Release v4.1.3 (#6459)

Signed-off-by: hongming <coder.scala@gmail.com>

.github/workflows/build-multiarch.yaml

@@ -17,16 +17,16 @@ jobs:
       GO111MODULE: on
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
-      - name: Login to Aliyun
+      - name: Login to HUAWEICLOUD
         uses: docker/login-action@v3
         with:
-          registry: registry.cn-beijing.aliyuncs.com
-          username: ${{ secrets.ALIYUNCS_USERNAME }}
-          password: ${{ secrets.ALIYUNCS_PASSWORD }}
+          registry: swr.cn-southwest-2.myhuaweicloud.com
+          username: ${{ secrets.HUAWEICLOUD_USERNAME }}
+          password: ${{ secrets.HUAWEICLOUD_PASSWORD }}
 
       - name: Login to DOCKER
         uses: docker/login-action@v3
@@ -56,17 +56,18 @@ jobs:
         uses: docker/build-push-action@v6
         if: steps.chose_registry.outputs.env == 'prod'
         with:
+          context: ${{ github.workspace }}
           file: build/ks-apiserver/Dockerfile
           platforms: linux/amd64,linux/arm64
           push: true
           tags: |
             docker.io/kubesphere/ks-apiserver:${{ steps.chose_registry.outputs.tag }}
-            registry.cn-beijing.aliyuncs.com/kubesphereio/ks-apiserver:${{ steps.chose_registry.outputs.tag }}
 
       - name: Build and push ks-apiserver dev images
         uses: docker/build-push-action@v6
         if: steps.chose_registry.outputs.env == 'dev'
         with:
+          context: ${{ github.workspace }}
           file: build/ks-apiserver/Dockerfile
           platforms: linux/amd64,linux/arm64
           push: true
@@ -77,19 +78,34 @@ jobs:
         uses: docker/build-push-action@v6
         if: steps.chose_registry.outputs.env == 'prod'
         with:
+          context: ${{ github.workspace }}
           file: build/ks-controller-manager/Dockerfile
           platforms: linux/amd64,linux/arm64
           push: true
           tags: |
             docker.io/kubesphere/ks-controller-manager:${{ steps.chose_registry.outputs.tag }}
-            registry.cn-beijing.aliyuncs.com/kubesphereio/ks-controller-manager:${{ steps.chose_registry.outputs.tag }}
+
 
       - name: Build and push ks-controller-manager dev images
         uses: docker/build-push-action@v6
         if: steps.chose_registry.outputs.env == 'dev'
         with:
+          context: ${{ github.workspace }}
           file: build/ks-controller-manager/Dockerfile
           platforms: linux/amd64,linux/arm64
           push: true
           tags: |
             docker.io/kubespheredev/ks-controller-manager:${{ steps.chose_registry.outputs.tag }}
+
+      - name: Sync ks images to HUAWEICLOUD
+        if: steps.chose_registry.outputs.env == 'prod'
+        run: |
+          # apiserver
+          docker pull docker.io/kubesphere/ks-apiserver:${{ steps.chose_registry.outputs.tag }}
+          docker tag docker.io/kubesphere/ks-apiserver:${{ steps.chose_registry.outputs.tag }} swr.cn-southwest-2.myhuaweicloud.com/ks/kubesphere/ks-apiserver:${{ steps.chose_registry.outputs.tag }}
+          docker push swr.cn-southwest-2.myhuaweicloud.com/ks/kubesphere/ks-apiserver:${{ steps.chose_registry.outputs.tag }}
+          # controller-manager
+          docker pull docker.io/kubesphere/ks-controller-manager:${{ steps.chose_registry.outputs.tag }}
+          docker tag docker.io/kubesphere/ks-controller-manager:${{ steps.chose_registry.outputs.tag }} swr.cn-southwest-2.myhuaweicloud.com/ks/kubesphere/ks-controller-manager:${{ steps.chose_registry.outputs.tag }}
+          docker push swr.cn-southwest-2.myhuaweicloud.com/ks/kubesphere/ks-controller-manager:${{ steps.chose_registry.outputs.tag }}
+          

.github/workflows/sync-helm-chart.yaml

@@ -1,3 +1,5 @@
+name: SyncHelmChart
+
 on:
   workflow_dispatch:
   push:
@@ -5,36 +7,64 @@ on:
       - 'config/ks-core/**'
     branches:
       - 'master'
+      - 'release-*'
+    tags:
+      - 'helm-chart-*'
+      - 'v*'
 
 jobs:
   sync-chart:
-    runs-on: self-runner-kubesphere
+    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - name: Check out kubesphere/kubesphere
+        uses: actions/checkout@v4
         with:
+          path: kubesphere
+          fetch-depth: 0
+
+      - name: Check out kubesphere/helm-charts
+        uses: actions/checkout@v4
+        with:
+          repository: ks-ci-bot/helm-charts
+          token: ${{ secrets.CIBOT_ACCESS_TOKEN }}
+          path: helm-charts
           fetch-depth: 0
 
       - name: Setup SSH
-        uses: MrSquaare/ssh-setup-action@v2
+        uses: MrSquaare/ssh-setup-action@v3
         with:
+          working-directory: helm-charts
           host: github.com
           private-key: ${{ secrets.SSH_PRIVATE_KEY }}
 
-      - run: |
+      - name: Sync charts
+        run: |
+          cd helm-charts
           git config --global user.email "ci-bot@kubesphere.io"
           git config --global user.name "ks-ci-bot"
-          git clone git@github.com:kubesphere/helm-charts.git
-          rm -rf helm-charts/src/test/ks-core
-          cp -r config/ks-core helm-charts/src/test/
-          cd helm-charts/
+          git remote add ks git@github.com:kubesphere/helm-charts.git
+          git fetch ks master
+          git checkout -b sync/ks-core/${GITHUB_REF#refs/*/} ks/master
+          rm -rf src/test/ks-core
+          cp -r ../kubesphere/config/ks-core src/test/
+          if [[ ${GITHUB_REF#refs/*/} =~ ^helm-chart-[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+            rm -rf src/main/ks-core
+            cp -r ../kubesphere/config/ks-core src/main/
+          fi
           git add .
           git commit -m "update ks-core helm chart"
-          git push origin master:sync/ks-core --force
+          git push origin sync/ks-core/${GITHUB_REF#refs/*/} --force
 
-      - env:
+      - name: Create Pull Request
+        env:
           GH_TOKEN: ${{ secrets.CIBOT_ACCESS_TOKEN }}
         run: |
-          cd helm-charts/
-          if [[ $(gh pr ls -H sync/ks-core -B master) == "" ]]; then
-            gh pr create -H sync/ks-core -B master --title "Update ks-core helm chart" --body "Update ks-core helm chart"
+          cd helm-charts
+          if [[ $(gh pr ls -R kubesphere/helm-charts -A ks-ci-bot -H sync/ks-core/${GITHUB_REF#refs/*/} -B master) == "" ]]; then
+            # Create a PR in the kubesphere/helm-charts repository
+            gh pr create -R kubesphere/helm-charts \
+              -B master \
+              -H ks-ci-bot:sync/ks-core/${GITHUB_REF#refs/*/} \
+              -t "Update ks-core helm chart from ${GITHUB_REF#refs/*/}" \
+              -b "Update ks-core helm chart"
           fi

LICENSE

@@ -18,7 +18,7 @@ KubeSphere is licensed under the Apache License 2.0, with the following addition
 
    b. Your contributed code may be utilized for commercial purposes.
 
-3. These additional conditions apply to all versions of KubeSphere, including those without a LICENSE file prior to KubeSphere's open-sourcing.
+3. These additional conditions apply exclusively to KubeSphere version 4.x and all future versions. Versions 3.4.x and earlier are not included under these terms and continue to be governed by their previous licenses.
 
 Apart from these additional conditions, all other rights and restrictions are governed by the Apache License 2.0, available at http://www.apache.org/licenses/LICENSE-2.0.
 

LICENSES/LICENSE

@@ -21,7 +21,7 @@ KubeSphere is licensed under the Apache License 2.0, with the following addition
 
    b. Your contributed code may be utilized for commercial purposes.
 
-3. These additional conditions apply to all versions of KubeSphere, including those without a LICENSE file prior to KubeSphere's open-sourcing.
+3. These additional conditions apply exclusively to KubeSphere version 4.x and all future versions. Versions 3.4.x and earlier are not included under these terms and continue to be governed by their previous licenses.
 
 Apart from these additional conditions, all other rights and restrictions are governed by the Apache License 2.0, available at http://www.apache.org/licenses/LICENSE-2.0.
 
@@ -41,5 +41,5 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 
-= LICENSE 1607c5af06ab423b8c4fa838e7ba9000
+= LICENSE 123cd141a9515e60fbd64c3dbcfa9e94
 ================================================================================

LICENSES/vendor/github.com/antlr/antlr4/runtime/Go/antlr/v4/LICENSE

@@ -1,30 +0,0 @@
-= vendor/github.com/antlr/antlr4/runtime/Go/antlr/v4 licensed under: =
-
-Copyright 2021 The ANTLR Project
-
-Redistribution and use in source and binary forms, with or without modification,
-are permitted provided that the following conditions are met:
-
-    1. Redistributions of source code must retain the above copyright notice,
-    this list of conditions and the following disclaimer.
-
-    2. Redistributions in binary form must reproduce the above copyright notice,
-    this list of conditions and the following disclaimer in the documentation
-    and/or other materials provided with the distribution.
-
-    3. Neither the name of the copyright holder nor the names of its
-    contributors may be used to endorse or promote products derived from this
-    software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-= vendor/github.com/antlr/antlr4/runtime/Go/antlr/v4/LICENSE 7efb09a9ec943fd32bc2645ceaf109d0

LICENSES/vendor/github.com/antlr4-go/antlr/v4/LICENSE

@@ -0,0 +1,32 @@
+= vendor/github.com/antlr4-go/antlr/v4 licensed under: =
+
+Copyright (c) 2012-2023 The ANTLR Project. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+notice, this list of conditions and the following disclaimer in the
+documentation and/or other materials provided with the distribution.
+
+3. Neither name of copyright holders nor the names of its contributors
+may be used to endorse or promote products derived from this software
+without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR
+CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+= vendor/github.com/antlr4-go/antlr/v4/LICENSE f399e127495f9783cfbe2b3b2802555f

LICENSES/vendor/github.com/containerd/errdefs/LICENSE

@@ -1,7 +1,9 @@
+= vendor/github.com/containerd/errdefs licensed under: =
+
 
                                  Apache License
                            Version 2.0, January 2004
-                        http://www.apache.org/licenses/
+                        https://www.apache.org/licenses/
 
    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 
@@ -176,27 +178,18 @@
 
    END OF TERMS AND CONDITIONS
 
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "[]"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright [yyyy] [name of copyright owner]
+   Copyright The containerd Authors
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at
 
-       http://www.apache.org/licenses/LICENSE-2.0
+       https://www.apache.org/licenses/LICENSE-2.0
 
    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
+
+= vendor/github.com/containerd/errdefs/LICENSE 1269f40c0d099c21a871163984590d89

LICENSES/vendor/github.com/containerd/platforms/LICENSE

@@ -1,7 +1,9 @@
+= vendor/github.com/containerd/platforms licensed under: =
+
 
                                  Apache License
                            Version 2.0, January 2004
-                        http://www.apache.org/licenses/
+                        https://www.apache.org/licenses/
 
    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 
@@ -176,27 +178,18 @@
 
    END OF TERMS AND CONDITIONS
 
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "[]"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright [yyyy] [name of copyright owner]
+   Copyright The containerd Authors
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at
 
-       http://www.apache.org/licenses/LICENSE-2.0
+       https://www.apache.org/licenses/LICENSE-2.0
 
    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
+
+= vendor/github.com/containerd/platforms/LICENSE 1269f40c0d099c21a871163984590d89

LICENSES/vendor/github.com/coreos/go-oidc/v3/LICENSE

@@ -1,4 +1,4 @@
-= vendor/github.com/coreos/go-oidc licensed under: =
+= vendor/github.com/coreos/go-oidc/v3 licensed under: =
 
 Apache License
                            Version 2.0, January 2004
@@ -203,4 +203,4 @@ Apache License
    limitations under the License.
 
