
+			if err != nil {
+				return nil, fmt.Errorf("failed to connect to redis service, please check redis status, error: %v", err)
+			}
+			apiServer.CacheClient = cacheClient
+		}
+	}
+
+	if s.EventsOptions.Host != "" {
+		eventsClient, err := eventsclient.NewClient(s.EventsOptions)
+		if err != nil {
+			return nil, fmt.Errorf("failed to connect to elasticsearch, please check elasticsearch status, error: %v", err)
+		}
+		apiServer.EventsClient = eventsClient
+	}
+
+	if s.AuditingOptions.Host != "" {
+		auditingClient, err := auditingclient.NewClient(s.AuditingOptions)
+		if err != nil {
+			return nil, fmt.Errorf("failed to connect to elasticsearch, please check elasticsearch status, error: %v", err)
+		}
+		apiServer.AuditingClient = auditingClient
+	}
+
+	if s.OpenPitrixOptions != nil && !s.OpenPitrixOptions.IsEmpty() {
+		opClient, err := openpitrix.NewClient(s.OpenPitrixOptions)
+		if err != nil {
+			return nil, fmt.Errorf("failed to connect to openpitrix, please check openpitrix status, error: %v", err)
+		}
+		apiServer.OpenpitrixClient = opClient
+	}
+
+	server := &http.Server{
+		Addr: fmt.Sprintf(":%d", s.GenericServerRunOptions.InsecurePort),
+	}
+
+	if s.GenericServerRunOptions.SecurePort != 0 {
+		certificate, err := tls.LoadX509KeyPair(s.GenericServerRunOptions.TlsCertFile, s.GenericServerRunOptions.TlsPrivateKey)
+		if err != nil {
+			return nil, err
+		}
+		server.TLSConfig.Certificates = []tls.Certificate{certificate}
+	}
+
+	apiServer.Server = server
+
+	return apiServer, nil
+}

cmd/ks-apiserver/app/options/validation.go

@@ -0,0 +1,39 @@
+/*
+Copyright 2020 KubeSphere Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+// Validate validates server run options, to find
+// options' misconfiguration
+func (s *ServerRunOptions) Validate() []error {
+	var errors []error
+
+	errors = append(errors, s.GenericServerRunOptions.Validate()...)
+	errors = append(errors, s.DevopsOptions.Validate()...)
+	errors = append(errors, s.KubernetesOptions.Validate()...)
+	errors = append(errors, s.ServiceMeshOptions.Validate()...)
+	errors = append(errors, s.MonitoringOptions.Validate()...)
+	errors = append(errors, s.SonarQubeOptions.Validate()...)
+	errors = append(errors, s.S3Options.Validate()...)
+	errors = append(errors, s.OpenPitrixOptions.Validate()...)
+	errors = append(errors, s.NetworkOptions.Validate()...)
+	errors = append(errors, s.LoggingOptions.Validate()...)
+	errors = append(errors, s.AuthorizationOptions.Validate()...)
+	errors = append(errors, s.EventsOptions.Validate()...)
+	errors = append(errors, s.AuditingOptions.Validate()...)
+
+	return errors
+}

cmd/ks-apiserver/app/server.go

@@ -0,0 +1,113 @@
+/*
+Copyright 2019 The KubeSphere Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package app
+
+import (
+	"fmt"
+	kconfig "github.com/kiali/kiali/config"
+	"github.com/spf13/cobra"
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+	cliflag "k8s.io/component-base/cli/flag"
+	"kubesphere.io/kubesphere/cmd/ks-apiserver/app/options"
+	apiserverconfig "kubesphere.io/kubesphere/pkg/apiserver/config"
+	"kubesphere.io/kubesphere/pkg/utils/signals"
+	"kubesphere.io/kubesphere/pkg/utils/term"
+
+	tracing "kubesphere.io/kubesphere/pkg/kapis/servicemesh/metrics/v1alpha2"
+)
+
+func NewAPIServerCommand() *cobra.Command {
+	s := options.NewServerRunOptions()
+
+	// Load configuration from file
+	conf, err := apiserverconfig.TryLoadFromDisk()
+	if err == nil {
+		s = &options.ServerRunOptions{
+			GenericServerRunOptions: s.GenericServerRunOptions,
+			Config:                  conf,
+		}
+	}
+
+	cmd := &cobra.Command{
+		Use: "ks-apiserver",
+		Long: `The KubeSphere API server validates and configures data for the API objects. 
+The API Server services REST operations and provides the frontend to the
+cluster's shared state through which all other components interact.`,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if errs := s.Validate(); len(errs) != 0 {
+				return utilerrors.NewAggregate(errs)
+			}
+
+			return Run(s, signals.SetupSignalHandler())
+		},
+		SilenceUsage: true,
+	}
+
+	fs := cmd.Flags()
+	namedFlagSets := s.Flags()
+	for _, f := range namedFlagSets.FlagSets {
+		fs.AddFlagSet(f)
+	}
+
+	usageFmt := "Usage:\n  %s\n"
+	cols, _, _ := term.TerminalSize(cmd.OutOrStdout())
+	cmd.SetHelpFunc(func(cmd *cobra.Command, args []string) {
+		fmt.Fprintf(cmd.OutOrStdout(), "%s\n\n"+usageFmt, cmd.Long, cmd.UseLine())
+		cliflag.PrintSections(cmd.OutOrStdout(), namedFlagSets, cols)
+	})
+	return cmd
+}
+
+func Run(s *options.ServerRunOptions, stopCh <-chan struct{}) error {
+
+	initializeServicemeshConfig(s)
+
+	apiserver, err := s.NewAPIServer(stopCh)
+	if err != nil {
+		return err
+	}
+
+	err = apiserver.PrepareRun(stopCh)
+	if err != nil {
+		return nil
+	}
+
+	return apiserver.Run(stopCh)
+}
+
+func initializeServicemeshConfig(s *options.ServerRunOptions) {
+	// Initialize kiali config
+	config := kconfig.NewConfig()
+
+	// Config jaeger query endpoint address
+	if s.ServiceMeshOptions != nil && len(s.ServiceMeshOptions.JaegerQueryHost) != 0 {
+		tracing.JaegerQueryUrl = s.ServiceMeshOptions.JaegerQueryHost
+	}
+
+	// Exclude system namespaces
+	config.API.Namespaces.Exclude = []string{"istio-system", "kubesphere*", "kube*"}
+	config.InCluster = true
+
+	// Set default prometheus service url
+	config.ExternalServices.PrometheusServiceURL = s.ServiceMeshOptions.ServicemeshPrometheusHost
+	config.ExternalServices.PrometheusCustomMetricsURL = config.ExternalServices.PrometheusServiceURL
+
+	// Set istio pilot discovery service url
+	config.ExternalServices.Istio.UrlServiceVersion = s.ServiceMeshOptions.IstioPilotHost
+
+	kconfig.Set(config)
+}

cmd/kubesphere.go

@@ -1,40 +0,0 @@
-/*
-Copyright 2018 The KubeSphere Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package main
-
-import (
-	"github.com/spf13/pflag"
-
-	"kubesphere.io/kubesphere/pkg/app"
-	"kubesphere.io/kubesphere/pkg/logs"
-	"kubesphere.io/kubesphere/pkg/options"
-	"kubesphere.io/kubesphere/pkg/version"
-)
-
-func main() {
-
-	options.AddFlags(pflag.CommandLine)
-
-	pflag.Parse()
-	logs.InitLogs()
-
-	defer logs.FlushLogs()
-
-	version.PrintAndExitIfRequested()
-
-	app.Run()
-}

code-of-conduct.md

@@ -1,14 +0,0 @@
-# KubeSphere Code of Conduct
-
-KubeSphere follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).  
-
-# Best practice of committing code
-Besides following above conduct from CNCF, we also hope every contributor in this project could help us to improve the quality of code, something you should know before checking in any new code:
- - As gopher, make sure you already read [the conduct of Go language](https://golang.org/conduct) and [the instruction of writting Go](https://golang.org/doc/effective_go.html).  
- - Fork the project under your account and make the changes you want there.  
- - Execute 'go fmt' for every piece of new code.  
- - Every pulling request(PR) would be better constructed with only one commit, this could help code reviewer to go through your code efficiently, also helpful for every follower of this project to understand what happens in this PR. If you need to make any further code change to address the comments from reviewers, which means some new commits will be generated under this PR, you need to use 'git rebase' to combine those commits together.
- - Every PR should only solve one problem or provide one feature, don't put several different fixes into one PR.  
- - At lease two code reviewers should involve into code reviewing process. 
- - Please introduce new third-party packages as little as possible to reduce the vendor dependency of this project. For example, don't import a full unit converting package but only use one function from it. For this case, you'd better write that function by yourself.
- - more.

config/crd/bases/cluster.kubesphere.io_agents.yaml

@@ -0,0 +1,114 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: agents.cluster.kubesphere.io
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .spec.Paused
+    name: Paused
+    type: bool
+  group: cluster.kubesphere.io
+  names:
+    kind: Agent
+    listKind: AgentList
+    plural: agents
+    singular: agent
+  scope: Cluster
+  subresources: {}
+  validation:
+    openAPIV3Schema:
+      description: Agent is the Schema for the agents API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: AgentSpec defines the desired state of Agent
+          properties:
+            kubernetesAPIServerPort:
+              description: KubeAPIServerPort is the port which listens for forwarding
+                kube-apiserver traffic
+              type: integer
+            kubesphereAPIServerPort:
+              description: KubeSphereAPIServerPort is the port which listens for forwarding
+                kubesphere apigateway traffic
+              type: integer
+            paused:
+              description: Indicates that the agent is paused.
+              type: boolean
+            proxy:
+              description: Proxy address
+              type: string
+            token:
+              description: Token used by agents to connect to proxy.
+              type: string
+          type: object
+        status:
+          description: AgentStatus defines the observed state of Agent
+          properties:
+            conditions:
+              description: Represents the latest available observations of a agent's
+                current state.
+              items:
+                properties:
+                  lastTransitionTime:
+                    description: Last time the condition transitioned from one status
+                      to another.
+                    format: date-time
+                    type: string
+                  lastUpdateTime:
+                    description: The last time this condition was updated.
+                    format: date-time
+                    type: string
+                  message:
+                    description: A human readable message indicating details about
+                      the transition.
+                    type: string
+                  reason:
+                    description: The reason for the condition's last transition.
+                    type: string
+                  status:
+                    description: Status of the condition, one of True, False, Unknown.
+                    type: string
+                  type:
+                    description: Type of AgentCondition
+                    type: string
+                required:
+                - status
+                type: object
+              type: array
+            kubeconfig:
+              description: Issued new kubeconfig by proxy server
+              format: byte
+              type: string
+            ping:
+              description: Represents the connection quality, in ms
+              format: int64
+              type: integer
+          type: object
+      type: object
+  version: v1alpha1
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crd/bases/cluster.kubesphere.io_clusters.yaml

@@ -0,0 +1,168 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: clusters.cluster.kubesphere.io
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .spec.joinFederation
+    name: Federated
+    type: boolean
+  - JSONPath: .spec.provider
+    name: Provider
+    type: string
+  - JSONPath: .spec.enable
+    name: Active
+    type: boolean
+  - JSONPath: .status.kubernetesVersion
+    name: Version
+    type: string
+  group: cluster.kubesphere.io
+  names:
+    kind: Cluster
+    listKind: ClusterList
+    plural: clusters
+    singular: cluster
+  scope: Cluster
+  subresources: {}
+  validation:
+    openAPIV3Schema:
+      description: Cluster is the schema for the clusters API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          properties:
+            connection:
+              description: Connection holds info to connect to the member cluster
+              properties:
+                kubeconfig:
+                  description: KubeConfig content used to connect to cluster api server
+                    Should provide this field explicitly if connection type is direct.
+                    Will be populated by ks-proxy if connection type is proxy.
+                  format: byte
+                  type: string
+                kubernetesAPIEndpoint:
+                  description: Kubernetes API Server endpoint. This can be a hostname,
+                    hostname:port, IP or IP:port. Should provide this field explicitly
+                    if connection type is direct. Will be populated by ks-apiserver
+                    if connection type is proxy.
+                  type: string
+                kubernetesAPIServerPort:
+                  description: KubeAPIServerPort is the port which listens for forwarding
+                    kube-apiserver traffic Only applicable when connection type is
+                    proxy.
+                  type: integer
+                kubesphereAPIEndpoint:
+                  description: KubeSphere API Server endpoint. This can be a hostname,
+                    hostname:port, IP or IP:port. Should provide this field explicitly
+                    if connection type is direct. Will be populated by ks-apiserver
+                    if connection type is proxy.
+                  type: string
+                kubesphereAPIServerPort:
+                  description: KubeSphereAPIServerPort is the port which listens for
+                    forwarding kubesphere apigateway traffic Only applicable when
+                    connection type is proxy.
+                  type: integer
+                token:
+                  description: Token used by agents of member cluster to connect to
+                    host cluster proxy. This field is populated by apiserver only
+                    if connection type is proxy.
+                  type: string
+                type:
+                  description: type defines how host cluster will connect to host
+                    cluster ConnectionTypeDirect means direct connection, this requires   kubeconfig
+                    and kubesphere apiserver endpoint provided ConnectionTypeProxy
+                    means using kubesphere proxy, no kubeconfig   or kubesphere apiserver
+                    endpoint required
+                  type: string
+              type: object
+            enable:
+              description: Desired state of the cluster
+              type: boolean
+            joinFederation:
+              description: Join cluster as a kubefed cluster
+              type: boolean
+            provider:
+              description: Provider of the cluster, this field is just for description
+              type: string
+          type: object
+        status:
+          properties:
+            conditions:
+              description: Represents the latest available observations of a cluster's
+                current state.
+              items:
+                properties:
+                  lastTransitionTime:
+                    description: Last time the condition transitioned from one status
+                      to another.
+                    format: date-time
+                    type: string
+                  lastUpdateTime:
+                    description: The last time this condition was updated.
+                    format: date-time
+                    type: string
+                  message:
+                    description: A human readable message indicating details about
+                      the transition.
+                    type: string
+                  reason:
+                    description: The reason for the condition's last transition.
+                    type: string
+                  status:
+                    description: Status of the condition, one of True, False, Unknown.
+                    type: string
+                  type:
+                    description: Type of the condition
+                    type: string
+                required:
+                - status
+                - type
+                type: object
+              type: array
+            kubernetesVersion:
+              description: GitVersion of the kubernetes cluster, this field is populated
+                by cluster controller
+              type: string
+            nodeCount:
+              description: Count of the kubernetes cluster nodes This field may not
+                reflect the instant status of the cluster.
+              type: integer
+            region:
+              description: Region is the name of the region in which all of the nodes
+                in the cluster exist.  e.g. 'us-east1'.
+              type: string
+            zones:
+              description: Zones are the names of availability zones in which the
+                nodes of the cluster exist, e.g. 'us-east1-a'.
+              items:
+                type: string
+              type: array
+          type: object
+      type: object
+  version: v1alpha1
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crd/bases/devops.kubesphere.io_devopsprojects.yaml

@@ -0,0 +1,59 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: devopsprojects.devops.kubesphere.io
+spec:
+  group: devops.kubesphere.io
+  names:
+    categories:
+    - devops
+    kind: DevOpsProject
+    listKind: DevOpsProjectList
+    plural: devopsprojects
+    singular: devopsproject
+  scope: Cluster
+  validation:
+    openAPIV3Schema:
+      description: DevOpsProject is the Schema for the devopsprojects API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: DevOpsProjectSpec defines the desired state of DevOpsProject
+          type: object
+        status:
+          description: DevOpsProjectStatus defines the observed state of DevOpsProject
+          properties:
+            adminNamespace:
+              description: 'INSERT ADDITIONAL STATUS FIELD - define observed state
+                of cluster Important: Run "make" to regenerate code after modifying
+                this file'
+              type: string
+          type: object
+      type: object
+  version: v1alpha3
+  versions:
+  - name: v1alpha3
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crd/bases/devops.kubesphere.io_pipelines.yaml

@@ -0,0 +1,260 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: pipelines.devops.kubesphere.io
+spec:
+  group: devops.kubesphere.io
+  names:
+    kind: Pipeline
+    listKind: PipelineList
+    plural: pipelines
+    singular: pipeline
+  scope: Namespaced
+  validation:
+    openAPIV3Schema:
+      description: Pipeline is the Schema for the pipelines API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: PipelineSpec defines the desired state of Pipeline
+          properties:
+            multi_branch_pipeline:
+              properties:
+                bitbucket_server_source:
+                  properties:
+                    api_uri:
+                      type: string
+                    credential_id:
+                      type: string
+                    discover_branches:
+                      type: integer
+                    discover_pr_from_forks:
+                      properties:
+                        strategy:
+                          type: integer
+                        trust:
+                          type: integer
+                      type: object
+                    discover_pr_from_origin:
+                      type: integer
+                    git_clone_option:
+                      properties:
+                        depth:
+                          type: integer
+                        shallow:
+                          type: boolean
+                        timeout:
+                          type: integer
+                      type: object
+                    owner:
+                      type: string
+                    regex_filter:
+                      type: string
+                    repo:
+                      type: string
+                    scm_id:
+                      type: string
+                  type: object
+                descriptio:
+                  type: string
+                discarder:
+                  properties:
+                    days_to_keep:
+                      type: string
+                    num_to_keep:
+                      type: string
+                  type: object
+                git_source:
+                  properties:
+                    credential_id:
+                      type: string
+                    discover_branches:
+                      type: boolean
+                    git_clone_option:
+                      properties:
+                        depth:
+                          type: integer
+                        shallow:
+                          type: boolean
+                        timeout:
+                          type: integer
+                      type: object
+                    regex_filter:
+                      type: string
+                    scm_id:
+                      type: string
+                    url:
+                      type: string
+                  type: object
+                github_source:
+                  properties:
+                    api_uri:
+                      type: string
+                    credential_id:
+                      type: string
+                    discover_branches:
+                      type: integer
+                    discover_pr_from_forks:
+                      properties:
+                        strategy:
+                          type: integer
+                        trust:
+                          type: integer
+                      type: object
+                    discover_pr_from_origin:
+                      type: integer
+                    git_clone_option:
+                      properties:
+                        depth:
+                          type: integer
+                        shallow:
+                          type: boolean
+                        timeout:
+                          type: integer
+                      type: object
+                    owner:
+                      type: string
+                    regex_filter:
+                      type: string
+                    repo:
+                      type: string
+                    scm_id:
+                      type: string
+                  type: object
+                multibranch_job_trigger:
+                  properties:
+                    create_action_job_to_trigger:
+                      type: string
+                    delete_action_job_to_trigger:
+                      type: string
+                  type: object
+                name:
+                  type: string
+                script_path:
+                  type: string
+                single_svn_source:
+                  properties:
+                    credential_id:
+                      type: string
+                    remote:
+                      type: string
+                    scm_id:
+                      type: string
+                  type: object
+                source_type:
+                  type: string
+                svn_source:
+                  properties:
+                    credential_id:
+                      type: string
+                    excludes:
+                      type: string
+                    includes:
+                      type: string
+                    remote:
+                      type: string
+                    scm_id:
+                      type: string
+                  type: object
+                timer_trigger:
+                  properties:
+                    cron:
+                      description: user in no scm job
+                      type: string
+                    interval:
+                      description: use in multi-branch job
+                      type: string
+                  type: object
+              required:
+              - name
+              - script_path
+              - source_type
+              type: object
+            pipeline:
+              properties:
+                descriptio:
+                  type: string
+                disable_concurrent:
+                  type: boolean
+                discarder:
+                  properties:
+                    days_to_keep:
+                      type: string
+                    num_to_keep:
+                      type: string
+                  type: object
+                jenkinsfile:
+                  type: string
+                name:
+                  type: string
+                parameters:
+                  items:
+                    properties:
+                      default_value:
+                        type: string
+                      description:
+                        type: string
+                      name:
+                        type: string
+                      type:
+                        type: string
+                    required:
+                    - name
+                    - type
+                    type: object
+                  type: array
+                remote_trigger:
+                  properties:
+                    token:
+                      type: string
+                  type: object
+                timer_trigger:
+                  properties:
+                    cron:
+                      description: user in no scm job
+                      type: string
+                    interval:
+                      description: use in multi-branch job
+                      type: string
+                  type: object
+              required:
+              - name
+              type: object
+            type:
+              description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
+                Important: Run "make" to regenerate code after modifying this file'
+              type: string
+          required:
+          - type
+          type: object
+        status:
+          description: PipelineStatus defines the observed state of Pipeline
+          type: object
+      type: object
+  version: v1alpha3
+  versions:
+  - name: v1alpha3
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crd/bases/devops.kubesphere.io_s2ibinaries.yaml

@@ -0,0 +1,86 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: s2ibinaries.devops.kubesphere.io
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .spec.fileName
+    name: FileName
+    type: string
+  - JSONPath: .spec.md5
+    name: MD5
+    type: string
+  - JSONPath: .spec.size
+    name: Size
+    type: string
+  - JSONPath: .status.phase
+    name: Phase
+    type: string
+  group: devops.kubesphere.io
+  names:
+    kind: S2iBinary
+    listKind: S2iBinaryList
+    plural: s2ibinaries
+    singular: s2ibinary
+  scope: Namespaced
+  subresources: {}
+  validation:
+    openAPIV3Schema:
+      description: S2iBinary is the Schema for the s2ibinaries API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: S2iBinarySpec defines the desired state of S2iBinary
+          properties:
+            downloadURL:
+              description: DownloadURL in KubeSphere
+              type: string
+            fileName:
+              description: FileName is filename of binary
+              type: string
+            md5:
+              description: MD5 is Binary's MD5 Hash
+              type: string
+            size:
+              description: Size is the file size of file
+              type: string
+            uploadTimeStamp:
+              description: UploadTime is last upload time
+              format: date-time
+              type: string
+          type: object
+        status:
+          description: S2iBinaryStatus defines the observed state of S2iBinary
+          properties:
+            phase:
+              description: Phase is status of S2iBinary . Possible value is "Ready","UnableToDownload"
+              type: string
+          type: object
+      type: object
+  version: v1alpha1
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crd/bases/devops.kubesphere.io_s2ibuilders.yaml