 
-= vendor/github.com/coreos/go-oidc/LICENSE d2794c0df5b907fdace235a619d80314
+= vendor/github.com/coreos/go-oidc/v3/LICENSE d2794c0df5b907fdace235a619d80314

LICENSES/vendor/github.com/cyphar/filepath-securejoin/LICENSE

@@ -1,7 +1,7 @@
 = vendor/github.com/cyphar/filepath-securejoin licensed under: =
 
 Copyright (C) 2014-2015 Docker Inc & Go Authors. All rights reserved.
-Copyright (C) 2017 SUSE LLC. All rights reserved.
+Copyright (C) 2017-2024 SUSE LLC. All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
@@ -29,4 +29,4 @@ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-= vendor/github.com/cyphar/filepath-securejoin/LICENSE 8d322afab99e1998dbfcc712f94e824d
+= vendor/github.com/cyphar/filepath-securejoin/LICENSE 7e05df0b39896d74600ef94ab46dce89

LICENSES/vendor/github.com/fxamacker/cbor/v2/LICENSE

@@ -0,0 +1,24 @@
+= vendor/github.com/fxamacker/cbor/v2 licensed under: =
+
+MIT License
+
+Copyright (c) 2019-present Faye Amacker
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+= vendor/github.com/fxamacker/cbor/v2/LICENSE 827f5a2fa861382d35a3943adf9ebb86

LICENSES/vendor/github.com/go-jose/go-jose/v4/LICENSE

@@ -1,4 +1,4 @@
-= vendor/gopkg.in/square/go-jose.v2 licensed under: =
+= vendor/github.com/go-jose/go-jose/v4 licensed under: =
 
 
                                  Apache License
@@ -203,4 +203,4 @@
    See the License for the specific language governing permissions and
    limitations under the License.
 
-= vendor/gopkg.in/square/go-jose.v2/LICENSE 3b83ef96387f14655fc854ddc3c6bd57
+= vendor/github.com/go-jose/go-jose/v4/LICENSE 3b83ef96387f14655fc854ddc3c6bd57

LICENSES/vendor/github.com/go-task/slim-sprig/v3/LICENSE

@@ -1,4 +1,4 @@
-= vendor/github.com/go-task/slim-sprig licensed under: =
+= vendor/github.com/go-task/slim-sprig/v3 licensed under: =
 
 Copyright (C) 2013-2020 Masterminds
 
@@ -20,4 +20,4 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
 
-= vendor/github.com/go-task/slim-sprig/LICENSE.txt 4ed8d725bea5f035fcea1ab05a767f78
+= vendor/github.com/go-task/slim-sprig/v3/LICENSE.txt 4ed8d725bea5f035fcea1ab05a767f78

LICENSES/vendor/github.com/kylelemons/godebug/LICENSE

@@ -1,4 +1,4 @@
-= vendor/google.golang.org/genproto licensed under: =
+= vendor/github.com/kylelemons/godebug licensed under: =
 
 
                                  Apache License
@@ -203,4 +203,4 @@
    See the License for the specific language governing permissions and
    limitations under the License.
 
-= vendor/google.golang.org/genproto/LICENSE 3b83ef96387f14655fc854ddc3c6bd57
+= vendor/github.com/kylelemons/godebug/LICENSE 3b83ef96387f14655fc854ddc3c6bd57

LICENSES/vendor/github.com/matttproud/golang_protobuf_extensions/v2/LICENSE

@@ -1,205 +0,0 @@
-= vendor/github.com/matttproud/golang_protobuf_extensions/v2 licensed under: =
-
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "{}"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright {yyyy} {name of copyright owner}
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
-
-= vendor/github.com/matttproud/golang_protobuf_extensions/v2/LICENSE e3fc50a88d0a364313df4b21ef20c29e

LICENSES/vendor/github.com/onsi/ginkgo/LICENSE

@@ -1,24 +0,0 @@
-= vendor/github.com/onsi/ginkgo licensed under: =
-
-Copyright (c) 2013-2014 Onsi Fakhouri
-
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of this software and associated documentation files (the
-"Software"), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to
-the following conditions:
-
-The above copyright notice and this permission notice shall be
-included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-= vendor/github.com/onsi/ginkgo/LICENSE 570603114d52313cb86c0206401c9af7

LICENSES/vendor/github.com/onsi/ginkgo/v2/LICENSE

@@ -21,4 +21,4 @@ LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
 OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
 WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
-= vendor/github.com/onsi/ginkgo/LICENSE 570603114d52313cb86c0206401c9af7
+= vendor/github.com/onsi/ginkgo/v2/LICENSE 570603114d52313cb86c0206401c9af7

LICENSES/vendor/github.com/pquerna/cachecontrol/LICENSE

@@ -1,206 +0,0 @@
-= vendor/github.com/pquerna/cachecontrol licensed under: =
-
-
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "[]"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright [yyyy] [name of copyright owner]
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
-
-= vendor/github.com/pquerna/cachecontrol/LICENSE 3b83ef96387f14655fc854ddc3c6bd57

LICENSES/vendor/github.com/robfig/cron/v3/LICENSE

@@ -0,0 +1,25 @@
+= vendor/github.com/robfig/cron/v3 licensed under: =
+
+Copyright (C) 2012 Rob Figueiredo
+All Rights Reserved.
+
+MIT LICENSE
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+= vendor/github.com/robfig/cron/v3/LICENSE d924a63cb54a2a6c4bd28c50b2b0af59

LICENSES/vendor/github.com/x448/float16/LICENSE

@@ -0,0 +1,26 @@
+= vendor/github.com/x448/float16 licensed under: =
+
+MIT License
+
+Copyright (c) 2019 Montgomery Edwards⁴⁴⁸ and Faye Amacker
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+
+= vendor/github.com/x448/float16/LICENSE de8f8e025d57fe7ee0b67f30d571323b

LICENSES/vendor/golang.org/x/crypto/LICENSE

@@ -1,6 +1,6 @@
 = vendor/golang.org/x/crypto licensed under: =
 
-Copyright (c) 2009 The Go Authors. All rights reserved.
+Copyright 2009 The Go Authors.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
@@ -12,7 +12,7 @@ notice, this list of conditions and the following disclaimer.
 copyright notice, this list of conditions and the following disclaimer
 in the documentation and/or other materials provided with the
 distribution.
-   * Neither the name of Google Inc. nor the names of its
+   * Neither the name of Google LLC nor the names of its
 contributors may be used to endorse or promote products derived from
 this software without specific prior written permission.
 
@@ -28,4 +28,4 @@ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-= vendor/golang.org/x/crypto/LICENSE 5d4950ecb7b26d2c5e4e7b4e0dd74707
+= vendor/golang.org/x/crypto/LICENSE 7998cb338f82d15c0eff93b7004d272a

LICENSES/vendor/golang.org/x/exp/LICENSE

@@ -1,6 +1,6 @@
 = vendor/golang.org/x/exp licensed under: =
 
-Copyright (c) 2009 The Go Authors. All rights reserved.
+Copyright 2009 The Go Authors.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
@@ -12,7 +12,7 @@ notice, this list of conditions and the following disclaimer.
 copyright notice, this list of conditions and the following disclaimer
 in the documentation and/or other materials provided with the
 distribution.
-   * Neither the name of Google Inc. nor the names of its
+   * Neither the name of Google LLC nor the names of its
 contributors may be used to endorse or promote products derived from
 this software without specific prior written permission.
 
@@ -28,4 +28,4 @@ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-= vendor/golang.org/x/exp/LICENSE 5d4950ecb7b26d2c5e4e7b4e0dd74707
+= vendor/golang.org/x/exp/LICENSE 7998cb338f82d15c0eff93b7004d272a

LICENSES/vendor/golang.org/x/mod/LICENSE

@@ -1,6 +1,6 @@
 = vendor/golang.org/x/mod licensed under: =
 
-Copyright (c) 2009 The Go Authors. All rights reserved.
+Copyright 2009 The Go Authors.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
@@ -12,7 +12,7 @@ notice, this list of conditions and the following disclaimer.
 copyright notice, this list of conditions and the following disclaimer
 in the documentation and/or other materials provided with the
 distribution.
-   * Neither the name of Google Inc. nor the names of its
+   * Neither the name of Google LLC nor the names of its
 contributors may be used to endorse or promote products derived from
 this software without specific prior written permission.
 
@@ -28,4 +28,4 @@ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-= vendor/golang.org/x/mod/LICENSE 5d4950ecb7b26d2c5e4e7b4e0dd74707
+= vendor/golang.org/x/mod/LICENSE 7998cb338f82d15c0eff93b7004d272a

LICENSES/vendor/golang.org/x/net/LICENSE

@@ -1,6 +1,6 @@
 = vendor/golang.org/x/net licensed under: =
 
-Copyright (c) 2009 The Go Authors. All rights reserved.
+Copyright 2009 The Go Authors.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
@@ -12,7 +12,7 @@ notice, this list of conditions and the following disclaimer.
 copyright notice, this list of conditions and the following disclaimer
 in the documentation and/or other materials provided with the
 distribution.
-   * Neither the name of Google Inc. nor the names of its
+   * Neither the name of Google LLC nor the names of its
 contributors may be used to endorse or promote products derived from
 this software without specific prior written permission.
 
@@ -28,4 +28,4 @@ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-= vendor/golang.org/x/net/LICENSE 5d4950ecb7b26d2c5e4e7b4e0dd74707
+= vendor/golang.org/x/net/LICENSE 7998cb338f82d15c0eff93b7004d272a

LICENSES/vendor/golang.org/x/sys/LICENSE

@@ -1,6 +1,6 @@
 = vendor/golang.org/x/sys licensed under: =
 
-Copyright (c) 2009 The Go Authors. All rights reserved.
+Copyright 2009 The Go Authors.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
@@ -12,7 +12,7 @@ notice, this list of conditions and the following disclaimer.
 copyright notice, this list of conditions and the following disclaimer
 in the documentation and/or other materials provided with the
 distribution.
-   * Neither the name of Google Inc. nor the names of its
+   * Neither the name of Google LLC nor the names of its
 contributors may be used to endorse or promote products derived from
 this software without specific prior written permission.
 
@@ -28,4 +28,4 @@ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-= vendor/golang.org/x/sys/LICENSE 5d4950ecb7b26d2c5e4e7b4e0dd74707
+= vendor/golang.org/x/sys/LICENSE 7998cb338f82d15c0eff93b7004d272a

LICENSES/vendor/golang.org/x/term/LICENSE

@@ -1,6 +1,6 @@
 = vendor/golang.org/x/term licensed under: =
 
-Copyright (c) 2009 The Go Authors. All rights reserved.
+Copyright 2009 The Go Authors.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
@@ -12,7 +12,7 @@ notice, this list of conditions and the following disclaimer.
 copyright notice, this list of conditions and the following disclaimer
 in the documentation and/or other materials provided with the
 distribution.
-   * Neither the name of Google Inc. nor the names of its
+   * Neither the name of Google LLC nor the names of its
 contributors may be used to endorse or promote products derived from
 this software without specific prior written permission.
 
@@ -28,4 +28,4 @@ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-= vendor/golang.org/x/term/LICENSE 5d4950ecb7b26d2c5e4e7b4e0dd74707
+= vendor/golang.org/x/term/LICENSE 7998cb338f82d15c0eff93b7004d272a

LICENSES/vendor/golang.org/x/text/LICENSE

@@ -1,6 +1,6 @@
 = vendor/golang.org/x/text licensed under: =
 
-Copyright (c) 2009 The Go Authors. All rights reserved.
+Copyright 2009 The Go Authors.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
@@ -12,7 +12,7 @@ notice, this list of conditions and the following disclaimer.
 copyright notice, this list of conditions and the following disclaimer
 in the documentation and/or other materials provided with the
 distribution.
-   * Neither the name of Google Inc. nor the names of its
+   * Neither the name of Google LLC nor the names of its
 contributors may be used to endorse or promote products derived from
 this software without specific prior written permission.
 
@@ -28,4 +28,4 @@ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-= vendor/golang.org/x/text/LICENSE 5d4950ecb7b26d2c5e4e7b4e0dd74707
+= vendor/golang.org/x/text/LICENSE 7998cb338f82d15c0eff93b7004d272a

LICENSES/vendor/golang.org/x/time/LICENSE

@@ -1,6 +1,6 @@
 = vendor/golang.org/x/time licensed under: =
 
-Copyright (c) 2009 The Go Authors. All rights reserved.
+Copyright 2009 The Go Authors.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
@@ -12,7 +12,7 @@ notice, this list of conditions and the following disclaimer.
 copyright notice, this list of conditions and the following disclaimer
 in the documentation and/or other materials provided with the
 distribution.
-   * Neither the name of Google Inc. nor the names of its
+   * Neither the name of Google LLC nor the names of its
 contributors may be used to endorse or promote products derived from
 this software without specific prior written permission.
 
@@ -28,4 +28,4 @@ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-= vendor/golang.org/x/time/LICENSE 5d4950ecb7b26d2c5e4e7b4e0dd74707
+= vendor/golang.org/x/time/LICENSE 7998cb338f82d15c0eff93b7004d272a

LICENSES/vendor/golang.org/x/tools/LICENSE

@@ -1,6 +1,6 @@
 = vendor/golang.org/x/tools licensed under: =
 
-Copyright (c) 2009 The Go Authors. All rights reserved.
+Copyright 2009 The Go Authors.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
@@ -12,7 +12,7 @@ notice, this list of conditions and the following disclaimer.
 copyright notice, this list of conditions and the following disclaimer
 in the documentation and/or other materials provided with the
 distribution.
-   * Neither the name of Google Inc. nor the names of its
+   * Neither the name of Google LLC nor the names of its
 contributors may be used to endorse or promote products derived from
 this software without specific prior written permission.
 
@@ -28,4 +28,4 @@ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-= vendor/golang.org/x/tools/LICENSE 5d4950ecb7b26d2c5e4e7b4e0dd74707
+= vendor/golang.org/x/tools/LICENSE 7998cb338f82d15c0eff93b7004d272a

LICENSES/vendor/google.golang.org/appengine/LICENSE

@@ -1,206 +0,0 @@
-= vendor/google.golang.org/appengine licensed under: =
-
-
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "[]"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright [yyyy] [name of copyright owner]
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
-
-= vendor/google.golang.org/appengine/LICENSE 3b83ef96387f14655fc854ddc3c6bd57

LICENSES/vendor/google.golang.org/genproto/googleapis/api/LICENSE

@@ -203,4 +203,4 @@
    See the License for the specific language governing permissions and
    limitations under the License.
 
-= vendor/google.golang.org/genproto/LICENSE 3b83ef96387f14655fc854ddc3c6bd57
+= vendor/google.golang.org/genproto/googleapis/api/LICENSE 3b83ef96387f14655fc854ddc3c6bd57

LICENSES/vendor/google.golang.org/genproto/googleapis/rpc/LICENSE

@@ -203,4 +203,4 @@
    See the License for the specific language governing permissions and
    limitations under the License.
 
-= vendor/google.golang.org/genproto/LICENSE 3b83ef96387f14655fc854ddc3c6bd57
+= vendor/google.golang.org/genproto/googleapis/rpc/LICENSE 3b83ef96387f14655fc854ddc3c6bd57

LICENSES/vendor/gopkg.in/evanphx/json-patch.v4/LICENSE

@@ -0,0 +1,29 @@
+= vendor/gopkg.in/evanphx/json-patch.v4 licensed under: =
+
+Copyright (c) 2014, Evan Phoenix
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without 
+modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this
+  list of conditions and the following disclaimer.
+* Redistributions in binary form must reproduce the above copyright notice,
+  this list of conditions and the following disclaimer in the documentation
+  and/or other materials provided with the distribution.
+* Neither the name of the Evan Phoenix nor the names of its contributors 
+  may be used to endorse or promote products derived from this software 
+  without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE 
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+= vendor/gopkg.in/evanphx/json-patch.v4/LICENSE 96ae735ca1b4dcdb6b26f4ca4b8ba645

LICENSES/vendor/k8s.io/gengo/v2/LICENSE

@@ -1,4 +1,4 @@
-= vendor/k8s.io/gengo licensed under: =
+= vendor/k8s.io/gengo/v2 licensed under: =
 
 
                                  Apache License
@@ -203,4 +203,4 @@
    See the License for the specific language governing permissions and
    limitations under the License.
 
-= vendor/k8s.io/gengo/LICENSE ad09685d909e7a9f763d2bb62d4bd6fb
+= vendor/k8s.io/gengo/v2/LICENSE ad09685d909e7a9f763d2bb62d4bd6fb

Makefile

@@ -2,9 +2,6 @@
 CRD_OPTIONS ?= "crd:allowDangerousTypes=true"
 MANIFESTS="cluster/v1alpha1 iam/... quota/v1alpha2 storage/v1alpha1 tenant/... extensions/v1alpha1 core/v1alpha1 gateway/v1alpha2 application/v2"
 
-# App Version
-APP_VERSION = v3.2.0
-
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
 GOBIN=$(shell go env GOPATH)/bin
@@ -112,19 +109,15 @@ container-cross-push: ; $(info $(M)...Begin to build and push.)  @ ## Build and
 	hack/docker_build_multiarch.sh
 
 helm-package: ; $(info $(M)...Begin to helm-package.)  @ ## Helm-package.
-	ls config/crds/ | xargs -i cp -r config/crds/{} config/ks-core/crds/
-	helm package config/ks-core --app-version=${APP_VERSION} --version=0.1.0 -d ./bin
+	helm package config/ks-core -d ./bin
 
 helm-deploy: ; $(info $(M)...Begin to helm-deploy.)  @ ## Helm-deploy.
-	ls config/crds/ | xargs -i cp -r config/crds/{} config/ks-core/crds/
 	- kubectl create ns kubesphere-controls-system
 	helm upgrade --install ks-core ./config/ks-core -n kubesphere-system --create-namespace
-	kubectl apply -f https://raw.githubusercontent.com/kubesphere/ks-installer/master/roles/ks-core/prepare/files/ks-init/role-templates.yaml
 
 helm-uninstall: ; $(info $(M)...Begin to helm-uninstall.)  @ ## Helm-uninstall.
 	- kubectl delete ns kubesphere-controls-system
 	helm uninstall ks-core -n kubesphere-system
-	kubectl delete -f https://raw.githubusercontent.com/kubesphere/ks-installer/master/roles/ks-core/prepare/files/ks-init/role-templates.yaml
 
 # Run tests
 test: vet test-env ;$(info $(M)...Begin to run tests.)  @ ## Run tests.

build/ks-apiserver/Dockerfile

@@ -1,5 +1,5 @@
 # Build
-FROM golang:1.20.7 AS build_context
+FROM golang:1.23.7 AS build_context
 
 ENV OUTDIR=/out
 RUN mkdir -p ${OUTDIR}/usr/local/bin/
@@ -14,7 +14,7 @@ RUN mv /workspace/bin/cmd/ks-apiserver ${OUTDIR}/usr/local/bin/
 # Final image
 #############
 
-FROM alpine:3.18.3
+FROM alpine:3.21.3
 
 COPY --from=build_context /out/ /
 

build/ks-controller-manager/Dockerfile

@@ -1,22 +1,21 @@
 # Download dependencies
-FROM alpine:3.18.3 AS base_os_context
+FROM alpine:3.21.3 AS base_os_context
+
+RUN apk add --no-cache ca-certificates curl
 
 ENV OUTDIR=/out
 RUN mkdir -p ${OUTDIR}/usr/local/bin/
-RUN apk add --no-cache ca-certificates curl
 
+ARG TELEMETRY_VERSION=1.0.2
 ARG TARGETARCH
-
-ENV ARCH=$TARGETARCH
-
-RUN curl -LO https://github.com/kubesphere/telemetry/releases/download/v1.0.0/telemetry_1.0.0_linux_${ARCH}.tar.gz && \
-    tar -zxvf telemetry_1.0.0_linux_${ARCH}.tar.gz -C ${OUTDIR}/usr/local/bin/ telemetry
+RUN curl -LO https://github.com/kubesphere/telemetry/releases/download/v${TELEMETRY_VERSION}/telemetry_${TELEMETRY_VERSION}_linux_${TARGETARCH}.tar.gz && \
+    tar -zxvf telemetry_${TELEMETRY_VERSION}_linux_${TARGETARCH}.tar.gz -C ${OUTDIR}/usr/local/bin/ telemetry
 
 # Add KS Core Helm Chart
 COPY config/ks-core ${OUTDIR}/var/helm-charts/ks-core
 
 # Build
-FROM golang:1.20.7 AS build_context
+FROM golang:1.23.7 AS build_context
 
 ENV OUTDIR=/out
 RUN mkdir -p ${OUTDIR}/usr/local/bin/
@@ -28,7 +27,7 @@ RUN make ks-controller-manager
 RUN mv /workspace/bin/cmd/controller-manager ${OUTDIR}/usr/local/bin/
 
 # Final Image
-FROM alpine:3.18.3
+FROM alpine:3.21.3
 
 COPY --from=base_os_context /out/ /
 COPY --from=build_context /out/ /

cmd/controller-manager/app/options/options.go

@@ -152,8 +152,8 @@ func (s *ControllerManagerOptions) Merge(conf *config.Config) {
 	if conf.TerminalOptions != nil {
 		s.TerminalOptions = conf.TerminalOptions
 	}
-	if conf.TelemetryOptions != nil {
-		s.TelemetryOptions = conf.TelemetryOptions
+	if conf.KubeconfigOptions != nil {
+		s.KubeconfigOptions = conf.KubeconfigOptions
 	}
 	if conf.HelmExecutorOptions != nil {
 		s.HelmExecutorOptions = conf.HelmExecutorOptions

cmd/controller-manager/app/server.go

@@ -40,11 +40,13 @@ import (
 	"kubesphere.io/kubesphere/pkg/controller/loginrecord"
 	"kubesphere.io/kubesphere/pkg/controller/namespace"
 	"kubesphere.io/kubesphere/pkg/controller/quota"
+	"kubesphere.io/kubesphere/pkg/controller/resourceprotection"
 	"kubesphere.io/kubesphere/pkg/controller/role"
 	"kubesphere.io/kubesphere/pkg/controller/rolebinding"
 	"kubesphere.io/kubesphere/pkg/controller/roletemplate"
 	"kubesphere.io/kubesphere/pkg/controller/secret"
 	"kubesphere.io/kubesphere/pkg/controller/serviceaccount"
+	"kubesphere.io/kubesphere/pkg/controller/serviceaccounttoken"
 	"kubesphere.io/kubesphere/pkg/controller/storageclass"
 	"kubesphere.io/kubesphere/pkg/controller/telemetry"
 	"kubesphere.io/kubesphere/pkg/controller/user"
@@ -59,6 +61,7 @@ import (
 func init() {
 	// core
 	runtime.Must(controller.Register(&core.ExtensionReconciler{}))
+	runtime.Must(controller.Register(&core.ExtensionVersionReconciler{}))
 	runtime.Must(controller.Register(&core.CategoryReconciler{}))
 	runtime.Must(controller.Register(&core.RepositoryReconciler{}))
 	runtime.Must(controller.Register(&core.InstallPlanReconciler{}))
@@ -98,7 +101,7 @@ func init() {
 	runtime.Must(controller.Register(&serviceaccount.Reconciler{}))
 	runtime.Must(controller.Register(&job.Reconciler{}))
 	runtime.Must(controller.Register(&storageclass.Reconciler{}))
-	runtime.Must(controller.Register(&telemetry.Runnable{}))
+	runtime.Must(controller.Register(&telemetry.Reconciler{}))
 	runtime.Must(controller.Register(&ksconfig.Webhook{}))
 	runtime.Must(controller.Register(&conversion.Webhook{}))
 	// kubeconfig
@@ -114,8 +117,11 @@ func init() {
 	runtime.Must(controller.Register(&application.AppVersionReconciler{}))
 	// k8s application
 	runtime.Must(controller.Register(&k8sapplication.Reconciler{}))
+	runtime.Must(controller.Register(&application.ReleaseWebhook{}))
 	// kubectl
 	runtime.Must(controller.Register(&kubectl.Reconciler{}))
+	runtime.Must(controller.Register(&serviceaccounttoken.Reconciler{}))
+	runtime.Must(controller.Register(&resourceprotection.Webhook{}))
 }
 
 func NewControllerManagerCommand() *cobra.Command {

cmd/ks-apiserver/app/options/options.go

@@ -26,6 +26,7 @@ import (
 	"kubesphere.io/kubesphere/pkg/apiserver/options"
 	"kubesphere.io/kubesphere/pkg/config"
 	"kubesphere.io/kubesphere/pkg/models/auth"
+	"kubesphere.io/kubesphere/pkg/models/registries/imagesearch"
 	resourcev1beta1 "kubesphere.io/kubesphere/pkg/models/resources/v1beta1"
 	"kubesphere.io/kubesphere/pkg/scheme"
 	genericoptions "kubesphere.io/kubesphere/pkg/server/options"
@@ -111,6 +112,10 @@ func (s *APIServerOptions) NewAPIServer(ctx context.Context) (*apiserver.APIServ
 		return nil, fmt.Errorf("unable to setup identity provider: %v", err)
 	}
 