@@ -0,0 +1,578 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: s2ibuilders.devops.kubesphere.io
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .status.runCount
+    name: RunCount
+    type: integer
+  - JSONPath: .status.lastRunState
+    name: LastRunState
+    type: string
+  - JSONPath: .status.lastRunName
+    name: LastRunName
+    type: string
+  - JSONPath: .status.lastRunStartTime
+    name: LastRunStartTime
+    type: date
+  group: devops.kubesphere.io
+  names:
+    kind: S2iBuilder
+    listKind: S2iBuilderList
+    plural: s2ibuilders
+    shortNames:
+    - s2ib
+    singular: s2ibuilder
+  scope: Namespaced
+  subresources:
+    status: {}
+  validation:
+    openAPIV3Schema:
+      description: S2iBuilder is the Schema for the s2ibuilders API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: S2iBuilderSpec defines the desired state of S2iBuilder
+          properties:
+            config:
+              description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
+                Important: Run "make" to regenerate code after modifying this file'
+              properties:
+                addHost:
+                  description: AddHost Add a line to /etc/hosts for test purpose or
+                    private use in LAN. Its format is host:IP,muliple hosts can be
+                    added  by using multiple --add-host
+                  items:
+                    type: string
+                  type: array
+                asDockerfile:
+                  description: AsDockerfile indicates the path where the Dockerfile
+                    should be written instead of building a new image.
+                  type: string
+                assembleUser:
+                  description: AssembleUser specifies the user to run the assemble
+                    script in container
+                  type: string
+                blockOnBuild:
+                  description: BlockOnBuild prevents s2i from performing a docker
+                    build operation if one is necessary to execute ONBUILD commands,
+                    or to layer source code into the container for images that don't
+                    have a tar binary available, if the image contains ONBUILD commands
+                    that would be executed.
+                  type: boolean
+                branchExpression:
+                  description: Regular expressions, ignoring names that do not match
+                    the provided regular expression
+                  type: string
+                buildVolumes:
+                  description: BuildVolumes specifies a list of volumes to mount to
+                    container running the build.
+                  items:
+                    type: string
+                  type: array
+                builderBaseImageVersion:
+                  description: BuilderBaseImageVersion provides optional version information
+                    about the builder base image.
+                  type: string
+                builderImage:
+                  description: BuilderImage describes which image is used for building
+                    the result images.
+                  type: string
+                builderImageVersion:
+                  description: BuilderImageVersion provides optional version information
+                    about the builder image.
+                  type: string
+                builderPullPolicy:
+                  description: BuilderPullPolicy specifies when to pull the builder
+                    image
+                  type: string
+                callbackUrl:
+                  description: CallbackURL is a URL which is called upon successful
+                    build to inform about that fact.
+                  type: string
+                cgroupLimits:
+                  description: CGroupLimits describes the cgroups limits that will
+                    be applied to any containers run by s2i.
+                  properties:
+                    cpuPeriod:
+                      format: int64
+                      type: integer
+                    cpuQuota:
+                      format: int64
+                      type: integer
+                    cpuShares:
+                      format: int64
+                      type: integer
+                    memoryLimitBytes:
+                      format: int64
+                      type: integer
+                    memorySwap:
+                      format: int64
+                      type: integer
+                    parent:
+                      type: string
+                  required:
+                  - cpuPeriod
+                  - cpuQuota
+                  - cpuShares
+                  - memoryLimitBytes
+                  - memorySwap
+                  - parent
+                  type: object
+                contextDir:
+                  description: Specify a relative directory inside the application
+                    repository that should be used as a root directory for the application.
+                  type: string
+                description:
+                  description: Description is a result image description label. The
+                    default is no description.
+                  type: string
+                destination:
+                  description: Destination specifies a location where the untar operation
+                    will place its artifacts.
+                  type: string
+                displayName:
+                  description: DisplayName is a result image display-name label. This
+                    defaults to the output image name.
+                  type: string
+                dockerConfig:
+                  description: DockerConfig describes how to access host docker daemon.
+                  properties:
+                    caFile:
+                      description: CAFile is the certificate authority file path for
+                        a TLS connection
+                      type: string
+                    certFile:
+                      description: CertFile is the certificate file path for a TLS
+                        connection
+                      type: string
+                    endPoint:
+                      description: Endpoint is the docker network endpoint or socket
+                      type: string
+                    keyFile:
+                      description: KeyFile is the key file path for a TLS connection
+                      type: string
+                    tlsVerify:
+                      description: TLSVerify indicates if TLS peer must be verified
+                      type: boolean
+                    useTLS:
+                      description: UseTLS indicates if TLS must be used
+                      type: boolean
+                  required:
+                  - caFile
+                  - certFile
+                  - endPoint
+                  - keyFile
+                  - tlsVerify
+                  - useTLS
+                  type: object
+                dockerNetworkMode:
+                  description: DockerNetworkMode is used to set the docker network
+                    setting to --net=container:<id> when the builder is invoked from
+                    a container.
+                  type: string
+                dropCapabilities:
+                  description: DropCapabilities contains a list of capabilities to
+                    drop when executing containers
+                  items:
+                    type: string
+                  type: array
+                environment:
+                  description: Environment is a map of environment variables to be
+                    passed to the image.
+                  items:
+                    description: EnvironmentSpec specifies a single environment variable.
+                    properties:
+                      name:
+                        type: string
+                      value:
+                        type: string
+                    required:
+                    - name
+                    - value
+                    type: object
+                  type: array
+                excludeRegExp:
+                  description: ExcludeRegExp contains a string representation of the
+                    regular expression desired for deciding which files to exclude
+                    from the tar stream
+                  type: string
+                export:
+                  description: Export Push the result image to specify image registry
+                    in tag
+                  type: boolean
+                gitSecretRef:
+                  description: GitSecretRef is the BasicAuth Secret of Git Clone
+                  properties:
+                    name:
+                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        TODO: Add other useful fields. apiVersion, kind, uid?'
+                      type: string
+                  type: object
+                hasOnBuild:
+                  description: HasOnBuild will be set to true if the builder image
+                    contains ONBUILD instructions
+                  type: boolean
+                imageName:
+                  description: ImageName Contains the registry address and reponame,
+                    tag should set by field tag alone
+                  type: string
+                imageScriptsUrl:
+                  description: ImageScriptsURL is the default location to find the
+                    assemble/run scripts for a builder image. This url can be a reference
+                    within the builder image if the scheme is specified as image://
+                  type: string
+                imageWorkDir:
+                  description: ImageWorkDir is the default working directory for the
+                    builder image.
+                  type: string
+                incremental:
+                  description: Incremental describes whether to try to perform incremental
+                    build.
+                  type: boolean
+                incrementalAuthentication:
+                  description: IncrementalAuthentication holds the authentication
+                    information for pulling the previous image from private repositories
+                  properties:
+                    email:
+                      type: string
+                    password:
+                      type: string
+                    secretRef:
+                      description: LocalObjectReference contains enough information
+                        to let you locate the referenced object inside the same namespace.
+                      properties:
+                        name:
+                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            TODO: Add other useful fields. apiVersion, kind, uid?'
+                          type: string
+                      type: object
+                    serverAddress:
+                      type: string
+                    username:
+                      type: string
+                  type: object
+                incrementalFromTag:
+                  description: IncrementalFromTag sets an alternative image tag to
+                    look for existing artifacts. Tag is used by default if this is
+                    not set.
+                  type: string
+                injections:
+                  description: Injections specifies a list source/destination folders
+                    that are injected to the container that runs assemble. All files
+                    we inject will be truncated after the assemble script finishes.
+                  items:
+                    description: VolumeSpec represents a single volume mount point.
+                    properties:
+                      destination:
+                        description: Destination is the path to mount the volume to
+                          - absolute or relative.
+                        type: string
+                      keep:
+                        description: Keep indicates if the mounted data should be
+                          kept in the final image.
+                        type: boolean
+                      source:
+                        description: Source is a reference to the volume source.
+                        type: string
+                    type: object
+                  type: array
+                isBinaryURL:
+                  description: IsBinaryURL explain the type of SourceURL. If it is
+                    IsBinaryURL, it will download the file directly without using
+                    git.
+                  type: boolean
+                keepSymlinks:
+                  description: KeepSymlinks indicates to copy symlinks as symlinks.
+                    Default behavior is to follow symlinks and copy files by content.
+                  type: boolean
+                labelNamespace:
+                  description: LabelNamespace provides the namespace under which the
+                    labels will be generated.
+                  type: string
+                labels:
+                  additionalProperties:
+                    type: string
+                  description: Labels specify labels and their values to be applied
+                    to the resulting image. Label keys must have non-zero length.
+                    The labels defined here override generated labels in case they
+                    have the same name.
+                  type: object
+                layeredBuild:
+                  description: LayeredBuild describes if this is build which layered
+                    scripts and sources on top of BuilderImage.
+                  type: boolean
+                nodeAffinityKey:
+                  description: The key of Node Affinity.
+                  type: string
+                nodeAffinityValues:
+                  description: The values of Node Affinity.
+                  items:
+                    type: string
+                  type: array
+                outputBuildResult:
+                  description: Whether output build result to status.
+                  type: boolean
+                outputImageName:
+                  description: OutputImageName is a result image name without tag,
+                    default is latest. tag will append to ImageName in the end
+                  type: string
+                preserveWorkingDir:
+                  description: PreserveWorkingDir describes if working directory should
+                    be left after processing.
+                  type: boolean
+                previousImagePullPolicy:
+                  description: PreviousImagePullPolicy specifies when to pull the
+                    previously build image when doing incremental build
+                  type: string
+                pullAuthentication:
+                  description: PullAuthentication holds the authentication information
+                    for pulling the Docker images from private repositories
+                  properties:
+                    email:
+                      type: string
+                    password:
+                      type: string
+                    secretRef:
+                      description: LocalObjectReference contains enough information
+                        to let you locate the referenced object inside the same namespace.
+                      properties:
+                        name:
+                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            TODO: Add other useful fields. apiVersion, kind, uid?'
+                          type: string
+                      type: object
+                    serverAddress:
+                      type: string
+                    username:
+                      type: string
+                  type: object
+                pushAuthentication:
+                  description: PullAuthentication holds the authentication information
+                    for pulling the Docker images from private repositories
+                  properties:
+                    email:
+                      type: string
+                    password:
+                      type: string
+                    secretRef:
+                      description: LocalObjectReference contains enough information
+                        to let you locate the referenced object inside the same namespace.
+                      properties:
+                        name:
+                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            TODO: Add other useful fields. apiVersion, kind, uid?'
+                          type: string
+                      type: object
+                    serverAddress:
+                      type: string
+                    username:
+                      type: string
+                  type: object
+                removePreviousImage:
+                  description: RemovePreviousImage describes if previous image should
+                    be removed after successful build. This applies only to incremental
+                    builds.
+                  type: boolean
+                revisionId:
+                  description: The RevisionId is a branch name or a SHA-1 hash of
+                    every important thing about the commit
+                  type: string
+                runImage:
+                  description: RunImage will trigger a "docker run ..." invocation
+                    of the produced image so the user can see if it operates as he
+                    would expect
+                  type: boolean
+                runtimeArtifacts:
+                  description: RuntimeArtifacts specifies a list of source/destination
+                    pairs that will be copied from builder to a runtime image. Source
+                    can be a file or directory. Destination must be a directory. Regardless
+                    whether it is an absolute or relative path, it will be placed
+                    into image's WORKDIR. Destination also can be empty or equals
+                    to ".", in this case it just refers to a root of WORKDIR. In case
+                    it's empty, S2I will try to get this list from io.openshift.s2i.assemble-input-files
+                    label on a RuntimeImage.
+                  items:
+                    description: VolumeSpec represents a single volume mount point.
+                    properties:
+                      destination:
+                        description: Destination is the path to mount the volume to
+                          - absolute or relative.
+                        type: string
+                      keep:
+                        description: Keep indicates if the mounted data should be
+                          kept in the final image.
+                        type: boolean
+                      source:
+                        description: Source is a reference to the volume source.
+                        type: string
+                    type: object
+                  type: array
+                runtimeAuthentication:
+                  description: RuntimeAuthentication holds the authentication information
+                    for pulling the runtime Docker images from private repositories.
+                  properties:
+                    email:
+                      type: string
+                    password:
+                      type: string
+                    secretRef:
+                      description: LocalObjectReference contains enough information
+                        to let you locate the referenced object inside the same namespace.
+                      properties:
+                        name:
+                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            TODO: Add other useful fields. apiVersion, kind, uid?'
+                          type: string
+                      type: object
+                    serverAddress:
+                      type: string
+                    username:
+                      type: string
+                  type: object
+                runtimeImage:
+                  description: RuntimeImage specifies the image that will be a base
+                    for resulting image and will be used for running an application.
+                    By default, BuilderImage is used for building and running, but
+                    the latter may be overridden.
+                  type: string
+                runtimeImagePullPolicy:
+                  description: RuntimeImagePullPolicy specifies when to pull a runtime
+                    image.
+                  type: string
+                scriptDownloadProxyConfig:
+                  description: ScriptDownloadProxyConfig optionally specifies the
+                    http and https proxy to use when downloading scripts
+                  properties:
+                    httpProxy:
+                      type: string
+                    httpsProxy:
+                      type: string
+                  type: object
+                scriptsUrl:
+                  description: ScriptsURL is a URL describing where to fetch the S2I
+                    scripts from during build process. This url can be a reference
+                    within the builder image if the scheme is specified as image://
+                  type: string
+                secretCode:
+                  description: SecretCode
+                  type: string
+                securityOpt:
+                  description: SecurityOpt are passed as options to the docker containers
+                    launched by s2i.
+                  items:
+                    type: string
+                  type: array
+                sourceUrl:
+                  description: SourceURL is  url of the codes such as https://github.com/a/b.git
+                  type: string
+                tag:
+                  description: Tag is a result image tag name.
+                  type: string
+                taintKey:
+                  description: The name of taint.
+                  type: string
+                usage:
+                  description: Usage allows for properly shortcircuiting s2i logic
+                    when `s2i usage` is invoked
+                  type: boolean
+                workingDir:
+                  description: WorkingDir describes temporary directory used for downloading
+                    sources, scripts and tar operations.
+                  type: string
+                workingSourceDir:
+                  description: WorkingSourceDir describes the subdirectory off of
+                    WorkingDir set up during the repo download that is later used
+                    as the root for ignore processing
+                  type: string
+              required:
+              - imageName
+              - sourceUrl
+              type: object
+            fromTemplate:
+              description: FromTemplate define some inputs from user
+              properties:
+                builderImage:
+                  description: BaseImage specify which version of this template to
+                    use
+                  type: string
+                name:
+                  description: Name specify a template to use, so many fields in Config
+                    can left empty
+                  type: string
+                parameters:
+                  description: Parameters must use with `template`, fill some parameters
+                    which template will use
+                  items:
+                    properties:
+                      defaultValue:
+                        type: string
+                      description:
+                        type: string
+                      key:
+                        type: string
+                      optValues:
+                        items:
+                          type: string
+                        type: array
+                      required:
+                        type: boolean
+                      type:
+                        type: string
+                      value:
+                        type: string
+                    type: object
+                  type: array
+              type: object
+          type: object
+        status:
+          description: S2iBuilderStatus defines the observed state of S2iBuilder
+          properties:
+            lastRunName:
+              description: LastRunState return the name of the newest run of this
+                builder
+              type: string
+            lastRunStartTime:
+              description: LastRunStartTime return the startTime of the newest run
+                of this builder
+              format: date-time
+              type: string
+            lastRunState:
+              description: LastRunState return the state of the newest run of this
+                builder
+              type: string
+            runCount:
+              description: RunCount represent the sum of s2irun of this builder
+              type: integer
+          required:
+          - runCount
+          type: object
+      type: object
+  version: v1alpha1
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crd/bases/devops.kubesphere.io_s2ibuildertemplates.yaml

@@ -0,0 +1,141 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: s2ibuildertemplates.devops.kubesphere.io
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .spec.codeFramework
+    name: Framework
+    type: string
+  - JSONPath: .spec.defaultBaseImage
+    name: DefaultBaseImage
+    type: string
+  - JSONPath: .spec.version
+    name: Version
+    type: string
+  group: devops.kubesphere.io
+  names:
+    categories:
+    - devops
+    kind: S2iBuilderTemplate
+    listKind: S2iBuilderTemplateList
+    plural: s2ibuildertemplates
+    shortNames:
+    - s2ibt
+    singular: s2ibuildertemplate
+  scope: Cluster
+  subresources: {}
+  validation:
+    openAPIV3Schema:
+      description: S2iBuilderTemplate is the Schema for the s2ibuildertemplates API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: S2iBuilderTemplateSpec defines the desired state of S2iBuilderTemplate
+          properties:
+            codeFramework:
+              description: CodeFramework means which language this template is designed
+                for and which framework is using if has framework. Like Java, NodeJS
+                etc
+              type: string
+            containerInfo:
+              description: Images are the images this template will use.
+              items:
+                properties:
+                  buildVolumes:
+                    description: BuildVolumes specifies a list of volumes to mount
+                      to container running the build.
+                    items:
+                      type: string
+                    type: array
+                  builderImage:
+                    description: BaseImage are the images this template will use.
+                    type: string
+                  runtimeArtifacts:
+                    items:
+                      description: VolumeSpec represents a single volume mount point.
+                      properties:
+                        destination:
+                          description: Destination is the path to mount the volume
+                            to - absolute or relative.
+                          type: string
+                        keep:
+                          description: Keep indicates if the mounted data should be
+                            kept in the final image.
+                          type: boolean
+                        source:
+                          description: Source is a reference to the volume source.
+                          type: string
+                      type: object
+                    type: array
+                  runtimeImage:
+                    type: string
+                type: object
+              type: array
+            defaultBaseImage:
+              description: DefaultBaseImage is the image that will be used by default
+              type: string
+            description:
+              description: Description illustrate the purpose of this template
+              type: string
+            environment:
+              description: Parameters is a set of environment variables to be passed
+                to the image.
+              items:
+                properties:
+                  defaultValue:
+                    type: string
+                  description:
+                    type: string
+                  key:
+                    type: string
+                  optValues:
+                    items:
+                      type: string
+                    type: array
+                  required:
+                    type: boolean
+                  type:
+                    type: string
+                  value:
+                    type: string
+                type: object
+              type: array
+            iconPath:
+              description: IconPath is used for frontend display
+              type: string
+            version:
+              description: Version of template
+              type: string
+          type: object
+        status:
+          description: S2iBuilderTemplateStatus defines the observed state of S2iBuilderTemplate
+          type: object
+      type: object
+  version: v1alpha1
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crd/bases/devops.kubesphere.io_s2iruns.yaml

@@ -0,0 +1,181 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: s2iruns.devops.kubesphere.io
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .status.runState
+    name: State
+    type: string
+  - JSONPath: .status.kubernetesJobName
+    name: K8sJobName
+    type: string
+  - JSONPath: .status.startTime
+    name: StartTime
+    type: date
+  - JSONPath: .status.completionTime
+    name: CompletionTime
+    type: date
+  - JSONPath: .status.s2iBuildResult.imageName
+    name: ImageName
+    type: string
+  group: devops.kubesphere.io
+  names:
+    kind: S2iRun
+    listKind: S2iRunList
+    plural: s2iruns
+    shortNames:
+    - s2ir
+    singular: s2irun
+  scope: Namespaced
+  subresources:
+    status: {}
+  validation:
+    openAPIV3Schema:
+      description: S2iRun is the Schema for the s2iruns API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: S2iRunSpec defines the desired state of S2iRun
+          properties:
+            backoffLimit:
+              description: BackoffLimit limits the restart count of each s2irun. Default
+                is 0
+              format: int32
+              type: integer
+            builderName:
+              description: BuilderName specify the name of s2ibuilder, required
+              type: string
+            newRevisionId:
+              description: NewRevisionId override the default NewRevisionId in its
+                s2ibuilder.
+              type: string
+            newSourceURL:
+              description: NewSourceURL is used to download new binary artifacts
+              type: string
+            newTag:
+              description: NewTag override the default tag in its s2ibuilder, image
+                name cannot be changed.
+              type: string
+            secondsAfterFinished:
+              description: SecondsAfterFinished if is set and greater than zero, and
+                the job created by s2irun become successful or failed , the job will
+                be auto deleted after SecondsAfterFinished
+              format: int32
+              type: integer
+          required:
+          - builderName
+          type: object
+        status:
+          description: S2iRunStatus defines the observed state of S2iRun
+          properties:
+            completionTime:
+              description: Represents time when the job was completed. It is not guaranteed
+                to be set in happens-before order across separate operations. It is
+                represented in RFC3339 form and is in UTC.
+              format: date-time
+              type: string
+            kubernetesJobName:
+              description: KubernetesJobName is the job name in k8s
+              type: string
+            logURL:
+              description: LogURL is uesd for external log handler to let user know
+                where is log located in
+              type: string
+            runState:
+              description: RunState  indicates whether this job is done or failed
+              type: string
+            s2iBuildResult:
+              description: S2i build result info.
+              properties:
+                commandPull:
+                  description: Command for pull image.
+                  type: string
+                imageCreated:
+                  description: Image created time.
+                  type: string
+                imageID:
+                  description: Image ID.
+                  type: string
+                imageName:
+                  description: ImageName is the name of artifact
+                  type: string
+                imageRepoTags:
+                  description: image tags.
+                  items:
+                    type: string
+                  type: array
+                imageSize:
+                  description: The size in bytes of the image
+                  format: int64
+                  type: integer
+              type: object
+            s2iBuildSource:
+              description: S2i build source info.
+              properties:
+                binaryName:
+                  description: Binary file Name
+                  type: string
+                binarySize:
+                  description: Binary file Size
+                  format: int64
+                  type: integer
+                builderImage:
+                  description: // BuilderImage describes which image is used for building
+                    the result images.
+                  type: string
+                commitID:
+                  description: CommitID represents an arbitrary extended object reference
+                    in Git as SHA-1
+                  type: string
+                committerEmail:
+                  description: CommitterEmail contains the e-mail of the committer
+                  type: string
+                committerName:
+                  description: CommitterName contains the name of the committer
+                  type: string
+                description:
+                  description: Description is a result image description label. The
+                    default is no description.
+                  type: string
+                revisionId:
+                  description: The RevisionId is a branch name or a SHA-1 hash of
+                    every important thing about the commit
+                  type: string
+                sourceUrl:
+                  description: SourceURL is  url of the codes such as https://github.com/a/b.git
+                  type: string
+              type: object
+            startTime:
+              description: StartTime represent when this run began
+              format: date-time
+              type: string
+          type: object
+      type: object
+  version: v1alpha1
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/app_v1beta1_application.yaml

@@ -0,0 +1,239 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  creationTimestamp: null
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: applications.app.k8s.io
+spec:
+  group: app.k8s.io
+  names:
+    kind: Application
+    plural: applications
+  scope: Namespaced
+  validation:
+    openAPIV3Schema:
+      properties:
+        apiVersion:
+          type: string
+        kind:
+          type: string
+        metadata:
+          type: object
+        spec:
+          properties:
+            assemblyPhase:
+              type: string
+            componentKinds:
+              items:
+                type: object
+              type: array
+            descriptor:
+              properties:
+                description:
+                  type: string
+                icons:
+                  items:
+                    properties:
+                      size:
+                        type: string
+                      src:
+                        type: string
+                      type:
+                        type: string
+                    required:
+                    - src
+                    type: object
+                  type: array
+                keywords:
+                  items:
+                    type: string
+                  type: array
+                links:
+                  items:
+                    properties:
+                      description:
+                        type: string
+                      url:
+                        type: string
+                    type: object
+                  type: array
+                maintainers:
+                  items:
+                    properties:
+                      email:
+                        type: string
+                      name:
+                        type: string
+                      url:
+                        type: string
+                    type: object
+                  type: array
+                notes:
+                  type: string
+                owners:
+                  items:
+                    properties:
+                      email:
+                        type: string
+                      name:
+                        type: string
+                      url:
+                        type: string
+                    type: object
+                  type: array
+                type:
+                  type: string
+                version:
+                  type: string
+              type: object
+            info:
+              items:
+                properties:
+                  name:
+                    type: string
+                  type:
+                    type: string
+                  value:
+                    type: string
+                  valueFrom:
+                    properties:
+                      configMapKeyRef:
+                        properties:
+                          apiVersion:
+                            type: string
+                          fieldPath:
+                            type: string
+                          key:
+                            type: string
+                          kind:
+                            type: string
+                          name:
+                            type: string
+                          namespace:
+                            type: string
+                          resourceVersion:
+                            type: string
+                          uid:
+                            type: string
+                        type: object
+                      ingressRef:
+                        properties:
+                          apiVersion:
+                            type: string
+                          fieldPath:
+                            type: string
+                          host:
+                            type: string
+                          kind:
+                            type: string
+                          name:
+                            type: string
+                          namespace:
+                            type: string
+                          path:
+                            type: string
+                          resourceVersion:
+                            type: string
+                          uid:
+                            type: string
+                        type: object
+                      secretKeyRef:
+                        properties:
+                          apiVersion:
+                            type: string
+                          fieldPath:
+                            type: string
+                          key:
+                            type: string
+                          kind:
+                            type: string
+                          name:
+                            type: string
+                          namespace:
+                            type: string
+                          resourceVersion:
+                            type: string
+                          uid:
+                            type: string
+                        type: object
+                      serviceRef:
+                        properties:
+                          apiVersion:
+                            type: string
+                          fieldPath:
+                            type: string
+                          kind:
+                            type: string
+                          name:
+                            type: string
+                          namespace:
+                            type: string
+                          path:
+                            type: string
+                          port:
+                            format: int32
+                            type: integer
+                          resourceVersion:
+                            type: string
+                          uid:
+                            type: string
+                        type: object
+                      type:
+                        type: string
+                    type: object
+                type: object
+              type: array
+            selector:
+              type: object
+          type: object
+        status:
+          properties:
+            components:
+              items:
+                properties:
+                  group:
+                    type: string
+                  kind:
+                    type: string
+                  link:
+                    type: string
+                  name:
+                    type: string
+                  status:
+                    type: string
+                type: object
+              type: array
+            conditions:
+              items:
+                properties:
+                  lastTransitionTime:
+                    format: date-time
+                    type: string
+                  lastUpdateTime:
+                    format: date-time
+                    type: string
+                  message:
+                    type: string
+                  reason:
+                    type: string
+                  status:
+                    type: string
+                  type:
+                    type: string
+                required:
+                - type
+                - status
+                type: object
+              type: array
+            observedGeneration:
+              format: int64
+              type: integer
+          type: object
+  version: v1beta1
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/auditing.kubesphere.io_rules.yaml

@@ -0,0 +1,92 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: rules.auditing.kubesphere.io
+spec:
+  group: auditing.kubesphere.io
+  names:
+    kind: Rule
+    listKind: RuleList
+    plural: rules
+    singular: rule
+  scope: Namespaced
+  validation:
+    openAPIV3Schema:
+      description: Rule is the Schema for the rules API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: AuditRuleSpec defines the desired state of Rule
+          properties:
+            rules:
+              items:
+                properties:
+                  alias:
+                    description: This effective When the rule type is alias
+                    type: string
+                  condition:
+                    description: Rule condition This effective When the rule type
+                      is rule
+                    type: string
+                  desc:
+                    description: Rule describe
+                    type: string
+                  enable:
+                    description: Is the rule enable
+                    type: boolean
+                  list:
+                    description: This effective When the rule type is list
+                    items:
+                      type: string
+                    type: array
+                  macro:
+                    description: This effective When the rule type is macro
+                    type: string
+                  name:
+                    description: Rule name
+                    type: string
+                  output:
+                    description: The output formater of message which send to user
+                    type: string
+                  priority:
+                    description: Rule priority, DEBUG, INFO, WARNING
+                    type: string
+                  type:
+                    description: Rule type, rule, macro,list,alias
+                    type: string
+                required:
+                - enable
+                type: object
+              type: array
+          type: object
+        status:
+          description: AuditRuleStatus defines the observed state of Rule
+          type: object
+      type: object
+  version: v1alpha1
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/auditing.kubesphere.io_webhooks.yaml

@@ -0,0 +1,915 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: webhooks.auditing.kubesphere.io
+spec:
+  group: auditing.kubesphere.io
+  names:
+    kind: Webhook
+    listKind: WebhookList
+    plural: webhooks
+    singular: webhook
+  scope: Namespaced
+  validation:
+    openAPIV3Schema:
+      description: Webhook is the Schema for the webhooks API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: WebhookSpec defines the desired state of Webhook
+          properties:
+            affinity:
+              description: If specified, the pod's scheduling constraints
+              properties:
+                nodeAffinity:
+                  description: Describes node affinity scheduling rules for the pod.
+                  properties:
+                    preferredDuringSchedulingIgnoredDuringExecution:
+                      description: The scheduler will prefer to schedule pods to nodes
+                        that satisfy the affinity expressions specified by this field,
+                        but it may choose a node that violates one or more of the
+                        expressions. The node that is most preferred is the one with
+                        the greatest sum of weights, i.e. for each node that meets
+                        all of the scheduling requirements (resource request, requiredDuringScheduling
+                        affinity expressions, etc.), compute a sum by iterating through
+                        the elements of this field and adding "weight" to the sum
+                        if the node matches the corresponding matchExpressions; the
+                        node(s) with the highest sum are the most preferred.
+                      items:
+                        description: An empty preferred scheduling term matches all
+                          objects with implicit weight 0 (i.e. it's a no-op). A null
+                          preferred scheduling term matches no objects (i.e. is also
+                          a no-op).
+                        properties:
+                          preference:
+                            description: A node selector term, associated with the
+                              corresponding weight.
+                            properties:
+                              matchExpressions:
+                                description: A list of node selector requirements
+                                  by node's labels.
+                                items:
+                                  description: A node selector requirement is a selector
+                                    that contains values, a key, and an operator that
+                                    relates the key and values.
+                                  properties:
+                                    key:
+                                      description: The label key that the selector
+                                        applies to.
+                                      type: string
+                                    operator:
+                                      description: Represents a key's relationship
+                                        to a set of values. Valid operators are In,
+                                        NotIn, Exists, DoesNotExist. Gt, and Lt.
+                                      type: string
+                                    values:
+                                      description: An array of string values. If the
+                                        operator is In or NotIn, the values array
+                                        must be non-empty. If the operator is Exists
+                                        or DoesNotExist, the values array must be
+                                        empty. If the operator is Gt or Lt, the values
+                                        array must have a single element, which will
+                                        be interpreted as an integer. This array is
+                                        replaced during a strategic merge patch.
+                                      items:
+                                        type: string
+                                      type: array
+                                  required:
+                                  - key
+                                  - operator
+                                  type: object
+                                type: array
+                              matchFields:
+                                description: A list of node selector requirements
+                                  by node's fields.
+                                items:
+                                  description: A node selector requirement is a selector
+                                    that contains values, a key, and an operator that
+                                    relates the key and values.
+                                  properties:
+                                    key:
+                                      description: The label key that the selector
+                                        applies to.
+                                      type: string
+                                    operator:
+                                      description: Represents a key's relationship
+                                        to a set of values. Valid operators are In,
+                                        NotIn, Exists, DoesNotExist. Gt, and Lt.
+                                      type: string
+                                    values:
+                                      description: An array of string values. If the
+                                        operator is In or NotIn, the values array
+                                        must be non-empty. If the operator is Exists
+                                        or DoesNotExist, the values array must be
+                                        empty. If the operator is Gt or Lt, the values
+                                        array must have a single element, which will
+                                        be interpreted as an integer. This array is
+                                        replaced during a strategic merge patch.
+                                      items:
+                                        type: string
+                                      type: array
+                                  required:
+                                  - key
+                                  - operator
+                                  type: object
+                                type: array
+                            type: object
+                          weight:
+                            description: Weight associated with matching the corresponding
+                              nodeSelectorTerm, in the range 1-100.
+                            format: int32
+                            type: integer
+                        required:
+                        - preference
+                        - weight
+                        type: object
+                      type: array
+                    requiredDuringSchedulingIgnoredDuringExecution:
+                      description: If the affinity requirements specified by this
+                        field are not met at scheduling time, the pod will not be
+                        scheduled onto the node. If the affinity requirements specified
+                        by this field cease to be met at some point during pod execution
+                        (e.g. due to an update), the system may or may not try to
+                        eventually evict the pod from its node.
+                      properties:
+                        nodeSelectorTerms:
+                          description: Required. A list of node selector terms. The
+                            terms are ORed.
+                          items:
+                            description: A null or empty node selector term matches
+                              no objects. The requirements of them are ANDed. The
+                              TopologySelectorTerm type implements a subset of the
+                              NodeSelectorTerm.
+                            properties:
+                              matchExpressions:
+                                description: A list of node selector requirements
+                                  by node's labels.
+                                items:
+                                  description: A node selector requirement is a selector
+                                    that contains values, a key, and an operator that
+                                    relates the key and values.
+                                  properties:
+                                    key:
+                                      description: The label key that the selector
+                                        applies to.
+                                      type: string
+                                    operator:
+                                      description: Represents a key's relationship
+                                        to a set of values. Valid operators are In,
+                                        NotIn, Exists, DoesNotExist. Gt, and Lt.
+                                      type: string
+                                    values:
+                                      description: An array of string values. If the
+                                        operator is In or NotIn, the values array
+                                        must be non-empty. If the operator is Exists
+                                        or DoesNotExist, the values array must be
+                                        empty. If the operator is Gt or Lt, the values
+                                        array must have a single element, which will
+                                        be interpreted as an integer. This array is
+                                        replaced during a strategic merge patch.
+                                      items:
+                                        type: string
+                                      type: array
+                                  required:
+                                  - key
+                                  - operator
+                                  type: object
+                                type: array
+                              matchFields:
+                                description: A list of node selector requirements
+                                  by node's fields.
+                                items:
+                                  description: A node selector requirement is a selector
+                                    that contains values, a key, and an operator that
+                                    relates the key and values.
+                                  properties:
+                                    key:
+                                      description: The label key that the selector
+                                        applies to.
+                                      type: string
+                                    operator:
+                                      description: Represents a key's relationship
+                                        to a set of values. Valid operators are In,
+                                        NotIn, Exists, DoesNotExist. Gt, and Lt.
+                                      type: string
+                                    values:
+                                      description: An array of string values. If the
+                                        operator is In or NotIn, the values array
+                                        must be non-empty. If the operator is Exists
+                                        or DoesNotExist, the values array must be
+                                        empty. If the operator is Gt or Lt, the values
+                                        array must have a single element, which will
+                                        be interpreted as an integer. This array is
+                                        replaced during a strategic merge patch.
+                                      items:
+                                        type: string
+                                      type: array
+                                  required:
+                                  - key
+                                  - operator
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                      required:
+                      - nodeSelectorTerms
+                      type: object
+                  type: object
+                podAffinity:
+                  description: Describes pod affinity scheduling rules (e.g. co-locate
+                    this pod in the same node, zone, etc. as some other pod(s)).
+                  properties:
+                    preferredDuringSchedulingIgnoredDuringExecution:
+                      description: The scheduler will prefer to schedule pods to nodes
+                        that satisfy the affinity expressions specified by this field,
+                        but it may choose a node that violates one or more of the
+                        expressions. The node that is most preferred is the one with
+                        the greatest sum of weights, i.e. for each node that meets
+                        all of the scheduling requirements (resource request, requiredDuringScheduling
+                        affinity expressions, etc.), compute a sum by iterating through
+                        the elements of this field and adding "weight" to the sum
+                        if the node has pods which matches the corresponding podAffinityTerm;
+                        the node(s) with the highest sum are the most preferred.
+                      items:
+                        description: The weights of all of the matched WeightedPodAffinityTerm
+                          fields are added per-node to find the most preferred node(s)
+                        properties:
+                          podAffinityTerm:
+                            description: Required. A pod affinity term, associated
+                              with the corresponding weight.
+                            properties:
+                              labelSelector:
+                                description: A label query over a set of resources,
+                                  in this case pods.
+                                properties:
+                                  matchExpressions:
+                                    description: matchExpressions is a list of label
+                                      selector requirements. The requirements are
+                                      ANDed.
+                                    items:
+                                      description: A label selector requirement is
+                                        a selector that contains values, a key, and
+                                        an operator that relates the key and values.
+                                      properties:
+                                        key:
+                                          description: key is the label key that the
+                                            selector applies to.
+                                          type: string
+                                        operator:
+                                          description: operator represents a key's
+                                            relationship to a set of values. Valid
+                                            operators are In, NotIn, Exists and DoesNotExist.
+                                          type: string
+                                        values:
+                                          description: values is an array of string
+                                            values. If the operator is In or NotIn,
+                                            the values array must be non-empty. If
+                                            the operator is Exists or DoesNotExist,
+                                            the values array must be empty. This array
+                                            is replaced during a strategic merge patch.
+                                          items:
+                                            type: string
+                                          type: array
+                                      required:
+                                      - key
+                                      - operator
+                                      type: object
+                                    type: array
+                                  matchLabels:
+                                    additionalProperties:
+                                      type: string
+                                    description: matchLabels is a map of {key,value}
+                                      pairs. A single {key,value} in the matchLabels
+                                      map is equivalent to an element of matchExpressions,
+                                      whose key field is "key", the operator is "In",
+                                      and the values array contains only "value".
+                                      The requirements are ANDed.
+                                    type: object
+                                type: object
+                              namespaces:
+                                description: namespaces specifies which namespaces
+                                  the labelSelector applies to (matches against);
+                                  null or empty list means "this pod's namespace"
+                                items:
+                                  type: string
+                                type: array
+                              topologyKey:
+                                description: This pod should be co-located (affinity)
+                                  or not co-located (anti-affinity) with the pods
+                                  matching the labelSelector in the specified namespaces,
+                                  where co-located is defined as running on a node
+                                  whose value of the label with key topologyKey matches
+                                  that of any node on which any of the selected pods
+                                  is running. Empty topologyKey is not allowed.
+                                type: string
+                            required:
+                            - topologyKey
+                            type: object
+                          weight:
+                            description: weight associated with matching the corresponding
+                              podAffinityTerm, in the range 1-100.
+                            format: int32
+                            type: integer
+                        required:
+                        - podAffinityTerm
+                        - weight
+                        type: object
+                      type: array
+                    requiredDuringSchedulingIgnoredDuringExecution:
+                      description: If the affinity requirements specified by this
+                        field are not met at scheduling time, the pod will not be
+                        scheduled onto the node. If the affinity requirements specified
+                        by this field cease to be met at some point during pod execution
+                        (e.g. due to a pod label update), the system may or may not
+                        try to eventually evict the pod from its node. When there
+                        are multiple elements, the lists of nodes corresponding to
+                        each podAffinityTerm are intersected, i.e. all terms must
+                        be satisfied.
+                      items:
+                        description: Defines a set of pods (namely those matching
+                          the labelSelector relative to the given namespace(s)) that
+                          this pod should be co-located (affinity) or not co-located
+                          (anti-affinity) with, where co-located is defined as running
+                          on a node whose value of the label with key <topologyKey>
+                          matches that of any node on which a pod of the set of pods
+                          is running
+                        properties:
+                          labelSelector:
+                            description: A label query over a set of resources, in
+                              this case pods.
+                            properties:
+                              matchExpressions:
+                                description: matchExpressions is a list of label selector
+                                  requirements. The requirements are ANDed.
+                                items:
+                                  description: A label selector requirement is a selector
+                                    that contains values, a key, and an operator that
+                                    relates the key and values.
+                                  properties:
+                                    key:
+                                      description: key is the label key that the selector
+                                        applies to.
+                                      type: string
+                                    operator:
+                                      description: operator represents a key's relationship
+                                        to a set of values. Valid operators are In,
+                                        NotIn, Exists and DoesNotExist.
+                                      type: string
+                                    values:
+                                      description: values is an array of string values.
+                                        If the operator is In or NotIn, the values
+                                        array must be non-empty. If the operator is
+                                        Exists or DoesNotExist, the values array must
+                                        be empty. This array is replaced during a
+                                        strategic merge patch.
+                                      items:
+                                        type: string
+                                      type: array
+                                  required:
+                                  - key
+                                  - operator
+                                  type: object
+                                type: array
+                              matchLabels:
+                                additionalProperties:
+                                  type: string
+                                description: matchLabels is a map of {key,value} pairs.
+                                  A single {key,value} in the matchLabels map is equivalent
+                                  to an element of matchExpressions, whose key field
+                                  is "key", the operator is "In", and the values array
+                                  contains only "value". The requirements are ANDed.
+                                type: object
+                            type: object
+                          namespaces:
+                            description: namespaces specifies which namespaces the
+                              labelSelector applies to (matches against); null or
+                              empty list means "this pod's namespace"
+                            items:
+                              type: string
+                            type: array
+                          topologyKey:
+                            description: This pod should be co-located (affinity)
+                              or not co-located (anti-affinity) with the pods matching
+                              the labelSelector in the specified namespaces, where
+                              co-located is defined as running on a node whose value
+                              of the label with key topologyKey matches that of any
+                              node on which any of the selected pods is running. Empty
+                              topologyKey is not allowed.
+                            type: string
+                        required:
+                        - topologyKey
+                        type: object
+                      type: array
+                  type: object
+                podAntiAffinity:
+                  description: Describes pod anti-affinity scheduling rules (e.g.
+                    avoid putting this pod in the same node, zone, etc. as some other
+                    pod(s)).
+                  properties:
+                    preferredDuringSchedulingIgnoredDuringExecution:
+                      description: The scheduler will prefer to schedule pods to nodes
+                        that satisfy the anti-affinity expressions specified by this
+                        field, but it may choose a node that violates one or more
+                        of the expressions. The node that is most preferred is the
+                        one with the greatest sum of weights, i.e. for each node that
+                        meets all of the scheduling requirements (resource request,
+                        requiredDuringScheduling anti-affinity expressions, etc.),
+                        compute a sum by iterating through the elements of this field
+                        and adding "weight" to the sum if the node has pods which
+                        matches the corresponding podAffinityTerm; the node(s) with
+                        the highest sum are the most preferred.
+                      items:
+                        description: The weights of all of the matched WeightedPodAffinityTerm
+                          fields are added per-node to find the most preferred node(s)
+                        properties:
+                          podAffinityTerm:
+                            description: Required. A pod affinity term, associated
+                              with the corresponding weight.
+                            properties:
+                              labelSelector:
+                                description: A label query over a set of resources,
+                                  in this case pods.
+                                properties:
+                                  matchExpressions:
+                                    description: matchExpressions is a list of label
+                                      selector requirements. The requirements are
+                                      ANDed.
+                                    items:
+                                      description: A label selector requirement is
+                                        a selector that contains values, a key, and
+                                        an operator that relates the key and values.
+                                      properties:
+                                        key:
+                                          description: key is the label key that the
+                                            selector applies to.
+                                          type: string
+                                        operator:
+                                          description: operator represents a key's
+                                            relationship to a set of values. Valid
+                                            operators are In, NotIn, Exists and DoesNotExist.
+                                          type: string
+                                        values:
+                                          description: values is an array of string
+                                            values. If the operator is In or NotIn,
+                                            the values array must be non-empty. If
+                                            the operator is Exists or DoesNotExist,
+                                            the values array must be empty. This array
+                                            is replaced during a strategic merge patch.
+                                          items:
+                                            type: string
+                                          type: array
+                                      required:
+                                      - key
+                                      - operator
+                                      type: object
+                                    type: array
+                                  matchLabels:
+                                    additionalProperties:
+                                      type: string
+                                    description: matchLabels is a map of {key,value}
+                                      pairs. A single {key,value} in the matchLabels
+                                      map is equivalent to an element of matchExpressions,
+                                      whose key field is "key", the operator is "In",
+                                      and the values array contains only "value".
+                                      The requirements are ANDed.
+                                    type: object
+                                type: object
+                              namespaces:
+                                description: namespaces specifies which namespaces
+                                  the labelSelector applies to (matches against);
+                                  null or empty list means "this pod's namespace"
+                                items:
+                                  type: string
+                                type: array
+                              topologyKey:
+                                description: This pod should be co-located (affinity)
+                                  or not co-located (anti-affinity) with the pods
+                                  matching the labelSelector in the specified namespaces,
+                                  where co-located is defined as running on a node
+                                  whose value of the label with key topologyKey matches
+                                  that of any node on which any of the selected pods
+                                  is running. Empty topologyKey is not allowed.
+                                type: string
+                            required:
+                            - topologyKey
+                            type: object
+                          weight:
+                            description: weight associated with matching the corresponding
+                              podAffinityTerm, in the range 1-100.
+                            format: int32
+                            type: integer
+                        required:
+                        - podAffinityTerm
+                        - weight
+                        type: object
+                      type: array
+                    requiredDuringSchedulingIgnoredDuringExecution:
+                      description: If the anti-affinity requirements specified by
+                        this field are not met at scheduling time, the pod will not
+                        be scheduled onto the node. If the anti-affinity requirements
+                        specified by this field cease to be met at some point during
+                        pod execution (e.g. due to a pod label update), the system
+                        may or may not try to eventually evict the pod from its node.
+                        When there are multiple elements, the lists of nodes corresponding
+                        to each podAffinityTerm are intersected, i.e. all terms must
+                        be satisfied.
+                      items:
+                        description: Defines a set of pods (namely those matching
+                          the labelSelector relative to the given namespace(s)) that
+                          this pod should be co-located (affinity) or not co-located
+                          (anti-affinity) with, where co-located is defined as running
+                          on a node whose value of the label with key <topologyKey>
+                          matches that of any node on which a pod of the set of pods
+                          is running
+                        properties:
+                          labelSelector:
+                            description: A label query over a set of resources, in
+                              this case pods.
+                            properties:
+                              matchExpressions:
+                                description: matchExpressions is a list of label selector
+                                  requirements. The requirements are ANDed.
+                                items:
+                                  description: A label selector requirement is a selector
+                                    that contains values, a key, and an operator that
+                                    relates the key and values.
+                                  properties:
+                                    key:
+                                      description: key is the label key that the selector
+                                        applies to.
+                                      type: string
+                                    operator:
+                                      description: operator represents a key's relationship
+                                        to a set of values. Valid operators are In,
+                                        NotIn, Exists and DoesNotExist.
+                                      type: string
+                                    values:
+                                      description: values is an array of string values.
+                                        If the operator is In or NotIn, the values
+                                        array must be non-empty. If the operator is
+                                        Exists or DoesNotExist, the values array must
+                                        be empty. This array is replaced during a
+                                        strategic merge patch.
+                                      items:
+                                        type: string
+                                      type: array
+                                  required:
+                                  - key
+                                  - operator
+                                  type: object
+                                type: array
+                              matchLabels:
+                                additionalProperties:
+                                  type: string
+                                description: matchLabels is a map of {key,value} pairs.
+                                  A single {key,value} in the matchLabels map is equivalent
+                                  to an element of matchExpressions, whose key field
+                                  is "key", the operator is "In", and the values array
+                                  contains only "value". The requirements are ANDed.
+                                type: object
+                            type: object
+                          namespaces:
+                            description: namespaces specifies which namespaces the
+                              labelSelector applies to (matches against); null or
+                              empty list means "this pod's namespace"
+                            items:
+                              type: string
+                            type: array
+                          topologyKey:
+                            description: This pod should be co-located (affinity)
+                              or not co-located (anti-affinity) with the pods matching
+                              the labelSelector in the specified namespaces, where
+                              co-located is defined as running on a node whose value
+                              of the label with key topologyKey matches that of any
+                              node on which any of the selected pods is running. Empty
+                              topologyKey is not allowed.
+                            type: string
+                        required:
+                        - topologyKey
+                        type: object
+                      type: array
+                  type: object
+              type: object
+            args:
+              description: Arguments to the entrypoint.. It will be appended to the
+                args and replace the default value.
+              items:
+                type: string
+              type: array
+            auditLevel:
+              description: 'The Level that all requests are recorded at. available
+                options: None, Metadata, Request, RequestResponse default: Metadata'
+              type: string
+            auditSinkPolicy:
+              description: AuditSinkPolicy is a rule selector, only the rule matched
+                this selector will be taked effect.
+              properties:
+                alertingRuleSelector:
+                  description: A label selector is a label query over a set of resources.
+                    The result of matchLabels and matchExpressions are ANDed. An empty
+                    label selector matches all objects. A null label selector matches
+                    no objects.
+                  properties:
+                    matchExpressions:
+                      description: matchExpressions is a list of label selector requirements.
+                        The requirements are ANDed.
+                      items:
+                        description: A label selector requirement is a selector that
+                          contains values, a key, and an operator that relates the
+                          key and values.
+                        properties:
+                          key:
+                            description: key is the label key that the selector applies
+                              to.
+                            type: string
+                          operator:
+                            description: operator represents a key's relationship
+                              to a set of values. Valid operators are In, NotIn, Exists
+                              and DoesNotExist.
+                            type: string
+                          values:
+                            description: values is an array of string values. If the
+                              operator is In or NotIn, the values array must be non-empty.
+                              If the operator is Exists or DoesNotExist, the values
+                              array must be empty. This array is replaced during a
+                              strategic merge patch.
+                            items:
+                              type: string
+                            type: array
+                        required:
+                        - key
+                        - operator
+                        type: object
+                      type: array
+                    matchLabels:
+                      additionalProperties:
+                        type: string
+                      description: matchLabels is a map of {key,value} pairs. A single
+                        {key,value} in the matchLabels map is equivalent to an element
+                        of matchExpressions, whose key field is "key", the operator
+                        is "In", and the values array contains only "value". The requirements
+                        are ANDed.
+                      type: object
+                  type: object
+                archivingRuleSelector:
+                  description: A label selector is a label query over a set of resources.
+                    The result of matchLabels and matchExpressions are ANDed. An empty
+                    label selector matches all objects. A null label selector matches
+                    no objects.
+                  properties:
+                    matchExpressions:
+                      description: matchExpressions is a list of label selector requirements.
+                        The requirements are ANDed.
+                      items:
+                        description: A label selector requirement is a selector that
+                          contains values, a key, and an operator that relates the
+                          key and values.
+                        properties:
+                          key:
+                            description: key is the label key that the selector applies
+                              to.
+                            type: string
+                          operator:
+                            description: operator represents a key's relationship
+                              to a set of values. Valid operators are In, NotIn, Exists
+                              and DoesNotExist.
+                            type: string
+                          values:
+                            description: values is an array of string values. If the
+                              operator is In or NotIn, the values array must be non-empty.
+                              If the operator is Exists or DoesNotExist, the values
+                              array must be empty. This array is replaced during a
+                              strategic merge patch.
+                            items:
+                              type: string
+                            type: array
+                        required:
+                        - key
+                        - operator
+                        type: object
+                      type: array
+                    matchLabels:
+                      additionalProperties:
+                        type: string
+                      description: matchLabels is a map of {key,value} pairs. A single
+                        {key,value} in the matchLabels map is equivalent to an element
+                        of matchExpressions, whose key field is "key", the operator
+                        is "In", and the values array contains only "value". The requirements
+                        are ANDed.
+                      type: object
+                  type: object
+              type: object
+            auditType:
+              description: Audit type, static or dynamic.
+              type: string
+            image:
+              description: The webhook docker image name.
+              type: string
+            imagePullPolicy:
+              description: 'Image pull policy. One of Always, Never, IfNotPresent.
+                Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
+                Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images'
+              type: string
+            imagePullSecrets:
+              description: 'ImagePullSecrets is an optional list of references to
+                secrets in the same namespace to use for pulling any of the images
+                used by this PodSpec. If specified, these secrets will be passed to
+                individual puller implementations for them to use. For example, in
+                the case of docker, only DockerConfig type secrets are honored. More
+                info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod'
+              items:
+                description: LocalObjectReference contains enough information to let
+                  you locate the referenced object inside the same namespace.
+                properties:
+                  name:
+                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                      TODO: Add other useful fields. apiVersion, kind, uid?'
+                    type: string
+                type: object
+              type: array
+            k8sAuditingEnabled:
+              description: K8s auditing is enabled or not.
+              type: boolean
+            nodeSelector:
+              additionalProperties:
+                type: string
+              description: 'NodeSelector is a selector which must be true for the
+                pod to fit on a node. Selector which must match a node''s labels for
+                the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
+              type: object
+            priority:
+              description: Rule priority, DEBUG < INFO < WARNING Audit events will
+                be stored only when the priority of the audit rule matching the audit
+                event is greater than this.
+              type: string
+            receivers:
+              description: ' Receiver contains the information to make a connection
+                with the alertmanager'
+              items:
+                description: Receiver config which received the audit alert
+                properties:
+                  config:
+                    description: ClientConfig holds the connection parameters for
+                      the webhook
+                    properties:
+                      caBundle:
+                        description: '`caBundle` is a PEM encoded CA bundle which
+                          will be used to validate the webhook''s server certificate.
+                          If unspecified, system trust roots on the apiserver are
+                          used.'
+                        format: byte
+                        type: string
+                      service:
+                        description: "`service` is a reference to the service for
+                          this webhook. Either `service` or `url` must be specified.
+                          \n If the webhook is running within the cluster, then you
+                          should use `service`."
+                        properties:
+                          name:
+                            description: '`name` is the name of the service. Required'
+                            type: string
+                          namespace:
+                            description: '`namespace` is the namespace of the service.
+                              Required'
+                            type: string
+                          path:
+                            description: '`path` is an optional URL path which will
+                              be sent in any request to this service.'
+                            type: string
+                          port:
+                            description: If specified, the port on the service that
+                              hosting webhook. Default to 443 for backward compatibility.
+                              `port` should be a valid port number (1-65535, inclusive).
+                            format: int32
+                            type: integer
+                        required:
+                        - name
+                        - namespace
+                        type: object
+                      url:
+                        description: "`url` gives the location of the webhook, in
+                          standard URL form (`scheme://host:port/path`). Exactly one
+                          of `url` or `service` must be specified. \n The `host` should
+                          not refer to a service running in the cluster; use the `service`
+                          field instead. The host might be resolved via external DNS
+                          in some apiservers (e.g., `kube-apiserver` cannot resolve
+                          in-cluster DNS as that would be a layering violation). `host`
+                          may also be an IP address. \n Please note that using `localhost`
+                          or `127.0.0.1` as a `host` is risky unless you take great
+                          care to run this webhook on all hosts which run an apiserver
+                          which might need to make calls to this webhook. Such installs
+                          are likely to be non-portable, i.e., not easy to turn up
+                          in a new cluster. \n The scheme must be \"https\"; the URL
+                          must begin with \"https://\". \n A path is optional, and
+                          if present may be any string permissible in a URL. You may
+                          use the path to pass an arbitrary string to the webhook,
+                          for example, a cluster identifier. \n Attempting to use
+                          a user or basic auth e.g. \"user:password@\" is not allowed.
+                          Fragments (\"#...\") and query parameters (\"?...\") are
+                          not allowed, either."
+                        type: string
+                    type: object
+                  name:
+                    description: Receiver name
+                    type: string
+                  type:
+                    description: Receiver type, alertmanager or webhook
+                    type: string
+                type: object
+              type: array
+            replicas:
+              description: Number of desired pods. This is a pointer to distinguish
+                between explicit zero and not specified. Defaults to 1.
+              format: int32
+              type: integer
+            resources:
+              description: 'Compute Resources required by this container. Cannot be
+                updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
+              properties:
+                limits:
+                  additionalProperties:
+                    type: string
+                  description: 'Limits describes the maximum amount of compute resources
+                    allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
+                  type: object
+                requests:
+                  additionalProperties:
+                    type: string
+                  description: 'Requests describes the minimum amount of compute resources
+                    required. If Requests is omitted for a container, it defaults
+                    to Limits if that is explicitly specified, otherwise to an implementation-defined
+                    value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
+                  type: object
+              type: object
+            tolerations:
+              description: If specified, the pod's tolerations.
+              items:
+                description: The pod this Toleration is attached to tolerates any
+                  taint that matches the triple <key,value,effect> using the matching
+                  operator <operator>.
+                properties:
+                  effect:
+                    description: Effect indicates the taint effect to match. Empty
+                      means match all taint effects. When specified, allowed values
+                      are NoSchedule, PreferNoSchedule and NoExecute.
+                    type: string
+                  key:
+                    description: Key is the taint key that the toleration applies
+                      to. Empty means match all taint keys. If the key is empty, operator
+                      must be Exists; this combination means to match all values and
+                      all keys.
+                    type: string
+                  operator:
+                    description: Operator represents a key's relationship to the value.
+                      Valid operators are Exists and Equal. Defaults to Equal. Exists
+                      is equivalent to wildcard for value, so that a pod can tolerate
+                      all taints of a particular category.
+                    type: string
+                  tolerationSeconds:
+                    description: TolerationSeconds represents the period of time the
+                      toleration (which must be of effect NoExecute, otherwise this
+                      field is ignored) tolerates the taint. By default, it is not
+                      set, which means tolerate the taint forever (do not evict).
+                      Zero and negative values will be treated as 0 (evict immediately)
+                      by the system.
+                    format: int64
+                    type: integer
+                  value:
+                    description: Value is the taint value the toleration matches to.
+                      If the operator is Exists, the value should be empty, otherwise
+                      just a regular string.
+                    type: string
+                type: object
+              type: array
+          type: object
+        status:
+          description: WebhookStatus defines the observed state of Webhook
+          type: object
+      type: object
+  version: v1alpha1
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/cluster.kubesphere.io_clusters.yaml

@@ -0,0 +1,173 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: clusters.cluster.kubesphere.io
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .spec.joinFederation
+    name: Federated
+    type: boolean
+  - JSONPath: .spec.provider
+    name: Provider
+    type: string
+  - JSONPath: .spec.enable
+    name: Active
+    type: boolean
+  - JSONPath: .status.kubernetesVersion
+    name: Version
+    type: string
+  group: cluster.kubesphere.io
+  names:
+    kind: Cluster
+    listKind: ClusterList
+    plural: clusters
+    singular: cluster
+  scope: Cluster
+  subresources: {}
+  validation:
+    openAPIV3Schema:
+      description: Cluster is the schema for the clusters API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          properties:
+            connection:
+              description: Connection holds info to connect to the member cluster
+              properties:
+                kubeconfig:
+                  description: KubeConfig content used to connect to cluster api server
+                    Should provide this field explicitly if connection type is direct.
+                    Will be populated by ks-proxy if connection type is proxy.
+                  format: byte
+                  type: string
+                kubernetesAPIEndpoint:
+                  description: 'Kubernetes API Server endpoint. Example: https://10.10.0.1:6443
+                    Should provide this field explicitly if connection type is direct.
+                    Will be populated by ks-apiserver if connection type is proxy.'
+                  type: string
+                kubernetesAPIServerPort:
+                  description: KubeAPIServerPort is the port which listens for forwarding
+                    kube-apiserver traffic Only applicable when connection type is
+                    proxy.
+                  type: integer
+                kubesphereAPIEndpoint:
+                  description: 'KubeSphere API Server endpoint. Example: http://10.10.0.11:8080
+                    Should provide this field explicitly if connection type is direct.
+                    Will be populated by ks-apiserver if connection type is proxy.'
+                  type: string
+                kubesphereAPIServerPort:
+                  description: KubeSphereAPIServerPort is the port which listens for
+                    forwarding kubesphere apigateway traffic Only applicable when
+                    connection type is proxy.
+                  type: integer
+                token:
+                  description: Token used by agents of member cluster to connect to
+                    host cluster proxy. This field is populated by apiserver only
+                    if connection type is proxy.
+                  type: string
+                type:
+                  description: type defines how host cluster will connect to host
+                    cluster ConnectionTypeDirect means direct connection, this requires   kubeconfig
+                    and kubesphere apiserver endpoint provided ConnectionTypeProxy
+                    means using kubesphere proxy, no kubeconfig   or kubesphere apiserver
+                    endpoint required
+                  type: string
+              type: object
+            enable:
+              description: Desired state of the cluster
+              type: boolean
+            joinFederation:
+              description: Join cluster as a kubefed cluster
+              type: boolean
+            provider:
+              description: Provider of the cluster, this field is just for description
+              type: string
+          type: object
+        status:
+          properties:
+            conditions:
+              description: Represents the latest available observations of a cluster's
+                current state.
+              items:
+                properties:
+                  lastTransitionTime:
+                    description: Last time the condition transitioned from one status
+                      to another.
+                    format: date-time
+                    type: string
+                  lastUpdateTime:
+                    description: The last time this condition was updated.
+                    format: date-time
+                    type: string
+                  message:
+                    description: A human readable message indicating details about
+                      the transition.
+                    type: string
+                  reason:
+                    description: The reason for the condition's last transition.
+                    type: string
+                  status:
+                    description: Status of the condition, one of True, False, Unknown.
+                    type: string
+                  type:
+                    description: Type of the condition
+                    type: string
+                required:
+                - status
+                - type
+                type: object
+              type: array
+            configz:
+              additionalProperties:
+                type: boolean
+              description: Configz is status of components enabled in the member cluster.
+                This is synchronized with member cluster every amount of time, like
+                5 minutes.
+              type: object
+            kubernetesVersion:
+              description: GitVersion of the kubernetes cluster, this field is populated
+                by cluster controller
+              type: string
+            nodeCount:
+              description: Count of the kubernetes cluster nodes This field may not
+                reflect the instant status of the cluster.
+              type: integer
+            region:
+              description: Region is the name of the region in which all of the nodes
+                in the cluster exist.  e.g. 'us-east1'.
+              type: string
+            zones:
+              description: Zones are the names of availability zones in which the
+                nodes of the cluster exist, e.g. 'us-east1-a'.
+              items:
+                type: string
+              type: array
+          type: object
+      type: object
+  version: v1alpha1
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/devops.kubesphere.io_devopsprojects.yaml