+	if err := imagesearch.SharedImageSearchProviderController.WatchConfigurationChanges(ctx, apiServer.RuntimeCache); err != nil {
+		return nil, fmt.Errorf("unable to setup image search provider: %v", err)
+	}
+
 	if apiServer.ClusterClient, err = clusterclient.NewClusterClientSet(apiServer.RuntimeCache); err != nil {
 		return nil, fmt.Errorf("unable to create cluster client: %v", err)
 	}

config/ks-core/Chart.yaml

@@ -7,12 +7,12 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.1.0
+version: 1.1.4
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: "v4.1.1"
+appVersion: "v4.1.3"
 
 dependencies:
   - name: redis-ha

config/ks-core/charts/ks-crds/crds/application.kubesphere.io_applicationreleases.yaml

@@ -73,6 +73,8 @@ spec:
                 type: string
               appVersionID:
                 type: string
+              icon:
+                type: string
               values:
                 format: byte
                 type: string
@@ -94,7 +96,7 @@ spec:
                 items:
                   description: |-
                     RawMessage is a raw encoded JSON value.
-                    It implements Marshaler and Unmarshaler and can
+                    It implements [Marshaler] and [Unmarshaler] and can
                     be used to delay JSON decoding or precompute a JSON encoding.
                   format: byte
                   type: string

config/ks-core/charts/ks-crds/crds/application.kubesphere.io_repos.yaml

@@ -85,6 +85,7 @@ spec:
               url:
                 type: string
             required:
+            - syncPeriod
             - url
             type: object
           status:

config/ks-core/charts/ks-crds/crds/extensions.kubesphere.io_apiservices.yaml

@@ -92,16 +92,8 @@ spec:
             properties:
               conditions:
                 items:
-                  description: "Condition contains details for one aspect of the current
-                    state of this API Resource.\n---\nThis struct is intended for
-                    direct use as an array at the field path .status.conditions.  For
-                    example,\n\n\n\ttype FooStatus struct{\n\t    // Represents the
-                    observations of a foo's current state.\n\t    // Known .status.conditions.type
-                    are: \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
-                    +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    // +listType=map\n\t
-                    \   // +listMapKey=type\n\t    Conditions []metav1.Condition `json:\"conditions,omitempty\"
-                    patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
-                    \   // other fields\n\t}"
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
                   properties:
                     lastTransitionTime:
                       description: |-
@@ -142,12 +134,7 @@ spec:
                       - Unknown
                       type: string
                     type:
-                      description: |-
-                        type of condition in CamelCase or in foo.example.com/CamelCase.
-                        ---
-                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
-                        useful (see .node.status.conditions), the ability to deconflict is important.
-                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
                       maxLength: 316
                       pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                       type: string

config/ks-core/charts/ks-crds/crds/extensions.kubesphere.io_extensionentries.yaml

@@ -49,16 +49,8 @@ spec:
             properties:
               conditions:
                 items:
-                  description: "Condition contains details for one aspect of the current
-                    state of this API Resource.\n---\nThis struct is intended for
-                    direct use as an array at the field path .status.conditions.  For
-                    example,\n\n\n\ttype FooStatus struct{\n\t    // Represents the
-                    observations of a foo's current state.\n\t    // Known .status.conditions.type
-                    are: \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
-                    +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    // +listType=map\n\t
-                    \   // +listMapKey=type\n\t    Conditions []metav1.Condition `json:\"conditions,omitempty\"
-                    patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
-                    \   // other fields\n\t}"
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
                   properties:
                     lastTransitionTime:
                       description: |-
@@ -99,12 +91,7 @@ spec:
                       - Unknown
                       type: string
                     type:
-                      description: |-
-                        type of condition in CamelCase or in foo.example.com/CamelCase.
-                        ---
-                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
-                        useful (see .node.status.conditions), the ability to deconflict is important.
-                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
                       maxLength: 316
                       pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                       type: string

config/ks-core/charts/ks-crds/crds/extensions.kubesphere.io_jsbundles.yaml

@@ -55,10 +55,13 @@ spec:
                         description: The key to select.
                         type: string
                       name:
+                        default: ""
                         description: |-
                           Name of the referent.
+                          This field is effectively required, but due to backwards compatibility is
+                          allowed to be empty. Instances of this type with an empty value here are
+                          almost certainly wrong.
                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                          TODO: Add other useful fields. apiVersion, kind, uid?
                         type: string
                       namespace:
                         type: string
@@ -81,10 +84,13 @@ spec:
                           a valid secret key.
                         type: string
                       name:
+                        default: ""
                         description: |-
                           Name of the referent.
+                          This field is effectively required, but due to backwards compatibility is
+                          allowed to be empty. Instances of this type with an empty value here are
+                          almost certainly wrong.
                           More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                          TODO: Add other useful fields. apiVersion, kind, uid?
                         type: string
                       namespace:
                         type: string
@@ -140,16 +146,8 @@ spec:
             properties:
               conditions:
                 items:
-                  description: "Condition contains details for one aspect of the current
-                    state of this API Resource.\n---\nThis struct is intended for
-                    direct use as an array at the field path .status.conditions.  For
-                    example,\n\n\n\ttype FooStatus struct{\n\t    // Represents the
-                    observations of a foo's current state.\n\t    // Known .status.conditions.type
-                    are: \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
-                    +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    // +listType=map\n\t
-                    \   // +listMapKey=type\n\t    Conditions []metav1.Condition `json:\"conditions,omitempty\"
-                    patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
-                    \   // other fields\n\t}"
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
                   properties:
                     lastTransitionTime:
                       description: |-
@@ -190,12 +188,7 @@ spec:
                       - Unknown
                       type: string
                     type:
-                      description: |-
-                        type of condition in CamelCase or in foo.example.com/CamelCase.
-                        ---
-                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
-                        useful (see .node.status.conditions), the ability to deconflict is important.
-                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
                       maxLength: 316
                       pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                       type: string

config/ks-core/charts/ks-crds/crds/extensions.kubesphere.io_reverseproxies.yaml

@@ -149,16 +149,8 @@ spec:
             properties:
               conditions:
                 items:
-                  description: "Condition contains details for one aspect of the current
-                    state of this API Resource.\n---\nThis struct is intended for
-                    direct use as an array at the field path .status.conditions.  For
-                    example,\n\n\n\ttype FooStatus struct{\n\t    // Represents the
-                    observations of a foo's current state.\n\t    // Known .status.conditions.type
-                    are: \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
-                    +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    // +listType=map\n\t
-                    \   // +listMapKey=type\n\t    Conditions []metav1.Condition `json:\"conditions,omitempty\"
-                    patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
-                    \   // other fields\n\t}"
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
                   properties:
                     lastTransitionTime:
                       description: |-
@@ -199,12 +191,7 @@ spec:
                       - Unknown
                       type: string
                     type:
-                      description: |-
-                        type of condition in CamelCase or in foo.example.com/CamelCase.
-                        ---
-                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
-                        useful (see .node.status.conditions), the ability to deconflict is important.
-                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
                       maxLength: 316
                       pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                       type: string

config/ks-core/charts/ks-crds/crds/iam.kubesphere.io_builtinroles.yaml

@@ -73,11 +73,13 @@ spec:
                       items:
                         type: string
                       type: array
+                      x-kubernetes-list-type: atomic
                   required:
                   - key
                   - operator
                   type: object
                 type: array
+                x-kubernetes-list-type: atomic
               matchLabels:
                 additionalProperties:
                   type: string

config/ks-core/charts/ks-crds/crds/iam.kubesphere.io_clusterroles.yaml

@@ -55,11 +55,13 @@ spec:
                           items:
                             type: string
                           type: array
+                          x-kubernetes-list-type: atomic
                       required:
                       - key
                       - operator
                       type: object
                     type: array
+                    x-kubernetes-list-type: atomic
                   matchLabels:
                     additionalProperties:
                       type: string
@@ -109,6 +111,7 @@ spec:
                   items:
                     type: string
                   type: array
+                  x-kubernetes-list-type: atomic
                 nonResourceURLs:
                   description: |-
                     NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path
@@ -117,24 +120,28 @@ spec:
                   items:
                     type: string
                   type: array
+                  x-kubernetes-list-type: atomic
                 resourceNames:
                   description: ResourceNames is an optional white list of names that
                     the rule applies to.  An empty set means that everything is allowed.
                   items:
                     type: string
                   type: array
+                  x-kubernetes-list-type: atomic
                 resources:
                   description: Resources is a list of resources this rule applies
                     to. '*' represents all resources.
                   items:
                     type: string
                   type: array
+                  x-kubernetes-list-type: atomic
                 verbs:
                   description: Verbs is a list of Verbs that apply to ALL the ResourceKinds
                     contained in this rule. '*' represents all verbs.
                   items:
                     type: string
                   type: array
+                  x-kubernetes-list-type: atomic
               required:
               - verbs
               type: object

config/ks-core/charts/ks-crds/crds/iam.kubesphere.io_globalroles.yaml

@@ -52,6 +52,7 @@ spec:
                   items:
                     type: string
                   type: array
+                  x-kubernetes-list-type: atomic
                 nonResourceURLs:
                   description: |-
                     NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path
@@ -60,24 +61,28 @@ spec:
                   items:
                     type: string
                   type: array
+                  x-kubernetes-list-type: atomic
                 resourceNames:
                   description: ResourceNames is an optional white list of names that
                     the rule applies to.  An empty set means that everything is allowed.
                   items:
                     type: string
                   type: array
+                  x-kubernetes-list-type: atomic
                 resources:
                   description: Resources is a list of resources this rule applies
                     to. '*' represents all resources.
                   items:
                     type: string
                   type: array
+                  x-kubernetes-list-type: atomic
                 verbs:
                   description: Verbs is a list of Verbs that apply to ALL the ResourceKinds
                     contained in this rule. '*' represents all verbs.
                   items:
                     type: string
                   type: array
+                  x-kubernetes-list-type: atomic
               required:
               - verbs
               type: object
@@ -124,11 +129,13 @@ spec:
                           items:
                             type: string
                           type: array
+                          x-kubernetes-list-type: atomic
                       required:
                       - key
                       - operator
                       type: object
                     type: array
+                    x-kubernetes-list-type: atomic
                   matchLabels:
                     additionalProperties:
                       type: string
@@ -178,6 +185,7 @@ spec:
                   items:
                     type: string
                   type: array
+                  x-kubernetes-list-type: atomic
                 nonResourceURLs:
                   description: |-
                     NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path
@@ -186,24 +194,28 @@ spec:
                   items:
                     type: string
                   type: array
+                  x-kubernetes-list-type: atomic
                 resourceNames:
                   description: ResourceNames is an optional white list of names that
                     the rule applies to.  An empty set means that everything is allowed.
                   items:
                     type: string
                   type: array
+                  x-kubernetes-list-type: atomic
                 resources:
                   description: Resources is a list of resources this rule applies
                     to. '*' represents all resources.
                   items:
                     type: string
                   type: array
+                  x-kubernetes-list-type: atomic
                 verbs:
                   description: Verbs is a list of Verbs that apply to ALL the ResourceKinds
                     contained in this rule. '*' represents all verbs.
                   items:
                     type: string
                   type: array
+                  x-kubernetes-list-type: atomic
               required:
               - verbs
               type: object