@@ -0,0 +1,59 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: devopsprojects.devops.kubesphere.io
+spec:
+  group: devops.kubesphere.io
+  names:
+    categories:
+    - devops
+    kind: DevOpsProject
+    listKind: DevOpsProjectList
+    plural: devopsprojects
+    singular: devopsproject
+  scope: Cluster
+  validation:
+    openAPIV3Schema:
+      description: DevOpsProject is the Schema for the devopsprojects API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: DevOpsProjectSpec defines the desired state of DevOpsProject
+          type: object
+        status:
+          description: DevOpsProjectStatus defines the observed state of DevOpsProject
+          properties:
+            adminNamespace:
+              description: 'INSERT ADDITIONAL STATUS FIELD - define observed state
+                of cluster Important: Run "make" to regenerate code after modifying
+                this file'
+              type: string
+          type: object
+      type: object
+  version: v1alpha3
+  versions:
+  - name: v1alpha3
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/devops.kubesphere.io_pipelines.yaml

@@ -0,0 +1,260 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: pipelines.devops.kubesphere.io
+spec:
+  group: devops.kubesphere.io
+  names:
+    kind: Pipeline
+    listKind: PipelineList
+    plural: pipelines
+    singular: pipeline
+  scope: Namespaced
+  validation:
+    openAPIV3Schema:
+      description: Pipeline is the Schema for the pipelines API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: PipelineSpec defines the desired state of Pipeline
+          properties:
+            multi_branch_pipeline:
+              properties:
+                bitbucket_server_source:
+                  properties:
+                    api_uri:
+                      type: string
+                    credential_id:
+                      type: string
+                    discover_branches:
+                      type: integer
+                    discover_pr_from_forks:
+                      properties:
+                        strategy:
+                          type: integer
+                        trust:
+                          type: integer
+                      type: object
+                    discover_pr_from_origin:
+                      type: integer
+                    git_clone_option:
+                      properties:
+                        depth:
+                          type: integer
+                        shallow:
+                          type: boolean
+                        timeout:
+                          type: integer
+                      type: object
+                    owner:
+                      type: string
+                    regex_filter:
+                      type: string
+                    repo:
+                      type: string
+                    scm_id:
+                      type: string
+                  type: object
+                description:
+                  type: string
+                discarder:
+                  properties:
+                    days_to_keep:
+                      type: string
+                    num_to_keep:
+                      type: string
+                  type: object
+                git_source:
+                  properties:
+                    credential_id:
+                      type: string
+                    discover_branches:
+                      type: boolean
+                    git_clone_option:
+                      properties:
+                        depth:
+                          type: integer
+                        shallow:
+                          type: boolean
+                        timeout:
+                          type: integer
+                      type: object
+                    regex_filter:
+                      type: string
+                    scm_id:
+                      type: string
+                    url:
+                      type: string
+                  type: object
+                github_source:
+                  properties:
+                    api_uri:
+                      type: string
+                    credential_id:
+                      type: string
+                    discover_branches:
+                      type: integer
+                    discover_pr_from_forks:
+                      properties:
+                        strategy:
+                          type: integer
+                        trust:
+                          type: integer
+                      type: object
+                    discover_pr_from_origin:
+                      type: integer
+                    git_clone_option:
+                      properties:
+                        depth:
+                          type: integer
+                        shallow:
+                          type: boolean
+                        timeout:
+                          type: integer
+                      type: object
+                    owner:
+                      type: string
+                    regex_filter:
+                      type: string
+                    repo:
+                      type: string
+                    scm_id:
+                      type: string
+                  type: object
+                multibranch_job_trigger:
+                  properties:
+                    create_action_job_to_trigger:
+                      type: string
+                    delete_action_job_to_trigger:
+                      type: string
+                  type: object
+                name:
+                  type: string
+                script_path:
+                  type: string
+                single_svn_source:
+                  properties:
+                    credential_id:
+                      type: string
+                    remote:
+                      type: string
+                    scm_id:
+                      type: string
+                  type: object
+                source_type:
+                  type: string
+                svn_source:
+                  properties:
+                    credential_id:
+                      type: string
+                    excludes:
+                      type: string
+                    includes:
+                      type: string
+                    remote:
+                      type: string
+                    scm_id:
+                      type: string
+                  type: object
+                timer_trigger:
+                  properties:
+                    cron:
+                      description: user in no scm job
+                      type: string
+                    interval:
+                      description: use in multi-branch job
+                      type: string
+                  type: object
+              required:
+              - name
+              - script_path
+              - source_type
+              type: object
+            pipeline:
+              properties:
+                description:
+                  type: string
+                disable_concurrent:
+                  type: boolean
+                discarder:
+                  properties:
+                    days_to_keep:
+                      type: string
+                    num_to_keep:
+                      type: string
+                  type: object
+                jenkinsfile:
+                  type: string
+                name:
+                  type: string
+                parameters:
+                  items:
+                    properties:
+                      default_value:
+                        type: string
+                      description:
+                        type: string
+                      name:
+                        type: string
+                      type:
+                        type: string
+                    required:
+                    - name
+                    - type
+                    type: object
+                  type: array
+                remote_trigger:
+                  properties:
+                    token:
+                      type: string
+                  type: object
+                timer_trigger:
+                  properties:
+                    cron:
+                      description: user in no scm job
+                      type: string
+                    interval:
+                      description: use in multi-branch job
+                      type: string
+                  type: object
+              required:
+              - name
+              type: object
+            type:
+              description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
+                Important: Run "make" to regenerate code after modifying this file'
+              type: string
+          required:
+          - type
+          type: object
+        status:
+          description: PipelineStatus defines the observed state of Pipeline
+          type: object
+      type: object
+  version: v1alpha3
+  versions:
+  - name: v1alpha3
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/devops.kubesphere.io_s2ibinaries.yaml

@@ -0,0 +1,86 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: s2ibinaries.devops.kubesphere.io
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .spec.fileName
+    name: FileName
+    type: string
+  - JSONPath: .spec.md5
+    name: MD5
+    type: string
+  - JSONPath: .spec.size
+    name: Size
+    type: string
+  - JSONPath: .status.phase
+    name: Phase
+    type: string
+  group: devops.kubesphere.io
+  names:
+    kind: S2iBinary
+    listKind: S2iBinaryList
+    plural: s2ibinaries
+    singular: s2ibinary
+  scope: Namespaced
+  subresources: {}
+  validation:
+    openAPIV3Schema:
+      description: S2iBinary is the Schema for the s2ibinaries API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: S2iBinarySpec defines the desired state of S2iBinary
+          properties:
+            downloadURL:
+              description: DownloadURL in KubeSphere
+              type: string
+            fileName:
+              description: FileName is filename of binary
+              type: string
+            md5:
+              description: MD5 is Binary's MD5 Hash
+              type: string
+            size:
+              description: Size is the file size of file
+              type: string
+            uploadTimeStamp:
+              description: UploadTime is last upload time
+              format: date-time
+              type: string
+          type: object
+        status:
+          description: S2iBinaryStatus defines the observed state of S2iBinary
+          properties:
+            phase:
+              description: Phase is status of S2iBinary . Possible value is "Ready","UnableToDownload"
+              type: string
+          type: object
+      type: object
+  version: v1alpha1
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/devops.kubesphere.io_s2ibuilders.yaml

@@ -0,0 +1,578 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: s2ibuilders.devops.kubesphere.io
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .status.runCount
+    name: RunCount
+    type: integer
+  - JSONPath: .status.lastRunState
+    name: LastRunState
+    type: string
+  - JSONPath: .status.lastRunName
+    name: LastRunName
+    type: string
+  - JSONPath: .status.lastRunStartTime
+    name: LastRunStartTime
+    type: date
+  group: devops.kubesphere.io
+  names:
+    kind: S2iBuilder
+    listKind: S2iBuilderList
+    plural: s2ibuilders
+    shortNames:
+    - s2ib
+    singular: s2ibuilder
+  scope: Namespaced
+  subresources:
+    status: {}
+  validation:
+    openAPIV3Schema:
+      description: S2iBuilder is the Schema for the s2ibuilders API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: S2iBuilderSpec defines the desired state of S2iBuilder
+          properties:
+            config:
+              description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
+                Important: Run "make" to regenerate code after modifying this file'
+              properties:
+                addHost:
+                  description: AddHost Add a line to /etc/hosts for test purpose or
+                    private use in LAN. Its format is host:IP,muliple hosts can be
+                    added  by using multiple --add-host
+                  items:
+                    type: string
+                  type: array
+                asDockerfile:
+                  description: AsDockerfile indicates the path where the Dockerfile
+                    should be written instead of building a new image.
+                  type: string
+                assembleUser:
+                  description: AssembleUser specifies the user to run the assemble
+                    script in container
+                  type: string
+                blockOnBuild:
+                  description: BlockOnBuild prevents s2i from performing a docker
+                    build operation if one is necessary to execute ONBUILD commands,
+                    or to layer source code into the container for images that don't
+                    have a tar binary available, if the image contains ONBUILD commands
+                    that would be executed.
+                  type: boolean
+                branchExpression:
+                  description: Regular expressions, ignoring names that do not match
+                    the provided regular expression
+                  type: string
+                buildVolumes:
+                  description: BuildVolumes specifies a list of volumes to mount to
+                    container running the build.
+                  items:
+                    type: string
+                  type: array
+                builderBaseImageVersion:
+                  description: BuilderBaseImageVersion provides optional version information
+                    about the builder base image.
+                  type: string
+                builderImage:
+                  description: BuilderImage describes which image is used for building
+                    the result images.
+                  type: string
+                builderImageVersion:
+                  description: BuilderImageVersion provides optional version information
+                    about the builder image.
+                  type: string
+                builderPullPolicy:
+                  description: BuilderPullPolicy specifies when to pull the builder
+                    image
+                  type: string
+                callbackUrl:
+                  description: CallbackURL is a URL which is called upon successful
+                    build to inform about that fact.
+                  type: string
+                cgroupLimits:
+                  description: CGroupLimits describes the cgroups limits that will
+                    be applied to any containers run by s2i.
+                  properties:
+                    cpuPeriod:
+                      format: int64
+                      type: integer
+                    cpuQuota:
+                      format: int64
+                      type: integer
+                    cpuShares:
+                      format: int64
+                      type: integer
+                    memoryLimitBytes:
+                      format: int64
+                      type: integer
+                    memorySwap:
+                      format: int64
+                      type: integer
+                    parent:
+                      type: string
+                  required:
+                  - cpuPeriod
+                  - cpuQuota
+                  - cpuShares
+                  - memoryLimitBytes
+                  - memorySwap
+                  - parent
+                  type: object
+                contextDir:
+                  description: Specify a relative directory inside the application
+                    repository that should be used as a root directory for the application.
+                  type: string
+                description:
+                  description: Description is a result image description label. The
+                    default is no description.
+                  type: string
+                destination:
+                  description: Destination specifies a location where the untar operation
+                    will place its artifacts.
+                  type: string
+                displayName:
+                  description: DisplayName is a result image display-name label. This
+                    defaults to the output image name.
+                  type: string
+                dockerConfig:
+                  description: DockerConfig describes how to access host docker daemon.
+                  properties:
+                    caFile:
+                      description: CAFile is the certificate authority file path for
+                        a TLS connection
+                      type: string
+                    certFile:
+                      description: CertFile is the certificate file path for a TLS
+                        connection
+                      type: string
+                    endPoint:
+                      description: Endpoint is the docker network endpoint or socket
+                      type: string
+                    keyFile:
+                      description: KeyFile is the key file path for a TLS connection
+                      type: string
+                    tlsVerify:
+                      description: TLSVerify indicates if TLS peer must be verified
+                      type: boolean
+                    useTLS:
+                      description: UseTLS indicates if TLS must be used
+                      type: boolean
+                  required:
+                  - caFile
+                  - certFile
+                  - endPoint
+                  - keyFile
+                  - tlsVerify
+                  - useTLS
+                  type: object
+                dockerNetworkMode:
+                  description: DockerNetworkMode is used to set the docker network
+                    setting to --net=container:<id> when the builder is invoked from
+                    a container.
+                  type: string
+                dropCapabilities:
+                  description: DropCapabilities contains a list of capabilities to
+                    drop when executing containers
+                  items:
+                    type: string
+                  type: array
+                environment:
+                  description: Environment is a map of environment variables to be
+                    passed to the image.
+                  items:
+                    description: EnvironmentSpec specifies a single environment variable.
+                    properties:
+                      name:
+                        type: string
+                      value:
+                        type: string
+                    required:
+                    - name
+                    - value
+                    type: object
+                  type: array
+                excludeRegExp:
+                  description: ExcludeRegExp contains a string representation of the
+                    regular expression desired for deciding which files to exclude
+                    from the tar stream
+                  type: string
+                export:
+                  description: Export Push the result image to specify image registry
+                    in tag
+                  type: boolean
+                gitSecretRef:
+                  description: GitSecretRef is the BasicAuth Secret of Git Clone
+                  properties:
+                    name:
+                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        TODO: Add other useful fields. apiVersion, kind, uid?'
+                      type: string
+                  type: object
+                hasOnBuild:
+                  description: HasOnBuild will be set to true if the builder image
+                    contains ONBUILD instructions
+                  type: boolean
+                imageName:
+                  description: ImageName Contains the registry address and reponame,
+                    tag should set by field tag alone
+                  type: string
+                imageScriptsUrl:
+                  description: ImageScriptsURL is the default location to find the
+                    assemble/run scripts for a builder image. This url can be a reference
+                    within the builder image if the scheme is specified as image://
+                  type: string
+                imageWorkDir:
+                  description: ImageWorkDir is the default working directory for the
+                    builder image.
+                  type: string
+                incremental:
+                  description: Incremental describes whether to try to perform incremental
+                    build.
+                  type: boolean
+                incrementalAuthentication:
+                  description: IncrementalAuthentication holds the authentication
+                    information for pulling the previous image from private repositories
+                  properties:
+                    email:
+                      type: string
+                    password:
+                      type: string
+                    secretRef:
+                      description: LocalObjectReference contains enough information
+                        to let you locate the referenced object inside the same namespace.
+                      properties:
+                        name:
+                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            TODO: Add other useful fields. apiVersion, kind, uid?'
+                          type: string
+                      type: object
+                    serverAddress:
+                      type: string
+                    username:
+                      type: string
+                  type: object
+                incrementalFromTag:
+                  description: IncrementalFromTag sets an alternative image tag to
+                    look for existing artifacts. Tag is used by default if this is
+                    not set.
+                  type: string
+                injections:
+                  description: Injections specifies a list source/destination folders
+                    that are injected to the container that runs assemble. All files
+                    we inject will be truncated after the assemble script finishes.
+                  items:
+                    description: VolumeSpec represents a single volume mount point.
+                    properties:
+                      destination:
+                        description: Destination is the path to mount the volume to
+                          - absolute or relative.
+                        type: string
+                      keep:
+                        description: Keep indicates if the mounted data should be
+                          kept in the final image.
+                        type: boolean
+                      source:
+                        description: Source is a reference to the volume source.
+                        type: string
+                    type: object
+                  type: array
+                isBinaryURL:
+                  description: IsBinaryURL explain the type of SourceURL. If it is
+                    IsBinaryURL, it will download the file directly without using
+                    git.
+                  type: boolean
+                keepSymlinks:
+                  description: KeepSymlinks indicates to copy symlinks as symlinks.
+                    Default behavior is to follow symlinks and copy files by content.
+                  type: boolean
+                labelNamespace:
+                  description: LabelNamespace provides the namespace under which the
+                    labels will be generated.
+                  type: string
+                labels:
+                  additionalProperties:
+                    type: string
+                  description: Labels specify labels and their values to be applied
+                    to the resulting image. Label keys must have non-zero length.
+                    The labels defined here override generated labels in case they
+                    have the same name.
+                  type: object
+                layeredBuild:
+                  description: LayeredBuild describes if this is build which layered
+                    scripts and sources on top of BuilderImage.
+                  type: boolean
+                nodeAffinityKey:
+                  description: The key of Node Affinity.
+                  type: string
+                nodeAffinityValues:
+                  description: The values of Node Affinity.
+                  items:
+                    type: string
+                  type: array
+                outputBuildResult:
+                  description: Whether output build result to status.
+                  type: boolean
+                outputImageName:
+                  description: OutputImageName is a result image name without tag,
+                    default is latest. tag will append to ImageName in the end
+                  type: string
+                preserveWorkingDir:
+                  description: PreserveWorkingDir describes if working directory should
+                    be left after processing.
+                  type: boolean
+                previousImagePullPolicy:
+                  description: PreviousImagePullPolicy specifies when to pull the
+                    previously build image when doing incremental build
+                  type: string
+                pullAuthentication:
+                  description: PullAuthentication holds the authentication information
+                    for pulling the Docker images from private repositories
+                  properties:
+                    email:
+                      type: string
+                    password:
+                      type: string
+                    secretRef:
+                      description: LocalObjectReference contains enough information
+                        to let you locate the referenced object inside the same namespace.
+                      properties:
+                        name:
+                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            TODO: Add other useful fields. apiVersion, kind, uid?'
+                          type: string
+                      type: object
+                    serverAddress:
+                      type: string
+                    username:
+                      type: string
+                  type: object
+                pushAuthentication:
+                  description: PullAuthentication holds the authentication information
+                    for pulling the Docker images from private repositories
+                  properties:
+                    email:
+                      type: string
+                    password:
+                      type: string
+                    secretRef:
+                      description: LocalObjectReference contains enough information
+                        to let you locate the referenced object inside the same namespace.
+                      properties:
+                        name:
+                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            TODO: Add other useful fields. apiVersion, kind, uid?'
+                          type: string
+                      type: object
+                    serverAddress:
+                      type: string
+                    username:
+                      type: string
+                  type: object
+                removePreviousImage:
+                  description: RemovePreviousImage describes if previous image should
+                    be removed after successful build. This applies only to incremental
+                    builds.
+                  type: boolean
+                revisionId:
+                  description: The RevisionId is a branch name or a SHA-1 hash of
+                    every important thing about the commit
+                  type: string
+                runImage:
+                  description: RunImage will trigger a "docker run ..." invocation
+                    of the produced image so the user can see if it operates as he
+                    would expect
+                  type: boolean
+                runtimeArtifacts:
+                  description: RuntimeArtifacts specifies a list of source/destination
+                    pairs that will be copied from builder to a runtime image. Source
+                    can be a file or directory. Destination must be a directory. Regardless
+                    whether it is an absolute or relative path, it will be placed
+                    into image's WORKDIR. Destination also can be empty or equals
+                    to ".", in this case it just refers to a root of WORKDIR. In case
+                    it's empty, S2I will try to get this list from io.openshift.s2i.assemble-input-files
+                    label on a RuntimeImage.
+                  items:
+                    description: VolumeSpec represents a single volume mount point.
+                    properties:
+                      destination:
+                        description: Destination is the path to mount the volume to
+                          - absolute or relative.
+                        type: string
+                      keep:
+                        description: Keep indicates if the mounted data should be
+                          kept in the final image.
+                        type: boolean
+                      source:
+                        description: Source is a reference to the volume source.
+                        type: string
+                    type: object
+                  type: array
+                runtimeAuthentication:
+                  description: RuntimeAuthentication holds the authentication information
+                    for pulling the runtime Docker images from private repositories.
+                  properties:
+                    email:
+                      type: string
+                    password:
+                      type: string
+                    secretRef:
+                      description: LocalObjectReference contains enough information
+                        to let you locate the referenced object inside the same namespace.
+                      properties:
+                        name:
+                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            TODO: Add other useful fields. apiVersion, kind, uid?'
+                          type: string
+                      type: object
+                    serverAddress:
+                      type: string
+                    username:
+                      type: string
+                  type: object
+                runtimeImage:
+                  description: RuntimeImage specifies the image that will be a base
+                    for resulting image and will be used for running an application.
+                    By default, BuilderImage is used for building and running, but
+                    the latter may be overridden.
+                  type: string
+                runtimeImagePullPolicy:
+                  description: RuntimeImagePullPolicy specifies when to pull a runtime
+                    image.
+                  type: string
+                scriptDownloadProxyConfig:
+                  description: ScriptDownloadProxyConfig optionally specifies the
+                    http and https proxy to use when downloading scripts
+                  properties:
+                    httpProxy:
+                      type: string
+                    httpsProxy:
+                      type: string
+                  type: object
+                scriptsUrl:
+                  description: ScriptsURL is a URL describing where to fetch the S2I
+                    scripts from during build process. This url can be a reference
+                    within the builder image if the scheme is specified as image://
+                  type: string
+                secretCode:
+                  description: SecretCode
+                  type: string
+                securityOpt:
+                  description: SecurityOpt are passed as options to the docker containers
+                    launched by s2i.
+                  items:
+                    type: string
+                  type: array
+                sourceUrl:
+                  description: SourceURL is  url of the codes such as https://github.com/a/b.git
+                  type: string
+                tag:
+                  description: Tag is a result image tag name.
+                  type: string
+                taintKey:
+                  description: The name of taint.
+                  type: string
+                usage:
+                  description: Usage allows for properly shortcircuiting s2i logic
+                    when `s2i usage` is invoked
+                  type: boolean
+                workingDir:
+                  description: WorkingDir describes temporary directory used for downloading
+                    sources, scripts and tar operations.
+                  type: string
+                workingSourceDir:
+                  description: WorkingSourceDir describes the subdirectory off of
+                    WorkingDir set up during the repo download that is later used
+                    as the root for ignore processing
+                  type: string
+              required:
+              - imageName
+              - sourceUrl
+              type: object
+            fromTemplate:
+              description: FromTemplate define some inputs from user
+              properties:
+                builderImage:
+                  description: BaseImage specify which version of this template to
+                    use
+                  type: string
+                name:
+                  description: Name specify a template to use, so many fields in Config
+                    can left empty
+                  type: string
+                parameters:
+                  description: Parameters must use with `template`, fill some parameters
+                    which template will use
+                  items:
+                    properties:
+                      defaultValue:
+                        type: string
+                      description:
+                        type: string
+                      key:
+                        type: string
+                      optValues:
+                        items:
+                          type: string
+                        type: array
+                      required:
+                        type: boolean
+                      type:
+                        type: string
+                      value:
+                        type: string
+                    type: object
+                  type: array
+              type: object
+          type: object
+        status:
+          description: S2iBuilderStatus defines the observed state of S2iBuilder
+          properties:
+            lastRunName:
+              description: LastRunState return the name of the newest run of this
+                builder
+              type: string
+            lastRunStartTime:
+              description: LastRunStartTime return the startTime of the newest run
+                of this builder
+              format: date-time
+              type: string
+            lastRunState:
+              description: LastRunState return the state of the newest run of this
+                builder
+              type: string
+            runCount:
+              description: RunCount represent the sum of s2irun of this builder
+              type: integer
+          required:
+          - runCount
+          type: object
+      type: object
+  version: v1alpha1
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/devops.kubesphere.io_s2ibuildertemplates.yaml

@@ -0,0 +1,141 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: s2ibuildertemplates.devops.kubesphere.io
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .spec.codeFramework
+    name: Framework
+    type: string
+  - JSONPath: .spec.defaultBaseImage
+    name: DefaultBaseImage
+    type: string
+  - JSONPath: .spec.version
+    name: Version
+    type: string
+  group: devops.kubesphere.io
+  names:
+    categories:
+    - devops
+    kind: S2iBuilderTemplate
+    listKind: S2iBuilderTemplateList
+    plural: s2ibuildertemplates
+    shortNames:
+    - s2ibt
+    singular: s2ibuildertemplate
+  scope: Cluster
+  subresources: {}
+  validation:
+    openAPIV3Schema:
+      description: S2iBuilderTemplate is the Schema for the s2ibuildertemplates API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: S2iBuilderTemplateSpec defines the desired state of S2iBuilderTemplate
+          properties:
+            codeFramework:
+              description: CodeFramework means which language this template is designed
+                for and which framework is using if has framework. Like Java, NodeJS
+                etc
+              type: string
+            containerInfo:
+              description: Images are the images this template will use.
+              items:
+                properties:
+                  buildVolumes:
+                    description: BuildVolumes specifies a list of volumes to mount
+                      to container running the build.
+                    items:
+                      type: string
+                    type: array
+                  builderImage:
+                    description: BaseImage are the images this template will use.
+                    type: string
+                  runtimeArtifacts:
+                    items:
+                      description: VolumeSpec represents a single volume mount point.
+                      properties:
+                        destination:
+                          description: Destination is the path to mount the volume
+                            to - absolute or relative.
+                          type: string
+                        keep:
+                          description: Keep indicates if the mounted data should be
+                            kept in the final image.
+                          type: boolean
+                        source:
+                          description: Source is a reference to the volume source.
+                          type: string
+                      type: object
+                    type: array
+                  runtimeImage:
+                    type: string
+                type: object
+              type: array
+            defaultBaseImage:
+              description: DefaultBaseImage is the image that will be used by default
+              type: string
+            description:
+              description: Description illustrate the purpose of this template
+              type: string
+            environment:
+              description: Parameters is a set of environment variables to be passed
+                to the image.
+              items:
+                properties:
+                  defaultValue:
+                    type: string
+                  description:
+                    type: string
+                  key:
+                    type: string
+                  optValues:
+                    items:
+                      type: string
+                    type: array
+                  required:
+                    type: boolean
+                  type:
+                    type: string
+                  value:
+                    type: string
+                type: object
+              type: array
+            iconPath:
+              description: IconPath is used for frontend display
+              type: string
+            version:
+              description: Version of template
+              type: string
+          type: object
+        status:
+          description: S2iBuilderTemplateStatus defines the observed state of S2iBuilderTemplate
+          type: object
+      type: object
+  version: v1alpha1
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/devops.kubesphere.io_s2iruns.yaml