config/ks-core/charts/ks-crds/crds/iam.kubesphere.io_roles.yaml

@@ -55,11 +55,13 @@ spec:
                           items:
                             type: string
                           type: array
+                          x-kubernetes-list-type: atomic
                       required:
                       - key
                       - operator
                       type: object
                     type: array
+                    x-kubernetes-list-type: atomic
                   matchLabels:
                     additionalProperties:
                       type: string
@@ -109,6 +111,7 @@ spec:
                   items:
                     type: string
                   type: array
+                  x-kubernetes-list-type: atomic
                 nonResourceURLs:
                   description: |-
                     NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path
@@ -117,24 +120,28 @@ spec:
                   items:
                     type: string
                   type: array
+                  x-kubernetes-list-type: atomic
                 resourceNames:
                   description: ResourceNames is an optional white list of names that
                     the rule applies to.  An empty set means that everything is allowed.
                   items:
                     type: string
                   type: array
+                  x-kubernetes-list-type: atomic
                 resources:
                   description: Resources is a list of resources this rule applies
                     to. '*' represents all resources.
                   items:
                     type: string
                   type: array
+                  x-kubernetes-list-type: atomic
                 verbs:
                   description: Verbs is a list of Verbs that apply to ALL the ResourceKinds
                     contained in this rule. '*' represents all verbs.
                   items:
                     type: string
                   type: array
+                  x-kubernetes-list-type: atomic
               required:
               - verbs
               type: object

config/ks-core/charts/ks-crds/crds/iam.kubesphere.io_roletemplates.yaml

@@ -64,6 +64,7 @@ spec:
                       items:
                         type: string
                       type: array
+                      x-kubernetes-list-type: atomic
                     nonResourceURLs:
                       description: |-
                         NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path
@@ -72,6 +73,7 @@ spec:
                       items:
                         type: string
                       type: array
+                      x-kubernetes-list-type: atomic
                     resourceNames:
                       description: ResourceNames is an optional white list of names
                         that the rule applies to.  An empty set means that everything
@@ -79,18 +81,21 @@ spec:
                       items:
                         type: string
                       type: array
+                      x-kubernetes-list-type: atomic
                     resources:
                       description: Resources is a list of resources this rule applies
                         to. '*' represents all resources.
                       items:
                         type: string
                       type: array
+                      x-kubernetes-list-type: atomic
                     verbs:
                       description: Verbs is a list of Verbs that apply to ALL the
                         ResourceKinds contained in this rule. '*' represents all verbs.
                       items:
                         type: string
                       type: array
+                      x-kubernetes-list-type: atomic
                   required:
                   - verbs
                   type: object

config/ks-core/charts/ks-crds/crds/iam.kubesphere.io_workspaceroles.yaml

@@ -59,6 +59,7 @@ spec:
                   items:
                     type: string
                   type: array
+                  x-kubernetes-list-type: atomic
                 nonResourceURLs:
                   description: |-
                     NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path
@@ -67,24 +68,28 @@ spec:
                   items:
                     type: string
                   type: array
+                  x-kubernetes-list-type: atomic
                 resourceNames:
                   description: ResourceNames is an optional white list of names that
                     the rule applies to.  An empty set means that everything is allowed.
                   items:
                     type: string
                   type: array
+                  x-kubernetes-list-type: atomic
                 resources:
                   description: Resources is a list of resources this rule applies
                     to. '*' represents all resources.
                   items:
                     type: string
                   type: array
+                  x-kubernetes-list-type: atomic
                 verbs:
                   description: Verbs is a list of Verbs that apply to ALL the ResourceKinds
                     contained in this rule. '*' represents all verbs.
                   items:
                     type: string
                   type: array
+                  x-kubernetes-list-type: atomic
               required:
               - verbs
               type: object
@@ -139,11 +144,13 @@ spec:
                           items:
                             type: string
                           type: array
+                          x-kubernetes-list-type: atomic
                       required:
                       - key
                       - operator
                       type: object
                     type: array
+                    x-kubernetes-list-type: atomic
                   matchLabels:
                     additionalProperties:
                       type: string
@@ -193,6 +200,7 @@ spec:
                   items:
                     type: string
                   type: array
+                  x-kubernetes-list-type: atomic
                 nonResourceURLs:
                   description: |-
                     NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path
@@ -201,24 +209,28 @@ spec:
                   items:
                     type: string
                   type: array
+                  x-kubernetes-list-type: atomic
                 resourceNames:
                   description: ResourceNames is an optional white list of names that
                     the rule applies to.  An empty set means that everything is allowed.
                   items:
                     type: string
                   type: array
+                  x-kubernetes-list-type: atomic
                 resources:
                   description: Resources is a list of resources this rule applies
                     to. '*' represents all resources.
                   items:
                     type: string
                   type: array
+                  x-kubernetes-list-type: atomic
                 verbs:
                   description: Verbs is a list of Verbs that apply to ALL the ResourceKinds
                     contained in this rule. '*' represents all verbs.
                   items:
                     type: string
                   type: array
+                  x-kubernetes-list-type: atomic
               required:
               - verbs
               type: object

config/ks-core/charts/ks-crds/crds/kubesphere.io_extensions.yaml

@@ -86,18 +86,8 @@ spec:
                   properties:
                     conditions:
                       items:
-                        description: "Condition contains details for one aspect of
-                          the current state of this API Resource.\n---\nThis struct
-                          is intended for direct use as an array at the field path
-                          .status.conditions.  For example,\n\n\n\ttype FooStatus
-                          struct{\n\t    // Represents the observations of a foo's
-                          current state.\n\t    // Known .status.conditions.type are:
-                          \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
-                          +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    //
-                          +listType=map\n\t    // +listMapKey=type\n\t    Conditions
-                          []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\"
-                          patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
-                          \   // other fields\n\t}"
+                        description: Condition contains details for one aspect of
+                          the current state of this API Resource.
                         properties:
                           lastTransitionTime:
                             description: |-
@@ -139,12 +129,7 @@ spec:
                             - Unknown
                             type: string
                           type:
-                            description: |-
-                              type of condition in CamelCase or in foo.example.com/CamelCase.
-                              ---
-                              Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
-                              useful (see .node.status.conditions), the ability to deconflict is important.
-                              The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                            description: type of condition in CamelCase or in foo.example.com/CamelCase.
                             maxLength: 316
                             pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                             type: string
@@ -187,16 +172,8 @@ spec:
                 type: object
               conditions:
                 items:
-                  description: "Condition contains details for one aspect of the current
-                    state of this API Resource.\n---\nThis struct is intended for
-                    direct use as an array at the field path .status.conditions.  For
-                    example,\n\n\n\ttype FooStatus struct{\n\t    // Represents the
-                    observations of a foo's current state.\n\t    // Known .status.conditions.type
-                    are: \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
-                    +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    // +listType=map\n\t
-                    \   // +listMapKey=type\n\t    Conditions []metav1.Condition `json:\"conditions,omitempty\"
-                    patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
-                    \   // other fields\n\t}"
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
                   properties:
                     lastTransitionTime:
                       description: |-
@@ -237,12 +214,7 @@ spec:
                       - Unknown
                       type: string
                     type:
-                      description: |-
-                        type of condition in CamelCase or in foo.example.com/CamelCase.
-                        ---
-                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
-                        useful (see .node.status.conditions), the ability to deconflict is important.
-                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
                       maxLength: 316
                       pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                       type: string

config/ks-core/charts/ks-crds/crds/kubesphere.io_extensionversions.yaml

@@ -51,10 +51,13 @@ spec:
                     description: The key to select.
                     type: string
                   name:
+                    default: ""
                     description: |-
                       Name of the referent.
+                      This field is effectively required, but due to backwards compatibility is
+                      allowed to be empty. Instances of this type with an empty value here are
+                      almost certainly wrong.
                       More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                      TODO: Add other useful fields. apiVersion, kind, uid?
                     type: string
                   namespace:
                     type: string

config/ks-core/charts/ks-crds/crds/kubesphere.io_installplans.yaml

@@ -84,11 +84,13 @@ spec:
                                   items:
                                     type: string
                                   type: array
+                                  x-kubernetes-list-type: atomic
                               required:
                               - key
                               - operator
                               type: object
                             type: array
+                            x-kubernetes-list-type: atomic
                           matchLabels:
                             additionalProperties:
                               type: string
@@ -134,18 +136,8 @@ spec:
                   properties:
                     conditions:
                       items:
-                        description: "Condition contains details for one aspect of
-                          the current state of this API Resource.\n---\nThis struct
-                          is intended for direct use as an array at the field path
-                          .status.conditions.  For example,\n\n\n\ttype FooStatus
-                          struct{\n\t    // Represents the observations of a foo's
-                          current state.\n\t    // Known .status.conditions.type are:
-                          \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
-                          +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    //
-                          +listType=map\n\t    // +listMapKey=type\n\t    Conditions
-                          []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\"
-                          patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
-                          \   // other fields\n\t}"
+                        description: Condition contains details for one aspect of
+                          the current state of this API Resource.
                         properties:
                           lastTransitionTime:
                             description: |-
@@ -187,12 +179,7 @@ spec:
                             - Unknown
                             type: string
                           type:
-                            description: |-
-                              type of condition in CamelCase or in foo.example.com/CamelCase.
-                              ---
-                              Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
-                              useful (see .node.status.conditions), the ability to deconflict is important.
-                              The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                            description: type of condition in CamelCase or in foo.example.com/CamelCase.
                             maxLength: 316
                             pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                             type: string
@@ -235,16 +222,8 @@ spec:
                 type: object
               conditions:
                 items:
-                  description: "Condition contains details for one aspect of the current
-                    state of this API Resource.\n---\nThis struct is intended for
-                    direct use as an array at the field path .status.conditions.  For
-                    example,\n\n\n\ttype FooStatus struct{\n\t    // Represents the
-                    observations of a foo's current state.\n\t    // Known .status.conditions.type
-                    are: \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
-                    +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    // +listType=map\n\t
-                    \   // +listMapKey=type\n\t    Conditions []metav1.Condition `json:\"conditions,omitempty\"
-                    patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
-                    \   // other fields\n\t}"
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
                   properties:
                     lastTransitionTime:
                       description: |-
@@ -285,12 +264,7 @@ spec:
                       - Unknown
                       type: string
                     type:
-                      description: |-
-                        type of condition in CamelCase or in foo.example.com/CamelCase.
-                        ---
-                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
-                        useful (see .node.status.conditions), the ability to deconflict is important.
-                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
                       maxLength: 316
                       pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                       type: string

config/ks-core/charts/ks-crds/crds/kubesphere.io_repositories.yaml

@@ -50,12 +50,19 @@ spec:
                     type: string
                 type: object
               caBundle:
-                description: if the caBundle is empty, use --insecure-skip-tls-verify.
+                description: The caBundle (base64 string) is used in helmExecutor
+                  to verify the helm server.
                 type: string
+              depth:
+                description: The maximum number of synchronized versions for each
+                  extension. A value of 0 indicates that all versions will be synchronized.
+                  The default is 3.
+                type: integer
               description:
                 type: string
-              image:
-                type: string
+              insecure:
+                description: --insecure-skip-tls-verify. default false
+                type: boolean
               updateStrategy:
                 properties:
                   registryPoll:
@@ -65,6 +72,10 @@ spec:
                     required:
                     - interval
                     type: object
+                  timeout:
+                    type: string
+                required:
+                - timeout
                 type: object
               url:
                 type: string

config/ks-core/charts/ks-crds/crds/kubesphere.io_serviceaccounts.yaml

@@ -37,24 +37,8 @@ spec:
             type: object
           secrets:
             items:
-              description: |-
-                ObjectReference contains enough information to let you inspect or modify the referred object.
-                ---
-                New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
-                 1. Ignored fields.  It includes many fields which are not generally honored.  For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
-                 2. Invalid usage help.  It is impossible to add specific help for individual usage.  In most embedded usages, there are particular
-                    restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
-                    Those cannot be well described when embedded.
-                 3. Inconsistent validation.  Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
-                 4. The fields are both imprecise and overly precise.  Kind is not a precise mapping to a URL. This can produce ambiguity
-                    during interpretation and require a REST mapping.  In most cases, the dependency is on the group,resource tuple
-                    and the version of the actual struct is irrelevant.
-                 5. We cannot easily change it.  Because this type is embedded in many locations, updates to this type
-                    will affect numerous schemas.  Don't make new APIs embed an underspecified API type they do not control.
-
-
-                Instead of using this type, create a locally provided and used type that is well-focused on your reference.
-                For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
+              description: ObjectReference contains enough information to let you
+                inspect or modify the referred object.
               properties:
                 apiVersion:
                   description: API version of the referent.
@@ -68,7 +52,6 @@ spec:
                     the event) or if no container name is specified "spec.containers[2]" (container with
                     index 2 in this pod). This syntax is chosen only to have some well-defined way of
                     referencing a part of an object.
-                    TODO: this design is not final and this field is subject to change in the future.
                   type: string
                 kind:
                   description: |-