@@ -0,0 +1,181 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: s2iruns.devops.kubesphere.io
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .status.runState
+    name: State
+    type: string
+  - JSONPath: .status.kubernetesJobName
+    name: K8sJobName
+    type: string
+  - JSONPath: .status.startTime
+    name: StartTime
+    type: date
+  - JSONPath: .status.completionTime
+    name: CompletionTime
+    type: date
+  - JSONPath: .status.s2iBuildResult.imageName
+    name: ImageName
+    type: string
+  group: devops.kubesphere.io
+  names:
+    kind: S2iRun
+    listKind: S2iRunList
+    plural: s2iruns
+    shortNames:
+    - s2ir
+    singular: s2irun
+  scope: Namespaced
+  subresources:
+    status: {}
+  validation:
+    openAPIV3Schema:
+      description: S2iRun is the Schema for the s2iruns API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: S2iRunSpec defines the desired state of S2iRun
+          properties:
+            backoffLimit:
+              description: BackoffLimit limits the restart count of each s2irun. Default
+                is 0
+              format: int32
+              type: integer
+            builderName:
+              description: BuilderName specify the name of s2ibuilder, required
+              type: string
+            newRevisionId:
+              description: NewRevisionId override the default NewRevisionId in its
+                s2ibuilder.
+              type: string
+            newSourceURL:
+              description: NewSourceURL is used to download new binary artifacts
+              type: string
+            newTag:
+              description: NewTag override the default tag in its s2ibuilder, image
+                name cannot be changed.
+              type: string
+            secondsAfterFinished:
+              description: SecondsAfterFinished if is set and greater than zero, and
+                the job created by s2irun become successful or failed , the job will
+                be auto deleted after SecondsAfterFinished
+              format: int32
+              type: integer
+          required:
+          - builderName
+          type: object
+        status:
+          description: S2iRunStatus defines the observed state of S2iRun
+          properties:
+            completionTime:
+              description: Represents time when the job was completed. It is not guaranteed
+                to be set in happens-before order across separate operations. It is
+                represented in RFC3339 form and is in UTC.
+              format: date-time
+              type: string
+            kubernetesJobName:
+              description: KubernetesJobName is the job name in k8s
+              type: string
+            logURL:
+              description: LogURL is uesd for external log handler to let user know
+                where is log located in
+              type: string
+            runState:
+              description: RunState  indicates whether this job is done or failed
+              type: string
+            s2iBuildResult:
+              description: S2i build result info.
+              properties:
+                commandPull:
+                  description: Command for pull image.
+                  type: string
+                imageCreated:
+                  description: Image created time.
+                  type: string
+                imageID:
+                  description: Image ID.
+                  type: string
+                imageName:
+                  description: ImageName is the name of artifact
+                  type: string
+                imageRepoTags:
+                  description: image tags.
+                  items:
+                    type: string
+                  type: array
+                imageSize:
+                  description: The size in bytes of the image
+                  format: int64
+                  type: integer
+              type: object
+            s2iBuildSource:
+              description: S2i build source info.
+              properties:
+                binaryName:
+                  description: Binary file Name
+                  type: string
+                binarySize:
+                  description: Binary file Size
+                  format: int64
+                  type: integer
+                builderImage:
+                  description: // BuilderImage describes which image is used for building
+                    the result images.
+                  type: string
+                commitID:
+                  description: CommitID represents an arbitrary extended object reference
+                    in Git as SHA-1
+                  type: string
+                committerEmail:
+                  description: CommitterEmail contains the e-mail of the committer
+                  type: string
+                committerName:
+                  description: CommitterName contains the name of the committer
+                  type: string
+                description:
+                  description: Description is a result image description label. The
+                    default is no description.
+                  type: string
+                revisionId:
+                  description: The RevisionId is a branch name or a SHA-1 hash of
+                    every important thing about the commit
+                  type: string
+                sourceUrl:
+                  description: SourceURL is  url of the codes such as https://github.com/a/b.git
+                  type: string
+              type: object
+            startTime:
+              description: StartTime represent when this run began
+              format: date-time
+              type: string
+          type: object
+      type: object
+  version: v1alpha1
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/iam.kubesphere.io_globalrolebindings.yaml

@@ -0,0 +1,99 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: globalrolebindings.iam.kubesphere.io
+spec:
+  group: iam.kubesphere.io
+  names:
+    categories:
+    - iam
+    kind: GlobalRoleBinding
+    listKind: GlobalRoleBindingList
+    plural: globalrolebindings
+    singular: globalrolebinding
+  scope: Cluster
+  validation:
+    openAPIV3Schema:
+      description: GlobalRoleBinding is the Schema for the globalrolebindings API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          description: Standard object's metadata.
+          type: object
+        roleRef:
+          description: RoleRef can only reference a GlobalRole. If the RoleRef cannot
+            be resolved, the Authorizer must return an error.
+          properties:
+            apiGroup:
+              description: APIGroup is the group for the resource being referenced
+              type: string
+            kind:
+              description: Kind is the type of resource being referenced
+              type: string
+            name:
+              description: Name is the name of resource being referenced
+              type: string
+          required:
+          - apiGroup
+          - kind
+          - name
+          type: object
+        subjects:
+          description: Subjects holds references to the objects the role applies to.
+          items:
+            description: Subject contains a reference to the object or user identities
+              a role binding applies to.  This can either hold a direct API object
+              reference, or a value for non-objects such as user and group names.
+            properties:
+              apiGroup:
+                description: APIGroup holds the API group of the referenced subject.
+                  Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
+                  for User and Group subjects.
+                type: string
+              kind:
+                description: Kind of object being referenced. Values defined by this
+                  API group are "User", "Group", and "ServiceAccount". If the Authorizer
+                  does not recognized the kind value, the Authorizer should report
+                  an error.
+                type: string
+              name:
+                description: Name of the object being referenced.
+                type: string
+              namespace:
+                description: Namespace of the referenced object.  If the object kind
+                  is non-namespace, such as "User" or "Group", and this value is not
+                  empty the Authorizer should report an error.
+                type: string
+            required:
+            - kind
+            - name
+            type: object
+          type: array
+      required:
+      - roleRef
+      type: object
+  version: v1alpha2
+  versions:
+  - name: v1alpha2
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/iam.kubesphere.io_globalroles.yaml

@@ -0,0 +1,95 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: globalroles.iam.kubesphere.io
+spec:
+  group: iam.kubesphere.io
+  names:
+    categories:
+    - iam
+    kind: GlobalRole
+    listKind: GlobalRoleList
+    plural: globalroles
+    singular: globalrole
+  scope: Cluster
+  validation:
+    openAPIV3Schema:
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          description: Standard object's metadata.
+          type: object
+        rules:
+          description: Rules holds all the PolicyRules for this GlobalRole
+          items:
+            description: PolicyRule holds information that describes a policy rule,
+              but does not contain information about who the rule applies to or which
+              namespace the rule applies to.
+            properties:
+              apiGroups:
+                description: APIGroups is the name of the APIGroup that contains the
+                  resources.  If multiple API groups are specified, any action requested
+                  against one of the enumerated resources in any API group will be
+                  allowed.
+                items:
+                  type: string
+                type: array
+              nonResourceURLs:
+                description: NonResourceURLs is a set of partial urls that a user
+                  should have access to.  *s are allowed, but only as the full, final
+                  step in the path Since non-resource URLs are not namespaced, this
+                  field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
+                  Rules can either apply to API resources (such as "pods" or "secrets")
+                  or non-resource URL paths (such as "/api"),  but not both.
+                items:
+                  type: string
+                type: array
+              resourceNames:
+                description: ResourceNames is an optional white list of names that
+                  the rule applies to.  An empty set means that everything is allowed.
+                items:
+                  type: string
+                type: array
+              resources:
+                description: Resources is a list of resources this rule applies to.  ResourceAll
+                  represents all resources.
+                items:
+                  type: string
+                type: array
+              verbs:
+                description: Verbs is a list of Verbs that apply to ALL the ResourceKinds
+                  and AttributeRestrictions contained in this rule.  VerbAll represents
+                  all kinds.
+                items:
+                  type: string
+                type: array
+            required:
+            - verbs
+            type: object
+          type: array
+      type: object
+  version: v1alpha2
+  versions:
+  - name: v1alpha2
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/iam.kubesphere.io_loginrecords.yaml

@@ -0,0 +1,95 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: loginrecords.iam.kubesphere.io
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .spec.type
+    name: Type
+    type: string
+  - JSONPath: .spec.provider
+    name: Provider
+    type: string
+  - JSONPath: .spec.sourceIP
+    name: From
+    type: string
+  - JSONPath: .spec.success
+    name: Success
+    type: string
+  - JSONPath: .spec.reason
+    name: Reason
+    type: string
+  - JSONPath: .metadata.creationTimestamp
+    name: Age
+    type: date
+  group: iam.kubesphere.io
+  names:
+    categories:
+    - iam
+    kind: LoginRecord
+    listKind: LoginRecordList
+    plural: loginrecords
+    singular: loginrecord
+  scope: Cluster
+  subresources: {}
+  validation:
+    openAPIV3Schema:
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          properties:
+            provider:
+              description: Provider of authentication, Ldap/Github etc.
+              type: string
+            reason:
+              description: States failed login attempt reason
+              type: string
+            sourceIP:
+              description: Source IP of client
+              type: string
+            success:
+              description: Successful login attempt or not
+              type: boolean
+            type:
+              description: Which authentication method used, BasicAuth/OAuth
+              type: string
+            userAgent:
+              description: User agent of login attempt
+              type: string
+          required:
+          - provider
+          - reason
+          - sourceIP
+          - success
+          - type
+          type: object
+      required:
+      - spec
+      type: object
+  version: v1alpha2
+  versions:
+  - name: v1alpha2
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/iam.kubesphere.io_rolebases.yaml

@@ -0,0 +1,50 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: rolebases.iam.kubesphere.io
+spec:
+  group: iam.kubesphere.io
+  names:
+    categories:
+    - iam
+    kind: RoleBase
+    listKind: RoleBaseList
+    plural: rolebases
+    singular: rolebase
+  scope: Cluster
+  validation:
+    openAPIV3Schema:
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        role:
+          type: object
+      required:
+      - role
+      type: object
+  version: v1alpha2
+  versions:
+  - name: v1alpha2
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/iam.kubesphere.io_users.yaml

@@ -0,0 +1,98 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: users.iam.kubesphere.io
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .spec.email
+    name: Email
+    type: string
+  - JSONPath: .status.state
+    name: Status
+    type: string
+  group: iam.kubesphere.io
+  names:
+    categories:
+    - iam
+    kind: User
+    listKind: UserList
+    plural: users
+    singular: user
+  scope: Cluster
+  subresources: {}
+  validation:
+    openAPIV3Schema:
+      description: User is the Schema for the users API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          description: Standard object's metadata.
+          type: object
+        spec:
+          description: UserSpec defines the desired state of User
+          properties:
+            description:
+              description: Description of the user.
+              type: string
+            displayName:
+              type: string
+            email:
+              description: Unique email address(https://www.ietf.org/rfc/rfc5322.txt).
+              type: string
+            groups:
+              items:
+                type: string
+              type: array
+            lang:
+              description: The preferred written or spoken language for the user.
+              type: string
+            password:
+              description: password will be encrypted by mutating admission webhook
+              type: string
+          required:
+          - email
+          type: object
+        status:
+          description: UserStatus defines the observed state of User
+          properties:
+            lastLoginTime:
+              description: Last login attempt timestamp
+              format: date-time
+              type: string
+            lastTransitionTime:
+              format: date-time
+              type: string
+            reason:
+              type: string
+            state:
+              description: The user status
+              type: string
+          type: object
+      required:
+      - spec
+      type: object
+  version: v1alpha2
+  versions:
+  - name: v1alpha2
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/iam.kubesphere.io_workspacerolebindings.yaml

@@ -0,0 +1,104 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: workspacerolebindings.iam.kubesphere.io
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .metadata.labels.kubesphere\.io/workspace
+    name: Workspace
+    type: string
+  group: iam.kubesphere.io
+  names:
+    categories:
+    - iam
+    kind: WorkspaceRoleBinding
+    listKind: WorkspaceRoleBindingList
+    plural: workspacerolebindings
+    singular: workspacerolebinding
+  scope: Cluster
+  subresources: {}
+  validation:
+    openAPIV3Schema:
+      description: WorkspaceRoleBinding is the Schema for the workspacerolebindings
+        API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        roleRef:
+          description: RoleRef can only reference a WorkspaceRole. If the RoleRef
+            cannot be resolved, the Authorizer must return an error.
+          properties:
+            apiGroup:
+              description: APIGroup is the group for the resource being referenced
+              type: string
+            kind:
+              description: Kind is the type of resource being referenced
+              type: string
+            name:
+              description: Name is the name of resource being referenced
+              type: string
+          required:
+          - apiGroup
+          - kind
+          - name
+          type: object
+        subjects:
+          description: Subjects holds references to the objects the role applies to.
+          items:
+            description: Subject contains a reference to the object or user identities
+              a role binding applies to.  This can either hold a direct API object
+              reference, or a value for non-objects such as user and group names.
+            properties:
+              apiGroup:
+                description: APIGroup holds the API group of the referenced subject.
+                  Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
+                  for User and Group subjects.
+                type: string
+              kind:
+                description: Kind of object being referenced. Values defined by this
+                  API group are "User", "Group", and "ServiceAccount". If the Authorizer
+                  does not recognized the kind value, the Authorizer should report
+                  an error.
+                type: string
+              name:
+                description: Name of the object being referenced.
+                type: string
+              namespace:
+                description: Namespace of the referenced object.  If the object kind
+                  is non-namespace, such as "User" or "Group", and this value is not
+                  empty the Authorizer should report an error.
+                type: string
+            required:
+            - kind
+            - name
+            type: object
+          type: array
+      required:
+      - roleRef
+      type: object
+  version: v1alpha2
+  versions:
+  - name: v1alpha2
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/iam.kubesphere.io_workspaceroles.yaml

@@ -0,0 +1,103 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: workspaceroles.iam.kubesphere.io
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .metadata.labels.kubesphere\.io/workspace
+    name: Workspace
+    type: string
+  - JSONPath: .metadata.annotations.kubesphere\.io/alias-name
+    name: Alias
+    type: string
+  group: iam.kubesphere.io
+  names:
+    categories:
+    - iam
+    kind: WorkspaceRole
+    listKind: WorkspaceRoleList
+    plural: workspaceroles
+    singular: workspacerole
+  scope: Cluster
+  subresources: {}
+  validation:
+    openAPIV3Schema:
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          description: Standard object's metadata.
+          type: object
+        rules:
+          description: Rules holds all the PolicyRules for this WorkspaceRole
+          items:
+            description: PolicyRule holds information that describes a policy rule,
+              but does not contain information about who the rule applies to or which
+              namespace the rule applies to.
+            properties:
+              apiGroups:
+                description: APIGroups is the name of the APIGroup that contains the
+                  resources.  If multiple API groups are specified, any action requested
+                  against one of the enumerated resources in any API group will be
+                  allowed.
+                items:
+                  type: string
+                type: array
+              nonResourceURLs:
+                description: NonResourceURLs is a set of partial urls that a user
+                  should have access to.  *s are allowed, but only as the full, final
+                  step in the path Since non-resource URLs are not namespaced, this
+                  field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
+                  Rules can either apply to API resources (such as "pods" or "secrets")
+                  or non-resource URL paths (such as "/api"),  but not both.
+                items:
+                  type: string
+                type: array
+              resourceNames:
+                description: ResourceNames is an optional white list of names that
+                  the rule applies to.  An empty set means that everything is allowed.
+                items:
+                  type: string
+                type: array
+              resources:
+                description: Resources is a list of resources this rule applies to.  ResourceAll
+                  represents all resources.
+                items:
+                  type: string
+                type: array
+              verbs:
+                description: Verbs is a list of Verbs that apply to ALL the ResourceKinds
+                  and AttributeRestrictions contained in this rule.  VerbAll represents
+                  all kinds.
+                items:
+                  type: string
+                type: array
+            required:
+            - verbs
+            type: object
+          type: array
+      type: object
+  version: v1alpha2
+  versions:
+  - name: v1alpha2
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/istio_v1alpha3_destinationrule.yaml

@@ -0,0 +1,763 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  creationTimestamp: null
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: destinationrules.istio.kubesphere.io
+spec:
+  group: istio.kubesphere.io
+  names:
+    kind: DestinationRule
+    plural: destinationrules
+  scope: Namespaced
+  validation:
+    openAPIV3Schema:
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          properties:
+            host:
+              description: 'REQUIRED. The name of a service from the service registry.
+                Service names are looked up from the platform''s service registry
+                (e.g., Kubernetes services, Consul services, etc.) and from the hosts
+                declared by [ServiceEntries](#ServiceEntry). Rules defined for services
+                that do not exist in the service registry will be ignored.  *Note
+                for Kubernetes users*: When short names are used (e.g. "reviews" instead
+                of "reviews.default.svc.cluster.local"), Istio will interpret the
+                short name based on the namespace of the rule, not the service. A
+                rule in the "default" namespace containing a host "reviews will be
+                interpreted as "reviews.default.svc.cluster.local", irrespective of
+                the actual namespace associated with the reviews service. _To avoid
+                potential misconfigurations, it is recommended to always use fully
+                qualified domain names over short names._  Note that the host field
+                applies to both HTTP and TCP services.'
+              type: string
+            subsets:
+              description: One or more named sets that represent individual versions
+                of a service. Traffic policies can be overridden at subset level.
+              items:
+                properties:
+                  labels:
+                    description: REQUIRED. Labels apply a filter over the endpoints
+                      of a service in the service registry. See route rules for examples
+                      of usage.
+                    type: object
+                  name:
+                    description: REQUIRED. Name of the subset. The service name and
+                      the subset name can be used for traffic splitting in a route
+                      rule.
+                    type: string
+                  trafficPolicy:
+                    description: Traffic policies that apply to this subset. Subsets
+                      inherit the traffic policies specified at the DestinationRule
+                      level. Settings specified at the subset level will override
+                      the corresponding settings specified at the DestinationRule
+                      level.
+                    properties:
+                      connectionPool:
+                        description: Settings controlling the volume of connections
+                          to an upstream service
+                        properties:
+                          http:
+                            description: HTTP connection pool settings.
+                            properties:
+                              maxRequestsPerConnection:
+                                description: Maximum number of requests per connection
+                                  to a backend. Setting this parameter to 1 disables
+                                  keep alive.
+                                format: int32
+                                type: integer
+                              maxRetries:
+                                description: Maximum number of retries that can be
+                                  outstanding to all hosts in a cluster at a given
+                                  time. Defaults to 3.
+                                format: int32
+                                type: integer
+                            type: object
+                          tcp:
+                            description: Settings common to both HTTP and TCP upstream
+                              connections.
+                            properties:
+                              connectTimeout:
+                                description: TCP connection timeout.
+                                type: string
+                              maxConnections:
+                                description: Maximum number of HTTP1 /TCP connections
+                                  to a destination host.
+                                format: int32
+                                type: integer
+                            type: object
+                        type: object
+                      loadBalancer:
+                        description: Settings controlling the load balancer algorithms.
+                        properties:
+                          consistentHash:
+                            properties:
+                              httpCookie:
+                                description: Hash based on HTTP cookie.
+                                properties:
+                                  name:
+                                    description: REQUIRED. Name of the cookie.
+                                    type: string
+                                  path:
+                                    description: Path to set for the cookie.
+                                    type: string
+                                  ttl:
+                                    description: REQUIRED. Lifetime of the cookie.
+                                    type: string
+                                required:
+                                - name
+                                - ttl
+                                type: object
+                              httpHeaderName:
+                                description: 'It is required to specify exactly one
+                                  of the fields as hash key: HttpHeaderName, HttpCookie,
+                                  or UseSourceIP. Hash based on a specific HTTP header.'
+                                type: string
+                              minimumRingSize:
+                                description: The minimum number of virtual nodes to
+                                  use for the hash ring. Defaults to 1024. Larger
+                                  ring sizes result in more granular load distributions.
+                                  If the number of hosts in the load balancing pool
+                                  is larger than the ring size, each host will be
+                                  assigned a single virtual node.
+                                format: int64
+                                type: integer
+                              useSourceIp:
+                                description: Hash based on the source IP address.
+                                type: boolean
+                            type: object
+                          simple:
+                            description: 'It is required to specify exactly one of
+                              the fields: Simple or ConsistentHash'
+                            type: string
+                        type: object
+                      outlierDetection:
+                        description: Settings controlling eviction of unhealthy hosts
+                          from the load balancing pool
+                        properties:
+                          baseEjectionTime:
+                            description: 'Minimum ejection duration. A host will remain
+                              ejected for a period equal to the product of minimum
+                              ejection duration and the number of times the host has
+                              been ejected. This technique allows the system to automatically
+                              increase the ejection period for unhealthy upstream
+                              servers. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default
+                              is 30s.'
+                            type: string
+                          consecutiveErrors:
+                            description: Number of errors before a host is ejected
+                              from the connection pool. Defaults to 5. When the upstream
+                              host is accessed over HTTP, a 5xx return code qualifies
+                              as an error. When the upstream host is accessed over
+                              an opaque TCP connection, connect timeouts and connection
+                              error/failure events qualify as an error.
+                            format: int32
+                            type: integer
+                          interval:
+                            description: 'Time interval between ejection sweep analysis.
+                              format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.'
+                            type: string
+                          maxEjectionPercent:
+                            description: Maximum % of hosts in the load balancing
+                              pool for the upstream service that can be ejected. Defaults
+                              to 10%.
+                            format: int32
+                            type: integer
+                        type: object
+                      portLevelSettings:
+                        description: Traffic policies specific to individual ports.
+                          Note that port level settings will override the destination-level
+                          settings. Traffic settings specified at the destination-level
+                          will not be inherited when overridden by port-level settings,
+                          i.e. default values will be applied to fields omitted in
+                          port-level traffic policies.
+                        items:
+                          properties:
+                            connectionPool:
+                              description: Settings controlling the volume of connections
+                                to an upstream service
+                              properties:
+                                http:
+                                  description: HTTP connection pool settings.
+                                  properties:
+                                    maxRequestsPerConnection:
+                                      description: Maximum number of requests per
+                                        connection to a backend. Setting this parameter
+                                        to 1 disables keep alive.
+                                      format: int32
+                                      type: integer
+                                    maxRetries:
+                                      description: Maximum number of retries that
+                                        can be outstanding to all hosts in a cluster
+                                        at a given time. Defaults to 3.
+                                      format: int32
+                                      type: integer
+                                  type: object
+                                tcp:
+                                  description: Settings common to both HTTP and TCP
+                                    upstream connections.
+                                  properties:
+                                    connectTimeout:
+                                      description: TCP connection timeout.
+                                      type: string
+                                    maxConnections:
+                                      description: Maximum number of HTTP1 /TCP connections
+                                        to a destination host.
+                                      format: int32
+                                      type: integer
+                                  type: object
+                              type: object
+                            loadBalancer:
+                              description: Settings controlling the load balancer
+                                algorithms.
+                              properties:
+                                consistentHash:
+                                  properties:
+                                    httpCookie:
+                                      description: Hash based on HTTP cookie.
+                                      properties:
+                                        name:
+                                          description: REQUIRED. Name of the cookie.
+                                          type: string
+                                        path:
+                                          description: Path to set for the cookie.
+                                          type: string
+                                        ttl:
+                                          description: REQUIRED. Lifetime of the cookie.
+                                          type: string
+                                      required:
+                                      - name
+                                      - ttl
+                                      type: object
+                                    httpHeaderName:
+                                      description: 'It is required to specify exactly
+                                        one of the fields as hash key: HttpHeaderName,
+                                        HttpCookie, or UseSourceIP. Hash based on
+                                        a specific HTTP header.'
+                                      type: string
+                                    minimumRingSize:
+                                      description: The minimum number of virtual nodes
+                                        to use for the hash ring. Defaults to 1024.
+                                        Larger ring sizes result in more granular
+                                        load distributions. If the number of hosts
+                                        in the load balancing pool is larger than
+                                        the ring size, each host will be assigned
+                                        a single virtual node.
+                                      format: int64
+                                      type: integer
+                                    useSourceIp:
+                                      description: Hash based on the source IP address.
+                                      type: boolean
+                                  type: object
+                                simple:
+                                  description: 'It is required to specify exactly
+                                    one of the fields: Simple or ConsistentHash'
+                                  type: string
+                              type: object
+                            outlierDetection:
+                              description: Settings controlling eviction of unhealthy
+                                hosts from the load balancing pool
+                              properties:
+                                baseEjectionTime:
+                                  description: 'Minimum ejection duration. A host
+                                    will remain ejected for a period equal to the
+                                    product of minimum ejection duration and the number
+                                    of times the host has been ejected. This technique
+                                    allows the system to automatically increase the
+                                    ejection period for unhealthy upstream servers.
+                                    format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is
+                                    30s.'
+                                  type: string
+                                consecutiveErrors:
+                                  description: Number of errors before a host is ejected
+                                    from the connection pool. Defaults to 5. When
+                                    the upstream host is accessed over HTTP, a 5xx
+                                    return code qualifies as an error. When the upstream
+                                    host is accessed over an opaque TCP connection,
+                                    connect timeouts and connection error/failure
+                                    events qualify as an error.
+                                  format: int32
+                                  type: integer
+                                interval:
+                                  description: 'Time interval between ejection sweep
+                                    analysis. format: 1h/1m/1s/1ms. MUST BE >=1ms.
+                                    Default is 10s.'
+                                  type: string
+                                maxEjectionPercent:
+                                  description: Maximum % of hosts in the load balancing
+                                    pool for the upstream service that can be ejected.
+                                    Defaults to 10%.
+                                  format: int32
+                                  type: integer
+                              type: object
+                            port:
+                              description: Specifies the port name or number of a
+                                port on the destination service on which this policy
+                                is being applied.  Names must comply with DNS label
+                                syntax (rfc1035) and therefore cannot collide with
+                                numbers. If there are multiple ports on a service
+                                with the same protocol the names should be of the
+                                form <protocol-name>-<DNS label>.
+                              properties:
+                                name:
+                                  description: Valid port name
+                                  type: string
+                                number:
+                                  description: Valid port number
+                                  format: int32
+                                  type: integer
+                              type: object
+                            tls:
+                              description: TLS related settings for connections to
+                                the upstream service.
+                              properties:
+                                caCertificates:
+                                  description: 'OPTIONAL: The path to the file containing
+                                    certificate authority certificates to use in verifying
+                                    a presented server certificate. If omitted, the
+                                    proxy will not verify the server''s certificate.
+                                    Should be empty if mode is `ISTIO_MUTUAL`.'
+                                  type: string
+                                clientCertificate:
+                                  description: REQUIRED if mode is `MUTUAL`. The path
+                                    to the file holding the client-side TLS certificate
+                                    to use. Should be empty if mode is `ISTIO_MUTUAL`.
+                                  type: string
+                                mode:
+                                  description: 'REQUIRED: Indicates whether connections
+                                    to this port should be secured using TLS. The
+                                    value of this field determines how TLS is enforced.'
+                                  type: string
+                                privateKey:
+                                  description: REQUIRED if mode is `MUTUAL`. The path
+                                    to the file holding the client's private key.
+                                    Should be empty if mode is `ISTIO_MUTUAL`.
+                                  type: string
+                                sni:
+                                  description: SNI string to present to the server
+                                    during TLS handshake. Should be empty if mode
+                                    is `ISTIO_MUTUAL`.
+                                  type: string
+                                subjectAltNames:
+                                  description: A list of alternate names to verify
+                                    the subject identity in the certificate. If specified,
+                                    the proxy will verify that the server certificate's
+                                    subject alt name matches one of the specified
+                                    values. Should be empty if mode is `ISTIO_MUTUAL`.
+                                  items:
+                                    type: string
+                                  type: array
+                              required:
+                              - mode
+                              type: object
+                          required:
+                          - port
+                          type: object
+                        type: array
+                      tls:
+                        description: TLS related settings for connections to the upstream
+                          service.
+                        properties:
+                          caCertificates:
+                            description: 'OPTIONAL: The path to the file containing
+                              certificate authority certificates to use in verifying
+                              a presented server certificate. If omitted, the proxy
+                              will not verify the server''s certificate. Should be
+                              empty if mode is `ISTIO_MUTUAL`.'
+                            type: string
+                          clientCertificate:
+                            description: REQUIRED if mode is `MUTUAL`. The path to
+                              the file holding the client-side TLS certificate to
+                              use. Should be empty if mode is `ISTIO_MUTUAL`.
+                            type: string
+                          mode:
+                            description: 'REQUIRED: Indicates whether connections
+                              to this port should be secured using TLS. The value
+                              of this field determines how TLS is enforced.'
+                            type: string
+                          privateKey:
+                            description: REQUIRED if mode is `MUTUAL`. The path to
+                              the file holding the client's private key. Should be
+                              empty if mode is `ISTIO_MUTUAL`.
+                            type: string
+                          sni:
+                            description: SNI string to present to the server during
+                              TLS handshake. Should be empty if mode is `ISTIO_MUTUAL`.
+                            type: string
+                          subjectAltNames:
+                            description: A list of alternate names to verify the subject
+                              identity in the certificate. If specified, the proxy
+                              will verify that the server certificate's subject alt
+                              name matches one of the specified values. Should be
+                              empty if mode is `ISTIO_MUTUAL`.
+                            items:
+                              type: string
+                            type: array
+                        required:
+                        - mode
+                        type: object
+                    type: object
+                required:
+                - name
+                - labels
+                type: object
+              type: array
+            trafficPolicy:
+              description: Traffic policies to apply (load balancing policy, connection
+                pool sizes, outlier detection).
+              properties:
+                connectionPool:
+                  description: Settings controlling the volume of connections to an
+                    upstream service
+                  properties:
+                    http:
+                      description: HTTP connection pool settings.
+                      properties:
+                        maxRequestsPerConnection:
+                          description: Maximum number of requests per connection to
+                            a backend. Setting this parameter to 1 disables keep alive.
+                          format: int32
+                          type: integer
+                        maxRetries:
+                          description: Maximum number of retries that can be outstanding
+                            to all hosts in a cluster at a given time. Defaults to
+                            3.
+                          format: int32
+                          type: integer
+                      type: object
+                    tcp:
+                      description: Settings common to both HTTP and TCP upstream connections.
+                      properties:
+                        connectTimeout:
+                          description: TCP connection timeout.
+                          type: string
+                        maxConnections:
+                          description: Maximum number of HTTP1 /TCP connections to
+                            a destination host.
+                          format: int32
+                          type: integer
+                      type: object
+                  type: object
+                loadBalancer:
+                  description: Settings controlling the load balancer algorithms.
+                  properties:
+                    consistentHash:
+                      properties:
+                        httpCookie:
+                          description: Hash based on HTTP cookie.
+                          properties:
+                            name:
+                              description: REQUIRED. Name of the cookie.
+                              type: string
+                            path:
+                              description: Path to set for the cookie.
+                              type: string
+                            ttl:
+                              description: REQUIRED. Lifetime of the cookie.
+                              type: string
+                          required:
+                          - name
+                          - ttl
+                          type: object
+                        httpHeaderName:
+                          description: 'It is required to specify exactly one of the
+                            fields as hash key: HttpHeaderName, HttpCookie, or UseSourceIP.
+                            Hash based on a specific HTTP header.'
+                          type: string
+                        minimumRingSize:
+                          description: The minimum number of virtual nodes to use
+                            for the hash ring. Defaults to 1024. Larger ring sizes
+                            result in more granular load distributions. If the number
+                            of hosts in the load balancing pool is larger than the
+                            ring size, each host will be assigned a single virtual
+                            node.
+                          format: int64
+                          type: integer
+                        useSourceIp:
+                          description: Hash based on the source IP address.
+                          type: boolean
+                      type: object
+                    simple:
+                      description: 'It is required to specify exactly one of the fields:
+                        Simple or ConsistentHash'
+                      type: string
+                  type: object
+                outlierDetection:
+                  description: Settings controlling eviction of unhealthy hosts from
+                    the load balancing pool
+                  properties:
+                    baseEjectionTime:
+                      description: 'Minimum ejection duration. A host will remain
+                        ejected for a period equal to the product of minimum ejection
+                        duration and the number of times the host has been ejected.
+                        This technique allows the system to automatically increase
+                        the ejection period for unhealthy upstream servers. format:
+                        1h/1m/1s/1ms. MUST BE >=1ms. Default is 30s.'
+                      type: string
+                    consecutiveErrors:
+                      description: Number of errors before a host is ejected from
+                        the connection pool. Defaults to 5. When the upstream host
+                        is accessed over HTTP, a 5xx return code qualifies as an error.
+                        When the upstream host is accessed over an opaque TCP connection,
+                        connect timeouts and connection error/failure events qualify
+                        as an error.
+                      format: int32
+                      type: integer
+                    interval:
+                      description: 'Time interval between ejection sweep analysis.
+                        format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.'
+                      type: string
+                    maxEjectionPercent:
+                      description: Maximum % of hosts in the load balancing pool for
+                        the upstream service that can be ejected. Defaults to 10%.
+                      format: int32
+                      type: integer
+                  type: object
+                portLevelSettings:
+                  description: Traffic policies specific to individual ports. Note
+                    that port level settings will override the destination-level settings.
+                    Traffic settings specified at the destination-level will not be
+                    inherited when overridden by port-level settings, i.e. default
+                    values will be applied to fields omitted in port-level traffic
+                    policies.
+                  items:
+                    properties:
+                      connectionPool:
+                        description: Settings controlling the volume of connections
+                          to an upstream service
+                        properties:
+                          http:
+                            description: HTTP connection pool settings.
+                            properties:
+                              maxRequestsPerConnection:
+                                description: Maximum number of requests per connection
+                                  to a backend. Setting this parameter to 1 disables
+                                  keep alive.
+                                format: int32
+                                type: integer
+                              maxRetries:
+                                description: Maximum number of retries that can be
+                                  outstanding to all hosts in a cluster at a given
+                                  time. Defaults to 3.
+                                format: int32
+                                type: integer
+                            type: object
+                          tcp:
+                            description: Settings common to both HTTP and TCP upstream
+                              connections.
+                            properties:
+                              connectTimeout:
+                                description: TCP connection timeout.
+                                type: string
+                              maxConnections:
+                                description: Maximum number of HTTP1 /TCP connections
+                                  to a destination host.
+                                format: int32
+                                type: integer
+                            type: object
+                        type: object
+                      loadBalancer:
+                        description: Settings controlling the load balancer algorithms.
+                        properties:
+                          consistentHash:
+                            properties:
+                              httpCookie:
+                                description: Hash based on HTTP cookie.
+                                properties:
+                                  name:
+                                    description: REQUIRED. Name of the cookie.
+                                    type: string
+                                  path:
+                                    description: Path to set for the cookie.
+                                    type: string
+                                  ttl:
+                                    description: REQUIRED. Lifetime of the cookie.
+                                    type: string
+                                required:
+                                - name
+                                - ttl
+                                type: object
+                              httpHeaderName:
+                                description: 'It is required to specify exactly one
+                                  of the fields as hash key: HttpHeaderName, HttpCookie,
+                                  or UseSourceIP. Hash based on a specific HTTP header.'
+                                type: string
+                              minimumRingSize:
+                                description: The minimum number of virtual nodes to
+                                  use for the hash ring. Defaults to 1024. Larger
+                                  ring sizes result in more granular load distributions.
+                                  If the number of hosts in the load balancing pool
+                                  is larger than the ring size, each host will be
+                                  assigned a single virtual node.
+                                format: int64
+                                type: integer
+                              useSourceIp:
+                                description: Hash based on the source IP address.
+                                type: boolean
+                            type: object
+                          simple:
+                            description: 'It is required to specify exactly one of
+                              the fields: Simple or ConsistentHash'
+                            type: string
+                        type: object
+                      outlierDetection:
+                        description: Settings controlling eviction of unhealthy hosts
+                          from the load balancing pool
+                        properties:
+                          baseEjectionTime:
+                            description: 'Minimum ejection duration. A host will remain
+                              ejected for a period equal to the product of minimum
+                              ejection duration and the number of times the host has
+                              been ejected. This technique allows the system to automatically
+                              increase the ejection period for unhealthy upstream
+                              servers. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default
+                              is 30s.'
+                            type: string
+                          consecutiveErrors:
+                            description: Number of errors before a host is ejected
+                              from the connection pool. Defaults to 5. When the upstream
+                              host is accessed over HTTP, a 5xx return code qualifies
+                              as an error. When the upstream host is accessed over
+                              an opaque TCP connection, connect timeouts and connection
+                              error/failure events qualify as an error.
+                            format: int32
+                            type: integer
+                          interval:
+                            description: 'Time interval between ejection sweep analysis.
+                              format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.'
+                            type: string
+                          maxEjectionPercent:
+                            description: Maximum % of hosts in the load balancing
+                              pool for the upstream service that can be ejected. Defaults
+                              to 10%.
+                            format: int32
+                            type: integer
+                        type: object
+                      port:
+                        description: Specifies the port name or number of a port on
+                          the destination service on which this policy is being applied.  Names
+                          must comply with DNS label syntax (rfc1035) and therefore
+                          cannot collide with numbers. If there are multiple ports
+                          on a service with the same protocol the names should be
+                          of the form <protocol-name>-<DNS label>.
+                        properties:
+                          name:
+                            description: Valid port name
+                            type: string
+                          number:
+                            description: Valid port number
+                            format: int32
+                            type: integer
+                        type: object
+                      tls:
+                        description: TLS related settings for connections to the upstream
+                          service.
+                        properties:
+                          caCertificates:
+                            description: 'OPTIONAL: The path to the file containing
+                              certificate authority certificates to use in verifying
+                              a presented server certificate. If omitted, the proxy
+                              will not verify the server''s certificate. Should be
+                              empty if mode is `ISTIO_MUTUAL`.'
+                            type: string
+                          clientCertificate:
+                            description: REQUIRED if mode is `MUTUAL`. The path to
+                              the file holding the client-side TLS certificate to
+                              use. Should be empty if mode is `ISTIO_MUTUAL`.
+                            type: string
+                          mode:
+                            description: 'REQUIRED: Indicates whether connections
+                              to this port should be secured using TLS. The value
+                              of this field determines how TLS is enforced.'
+                            type: string
+                          privateKey:
+                            description: REQUIRED if mode is `MUTUAL`. The path to
+                              the file holding the client's private key. Should be
+                              empty if mode is `ISTIO_MUTUAL`.
+                            type: string
+                          sni:
+                            description: SNI string to present to the server during
+                              TLS handshake. Should be empty if mode is `ISTIO_MUTUAL`.
+                            type: string
+                          subjectAltNames:
+                            description: A list of alternate names to verify the subject
+                              identity in the certificate. If specified, the proxy
+                              will verify that the server certificate's subject alt
+                              name matches one of the specified values. Should be
+                              empty if mode is `ISTIO_MUTUAL`.
+                            items:
+                              type: string
+                            type: array
+                        required:
+                        - mode
+                        type: object
+                    required:
+                    - port
+                    type: object
+                  type: array
+                tls:
+                  description: TLS related settings for connections to the upstream
+                    service.
+                  properties:
+                    caCertificates:
+                      description: 'OPTIONAL: The path to the file containing certificate
+                        authority certificates to use in verifying a presented server
+                        certificate. If omitted, the proxy will not verify the server''s
+                        certificate. Should be empty if mode is `ISTIO_MUTUAL`.'
+                      type: string
+                    clientCertificate:
+                      description: REQUIRED if mode is `MUTUAL`. The path to the file
+                        holding the client-side TLS certificate to use. Should be
+                        empty if mode is `ISTIO_MUTUAL`.
+                      type: string
+                    mode:
+                      description: 'REQUIRED: Indicates whether connections to this
+                        port should be secured using TLS. The value of this field
+                        determines how TLS is enforced.'
+                      type: string
+                    privateKey:
+                      description: REQUIRED if mode is `MUTUAL`. The path to the file
+                        holding the client's private key. Should be empty if mode
+                        is `ISTIO_MUTUAL`.
+                      type: string
+                    sni:
+                      description: SNI string to present to the server during TLS
+                        handshake. Should be empty if mode is `ISTIO_MUTUAL`.
+                      type: string
+                    subjectAltNames:
+                      description: A list of alternate names to verify the subject
+                        identity in the certificate. If specified, the proxy will
+                        verify that the server certificate's subject alt name matches
+                        one of the specified values. Should be empty if mode is `ISTIO_MUTUAL`.
+                      items:
+                        type: string
+                      type: array
+                  required:
+                  - mode
+                  type: object
+              type: object
+          required:
+          - host
+          type: object
+      required:
+      - spec
+  version: v1alpha3
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/istio_v1alpha3_gateway.yaml

@@ -0,0 +1,129 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  creationTimestamp: null
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: gateways.istio.kubesphere.io
+spec:
+  group: istio.kubesphere.io
+  names:
+    kind: Gateway
+    plural: gateways
+  scope: Namespaced
+  validation:
+    openAPIV3Schema:
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          properties:
+            selector:
+              description: One or more labels that indicate a specific set of pods/VMs
+                on which this gateway configuration should be applied. If no selectors
+                are provided, the gateway will be implemented by the default istio-ingress
+                controller.
+              type: object
+            servers:
+              description: 'REQUIRED: A list of server specifications.'
+              items:
+                properties:
+                  hosts:
+                    description: A list of hosts exposed by this gateway. While typically
+                      applicable to HTTP services, it can also be used for TCP services
+                      using TLS with SNI. Standard DNS wildcard prefix syntax is permitted.  A
+                      VirtualService that is bound to a gateway must having a matching
+                      host in its default destination. Specifically one of the VirtualService
+                      destination hosts is a strict suffix of a gateway host or a
+                      gateway host is a suffix of one of the VirtualService hosts.
+                    items:
+                      type: string
+                    type: array
+                  port:
+                    description: 'REQUIRED: The Port on which the proxy should listen
+                      for incoming connections'
+                    properties:
+                      name:
+                        description: Label assigned to the port.
+                        type: string
+                      number:
+                        description: 'REQUIRED: A valid non-negative integer port
+                          number.'
+                        format: int64
+                        type: integer
+                      protocol:
+                        description: 'REQUIRED: The protocol exposed on the port.
+                          MUST BE one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP.'
+                        type: string
+                    required:
+                    - number
+                    - protocol
+                    type: object
+                  tls:
+                    description: Set of TLS related options that govern the server's
+                      behavior. Use these options to control if all http requests
+                      should be redirected to https, and the TLS modes to use.
+                    properties:
+                      caCertificates:
+                        description: REQUIRED if mode is "MUTUAL". The path to a file
+                          containing certificate authority certificates to use in
+                          verifying a presented client side certificate.
+                        type: string
+                      httpsRedirect:
+                        description: If set to true, the load balancer will send a
+                          302 redirect for all http connections, asking the clients
+                          to use HTTPS.
+                        type: boolean
+                      mode:
+                        description: 'Optional: Indicates whether connections to this
+                          port should be secured using TLS. The value of this field
+                          determines how TLS is enforced.'
+                        type: string
+                      privateKey:
+                        description: REQUIRED if mode is "SIMPLE" or "MUTUAL". The
+                          path to the file holding the server's private key.
+                        type: string
+                      serverCertificate:
+                        description: REQUIRED if mode is "SIMPLE" or "MUTUAL". The
+                          path to the file holding the server-side TLS certificate
+                          to use.
+                        type: string
+                      subjectAltNames:
+                        description: A list of alternate names to verify the subject
+                          identity in the certificate presented by the client.
+                        items:
+                          type: string
+                        type: array
+                    required:
+                    - httpsRedirect
+                    - serverCertificate
+                    - privateKey
+                    - caCertificates
+                    - subjectAltNames
+                    type: object
+                required:
+                - port
+                type: object
+              type: array
+          required:
+          - servers
+          type: object
+      required:
+      - spec
+  version: v1alpha3
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/istio_v1alpha3_virtualservice.yaml