config/ks-core/charts/ks-crds/crds/quota.kubesphere.io_resourcequotas.yaml

@@ -88,11 +88,13 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                           required:
                           - operator
                           - scopeName
                           type: object
                         type: array
+                        x-kubernetes-list-type: atomic
                     type: object
                     x-kubernetes-map-type: atomic
                   scopes:
@@ -104,6 +106,7 @@ spec:
                         match each object tracked by a quota
                       type: string
                     type: array
+                    x-kubernetes-list-type: atomic
                 type: object
               selector:
                 additionalProperties:

config/ks-core/charts/ks-crds/crds/tenant.kubesphere.io_workspacetemplates.yaml

@@ -97,11 +97,13 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                           required:
                           - key
                           - operator
                           type: object
                         type: array
+                        x-kubernetes-list-type: atomic
                       matchLabels:
                         additionalProperties:
                           type: string
@@ -201,11 +203,13 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                           required:
                           - key
                           - operator
                           type: object
                         type: array
+                        x-kubernetes-list-type: atomic
                       matchLabels:
                         additionalProperties:
                           type: string

config/ks-core/charts/ks-crds/scripts/install.sh

@@ -2,8 +2,7 @@
 
 CRDS_PATH=$1
 echo "ks-crds pre upgrade..."
-# shellcheck disable=SC1060
-for crd in `ls $CRDS_PATH|grep \.yaml$`; do
-  echo $crd
-  kubectl apply -f $CRDS_PATH/$crd
+for crd in "$CRDS_PATH"/*.yaml; do
+  basename "$crd"
+  kubectl apply -f "$crd"
 done

config/ks-core/charts/ks-crds/scripts/post-delete.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+CRD_NAMES=$1
+MAPPING_CONFIG=$2
+
+for extension in $(kubectl get installplan -o json | jq -r '.items[] | select(.status.state == "Installed") | .metadata.name'); do
+  namespace=$(kubectl get installplan "$extension" -o=jsonpath='{.status.targetNamespace}')
+  version=$(kubectl get extension "$extension" -o=jsonpath='{.status.installedVersion}')
+  extensionVersion="$extension-$version"
+  echo "Found extension $extensionVersion installed"
+  if helm status "$extension" --namespace "$namespace" &>/dev/null; then
+    helm mapkubeapis "$extension" --namespace "$namespace" --mapfile "$MAPPING_CONFIG"
+  fi
+  if helm status "$extension-agent" --namespace "$namespace" &>/dev/null; then
+    helm mapkubeapis "$extension-agent" --namespace "$namespace" --mapfile "$MAPPING_CONFIG"
+  fi
+done
+
+kubectl patch workspaces.tenant.kubesphere.io system-workspace -p '{"metadata":{"finalizers":[]}}' --type=merge
+kubectl patch workspacetemplates.tenant.kubesphere.io system-workspace -p '{"metadata":{"finalizers":[]}}' --type=merge
+
+for ns in $(kubectl get ns -o jsonpath='{.items[*].metadata.name}' -l 'kubesphere.io/managed=true'); do
+  kubectl label ns "$ns" kubesphere.io/workspace- && \
+  kubectl patch ns "$ns" -p '{"metadata":{"ownerReferences":[]}}' --type=merge && \
+  echo '{"kind":"Namespace","apiVersion":"v1","metadata":{"name":"'"$ns"'","finalizers":null}}' | kubectl replace --raw "/api/v1/namespaces/$ns/finalize" -f -
+done
+
+for crd in $(kubectl get crds -o jsonpath='{.items[*].metadata.name}'); do
+  if [[ " ${CRD_NAMES[*]} " =~ ${crd} ]]; then
+    echo "Deleting CRD $crd"
+    scope=$(kubectl get crd "$crd" -o jsonpath='{.spec.scope}')
+    if [[ $scope == "Namespaced" ]]; then
+      kubectl get "$crd" -A --no-headers | awk '{print $1" "$2" ""'"$crd"'"}' | xargs -n 3 sh -c 'kubectl patch $2 -n $0 $1 -p "{\"metadata\":{\"finalizers\":null}}" --type=merge 2>/dev/null && kubectl delete $2 -n $0 $1 2>/dev/null'
+    else
+      kubectl get "$crd" -A --no-headers | awk '{print $1" ""'"$crd"'"}' | xargs -n 2 sh -c 'kubectl patch $1 $0 -p "{\"metadata\":{\"finalizers\":null}}" --type=merge 2>/dev/null && kubectl delete $1 $0 2>/dev/null'
+    fi
+    kubectl delete crd "$crd" 2>/dev/null
+  fi
+done

config/ks-core/charts/ks-crds/templates/post-delete-crd-job.yaml

@@ -0,0 +1,88 @@
+{{- $kubeVersion := .Capabilities.KubeVersion }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: "{{ .Release.Name }}-post-delete-crd-scripts"
+  annotations:
+    "helm.sh/hook": post-delete
+    "helm.sh/hook-weight": "-3"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+data:
+  map.yaml: |
+    mappings:
+    {{- range $path, $_ := .Files.Glob "crds/**" }}
+    {{- $crd := $.Files.Get $path | fromYaml }}
+    {{- range $_, $version := $crd.spec.versions }}
+      - deprecatedAPI: "apiVersion: {{ $crd.spec.group }}/{{ $version.name }}\nkind: {{ $crd.spec.names.kind }}\n"
+        removedInVersion: "{{ $kubeVersion }}"
+    {{- end }}
+    {{- end }}
+{{ (.Files.Glob "scripts/post-delete.sh").AsConfig | indent 2 }}
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: "{{ .Release.Name }}-post-delete-crd"
+  annotations:
+    "helm.sh/hook": post-delete
+    "helm.sh/hook-weight": "-3"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: "{{ .Release.Name }}-post-delete-crd"
+  annotations:
+    "helm.sh/hook": post-delete
+    "helm.sh/hook-weight": "-3"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: "{{ .Release.Name }}-post-delete-crd"
+    namespace: {{ .Release.Namespace }}
+
+{{- $crdNameList := list }}
+{{- range $path, $_ := .Files.Glob "crds/**" }}
+{{- $crd := $.Files.Get $path | fromYaml }}
+{{- $crdNameList = append $crdNameList $crd.metadata.name }}
+{{- end }}
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: "{{ .Release.Name }}-post-delete-crd"
+  annotations:
+    "helm.sh/hook": post-delete
+    "helm.sh/hook-weight": "-2"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  template:
+    spec:
+      restartPolicy: Never
+      serviceAccountName: "{{ .Release.Name }}-post-delete-crd"
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: post-delete-job
+          image: {{ template "kubectl.image" . }}
+          command:
+            - /bin/bash
+            - /scripts/post-delete.sh
+            - '{{ join " " $crdNameList }}'
+            - /scripts/map.yaml
+          volumeMounts:
+            - mountPath: /scripts
+              name: scripts
+      volumes:
+        - name: scripts
+          configMap:
+            name: "{{ .Release.Name }}-post-delete-crd-scripts"
+            defaultMode: 420

config/ks-core/charts/ks-crds/templates/pre-upgrade-crd-job.yaml

@@ -10,6 +10,34 @@ data:
 {{ (.Files.Glob "scripts/install.sh").AsConfig | indent 2 }}
 {{ (.Files.Glob "crds/*").AsConfig | indent 2 }}
 
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: "{{ .Release.Name }}-pre-upgrade-crd"
+  annotations:
+    "helm.sh/hook": pre-upgrade
+    "helm.sh/hook-weight": "-1"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: "{{ .Release.Name }}-pre-upgrade-crd"
+  annotations:
+    "helm.sh/hook": pre-upgrade
+    "helm.sh/hook-weight": "-1"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: "{{ .Release.Name }}-pre-upgrade-crd"
+    namespace: {{ .Release.Namespace }}
+
 ---
 apiVersion: batch/v1
 kind: Job
@@ -23,10 +51,13 @@ spec:
   template:
     spec:
       restartPolicy: Never
-      serviceAccountName: {{ include "ks-core.serviceAccountName" . }}
+      serviceAccountName: "{{ .Release.Name }}-pre-upgrade-crd"
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 8 }}
+      {{- end }}
       containers:
         - name: crd-install
-          image: {{ template "preUpgrade.image" . }}
+          image: {{ template "kubectl.image" . }}
           command:
             - /bin/bash
             - /scripts/install.sh
@@ -34,7 +65,6 @@ spec:
           volumeMounts:
             - mountPath: /scripts
               name: scripts
-          resources: {{- toYaml .Values.preUpgrade.resources | nindent 12 }}
       volumes:
         - name: scripts
           configMap:

config/ks-core/charts/ks-crds/values.yaml

@@ -1,12 +1,13 @@
-# Default values for ks-crds.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
+global:
+  imageRegistry: ""
+  imagePullSecrets: []
+  # - name: "image-pull-secret"
 
-preUpgrade:
+kubectl:
   image:
     registry: ""
-    repository: kubesphereio/kubectl
-    tag: "v1.27.12"
+    repository: kubesphere/kubectl
+    tag: "v1.27.16"
     pullPolicy: IfNotPresent
   resources:
     limits:
@@ -14,4 +15,4 @@ preUpgrade:
       memory: 1024Mi
     requests:
       cpu: 20m
-      memory: 100Mi
+      memory: 100Mi

config/ks-core/charts/redis-ha/templates/redis-ha-statefulset.yaml

@@ -102,8 +102,8 @@ spec:
             release: {{ .Release.Name }}
             {{ template "redis-ha.fullname" . }}: replica
       {{- end }}
-      {{- if .Values.imagePullSecrets }}
-      imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 8 }}
       {{- end }}
       securityContext: {{ toYaml .Values.securityContext | nindent 8 }}
       serviceAccountName: {{ template "redis-ha.serviceAccountName" . }}

config/ks-core/charts/redis-ha/templates/redis-haproxy-deployment.yaml

@@ -109,8 +109,8 @@ spec:
           readOnly: true
         - name: data
           mountPath: /data
-      {{- if .Values.haproxy.imagePullSecrets }}
-      imagePullSecrets: {{ toYaml .Values.haproxy.imagePullSecrets | nindent 8 }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 8 }}
       {{- end }}
       containers:
       - name: haproxy

config/ks-core/charts/redis-ha/values.yaml

@@ -4,6 +4,8 @@
 
 global:
   imageRegistry: ""
+  imagePullSecrets: []
+  # - name: "image-pull-secret"
 
 image:
   registry: ""
@@ -12,13 +14,6 @@ image:
   digest: ""
   pullPolicy: IfNotPresent
 
-## Reference to one or more secrets to be used when pulling images
-## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
-## This imagePullSecrets is only for redis images
-##
-imagePullSecrets: []
-# - name: "image-pull-secret"
-
 ## replicas number for each component
 replicas: 3
 
@@ -102,13 +97,6 @@ haproxy:
 