@@ -0,0 +1,695 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  creationTimestamp: null
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: virtualservices.istio.kubesphere.io
+spec:
+  group: istio.kubesphere.io
+  names:
+    kind: VirtualService
+    plural: virtualservices
+  scope: Namespaced
+  validation:
+    openAPIV3Schema:
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          properties:
+            gateways:
+              description: The names of gateways and sidecars that should apply these
+                routes. A single VirtualService is used for sidecars inside the mesh
+                as well as for one or more gateways. The selection condition imposed
+                by this field can be overridden using the source field in the match
+                conditions of HTTP/TCP routes. The reserved word "mesh" is used to
+                imply all the sidecars in the mesh. When this field is omitted, the
+                default gateway ("mesh") will be used, which would apply the rule
+                to all sidecars in the mesh. If a list of gateway names is provided,
+                the rules will apply only to the gateways. To apply the rules to both
+                gateways and sidecars, specify "mesh" as one of the gateway names.
+              items:
+                type: string
+              type: array
+            hosts:
+              description: REQUIRED. The destination address for traffic captured
+                by this virtual service. Could be a DNS name with wildcard prefix
+                or a CIDR prefix. Depending on the platform, short-names can also
+                be used instead of a FQDN (i.e. has no dots in the name). In such
+                a scenario, the FQDN of the host would be derived based on the underlying
+                platform.  For example on Kubernetes, when hosts contains a short
+                name, Istio will interpret the short name based on the namespace of
+                the rule. Thus, when a client namespace applies a rule in the "default"
+                namespace containing a name "reviews, Istio will setup routes to the
+                "reviews.default.svc.cluster.local" service. However, if a different
+                name such as "reviews.sales.svc.cluster.local" is used, it would be
+                treated as a FQDN during virtual host matching. In Consul, a plain
+                service name would be resolved to the FQDN "reviews.service.consul".  Note
+                that the hosts field applies to both HTTP and TCP services. Service
+                inside the mesh, i.e., those found in the service registry, must always
+                be referred to using their alphanumeric names. IP addresses or CIDR
+                prefixes are allowed only for services defined via the Gateway.
+              items:
+                type: string
+              type: array
+            http:
+              description: An ordered list of route rules for HTTP traffic. The first
+                rule matching an incoming request is used.
+              items:
+                properties:
+                  appendHeaders:
+                    description: Additional HTTP headers to add before forwarding
+                      a request to the destination service.
+                    type: object
+                  corsPolicy:
+                    description: Cross-Origin Resource Sharing policy
+                    properties:
+                      allowCredentials:
+                        description: Indicates whether the caller is allowed to send
+                          the actual request (not the preflight) using credentials.
+                          Translates to Access-Control-Allow-Credentials header.
+                        type: boolean
+                      allowHeaders:
+                        description: List of HTTP headers that can be used when requesting
+                          the resource. Serialized to Access-Control-Allow-Methods
+                          header.
+                        items:
+                          type: string
+                        type: array
+                      allowMethods:
+                        description: List of HTTP methods allowed to access the resource.
+                          The content will be serialized into the Access-Control-Allow-Methods
+                          header.
+                        items:
+                          type: string
+                        type: array
+                      allowOrigin:
+                        description: The list of origins that are allowed to perform
+                          CORS requests. The content will be serialized into the Access-Control-Allow-Origin
+                          header. Wildcard * will allow all origins.
+                        items:
+                          type: string
+                        type: array
+                      exposeHeaders:
+                        description: A white list of HTTP headers that the browsers
+                          are allowed to access. Serialized into Access-Control-Expose-Headers
+                          header.
+                        items:
+                          type: string
+                        type: array
+                      maxAge:
+                        description: Specifies how long the the results of a preflight
+                          request can be cached. Translates to the Access-Control-Max-Age
+                          header.
+                        type: string
+                    type: object
+                  fault:
+                    description: Fault injection policy to apply on HTTP traffic.
+                    properties:
+                      abort:
+                        description: Abort Http request attempts and return error
+                          codes back to downstream service, giving the impression
+                          that the upstream service is faulty.
+                        properties:
+                          httpStatus:
+                            description: REQUIRED. HTTP status code to use to abort
+                              the Http request.
+                            format: int64
+                            type: integer
+                          percent:
+                            description: Percentage of requests to be aborted with
+                              the error code provided (0-100).
+                            format: int64
+                            type: integer
+                        required:
+                        - httpStatus
+                        type: object
+                      delay:
+                        description: Delay requests before forwarding, emulating various
+                          failures such as network issues, overloaded upstream service,
+                          etc.
+                        properties:
+                          exponentialDelay:
+                            description: (-- Add a delay (based on an exponential
+                              function) before forwarding the request. mean delay
+                              needed to derive the exponential delay values --)
+                            type: string
+                          fixedDelay:
+                            description: 'REQUIRED. Add a fixed delay before forwarding
+                              the request. Format: 1h/1m/1s/1ms. MUST be >=1ms.'
+                            type: string
+                          percent:
+                            description: Percentage of requests on which the delay
+                              will be injected (0-100).
+                            format: int64
+                            type: integer
+                        required:
+                        - fixedDelay
+                        type: object
+                    type: object
+                  match:
+                    description: Match conditions to be satisfied for the rule to
+                      be activated. All conditions inside a single match block have
+                      AND semantics, while the list of match blocks have OR semantics.
+                      The rule is matched if any one of the match blocks succeed.
+                    items:
+                      properties:
+                        authority:
+                          description: 'HTTP Authority values are case-sensitive and
+                            formatted as follows:  - `exact: "value"` for exact string
+                            match  - `prefix: "value"` for prefix-based match  - `regex:
+                            "value"` for ECMAscript style regex-based match'
+                          properties:
+                            exact:
+                              description: exact string match
+                              type: string
+                            prefix:
+                              description: prefix-based match
+                              type: string
+                            regex:
+                              description: ECMAscript style regex-based match
+                              type: string
+                            suffix:
+                              description: suffix-based match.
+                              type: string
+                          type: object
+                        gateways:
+                          description: Names of gateways where the rule should be
+                            applied to. Gateway names at the top of the VirtualService
+                            (if any) are overridden. The gateway match is independent
+                            of sourceLabels.
+                          items:
+                            type: string
+                          type: array
+                        headers:
+                          description: 'The header keys must be lowercase and use
+                            hyphen as the separator, e.g. _x-request-id_.  Header
+                            values are case-sensitive and formatted as follows:  -
+                            `exact: "value"` for exact string match  - `prefix: "value"`
+                            for prefix-based match  - `regex: "value"` for ECMAscript
+                            style regex-based match  **Note:** The keys `uri`, `scheme`,
+                            `method`, and `authority` will be ignored.'
+                          type: object
+                        method:
+                          description: 'HTTP Method values are case-sensitive and
+                            formatted as follows:  - `exact: "value"` for exact string
+                            match  - `prefix: "value"` for prefix-based match  - `regex:
+                            "value"` for ECMAscript style regex-based match'
+                          properties:
+                            exact:
+                              description: exact string match
+                              type: string
+                            prefix:
+                              description: prefix-based match
+                              type: string
+                            regex:
+                              description: ECMAscript style regex-based match
+                              type: string
+                            suffix:
+                              description: suffix-based match.
+                              type: string
+                          type: object
+                        port:
+                          description: Specifies the ports on the host that is being
+                            addressed. Many services only expose a single port or
+                            label ports with the protocols they support, in these
+                            cases it is not required to explicitly select the port.
+                          format: int32
+                          type: integer
+                        scheme:
+                          description: 'URI Scheme values are case-sensitive and formatted
+                            as follows:  - `exact: "value"` for exact string match  -
+                            `prefix: "value"` for prefix-based match  - `regex: "value"`
+                            for ECMAscript style regex-based match'
+                          properties:
+                            exact:
+                              description: exact string match
+                              type: string
+                            prefix:
+                              description: prefix-based match
+                              type: string
+                            regex:
+                              description: ECMAscript style regex-based match
+                              type: string
+                            suffix:
+                              description: suffix-based match.
+                              type: string
+                          type: object
+                        sourceLabels:
+                          description: One or more labels that constrain the applicability
+                            of a rule to workloads with the given labels. If the VirtualService
+                            has a list of gateways specified at the top, it should
+                            include the reserved gateway `mesh` in order for this
+                            field to be applicable.
+                          type: object
+                        uri:
+                          description: 'URI to match values are case-sensitive and
+                            formatted as follows:  - `exact: "value"` for exact string
+                            match  - `prefix: "value"` for prefix-based match  - `regex:
+                            "value"` for ECMAscript style regex-based match'
+                          properties:
+                            exact:
+                              description: exact string match
+                              type: string
+                            prefix:
+                              description: prefix-based match
+                              type: string
+                            regex:
+                              description: ECMAscript style regex-based match
+                              type: string
+                            suffix:
+                              description: suffix-based match.
+                              type: string
+                          type: object
+                      type: object
+                    type: array
+                  mirror:
+                    description: Mirror HTTP traffic to a another destination in addition
+                      to forwarding the requests to the intended destination. Mirrored
+                      traffic is on a best effort basis where the sidecar/gateway
+                      will not wait for the mirrored cluster to respond before returning
+                      the response from the original destination.  Statistics will
+                      be generated for the mirrored destination.
+                    properties:
+                      host:
+                        description: 'REQUIRED. The name of a service from the service
+                          registry. Service names are looked up from the platform''s
+                          service registry (e.g., Kubernetes services, Consul services,
+                          etc.) and from the hosts declared by [ServiceEntry](#ServiceEntry).
+                          Traffic forwarded to destinations that are not found in
+                          either of the two, will be dropped.  *Note for Kubernetes
+                          users*: When short names are used (e.g. "reviews" instead
+                          of "reviews.default.svc.cluster.local"), Istio will interpret
+                          the short name based on the namespace of the rule, not the
+                          service. A rule in the "default" namespace containing a
+                          host "reviews will be interpreted as "reviews.default.svc.cluster.local",
+                          irrespective of the actual namespace associated with the
+                          reviews service. _To avoid potential misconfigurations,
+                          it is recommended to always use fully qualified domain names
+                          over short names._'
+                        type: string
+                      port:
+                        description: Specifies the port on the host that is being
+                          addressed. If a service exposes only a single port it is
+                          not required to explicitly select the port.
+                        properties:
+                          name:
+                            description: Valid port name
+                            type: string
+                          number:
+                            description: Valid port number
+                            format: int32
+                            type: integer
+                        type: object
+                      subset:
+                        description: The name of a subset within the service. Applicable
+                          only to services within the mesh. The subset must be defined
+                          in a corresponding DestinationRule.
+                        type: string
+                    required:
+                    - host
+                    type: object
+                  redirect:
+                    description: A http rule can either redirect or forward (default)
+                      traffic. If traffic passthrough option is specified in the rule,
+                      route/redirect will be ignored. The redirect primitive can be
+                      used to send a HTTP 302 redirect to a different URI or Authority.
+                    properties:
+                      authority:
+                        description: On a redirect, overwrite the Authority/Host portion
+                          of the URL with this value.
+                        type: string
+                      uri:
+                        description: On a redirect, overwrite the Path portion of
+                          the URL with this value. Note that the entire path will
+                          be replaced, irrespective of the request URI being matched
+                          as an exact path or prefix.
+                        type: string
+                    type: object
+                  removeResponseHeaders:
+                    description: Http headers to remove before returning the response
+                      to the caller
+                    type: object
+                  retries:
+                    description: Retry policy for HTTP requests.
+                    properties:
+                      attempts:
+                        description: REQUIRED. Number of retries for a given request.
+                          The interval between retries will be determined automatically
+                          (25ms+). Actual number of retries attempted depends on the
+                          httpReqTimeout.
+                        format: int64
+                        type: integer
+                      perTryTimeout:
+                        description: 'Timeout per retry attempt for a given request.
+                          format: 1h/1m/1s/1ms. MUST BE >=1ms.'
+                        type: string
+                    required:
+                    - attempts
+                    - perTryTimeout
+                    type: object
+                  rewrite:
+                    description: Rewrite HTTP URIs and Authority headers. Rewrite
+                      cannot be used with Redirect primitive. Rewrite will be performed
+                      before forwarding.
+                    properties:
+                      authority:
+                        description: rewrite the Authority/Host header with this value.
+                        type: string
+                      uri:
+                        description: rewrite the path (or the prefix) portion of the
+                          URI with this value. If the original URI was matched based
+                          on prefix, the value provided in this field will replace
+                          the corresponding matched prefix.
+                        type: string
+                    type: object
+                  route:
+                    description: A http rule can either redirect or forward (default)
+                      traffic. The forwarding target can be one of several versions
+                      of a service (see glossary in beginning of document). Weights
+                      associated with the service version determine the proportion
+                      of traffic it receives.
+                    items:
+                      properties:
+                        destination:
+                          description: REQUIRED. Destination uniquely identifies the
+                            instances of a service to which the request/connection
+                            should be forwarded to.
+                          properties:
+                            host:
+                              description: 'REQUIRED. The name of a service from the
+                                service registry. Service names are looked up from
+                                the platform''s service registry (e.g., Kubernetes
+                                services, Consul services, etc.) and from the hosts
+                                declared by [ServiceEntry](#ServiceEntry). Traffic
+                                forwarded to destinations that are not found in either
+                                of the two, will be dropped.  *Note for Kubernetes
+                                users*: When short names are used (e.g. "reviews"
+                                instead of "reviews.default.svc.cluster.local"), Istio
+                                will interpret the short name based on the namespace
+                                of the rule, not the service. A rule in the "default"
+                                namespace containing a host "reviews will be interpreted
+                                as "reviews.default.svc.cluster.local", irrespective
+                                of the actual namespace associated with the reviews
+                                service. _To avoid potential misconfigurations, it
+                                is recommended to always use fully qualified domain
+                                names over short names._'
+                              type: string
+                            port:
+                              description: Specifies the port on the host that is
+                                being addressed. If a service exposes only a single
+                                port it is not required to explicitly select the port.
+                              properties:
+                                name:
+                                  description: Valid port name
+                                  type: string
+                                number:
+                                  description: Valid port number
+                                  format: int32
+                                  type: integer
+                              type: object
+                            subset:
+                              description: The name of a subset within the service.
+                                Applicable only to services within the mesh. The subset
+                                must be defined in a corresponding DestinationRule.
+                              type: string
+                          required:
+                          - host
+                          type: object
+                        weight:
+                          description: REQUIRED. The proportion of traffic to be forwarded
+                            to the service version. (0-100). Sum of weights across
+                            destinations SHOULD BE == 100. If there is only destination
+                            in a rule, the weight value is assumed to be 100.
+                          format: int64
+                          type: integer
+                      required:
+                      - destination
+                      - weight
+                      type: object
+                    type: array
+                  timeout:
+                    description: Timeout for HTTP requests.
+                    type: string
+                  websocketUpgrade:
+                    description: Indicates that a HTTP/1.1 client connection to this
+                      particular route should be allowed (and expected) to upgrade
+                      to a WebSocket connection. The default is false. Istio's reference
+                      sidecar implementation (Envoy) expects the first request to
+                      this route to contain the WebSocket upgrade headers. Otherwise,
+                      the request will be rejected. Note that Websocket allows secondary
+                      protocol negotiation which may then be subject to further routing
+                      rules based on the protocol selected.
+                    type: boolean
+                type: object
+              type: array
+            tcp:
+              description: An ordered list of route rules for TCP traffic. The first
+                rule matching an incoming request is used.
+              items:
+                properties:
+                  match:
+                    description: Match conditions to be satisfied for the rule to
+                      be activated. All conditions inside a single match block have
+                      AND semantics, while the list of match blocks have OR semantics.
+                      The rule is matched if any one of the match blocks succeed.
+                    items:
+                      properties:
+                        destinationSubnets:
+                          description: IPv4 or IPv6 ip address of destination with
+                            optional subnet.  E.g., a.b.c.d/xx form or just a.b.c.d.
+                          items:
+                            type: string
+                          type: array
+                        gateways:
+                          description: Names of gateways where the rule should be
+                            applied to. Gateway names at the top of the VirtualService
+                            (if any) are overridden. The gateway match is independent
+                            of sourceLabels.
+                          items:
+                            type: string
+                          type: array
+                        port:
+                          description: Specifies the port on the host that is being
+                            addressed. Many services only expose a single port or
+                            label ports with the protocols they support, in these
+                            cases it is not required to explicitly select the port.
+                          format: int64
+                          type: integer
+                        sourceLabels:
+                          description: One or more labels that constrain the applicability
+                            of a rule to workloads with the given labels. If the VirtualService
+                            has a list of gateways specified at the top, it should
+                            include the reserved gateway `mesh` in order for this
+                            field to be applicable.
+                          type: object
+                      type: object
+                    type: array
+                  route:
+                    description: The destinations to which the connection should be
+                      forwarded to. Weights must add to 100%.
+                    items:
+                      properties:
+                        destination:
+                          description: REQUIRED. Destination uniquely identifies the
+                            instances of a service to which the request/connection
+                            should be forwarded to.
+                          properties:
+                            host:
+                              description: 'REQUIRED. The name of a service from the
+                                service registry. Service names are looked up from
+                                the platform''s service registry (e.g., Kubernetes
+                                services, Consul services, etc.) and from the hosts
+                                declared by [ServiceEntry](#ServiceEntry). Traffic
+                                forwarded to destinations that are not found in either
+                                of the two, will be dropped.  *Note for Kubernetes
+                                users*: When short names are used (e.g. "reviews"
+                                instead of "reviews.default.svc.cluster.local"), Istio
+                                will interpret the short name based on the namespace
+                                of the rule, not the service. A rule in the "default"
+                                namespace containing a host "reviews will be interpreted
+                                as "reviews.default.svc.cluster.local", irrespective
+                                of the actual namespace associated with the reviews
+                                service. _To avoid potential misconfigurations, it
+                                is recommended to always use fully qualified domain
+                                names over short names._'
+                              type: string
+                            port:
+                              description: Specifies the port on the host that is
+                                being addressed. If a service exposes only a single
+                                port it is not required to explicitly select the port.
+                              properties:
+                                name:
+                                  description: Valid port name
+                                  type: string
+                                number:
+                                  description: Valid port number
+                                  format: int32
+                                  type: integer
+                              type: object
+                            subset:
+                              description: The name of a subset within the service.
+                                Applicable only to services within the mesh. The subset
+                                must be defined in a corresponding DestinationRule.
+                              type: string
+                          required:
+                          - host
+                          type: object
+                        weight:
+                          description: REQUIRED. The proportion of traffic to be forwarded
+                            to the service version. (0-100). Sum of weights across
+                            destinations SHOULD BE == 100. If there is only destination
+                            in a rule, the weight value is assumed to be 100.
+                          format: int64
+                          type: integer
+                      required:
+                      - destination
+                      - weight
+                      type: object
+                    type: array
+                required:
+                - match
+                - route
+                type: object
+              type: array
+            tls:
+              items:
+                properties:
+                  match:
+                    description: REQUIRED. Match conditions to be satisfied for the
+                      rule to be activated. All conditions inside a single match block
+                      have AND semantics, while the list of match blocks have OR semantics.
+                      The rule is matched if any one of the match blocks succeed.
+                    items:
+                      properties:
+                        destinationSubnets:
+                          description: IPv4 or IPv6 ip addresses of destination with
+                            optional subnet.  E.g., a.b.c.d/xx form or just a.b.c.d.
+                          items:
+                            type: string
+                          type: array
+                        gateways:
+                          description: Names of gateways where the rule should be
+                            applied to. Gateway names at the top of the VirtualService
+                            (if any) are overridden. The gateway match is independent
+                            of sourceLabels.
+                          items:
+                            type: string
+                          type: array
+                        port:
+                          description: Specifies the port on the host that is being
+                            addressed. Many services only expose a single port or
+                            label ports with the protocols they support, in these
+                            cases it is not required to explicitly select the port.
+                          format: int64
+                          type: integer
+                        sniHosts:
+                          description: REQUIRED. SNI (server name indicator) to match
+                            on. Wildcard prefixes can be used in the SNI value, e.g.,
+                            *.com will match foo.example.com as well as example.com.
+                            An SNI value must be a subset (i.e., fall within the domain)
+                            of the corresponding virtual service's hosts
+                          items:
+                            type: string
+                          type: array
+                        sourceLabels:
+                          description: One or more labels that constrain the applicability
+                            of a rule to workloads with the given labels. If the VirtualService
+                            has a list of gateways specified at the top, it should
+                            include the reserved gateway `mesh` in order for this
+                            field to be applicable.
+                          type: object
+                      required:
+                      - sniHosts
+                      type: object
+                    type: array
+                  route:
+                    description: The destination to which the connection should be
+                      forwarded to.
+                    items:
+                      properties:
+                        destination:
+                          description: REQUIRED. Destination uniquely identifies the
+                            instances of a service to which the request/connection
+                            should be forwarded to.
+                          properties:
+                            host:
+                              description: 'REQUIRED. The name of a service from the
+                                service registry. Service names are looked up from
+                                the platform''s service registry (e.g., Kubernetes
+                                services, Consul services, etc.) and from the hosts
+                                declared by [ServiceEntry](#ServiceEntry). Traffic
+                                forwarded to destinations that are not found in either
+                                of the two, will be dropped.  *Note for Kubernetes
+                                users*: When short names are used (e.g. "reviews"
+                                instead of "reviews.default.svc.cluster.local"), Istio
+                                will interpret the short name based on the namespace
+                                of the rule, not the service. A rule in the "default"
+                                namespace containing a host "reviews will be interpreted
+                                as "reviews.default.svc.cluster.local", irrespective
+                                of the actual namespace associated with the reviews
+                                service. _To avoid potential misconfigurations, it
+                                is recommended to always use fully qualified domain
+                                names over short names._'
+                              type: string
+                            port:
+                              description: Specifies the port on the host that is
+                                being addressed. If a service exposes only a single
+                                port it is not required to explicitly select the port.
+                              properties:
+                                name:
+                                  description: Valid port name
+                                  type: string
+                                number:
+                                  description: Valid port number
+                                  format: int32
+                                  type: integer
+                              type: object
+                            subset:
+                              description: The name of a subset within the service.
+                                Applicable only to services within the mesh. The subset
+                                must be defined in a corresponding DestinationRule.
+                              type: string
+                          required:
+                          - host
+                          type: object
+                        weight:
+                          description: REQUIRED. The proportion of traffic to be forwarded
+                            to the service version. (0-100). Sum of weights across
+                            destinations SHOULD BE == 100. If there is only destination
+                            in a rule, the weight value is assumed to be 100.
+                          format: int64
+                          type: integer
+                      required:
+                      - destination
+                      - weight
+                      type: object
+                    type: array
+                required:
+                - match
+                - route
+                type: object
+              type: array
+          required:
+          - hosts
+          type: object
+      required:
+      - spec
+  version: v1alpha3
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/network.kubesphere.io_namespacenetworkpolicies.yaml

@@ -0,0 +1,259 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: namespacenetworkpolicies.network.kubesphere.io
+spec:
+  group: network.kubesphere.io
+  names:
+    categories:
+    - networking
+    kind: NamespaceNetworkPolicy
+    listKind: NamespaceNetworkPolicyList
+    plural: namespacenetworkpolicies
+    shortNames:
+    - nsnp
+    singular: namespacenetworkpolicy
+  scope: Namespaced
+  validation:
+    openAPIV3Schema:
+      description: NamespaceNetworkPolicy is the Schema for the namespacenetworkpolicies
+        API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: NamespaceNetworkPolicySpec provides the specification of a
+            NamespaceNetworkPolicy
+          properties:
+            egress:
+              description: List of egress rules to be applied to the selected pods.
+                Outgoing traffic is allowed if there are no NetworkPolicies selecting
+                the pod (and cluster policy otherwise allows the traffic), OR if the
+                traffic matches at least one egress rule across all of the NetworkPolicy
+                objects whose podSelector matches the pod. If this field is empty
+                then this NetworkPolicy limits all outgoing traffic (and serves solely
+                to ensure that the pods it selects are isolated by default). This
+                field is beta-level in 1.8
+              items:
+                description: NetworkPolicyEgressRule describes a particular set of
+                  traffic that is allowed out of pods matched by a NetworkPolicySpec's
+                  podSelector. The traffic must match both ports and to. This type
+                  is beta-level in 1.8
+                properties:
+                  ports:
+                    description: List of destination ports for outgoing traffic. Each
+                      item in this list is combined using a logical OR. If this field
+                      is empty or missing, this rule matches all ports (traffic not
+                      restricted by port). If this field is present and contains at
+                      least one item, then this rule allows traffic only if the traffic
+                      matches at least one port in the list.
+                    items:
+                      description: NetworkPolicyPort describes a port to allow traffic
+                        on
+                      properties:
+                        port:
+                          anyOf:
+                          - type: integer
+                          - type: string
+                          description: The port on the given protocol. This can either
+                            be a numerical or named port on a pod. If this field is
+                            not provided, this matches all port names and numbers.
+                          x-kubernetes-int-or-string: true
+                        protocol:
+                          description: The protocol (TCP, UDP, or SCTP) which traffic
+                            must match. If not specified, this field defaults to TCP.
+                          type: string
+                      type: object
+                    type: array
+                  to:
+                    description: List of destinations for outgoing traffic of pods
+                      selected for this rule. Items in this list are combined using
+                      a logical OR operation. If this field is empty or missing, this
+                      rule matches all destinations (traffic not restricted by destination).
+                      If this field is present and contains at least one item, this
+                      rule allows traffic only if the traffic matches at least one
+                      item in the to list.
+                    items:
+                      description: NetworkPolicyPeer describes a peer to allow traffic
+                        from. Only certain combinations of fields are allowed
+                      properties:
+                        ipBlock:
+                          description: IPBlock defines policy on a particular IPBlock.
+                            If this field is set then neither of the other fields
+                            can be.
+                          properties:
+                            cidr:
+                              description: CIDR is a string representing the IP Block
+                                Valid examples are "192.168.1.1/24"
+                              type: string
+                            except:
+                              description: Except is a slice of CIDRs that should
+                                not be included within an IP Block Valid examples
+                                are "192.168.1.1/24" Except values will be rejected
+                                if they are outside the CIDR range
+                              items:
+                                type: string
+                              type: array
+                          required:
+                          - cidr
+                          type: object
+                        namespace:
+                          properties:
+                            name:
+                              type: string
+                          required:
+                          - name
+                          type: object
+                        service:
+                          properties:
+                            name:
+                              type: string
+                            namespace:
+                              type: string
+                          required:
+                          - name
+                          - namespace
+                          type: object
+                      type: object
+                    type: array
+                type: object
+              type: array
+            ingress:
+              description: List of ingress rules to be applied to the selected pods.
+                Traffic is allowed to a pod if there are no NetworkPolicies selecting
+                the pod (and cluster policy otherwise allows the traffic), OR if the
+                traffic source is the pod's local node, OR if the traffic matches
+                at least one ingress rule across all of the NetworkPolicy objects
+                whose podSelector matches the pod. If this field is empty then this
+                NetworkPolicy does not allow any traffic (and serves solely to ensure
+                that the pods it selects are isolated by default)
+              items:
+                description: NetworkPolicyIngressRule describes a particular set of
+                  traffic that is allowed to the pods matched by a NetworkPolicySpec's
+                  podSelector. The traffic must match both ports and from.
+                properties:
+                  from:
+                    description: List of sources which should be able to access the
+                      pods selected for this rule. Items in this list are combined
+                      using a logical OR operation. If this field is empty or missing,
+                      this rule matches all sources (traffic not restricted by source).
+                      If this field is present and contains at least one item, this
+                      rule allows traffic only if the traffic matches at least one
+                      item in the from list.
+                    items:
+                      description: NetworkPolicyPeer describes a peer to allow traffic
+                        from. Only certain combinations of fields are allowed
+                      properties:
+                        ipBlock:
+                          description: IPBlock defines policy on a particular IPBlock.
+                            If this field is set then neither of the other fields
+                            can be.
+                          properties:
+                            cidr:
+                              description: CIDR is a string representing the IP Block
+                                Valid examples are "192.168.1.1/24"
+                              type: string
+                            except:
+                              description: Except is a slice of CIDRs that should
+                                not be included within an IP Block Valid examples
+                                are "192.168.1.1/24" Except values will be rejected
+                                if they are outside the CIDR range
+                              items:
+                                type: string
+                              type: array
+                          required:
+                          - cidr
+                          type: object
+                        namespace:
+                          properties:
+                            name:
+                              type: string
+                          required:
+                          - name
+                          type: object
+                        service:
+                          properties:
+                            name:
+                              type: string
+                            namespace:
+                              type: string
+                          required:
+                          - name
+                          - namespace
+                          type: object
+                      type: object
+                    type: array
+                  ports:
+                    description: List of ports which should be made accessible on
+                      the pods selected for this rule. Each item in this list is combined
+                      using a logical OR. If this field is empty or missing, this
+                      rule matches all ports (traffic not restricted by port). If
+                      this field is present and contains at least one item, then this
+                      rule allows traffic only if the traffic matches at least one
+                      port in the list.
+                    items:
+                      description: NetworkPolicyPort describes a port to allow traffic
+                        on
+                      properties:
+                        port:
+                          anyOf:
+                          - type: integer
+                          - type: string
+                          description: The port on the given protocol. This can either
+                            be a numerical or named port on a pod. If this field is
+                            not provided, this matches all port names and numbers.
+                          x-kubernetes-int-or-string: true
+                        protocol:
+                          description: The protocol (TCP, UDP, or SCTP) which traffic
+                            must match. If not specified, this field defaults to TCP.
+                          type: string
+                      type: object
+                    type: array
+                type: object
+              type: array
+            policyTypes:
+              description: List of rule types that the NetworkPolicy relates to. Valid
+                options are "Ingress", "Egress", or "Ingress,Egress". If this field
+                is not specified, it will default based on the existence of Ingress
+                or Egress rules; policies that contain an Egress section are assumed
+                to affect Egress, and all policies (whether or not they contain an
+                Ingress section) are assumed to affect Ingress. If you want to write
+                an egress-only policy, you must explicitly specify policyTypes [ "Egress"
+                ]. Likewise, if you want to write a policy that specifies that no
+                egress is allowed, you must specify a policyTypes value that include
+                "Egress" (since such a policy would not include an Egress section
+                and would otherwise default to just [ "Ingress" ]). This field is
+                beta-level in 1.8
+              items:
+                description: Policy Type string describes the NetworkPolicy type This
+                  type is beta-level in 1.8
+                type: string
+              type: array
+          type: object
+      type: object
+  version: v1alpha1
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/snapshot.storage.k8s.io_volumesnapshot.yaml