   ## Custom labels for the haproxy pod
   labels: {}
-
-  ## Reference to one or more secrets to be used when pulling images
-  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
-  ##
-  imagePullSecrets: []
-  # - name: "image-pull-secret"
-
   annotations: {}
   resources: {}
   emptyDir: {}

config/ks-core/scripts/post-delete.sh

@@ -2,55 +2,9 @@
 
 # set -x
 
-CRD_NAMES=$1
-MAPPING_CONFIG=$2
-
-for extension in `kubectl get installplan -o json | jq -r '.items[] | select(.status.state == "Installed") | .metadata.name'`
-do
-  namespace=$(kubectl get installplan $extension -o=jsonpath='{.status.targetNamespace}')
-  version=$(kubectl get extension $extension -o=jsonpath='{.status.installedVersion}')
-  extensionversion=$extension-$version
-  echo "Found extension $extensionversion installed"
-  helm status $extension --namespace $namespace
-  if [ $? -eq 0 ]; then
-    helm mapkubeapis $extension --namespace $namespace --mapfile $MAPPING_CONFIG
-  fi
-  helm status $extension-agent --namespace $namespace
-  if [ $? -eq 0 ]; then
-    helm mapkubeapis $extension-agent --namespace $namespace --mapfile $MAPPING_CONFIG
-  fi
-done
-
-
-# remove namespace's finalizers && ownerReferences
-kubectl patch workspaces.tenant.kubesphere.io system-workspace -p '{"metadata":{"finalizers":[]}}' --type=merge
-kubectl patch workspacetemplates.tenant.kubesphere.io system-workspace -p '{"metadata":{"finalizers":[]}}' --type=merge
-for ns in $(kubectl get ns -o jsonpath='{.items[*].metadata.name}' -l 'kubesphere.io/managed=true')
-do
-  kubectl label ns $ns kubesphere.io/workspace- && \
-  kubectl patch ns $ns -p '{"metadata":{"ownerReferences":[]}}' --type=merge && \
-  echo "{\"kind\":\"Namespace\",\"apiVersion\":\"v1\",\"metadata\":{\"name\":\"$ns\",\"finalizers\":null}}" | kubectl replace --raw "/api/v1/namespaces/$ns/finalize" -f -
-done
-
-
-# delete crds
-for crd in `kubectl get crds -o jsonpath="{.items[*].metadata.name}"`
-do
-  if [[ ${CRD_NAMES[@]/${crd}/} != ${CRD_NAMES[@]} ]]; then
-     scop=$(eval echo $(kubectl get crd ${crd} -o jsonpath="{.spec.scope}"))
-     if [[ $scop =~ "Namespaced" ]] ; then
-        kubectl get $crd -A --no-headers | awk '{print $1" "$2" ""'$crd'"}' | xargs -n 3 sh -c 'kubectl patch $2 -n $0 $1 -p "{\"metadata\":{\"finalizers\":null}}" --type=merge 2>/dev/null && kubectl delete $2 -n $0 $1 2>/dev/null'
-     else
-        kubectl get $crd -A --no-headers | awk '{print $1" ""'$crd'"}' | xargs -n 2 sh -c 'kubectl patch $1 $0 -p "{\"metadata\":{\"finalizers\":null}}" --type=merge 2>/dev/null && kubectl delete $1 $0 2>/dev/null'
-     fi
-     kubectl delete crd $crd 2>/dev/null;
-  fi
-done
-
-
 EXTENSION_RELATED_RESOURCES='jobs.batch roles.rbac.authorization.k8s.io rolebindings.rbac.authorization.k8s.io clusterroles.rbac.authorization.k8s.io clusterrolebindings.rbac.authorization.k8s.io'
 
 for resource in $EXTENSION_RELATED_RESOURCES;do
   echo "kubectl delete $resource -l kubesphere.io/extension-ref --all-namespaces"
   kubectl delete $resource -l kubesphere.io/managed=true --all-namespaces
-done
+done

config/ks-core/templates/NOTES.txt

@@ -8,7 +8,7 @@ Please be patient and wait for several seconds for the KubeSphere deployment to
 
     kubectl get pods -n {{ .Release.Namespace }}
 
-{{- if or (eq .Values.role "") (eq .Values.role "host") }}
+{{- if or (eq .Values.multicluster.role "") (eq .Values.multicluster.role "host") }}
 2. Access the KubeSphere Console
 
     Once the deployment is complete, you can access the KubeSphere console using the following URL:  {{"\n"}}

config/ks-core/templates/_helpers.tpl

@@ -103,8 +103,21 @@ Create the name of the secret of sa token.
 {{- end }}
 {{- end }}
 
-{{- define "role" -}}
-{{- if eq .Values.role "" }}
+{{- define "telemetry.enabled" -}}
+{{- $config := lookup "v1" "Secret" (printf "%s" .Release.Namespace) "io.kubesphere.config.platformconfig.telemetry" }}
+{{- if $config }}
+{{- with $config }}
+{{- with (fromYaml ((index .data "configuration.yaml") | b64dec)) }}
+{{- .enabled }}
+{{- end }}
+{{- end }}
+{{- else }}
+{{- true }}
+{{- end }}
+{{- end }}
+
+{{- define "multicluster.role" -}}
+{{- if eq $.Values.multicluster.role "" }}
 {{- with lookup "v1" "ConfigMap" (printf "%s" .Release.Namespace) "kubesphere-config" }}
 {{- with (fromYaml (index .data "kubesphere.yaml")) }}
 {{- if and .multicluster (.multicluster).clusterRole }}
@@ -114,36 +127,36 @@ Create the name of the secret of sa token.
 {{- .multicluster.clusterRole }}
 {{- end }}
 {{- else }}
-{{- $.Values.role | default "host" }}
+{{- $.Values.multicluster.role | default "host" }}
 {{- end }}
 {{- else }}
-{{- $.Values.role | default "host" }}
+{{- $.Values.multicluster.role | default "host" }}
 {{- end }}
 {{- else }}
-{{- $.Values.role | default "host" }}
+{{- $.Values.multicluster.role | default "host" }}
 {{- end }}
 {{- else }}
-{{- .Values.role }}
+{{- $.Values.multicluster.role }}
 {{- end }}
 {{- end }}
 
-{{- define "hostClusterName" -}}
-{{- if eq .Values.hostClusterName "" }}
+{{- define "multicluster.hostClusterName" -}}
+{{- if eq $.Values.multicluster.hostClusterName "" }}
 {{- with lookup "v1" "ConfigMap" (printf "%s" .Release.Namespace) "kubesphere-config" }}
 {{- with (fromYaml (index .data "kubesphere.yaml")) }}
 {{- if and .multicluster (.multicluster).hostClusterName }}
 {{- .multicluster.hostClusterName }}
 {{- else }}
-{{- $.Values.hostClusterName | default "host" }}
+{{- $.Values.multicluster.hostClusterName | default "host" }}
 {{- end }}
 {{- else }}
-{{- $.Values.hostClusterName | default "host" }}
+{{- $.Values.multicluster.hostClusterName | default "host" }}
 {{- end }}
 {{- else }}
-{{- $.Values.hostClusterName | default "host" }}
+{{- $.Values.multicluster.hostClusterName | default "host" }}
 {{- end }}
 {{- else }}
-{{- .Values.hostClusterName }}
+{{- $.Values.multicluster.hostClusterName }}
 {{- end }}
 {{- end }}
 

config/ks-core/templates/_images.tpl

@@ -1,15 +1,15 @@
 {{/*
 Return the proper image name
 */}}
-{{- define "ks-apiserver.image" -}}
+{{- define "apiserver.image" -}}
 {{ include "common.images.image" (dict "imageRoot" .Values.apiserver.image "global" .Values.global) }}
 {{- end -}}
 
-{{- define "ks-console.image" -}}
+{{- define "console.image" -}}
 {{ include "common.images.image" (dict "imageRoot" .Values.console.image "global" .Values.global) }}
 {{- end -}}
 
-{{- define "ks-controller-manager.image" -}}
+{{- define "controller.image" -}}
 {{ include "common.images.image" (dict "imageRoot" .Values.controller.image "global" .Values.global) }}
 {{- end -}}
 
@@ -33,8 +33,8 @@ Return the proper image name
 {{ include "common.images.image" (dict "imageRoot" .Values.redis.image "global" .Values.global) }}
 {{- end -}}
 
-{{- define "preUpgrade.image" -}}
-{{ include "common.images.image" (dict "imageRoot" .Values.preUpgrade.image "global" .Values.global) }}
+{{- define "extensionRepo.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.ksExtensionRepository.image "global" .Values.global) }}
 {{- end -}}
 
 {{- define "common.images.image" -}}
@@ -53,42 +53,4 @@ Return the proper image name
     {{- $termination = .imageRoot.digest | toString -}}
 {{- end -}}
 {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}}
-{{- end -}}
-
-{{/*
-Return the proper Docker Image Registry Secret Names
-*/}}
-{{- define "apiserver.imagePullSecrets" -}}
-{{- include "common.images.pullSecrets" (dict "images" (list .Values.apiserver.image) "global" .Values.global) -}}
-{{- end -}}
-
-{{- define "console.imagePullSecrets" -}}
-{{- include "common.images.pullSecrets" (dict "images" (list .Values.console.image) "global" .Values.global) -}}
-{{- end -}}
-
-{{- define "controller.imagePullSecrets" -}}
-{{- include "common.images.pullSecrets" (dict "images" (list .Values.controller.image) "global" .Values.global) -}}
-{{- end -}}
-
-{{- define "common.images.pullSecrets" -}}
-  {{- $pullSecrets := list }}
-
-  {{- if .global }}
-    {{- range .global.imagePullSecrets -}}
-      {{- $pullSecrets = append $pullSecrets . -}}
-    {{- end -}}
-  {{- end -}}
-
-  {{- range .images -}}
-    {{- range .pullSecrets -}}
-      {{- $pullSecrets = append $pullSecrets . -}}
-    {{- end -}}
-  {{- end -}}
-
-  {{- if (not (empty $pullSecrets)) }}
-imagePullSecrets:
-    {{- range $pullSecrets }}
-  - name: {{ . }}
-    {{- end }}
-  {{- end }}
-{{- end -}}
+{{- end -}}

config/ks-core/templates/builtinroles.yaml

@@ -173,6 +173,8 @@ role:
         iam.kubesphere.io/scope: "workspace"
     templateNames:
       - workspace-view-workspace-settings
+      - workspace-view-members
+      - workspace-view-roles
   apiVersion: iam.kubesphere.io/v1beta1
   kind: WorkspaceRole
   metadata:
@@ -181,16 +183,7 @@ role:
       kubesphere.io/description: '{"zh": "查看企业空间设置。", "en": "View workspace settings."}'
       iam.kubesphere.io/auto-aggregate: "true"
     name: regular
-  rules:
-    - apiGroups:
-        - '*'
-      resources:
-        - workspaces
-        - workspacemembers
-      verbs:
-        - get
-        - list
-        - watch
+  rules: []
 
 ---
 apiVersion: iam.kubesphere.io/v1beta1
@@ -208,6 +201,9 @@ role:
     templateNames:
       - workspace-create-projects
       - workspace-view-workspace-settings
+      - workspace-view-members
+      - workspace-view-roles
+      - workspace-view-app-repos
   apiVersion: iam.kubesphere.io/v1beta1
   kind: WorkspaceRole
   metadata:

config/ks-core/templates/cert-manager.yaml

@@ -15,7 +15,6 @@ apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
   name: letsencrypt
-  namespace: {{ .Release.Namespace }}
 spec:
   acme:
     email: {{ .Values.letsEncrypt.email }}
@@ -27,7 +26,7 @@ spec:
     privateKeySecretRef:
       name: letsencrypt-{{ .Values.letsEncrypt.environment }}
     {{- if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") }}
-    http01: { }
+    http01: {}
     {{- else }}
     solvers:
       - http01:
@@ -55,7 +54,6 @@ apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
   name: self-signed
-  namespace: {{ .Release.Namespace }}
 spec:
   selfSigned: {}
 {{- end }}
@@ -79,7 +77,6 @@ apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
   name: ks-apiserver-certificate
-  namespace: {{ .Release.Namespace }}
 spec:
   # Secret names are always required.
   secretName: ks-apiserver-tls-certs
@@ -124,7 +121,6 @@ apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
   name: ks-console-certificate
-  namespace: {{ .Release.Namespace }}
 spec:
   # Secret names are always required.
   secretName: ks-console-tls-certs

config/ks-core/templates/customresourcefilters.yaml

@@ -10,5 +10,4 @@ stringData:
 kind: Secret
 metadata:
   name: extensions.customresourcefilters
-  namespace: kubesphere-system
 type: config.kubesphere.io/custom-resource-filter

config/ks-core/templates/dynamic-upgrade-job.yaml

@@ -0,0 +1,57 @@
+{{- if .Values.upgrade.enabled }}
+{{- if .Values.upgrade.dynamic }}
+{{- if .Values.upgrade.config }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ks-upgrade-dynamic-config
+data:
+  config-patch.yaml: |
+    {{- toYaml .Values.upgrade.config | nindent 4 }}
+{{- end }}
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: dynamic-upgrade
+spec:
+  template:
+    spec:
+      restartPolicy: Never
+      serviceAccountName: {{ include "ks-core.serviceAccountName" . }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: dynamic-upgrade-job
+          image: {{ template "upgrade.image" . }}
+          imagePullPolicy: {{ .Values.upgrade.image.pullPolicy }}
+          command:
+            - ks-upgrade
+            - dynamic-upgrade
+            - --logtostderr=true
+            - --config=/etc/kubesphere/config.yaml
+            {{- if .Values.upgrade.config }}
+            - --config=/etc/kubesphere/config-patch.yaml
+            {{- end }}
+          volumeMounts:
+            - mountPath: /tmp/ks-upgrade
+              name: data
+            {{- if .Values.upgrade.config }}
+            - mountPath: /etc/kubesphere/config-patch.yaml
+              name: config
+              subPath: config-patch.yaml
+            {{- end }}
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: {{ .Values.upgrade.persistenceVolume.name }}
+        {{- if .Values.upgrade.config }}
+        - name: config
+          configMap:
+            name: ks-upgrade-dynamic-config
+            defaultMode: 420
+        {{- end }}
+{{- end }}
+{{- end }}

config/ks-core/templates/extension-categories.yaml

@@ -1,4 +1,4 @@
-{{ if eq (include "role" .) "host" }}
+{{ if eq (include "multicluster.role" .) "host" }}
 ---
 apiVersion: kubesphere.io/v1alpha1
 kind: Category
@@ -6,12 +6,21 @@ metadata:
   name: ai-machine-learning
 spec:
   displayName:
-    en: AI / Machine learning
-    zh: AI / 机器学习
+    en: AI / LLM
+    zh: 人工智能 / 大模型
 