@@ -0,0 +1,503 @@
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.2.5
+    api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/260"
+  creationTimestamp: null
+  name: volumesnapshotclasses.snapshot.storage.k8s.io
+spec:
+  additionalPrinterColumns:
+    - JSONPath: .driver
+      name: Driver
+      type: string
+    - JSONPath: .deletionPolicy
+      description: Determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass
+        should be deleted when its bound VolumeSnapshot is deleted.
+      name: DeletionPolicy
+      type: string
+    - JSONPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+  group: snapshot.storage.k8s.io
+  names:
+    kind: VolumeSnapshotClass
+    listKind: VolumeSnapshotClassList
+    plural: volumesnapshotclasses
+    singular: volumesnapshotclass
+  preserveUnknownFields: false
+  scope: Cluster
+  subresources: {}
+  validation:
+    openAPIV3Schema:
+      description: VolumeSnapshotClass specifies parameters that a underlying storage
+        system uses when creating a volume snapshot. A specific VolumeSnapshotClass
+        is used by specifying its name in a VolumeSnapshot object. VolumeSnapshotClasses
+        are non-namespaced
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        deletionPolicy:
+          description: deletionPolicy determines whether a VolumeSnapshotContent created
+            through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot
+            is deleted. Supported values are "Retain" and "Delete". "Retain" means
+            that the VolumeSnapshotContent and its physical snapshot on underlying
+            storage system are kept. "Delete" means that the VolumeSnapshotContent
+            and its physical snapshot on underlying storage system are deleted. Required.
+          enum:
+            - Delete
+            - Retain
+          type: string
+        driver:
+          description: driver is the name of the storage driver that handles this
+            VolumeSnapshotClass. Required.
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        parameters:
+          additionalProperties:
+            type: string
+          description: parameters is a key-value map with storage driver specific
+            parameters for creating snapshots. These values are opaque to Kubernetes.
+          type: object
+      required:
+        - deletionPolicy
+        - driver
+      type: object
+  version: v1beta1
+  versions:
+    - name: v1beta1
+      served: true
+      storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.2.5
+    api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/260"
+  creationTimestamp: null
+  name: volumesnapshotcontents.snapshot.storage.k8s.io
+spec:
+  additionalPrinterColumns:
+    - JSONPath: .status.readyToUse
+      description: Indicates if a snapshot is ready to be used to restore a volume.
+      name: ReadyToUse
+      type: boolean
+    - JSONPath: .status.restoreSize
+      description: Represents the complete size of the snapshot in bytes
+      name: RestoreSize
+      type: integer
+    - JSONPath: .spec.deletionPolicy
+      description: Determines whether this VolumeSnapshotContent and its physical snapshot
+        on the underlying storage system should be deleted when its bound VolumeSnapshot
+        is deleted.
+      name: DeletionPolicy
+      type: string
+    - JSONPath: .spec.driver
+      description: Name of the CSI driver used to create the physical snapshot on the
+        underlying storage system.
+      name: Driver
+      type: string
+    - JSONPath: .spec.volumeSnapshotClassName
+      description: Name of the VolumeSnapshotClass to which this snapshot belongs.
+      name: VolumeSnapshotClass
+      type: string
+    - JSONPath: .spec.volumeSnapshotRef.name
+      description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent
+        object is bound.
+      name: VolumeSnapshot
+      type: string
+    - JSONPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+  group: snapshot.storage.k8s.io
+  names:
+    kind: VolumeSnapshotContent
+    listKind: VolumeSnapshotContentList
+    plural: volumesnapshotcontents
+    singular: volumesnapshotcontent
+  preserveUnknownFields: false
+  scope: Cluster
+  subresources:
+    status: {}
+  validation:
+    openAPIV3Schema:
+      description: VolumeSnapshotContent represents the actual "on-disk" snapshot
+        object in the underlying storage system
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        spec:
+          description: spec defines properties of a VolumeSnapshotContent created
+            by the underlying storage system. Required.
+          properties:
+            deletionPolicy:
+              description: deletionPolicy determines whether this VolumeSnapshotContent
+                and its physical snapshot on the underlying storage system should
+                be deleted when its bound VolumeSnapshot is deleted. Supported values
+                are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent
+                and its physical snapshot on underlying storage system are kept. "Delete"
+                means that the VolumeSnapshotContent and its physical snapshot on
+                underlying storage system are deleted. In dynamic snapshot creation
+                case, this field will be filled in with the "DeletionPolicy" field
+                defined in the VolumeSnapshotClass the VolumeSnapshot refers to. For
+                pre-existing snapshots, users MUST specify this field when creating
+                the VolumeSnapshotContent object. Required.
+              enum:
+                - Delete
+                - Retain
+              type: string
+            driver:
+              description: driver is the name of the CSI driver used to create the
+                physical snapshot on the underlying storage system. This MUST be the
+                same as the name returned by the CSI GetPluginName() call for that
+                driver. Required.
+              type: string
+            source:
+              description: source specifies from where a snapshot will be created.
+                This field is immutable after creation. Required.
+              properties:
+                snapshotHandle:
+                  description: snapshotHandle specifies the CSI "snapshot_id" of a
+                    pre-existing snapshot on the underlying storage system. This field
+                    is immutable.
+                  type: string
+                volumeHandle:
+                  description: volumeHandle specifies the CSI "volume_id" of the volume
+                    from which a snapshot should be dynamically taken from. This field
+                    is immutable.
+                  type: string
+              type: object
+            volumeSnapshotClassName:
+              description: name of the VolumeSnapshotClass to which this snapshot
+                belongs.
+              type: string
+            volumeSnapshotRef:
+              description: volumeSnapshotRef specifies the VolumeSnapshot object to
+                which this VolumeSnapshotContent object is bound. VolumeSnapshot.Spec.VolumeSnapshotContentName
+                field must reference to this VolumeSnapshotContent's name for the
+                bidirectional binding to be valid. For a pre-existing VolumeSnapshotContent
+                object, name and namespace of the VolumeSnapshot object MUST be provided
+                for binding to happen. This field is immutable after creation. Required.
+              properties:
+                apiVersion:
+                  description: API version of the referent.
+                  type: string
+                fieldPath:
+                  description: 'If referring to a piece of an object instead of an
+                    entire object, this string should contain a valid JSON/Go field
+                    access statement, such as desiredState.manifest.containers[2].
+                    For example, if the object reference is to a container within
+                    a pod, this would take on a value like: "spec.containers{name}"
+                    (where "name" refers to the name of the container that triggered
+                    the event) or if no container name is specified "spec.containers[2]"
+                    (container with index 2 in this pod). This syntax is chosen only
+                    to have some well-defined way of referencing a part of an object.
+                    TODO: this design is not final and this field is subject to change
+                    in the future.'
+                  type: string
+                kind:
+                  description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                  type: string
+                name:
+                  description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                  type: string
+                namespace:
+                  description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                  type: string
+                resourceVersion:
+                  description: 'Specific resourceVersion to which this reference is
+                    made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                  type: string
+                uid:
+                  description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                  type: string
+              type: object
+          required:
+            - deletionPolicy
+            - driver
+            - source
+            - volumeSnapshotRef
+          type: object
+        status:
+          description: status represents the current information of a snapshot.
+          properties:
+            creationTime:
+              description: creationTime is the timestamp when the point-in-time snapshot
+                is taken by the underlying storage system. In dynamic snapshot creation
+                case, this field will be filled in with the "creation_time" value
+                returned from CSI "CreateSnapshotRequest" gRPC call. For a pre-existing
+                snapshot, this field will be filled with the "creation_time" value
+                returned from the CSI "ListSnapshots" gRPC call if the driver supports
+                it. If not specified, it indicates the creation time is unknown. The
+                format of this field is a Unix nanoseconds time encoded as an int64.
+                On Unix, the command `date +%s%N` returns the current time in nanoseconds
+                since 1970-01-01 00:00:00 UTC.
+              format: int64
+              type: integer
+            error:
+              description: error is the latest observed error during snapshot creation,
+                if any.
+              properties:
+                message:
+                  description: 'message is a string detailing the encountered error
+                    during snapshot creation if specified. NOTE: message may be logged,
+                    and it should not contain sensitive information.'
+                  type: string
+                time:
+                  description: time is the timestamp when the error was encountered.
+                  format: date-time
+                  type: string
+              type: object
+            readyToUse:
+              description: readyToUse indicates if a snapshot is ready to be used
+                to restore a volume. In dynamic snapshot creation case, this field
+                will be filled in with the "ready_to_use" value returned from CSI
+                "CreateSnapshotRequest" gRPC call. For a pre-existing snapshot, this
+                field will be filled with the "ready_to_use" value returned from the
+                CSI "ListSnapshots" gRPC call if the driver supports it, otherwise,
+                this field will be set to "True". If not specified, it means the readiness
+                of a snapshot is unknown.
+              type: boolean
+            restoreSize:
+              description: restoreSize represents the complete size of the snapshot
+                in bytes. In dynamic snapshot creation case, this field will be filled
+                in with the "size_bytes" value returned from CSI "CreateSnapshotRequest"
+                gRPC call. For a pre-existing snapshot, this field will be filled
+                with the "size_bytes" value returned from the CSI "ListSnapshots"
+                gRPC call if the driver supports it. When restoring a volume from
+                this snapshot, the size of the volume MUST NOT be smaller than the
+                restoreSize if it is specified, otherwise the restoration will fail.
+                If not specified, it indicates that the size is unknown.
+              format: int64
+              minimum: 0
+              type: integer
+            snapshotHandle:
+              description: snapshotHandle is the CSI "snapshot_id" of a snapshot on
+                the underlying storage system. If not specified, it indicates that
+                dynamic snapshot creation has either failed or it is still in progress.
+              type: string
+          type: object
+      required:
+        - spec
+      type: object
+  version: v1beta1
+  versions:
+    - name: v1beta1
+      served: true
+      storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.2.5
+    api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/260"
+  creationTimestamp: null
+  name: volumesnapshots.snapshot.storage.k8s.io
+spec:
+  additionalPrinterColumns:
+    - JSONPath: .status.readyToUse
+      description: Indicates if a snapshot is ready to be used to restore a volume.
+      name: ReadyToUse
+      type: boolean
+    - JSONPath: .spec.source.persistentVolumeClaimName
+      description: Name of the source PVC from where a dynamically taken snapshot will
+        be created.
+      name: SourcePVC
+      type: string
+    - JSONPath: .spec.source.volumeSnapshotContentName
+      description: Name of the VolumeSnapshotContent which represents a pre-provisioned
+        snapshot.
+      name: SourceSnapshotContent
+      type: string
+    - JSONPath: .status.restoreSize
+      description: Represents the complete size of the snapshot.
+      name: RestoreSize
+      type: string
+    - JSONPath: .spec.volumeSnapshotClassName
+      description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot.
+      name: SnapshotClass
+      type: string
+    - JSONPath: .status.boundVolumeSnapshotContentName
+      description: The name of the VolumeSnapshotContent to which this VolumeSnapshot
+        is bound.
+      name: SnapshotContent
+      type: string
+    - JSONPath: .status.creationTime
+      description: Timestamp when the point-in-time snapshot is taken by the underlying
+        storage system.
+      name: CreationTime
+      type: date
+    - JSONPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+  group: snapshot.storage.k8s.io
+  names:
+    kind: VolumeSnapshot
+    listKind: VolumeSnapshotList
+    plural: volumesnapshots
+    singular: volumesnapshot
+  preserveUnknownFields: false
+  scope: Namespaced
+  subresources:
+    status: {}
+  validation:
+    openAPIV3Schema:
+      description: VolumeSnapshot is a user's request for either creating a point-in-time
+        snapshot of a persistent volume, or binding to a pre-existing snapshot.
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        spec:
+          description: 'spec defines the desired characteristics of a snapshot requested
+            by a user. More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots
+            Required.'
+          properties:
+            source:
+              description: source specifies where a snapshot will be created from.
+                This field is immutable after creation. Required.
+              properties:
+                persistentVolumeClaimName:
+                  description: persistentVolumeClaimName specifies the name of the
+                    PersistentVolumeClaim object in the same namespace as the VolumeSnapshot
+                    object where the snapshot should be dynamically taken from. This
+                    field is immutable.
+                  type: string
+                volumeSnapshotContentName:
+                  description: volumeSnapshotContentName specifies the name of a pre-existing
+                    VolumeSnapshotContent object. This field is immutable.
+                  type: string
+              type: object
+            volumeSnapshotClassName:
+              description: 'volumeSnapshotClassName is the name of the VolumeSnapshotClass
+                requested by the VolumeSnapshot. If not specified, the default snapshot
+                class will be used if one exists. If not specified, and there is no
+                default snapshot class, dynamic snapshot creation will fail. Empty
+                string is not allowed for this field. TODO(xiangqian): a webhook validation
+                on empty string. More info: https://kubernetes.io/docs/concepts/storage/volume-snapshot-classes'
+              type: string
+          required:
+            - source
+          type: object
+        status:
+          description: 'status represents the current information of a snapshot. NOTE:
+            status can be modified by sources other than system controllers, and must
+            not be depended upon for accuracy. Controllers should only use information
+            from the VolumeSnapshotContent object after verifying that the binding
+            is accurate and complete.'
+          properties:
+            boundVolumeSnapshotContentName:
+              description: 'boundVolumeSnapshotContentName represents the name of
+                the VolumeSnapshotContent object to which the VolumeSnapshot object
+                is bound. If not specified, it indicates that the VolumeSnapshot object
+                has not been successfully bound to a VolumeSnapshotContent object
+                yet. NOTE: Specified boundVolumeSnapshotContentName alone does not
+                mean binding       is valid. Controllers MUST always verify bidirectional
+                binding between       VolumeSnapshot and VolumeSnapshotContent to
+                avoid possible security issues.'
+              type: string
+            creationTime:
+              description: creationTime is the timestamp when the point-in-time snapshot
+                is taken by the underlying storage system. In dynamic snapshot creation
+                case, this field will be filled in with the "creation_time" value
+                returned from CSI "CreateSnapshotRequest" gRPC call. For a pre-existing
+                snapshot, this field will be filled with the "creation_time" value
+                returned from the CSI "ListSnapshots" gRPC call if the driver supports
+                it. If not specified, it indicates that the creation time of the snapshot
+                is unknown.
+              format: date-time
+              type: string
+            error:
+              description: error is the last observed error during snapshot creation,
+                if any. This field could be helpful to upper level controllers(i.e.,
+                application controller) to decide whether they should continue on
+                waiting for the snapshot to be created based on the type of error
+                reported.
+              properties:
+                message:
+                  description: 'message is a string detailing the encountered error
+                    during snapshot creation if specified. NOTE: message may be logged,
+                    and it should not contain sensitive information.'
+                  type: string
+                time:
+                  description: time is the timestamp when the error was encountered.
+                  format: date-time
+                  type: string
+              type: object
+            readyToUse:
+              description: readyToUse indicates if a snapshot is ready to be used
+                to restore a volume. In dynamic snapshot creation case, this field
+                will be filled in with the "ready_to_use" value returned from CSI
+                "CreateSnapshotRequest" gRPC call. For a pre-existing snapshot, this
+                field will be filled with the "ready_to_use" value returned from the
+                CSI "ListSnapshots" gRPC call if the driver supports it, otherwise,
+                this field will be set to "True". If not specified, it means the readiness
+                of a snapshot is unknown.
+              type: boolean
+            restoreSize:
+              anyOf:
+                - type: integer
+                - type: string
+              description: restoreSize represents the complete size of the snapshot
+                in bytes. In dynamic snapshot creation case, this field will be filled
+                in with the "size_bytes" value returned from CSI "CreateSnapshotRequest"
+                gRPC call. For a pre-existing snapshot, this field will be filled
+                with the "size_bytes" value returned from the CSI "ListSnapshots"
+                gRPC call if the driver supports it. When restoring a volume from
+                this snapshot, the size of the volume MUST NOT be smaller than the
+                restoreSize if it is specified, otherwise the restoration will fail.
+                If not specified, it indicates that the size is unknown.
+              pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+              x-kubernetes-int-or-string: true
+          type: object
+      required:
+        - spec
+      type: object
+  version: v1beta1
+  versions:
+    - name: v1beta1
+      served: true
+      storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/storage.kubesphere.io_provisionercapabilities.yaml

@@ -0,0 +1,110 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: provisionercapabilities.storage.kubesphere.io
+spec:
+  group: storage.kubesphere.io
+  names:
+    kind: ProvisionerCapability
+    listKind: ProvisionerCapabilityList
+    plural: provisionercapabilities
+    singular: provisionercapability
+  scope: Namespaced
+  validation:
+    openAPIV3Schema:
+      description: ProvisionerCapability is the schema for the provisionercapability
+        API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: ProvisionerCapabilitySpec defines the desired state of ProvisionerCapability
+          properties:
+            features:
+              description: CapabilityFeatures describe storage features
+              properties:
+                snapshot:
+                  description: SnapshotFeature describe snapshot features
+                  properties:
+                    create:
+                      type: boolean
+                    list:
+                      type: boolean
+                  required:
+                  - create
+                  - list
+                  type: object
+                topology:
+                  type: boolean
+                volume:
+                  description: VolumeFeature describe volume features
+                  properties:
+                    attach:
+                      type: boolean
+                    clone:
+                      type: boolean
+                    create:
+                      type: boolean
+                    expandMode:
+                      type: string
+                    list:
+                      type: boolean
+                    stats:
+                      type: boolean
+                  required:
+                  - attach
+                  - clone
+                  - create
+                  - expandMode
+                  - list
+                  - stats
+                  type: object
+              required:
+              - snapshot
+              - topology
+              - volume
+              type: object
+            pluginInfo:
+              description: PluginInfo describes plugin info
+              properties:
+                name:
+                  type: string
+                version:
+                  type: string
+              required:
+              - name
+              - version
+              type: object
+          required:
+          - features
+          - pluginInfo
+          type: object
+      required:
+      - spec
+      type: object
+  version: v1alpha1
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/storage.kubesphere.io_storageclasscapabilities.yaml

@@ -0,0 +1,101 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: storageclasscapabilities.storage.kubesphere.io
+spec:
+  group: storage.kubesphere.io
+  names:
+    kind: StorageClassCapability
+    listKind: StorageClassCapabilityList
+    plural: storageclasscapabilities
+    singular: storageclasscapability
+  scope: Namespaced
+  validation:
+    openAPIV3Schema:
+      description: StorageClassCapability is the Schema for the storage class capability
+        API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: StorageClassCapabilitySpec defines the desired state of StorageClassCapability
+          properties:
+            features:
+              description: CapabilityFeatures describe storage features
+              properties:
+                snapshot:
+                  description: SnapshotFeature describe snapshot features
+                  properties:
+                    create:
+                      type: boolean
+                    list:
+                      type: boolean
+                  required:
+                  - create
+                  - list
+                  type: object
+                topology:
+                  type: boolean
+                volume:
+                  description: VolumeFeature describe volume features
+                  properties:
+                    attach:
+                      type: boolean
+                    clone:
+                      type: boolean
+                    create:
+                      type: boolean
+                    expandMode:
+                      type: string
+                    list:
+                      type: boolean
+                    stats:
+                      type: boolean
+                  required:
+                  - attach
+                  - clone
+                  - create
+                  - expandMode
+                  - list
+                  - stats
+                  type: object
+              required:
+              - snapshot
+              - topology
+              - volume
+              type: object
+            provisioner:
+              type: string
+          required:
+          - features
+          - provisioner
+          type: object
+      required:
+      - spec
+      type: object
+  version: v1alpha1
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/tenant.kubesphere.io_workspaces.yaml

@@ -0,0 +1,58 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: workspaces.tenant.kubesphere.io
+spec:
+  group: tenant.kubesphere.io
+  names:
+    categories:
+    - tenant
+    kind: Workspace
+    listKind: WorkspaceList
+    plural: workspaces
+    singular: workspace
+  scope: Cluster
+  validation:
+    openAPIV3Schema:
+      description: Workspace is the Schema for the workspaces API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: WorkspaceSpec defines the desired state of Workspace
+          properties:
+            manager:
+              type: string
+            networkIsolation:
+              type: boolean
+          type: object
+        status:
+          description: WorkspaceStatus defines the observed state of Workspace
+          type: object
+      type: object
+  version: v1alpha1
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/tenant.kubesphere.io_workspacetemplates.yaml

@@ -0,0 +1,111 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: workspacetemplates.tenant.kubesphere.io
+spec:
+  group: tenant.kubesphere.io
+  names:
+    categories:
+    - tenant
+    kind: WorkspaceTemplate
+    listKind: WorkspaceTemplateList
+    plural: workspacetemplates
+    singular: workspacetemplate
+  scope: Cluster
+  validation:
+    openAPIV3Schema:
+      description: WorkspaceTemplate is the Schema for the workspacetemplates API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          properties:
+            overrides:
+              items:
+                properties:
+                  clusterName:
+                    type: string
+                  clusterOverrides:
+                    items:
+                      properties:
+                        op:
+                          type: string
+                        path:
+                          type: string
+                        value:
+                          type: object
+                      required:
+                      - path
+                      - value
+                      type: object
+                    type: array
+                required:
+                - clusterName
+                - clusterOverrides
+                type: object
+              type: array
+            placement:
+              properties:
+                clusterSelector:
+                  properties:
+                    matchLabels:
+                      additionalProperties:
+                        type: string
+                      type: object
+                  type: object
+                clusters:
+                  items:
+                    properties:
+                      name:
+                        type: string
+                    required:
+                    - name
+                    type: object
+                  type: array
+              type: object
+            template:
+              properties:
+                metadata:
+                  type: object
+                spec:
+                  description: WorkspaceSpec defines the desired state of Workspace
+                  properties:
+                    manager:
+                      type: string
+                    networkIsolation:
+                      type: boolean
+                  type: object
+              required:
+              - spec
+              type: object
+          required:
+          - placement
+          - template
+          type: object
+      type: object
+  version: v1alpha2
+  versions:
+  - name: v1alpha2
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/default/kustomization.yaml

@@ -0,0 +1,49 @@
+# Add namespace to all resources.
+namespace: t-system
+
+# Value of this field is prepended to the
+# names of all resources, e.g. a deployment named
+# "wordpress" becomes "alices-wordpress".
+# Note that it should also match with the prefix (text before '-') of the namespace
+# field above.
+namePrefix: t-
+
+# Labels to add to all resources and selectors.
+#commonLabels:
+#  someName: someValue
+
+# Each entry in this list must resolve to an existing
+# resource definition in YAML. These are the resource
+# files that kustomize reads, modifies and emits as a
+# YAML string, with resources separated by document
+# markers ("---").
+resources:
+- ../rbac/rbac_role.yaml
+- ../rbac/rbac_role_binding.yaml
+- ../manager/manager.yaml
+  # Comment the following 3 lines if you want to disable
+  # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
+  # which protects your /metrics endpoint.
+#- ../rbac/auth_proxy_service.yaml
+#- ../rbac/auth_proxy_role.yaml
+#- ../rbac/auth_proxy_role_binding.yaml
+
+patches:
+- manager_image_patch.yaml
+  # Protect the /metrics endpoint by putting it behind auth.
+  # Only one of manager_auth_proxy_patch.yaml and
+  # manager_prometheus_metrics_patch.yaml should be enabled.
+- manager_auth_proxy_patch.yaml
+  # If you want your controller-manager to expose the /metrics
+  # endpoint w/o any authn/z, uncomment the following line and
+  # comment manager_auth_proxy_patch.yaml.
+  # Only one of manager_auth_proxy_patch.yaml and
+  # manager_prometheus_metrics_patch.yaml should be enabled.
+#- manager_prometheus_metrics_patch.yaml
+
+vars:
+- name: WEBHOOK_SECRET_NAME
+  objref:
+    kind: Secret
+    name: webhook-server-secret
+    apiVersion: v1

config/default/manager_auth_proxy_patch.yaml

@@ -0,0 +1,24 @@
+# This patch injects a sidecar container which is an HTTP proxy for the controller manager.
+# It performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - name: kube-rbac-proxy
+        image: quay.io/coreos/kube-rbac-proxy:v0.4.0
+        args:
+        - "--secure-listen-address=0.0.0.0:8443"
+        - "--upstream=http://127.0.0.1:8080/"
+        - "--logtostderr=true"
+        - "--v=10"
+        ports:
+        - containerPort: 8443
+          name: https
+      - name: manager
+        args:
+        - "--metrics-addr=127.0.0.1:8080"

config/default/manager_image_patch.yaml

@@ -0,0 +1,12 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      # Change the value of image field below to your controller image URL
+      - image: kubespheredev/controller-manager:latest
+        name: manager

config/default/manager_prometheus_metrics_patch.yaml

@@ -0,0 +1,19 @@
+# This patch enables Prometheus scraping for the manager pod.
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    metadata:
+      annotations:
+        prometheus.io/scrape: 'true'
+    spec:
+      containers:
+      # Expose the prometheus metrics on default port
+      - name: manager
+        ports:
+        - containerPort: 8080
+          name: metrics
+          protocol: TCP

config/default/provisonercapability/aws-ebs.yaml

@@ -0,0 +1,20 @@
+apiVersion: storage.kubesphere.io/v1alpha1
+kind: ProvisionerCapability
+metadata:
+  name: kubernetes-io-aws-ebs
+spec:
+  pluginInfo:
+    name: kubernetes.io/aws-ebs
+    version: ""
+  features:
+    topology: false
+    volume:
+      create: true
+      attach: true
+      clone: false
+      list: false
+      stats: false
+      expandMode: ONLINE
+    snapshot:
+      create: false
+      list: false

config/default/provisonercapability/azure-disk.yaml

@@ -0,0 +1,20 @@
+apiVersion: storage.kubesphere.io/v1alpha1
+kind: ProvisionerCapability
+metadata:
+  name: kubernetes-io-azure-disk
+spec:
+  pluginInfo:
+    name: kubernetes.io/azure-disk
+    version: ""
+  features:
+    topology: false
+    volume:
+      create: true
+      attach: true
+      clone: false
+      list: false
+      stats: false
+      expandMode: OFFLINE
+    snapshot:
+      create: false
+      list: false

config/default/provisonercapability/azure-file.yaml

@@ -0,0 +1,20 @@
+apiVersion: storage.kubesphere.io/v1alpha1
+kind: ProvisionerCapability
+metadata:
+  name: kubernetes-io-azure-file
+spec:
+  pluginInfo:
+    name: kubernetes.io/azure-file
+    version: ""
+  features:
+    topology: false
+    volume:
+      create: true
+      attach: true
+      clone: false
+      list: false
+      stats: false
+      expandMode: OFFLINE
+    snapshot:
+      create: false
+      list: false

config/default/provisonercapability/cinder.yaml

@@ -0,0 +1,20 @@
+apiVersion: storage.kubesphere.io/v1alpha1
+kind: ProvisionerCapability
+metadata:
+  name: kubernetes-io-cinder
+spec:
+  pluginInfo:
+    name: kubernetes.io/cinder
+    version: ""
+  features:
+    topology: false
+    volume:
+      create: true
+      attach: true
+      clone: false
+      list: false
+      stats: false
+      expandMode: ONLINE
+    snapshot:
+      create: false
+      list: false

config/default/provisonercapability/gce-pd.yaml

@@ -0,0 +1,20 @@
+apiVersion: storage.kubesphere.io/v1alpha1
+kind: ProvisionerCapability
+metadata:
+  name: kubernetes-io-gce-pd
+spec:
+  pluginInfo:
+    name: kubernetes.io/gce-pd
+    version: ""
+  features:
+    topology: false
+    volume:
+      create: true
+      attach: true
+      clone: false
+      list: false
+      stats: false
+      expandMode: ONLINE
+    snapshot:
+      create: false
+      list: false

config/default/provisonercapability/glusterfs.yaml

@@ -0,0 +1,20 @@
+apiVersion: storage.kubesphere.io/v1alpha1
+kind: ProvisionerCapability
+metadata:
+  name: kubernetes-io-glusterfs
+spec:
+  pluginInfo:
+    name: kubernetes.io/glusterfs
+    version: ""
+  features:
+    topology: false
+    volume:
+      create: true
+      attach: true
+      clone: false
+      list: false
+      stats: false
+      expandMode: OFFLINE
+    snapshot:
+      create: false
+      list: false

config/default/provisonercapability/portworx-volume.yaml

@@ -0,0 +1,20 @@
+apiVersion: storage.kubesphere.io/v1alpha1
+kind: ProvisionerCapability
+metadata:
+  name: kubernetes-io-portworx-volume
+spec:
+  pluginInfo:
+    name: kubernetes.io/portworx-volume
+    version: ""
+  features:
+    topology: false
+    volume:
+      create: true
+      attach: true
+      clone: false
+      list: false
+      stats: false
+      expandMode: OFFLINE
+    snapshot:
+      create: false
+      list: false

config/default/provisonercapability/rbd.yaml

@@ -0,0 +1,20 @@
+apiVersion: storage.kubesphere.io/v1alpha1
+kind: ProvisionerCapability
+metadata:
+  name: kubernetes-io-rbd
+spec:
+  pluginInfo:
+    name: kubernetes.io/rbd
+    version: ""
+  features:
+    topology: false
+    volume:
+      create: true
+      attach: true
+      clone: false
+      list: false
+      stats: false
+      expandMode: ONLINE
+    snapshot:
+      create: false
+      list: false

config/manager/manager.yaml

@@ -0,0 +1,83 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    control-plane: controller-manager
+    controller-tools.k8s.io: "1.0"
+  name: system
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: controller-manager-service
+  namespace: system
+  labels:
+    control-plane: controller-manager
+    controller-tools.k8s.io: "1.0"
+spec:
+  selector:
+    control-plane: controller-manager
+    controller-tools.k8s.io: "1.0"
+  ports:
+  - port: 443
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: controller-manager
+  namespace: system
+  labels:
+    control-plane: controller-manager
+    controller-tools.k8s.io: "1.0"
+spec:
+  selector:
+    matchLabels:
+      control-plane: controller-manager
+      controller-tools.k8s.io: "1.0"
+  serviceName: controller-manager-service
+  template:
+    metadata:
+      labels:
+        control-plane: controller-manager
+        controller-tools.k8s.io: "1.0"
+    spec:
+      containers:
+      - command:
+        - ./controller-manager
+        image: kubespheredev/controller-manager:latest
+        imagePullPolicy: Always
+        name: manager
+        env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          - name: SECRET_NAME
+            value: $(WEBHOOK_SECRET_NAME)
+        resources:
+          limits:
+            cpu: 100m
+            memory: 30Mi
+          requests:
+            cpu: 100m
+            memory: 20Mi
+        ports:
+        - containerPort: 9876
+          name: webhook-server
+          protocol: TCP
+        volumeMounts:
+        - mountPath: /tmp/cert
+          name: cert
+          readOnly: true
+      terminationGracePeriodSeconds: 10
+      volumes:
+      - name: cert
+        secret:
+          defaultMode: 420
+          secretName: webhook-server-secret
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: webhook-server-secret
+  namespace: system

config/rbac/auth_proxy_role.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: proxy-role
+rules:
+- apiGroups: ["authentication.k8s.io"]
+  resources:
+  - tokenreviews
+  verbs: ["create"]
+- apiGroups: ["authorization.k8s.io"]
+  resources:
+  - subjectaccessreviews
+  verbs: ["create"]

config/rbac/auth_proxy_role_binding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: proxy-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: proxy-role
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: system

config/rbac/auth_proxy_service.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    prometheus.io/port: "8443"
+    prometheus.io/scheme: https
+    prometheus.io/scrape: "true"
+  labels:
+    control-plane: controller-manager
+    controller-tools.k8s.io: "1.0"
+  name: controller-manager-metrics-service
+  namespace: system
+spec:
+  ports:
+  - name: https
+    port: 8443
+    targetPort: https
+  selector:
+    control-plane: controller-manager
+    controller-tools.k8s.io: "1.0"

config/rbac/rbac_role.yaml

@@ -0,0 +1,171 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: manager-role
+rules:
+- apiGroups:
+  - core.kubesphere.io
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - core.kubesphere.io
+  resources:
+  - namespaces/status
+  verbs:
+  - get
+  - update
+  - patch
+- apiGroups:
+  - core.kubesphere.io
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - core.kubesphere.io
+  resources:
+  - namespaces/status
+  verbs:
+  - get
+  - update
+  - patch
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - apps
+  resources:
+  - deployments/status
+  verbs:
+  - get
+  - update
+  - patch
+- apiGroups:
+  - devops.kubesphere.io
+  resources:
+  - s2ibinaries
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - devops.kubesphere.io
+  resources:
+  - s2ibinaries/status
+  verbs:
+  - get
+  - update
+  - patch
+- apiGroups:
+  - tenant.kubesphere.io
+  resources:
+  - workspaces
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - tenant.kubesphere.io
+  resources:
+  - workspaces/status
+  verbs:
+  - get
+  - update
+  - patch
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - mutatingwebhookconfigurations
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - "storage.k8s.io"
+  resources:
+  - storageclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - "snapshot.storage.k8s.io"
+  resources:
+  - volumesnapshotclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - "storage.kubesphere.io"
+  resources:
+  - storageclasscapabilities
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete

config/rbac/rbac_role_binding.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  creationTimestamp: null
+  name: manager-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: manager-role
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: system

config/rbac/role.yaml

@@ -0,0 +1,54 @@
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: manager-role
+rules:
+- apiGroups:
+  - crd.projectcalico.org
+  resources:
+  - clusterinformations
+  - felixconfigurations
+  - globalfelixconfigs
+  - globalnetworkpolicies
+  - globalnetworksets
+  - hostendpoints
+  - ipamblocks
+  - ippools
+  - networkpolicies
+  - networksets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - network.kubesphere.io
+  resources:
+  - namespacenetworkpolicies
+  - workspacenetworkpolicies
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - tenant.kubesphere.io
+  resources:
+  - workspaces
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch

config/samples/devops_v1alpha1_s2ibinary.yaml

@@ -0,0 +1,6 @@
+apiVersion: devops.kubesphere.io/v1alpha1
+kind: S2iBinary
+metadata:
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: s2ibinary-sample