 ---
 apiVersion: kubesphere.io/v1alpha1
 kind: Category
+metadata:
+  name: deepseek
+spec:
+  displayName:
+    en: DeepSeek
+    zh: DeepSeek
+---
+apiVersion: kubesphere.io/v1alpha1
+kind: Category
 metadata:
   name: database
 spec:

config/ks-core/templates/extension-museum.yaml

@@ -0,0 +1,88 @@
+{{- if and (eq (include "multicluster.role" .) "host") .Values.ksExtensionRepository.enabled }}
+
+{{- $ca := genCA "self-signed-ca" 3650 }}
+{{- $cn := printf "%s-extensions-museum" .Release.Name }}
+{{- $altName1 := printf "extensions-museum.%s" .Release.Namespace }}
+{{- $altName2 := printf "extensions-museum.%s.svc" .Release.Namespace }}
+{{- $cert := genSignedCert $cn nil (list $altName1 $altName2) 3650 $ca }}
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: extensions-museum
+  labels:
+    app: extensions-museum
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: extensions-museum
+  template:
+    metadata:
+      labels:
+        app: extensions-museum
+      annotations:
+        # force restart ks-apiserver after the upgrade is complete if kubesphere-config changes
+        checksum/cert: {{ sha256sum $cert.Cert }}
+    spec:
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: extensions-museum
+          image: {{ template "extensionRepo.image" . }}
+          command:
+            - "/chartmuseum"
+            - "--storage-local-rootdir"
+            - "/charts"
+            - "--storage"
+            - "local"
+            - "--tls-cert"
+            - "/etc/certs/tls.crt"
+            - "--tls-key"
+            - "/etc/certs/tls.key"
+          ports:
+            - containerPort: 8080
+          volumeMounts:
+            - name: certs
+              mountPath: /etc/certs/
+      volumes:
+        - name: certs
+          secret:
+            secretName: extensions-museum-certs
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: extensions-museum-certs
+type: kubernetes.io/tls
+data:
+  ca.crt: {{ b64enc $ca.Cert }}
+  tls.crt: {{ b64enc $cert.Cert }}
+  tls.key: {{ b64enc $cert.Key }}
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: extensions-museum
+spec:
+  selector:
+    app: extensions-museum
+  ports:
+    - protocol: TCP
+      port: 443
+      targetPort: 8080
+
+---
+apiVersion: kubesphere.io/v1alpha1
+kind: Repository
+metadata:
+  name: extensions-museum
+spec:
+  url: https://extensions-museum.{{ .Release.Namespace }}.svc
+  caBundle: {{ b64enc $ca.Cert }}
+status:
+  lastSyncTime: null
+{{end}}

config/ks-core/templates/globalroles.yaml

@@ -68,6 +68,7 @@ rules:
       - config.kubesphere.io
     resources:
       - configs
+      - platformconfigs
     verbs:
       - get
       - list
@@ -248,4 +249,20 @@ rules:
       - users
     verbs:
       - create
-      - list
+      - list
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: GlobalRole
+metadata:
+  name: ks-console
+rules:
+  - apiGroups:
+      - extensions.kubesphere.io
+      - config.kubesphere.io
+    resources:
+      - '*'
+    verbs:
+      - get
+      - list
+      - watch

config/ks-core/templates/ingress.yaml

@@ -3,7 +3,6 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: ks-console
-  namespace: {{ .Release.Namespace }}
   annotations:
     {{- if .Values.internalTLS }}
     {{- if eq .Values.ingress.ingressClassName "nginx" }}

config/ks-core/templates/ks-agent.yaml

@@ -1,13 +1,11 @@
-{{ if eq (include "role" .) "member" }}
+{{ if eq (include "multicluster.role" .) "member" }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
     app: ks-agent
-    tier: backend
     version: {{ .Chart.AppVersion }}
   name: ks-agent
-  namespace: kubesphere-system
 spec:
   strategy:
     rollingUpdate:
@@ -31,7 +29,9 @@ spec:
         tier: backend
     spec:
       serviceAccountName: {{ template "ks-core.serviceAccountName" . }}
-      {{- include "controller.imagePullSecrets" . | nindent 6 }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 8 }}
+      {{- end }}
       {{- if .Values.nodeSelector }}
       nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.nodeSelector "context" $) | nindent 8 }}
       {{- end }}
@@ -48,7 +48,7 @@ spec:
       terminationGracePeriodSeconds: 30
       containers:
         - name: ks-apiserver
-          image: {{ template "ks-apiserver.image" . }}
+          image: {{ template "apiserver.image" . }}
           imagePullPolicy: {{ .Values.apiserver.image.pullPolicy }}
           {{- if .Values.apiserver.containerPorts }}
           ports: {{- include "common.tplvalues.render" (dict "value" .Values.apiserver.containerPorts "context" $) | nindent 12 }}
@@ -81,7 +81,7 @@ spec:
           {{- include "common.tplvalues.render" (dict "value" .Values.apiserver.extraVolumeMounts "context" $) | nindent 12 }}
           {{- end }}
         - name: ks-controller-manager
-          image: {{ template "ks-controller-manager.image" . }}
+          image: {{ template "controller.image" . }}
           imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
           {{- if .Values.controller.containerPorts }}
           ports: {{- include "common.tplvalues.render" (dict "value" .Values.controller.containerPorts "context" $) | nindent 12 }}
@@ -100,7 +100,7 @@ spec:
             - mountPath: /etc/kubesphere/
               name: kubesphere-config
             - mountPath: /tmp/k8s-webhook-server/serving-certs
-              name: webhook-secret
+              name: webhook-cert
             - mountPath: /etc/localtime
               name: host-time
               readOnly: true
@@ -112,7 +112,7 @@ spec:
           configMap:
             name: kubesphere-config
             defaultMode: 420
-        - name: webhook-secret
+        - name: webhook-cert
           secret:
             defaultMode: 420
             secretName: ks-controller-manager-webhook-cert

config/ks-core/templates/ks-apiserver.yaml

@@ -1,13 +1,11 @@
-{{ if eq (include "role" .) "host" }}
+{{ if eq (include "multicluster.role" .) "host" }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
     app: ks-apiserver
-    tier: backend
     version: {{ .Chart.AppVersion }}
   name: ks-apiserver
-  namespace: kubesphere-system
 spec:
   strategy:
     rollingUpdate:
@@ -29,7 +27,9 @@ spec:
         checksum/config: {{ include (print $.Template.BasePath "/kubesphere-config.yaml") . | sha256sum }}
     spec:
       serviceAccountName: {{ template "ks-core.serviceAccountName" . }}
-      {{- include "apiserver.imagePullSecrets" . | nindent 6 }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 8 }}
+      {{- end }}
       affinity:
       {{- with .Values.affinity }}
         {{- toYaml . | nindent 8 }}
@@ -62,7 +62,7 @@ spec:
       {{- end }}
       containers:
         - name: ks-apiserver
-          image: {{ template "ks-apiserver.image" . }}
+          image: {{ template "apiserver.image" . }}
           imagePullPolicy: {{ .Values.apiserver.image.pullPolicy }}
           {{- if .Values.apiserver.containerPorts }}
           ports: {{- include "common.tplvalues.render" (dict "value" .Values.apiserver.containerPorts "context" $) | nindent 12 }}
@@ -85,7 +85,7 @@ spec:
           livenessProbe:
             failureThreshold: 8
             httpGet:
-              path: /version
+              path: /livez
               port: 9090
             {{- if .Values.internalTLS }}
               scheme: HTTPS
@@ -107,14 +107,14 @@ spec:
             - name: tls-cert
               mountPath: /etc/kubesphere/pki/
           {{- end }}
-          {{ if .Values.ha.enabled }}
+          {{- if .Values.ha.enabled }}
           env:
             - name: KUBESPHERE_CACHE_OPTIONS_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: redis-secret
                   key: auth
-          {{ end }}
+          {{- end }}
       volumes:
         - configMap:
             defaultMode: 420
@@ -133,4 +133,4 @@ spec:
             secretName: ks-apiserver-tls-certs
             defaultMode: 420
         {{- end }}
-{{ end }}
+{{ end }}

config/ks-core/templates/ks-console-config.yaml

@@ -31,5 +31,4 @@ data:
       enableNodeListTerminal: {{ .Values.console.config.enableNodeListTerminal }}
 kind: ConfigMap
 metadata:
-  name: ks-console-config
-  namespace: kubesphere-system
+  name: ks-console-config

config/ks-core/templates/ks-console.yaml

@@ -1,13 +1,36 @@
-{{ if eq (include "role" .) "host" }}
+{{ if eq (include "multicluster.role" .) "host" }}
+apiVersion: kubesphere.io/v1alpha1
+kind: ServiceAccount
+metadata:
+  name: ks-console
+  namespace: kubesphere-system
+secrets: []
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: GlobalRoleBinding
+metadata:
+  labels:
+    iam.kubesphere.io/role-ref: ks-console
+  name: ks-console
+roleRef:
+  apiGroup: iam.kubesphere.io
+  kind: GlobalRole
+  name: ks-console
+subjects:
+  - apiGroup: kubesphere.io
+    kind: ServiceAccount
+    name: ks-console
+    namespace: kubesphere-system
+
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
     app: ks-console
-    tier: frontend
     version: {{ .Chart.AppVersion }}
   name: ks-console
-  namespace: kubesphere-system
 spec:
   strategy:
     rollingUpdate:
@@ -27,10 +50,11 @@ spec:
       annotations:
         # force restart ks-console after the upgrade is complete if ks-console-config changes
         checksum/config: {{ include (print $.Template.BasePath "/ks-console-config.yaml") . | sha256sum }}
+        kubesphere.io/serviceaccount-name: ks-console
     spec:
-      serviceAccount: {{ template "ks-core.serviceAccountName" . }}
-      serviceAccountName: {{ template "ks-core.serviceAccountName" . }}
-      {{- include "console.imagePullSecrets" . | nindent 6 }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 8 }}
+      {{- end }}
       {{- if .Values.nodeSelector }}
       nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.nodeSelector "context" $) | nindent 8 }}
       {{- end }}
@@ -46,7 +70,7 @@ spec:
                   app: ks-console
               topologyKey: kubernetes.io/hostname
               namespaces:
-                - {{ .Release.Namespace | quote }}
+              - {{ .Release.Namespace | quote }}
         {{- else }}
           preferredDuringSchedulingIgnoredDuringExecution:
             - weight: 100
@@ -58,28 +82,28 @@ spec:
                 namespaces:
                   - {{ .Release.Namespace | quote }}
         {{- end }}
-        {{- if .Values.tolerations }}
+      {{- if .Values.tolerations }}
       tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" .) | nindent 8 }}
       {{- end }}
       {{- if .Values.internalTLS }}
       initContainers:
         - name: init-ca
           image: {{ template "kubectl.image" . }}
-          command: [ "/bin/sh", "-c" ]
-          args: [ "cp /tmp/ca.crt /usr/local/share/ca-certificates/ \
+          command: ["/bin/sh", "-c"]
+          args: ["cp /tmp/ca.crt /usr/local/share/ca-certificates/ \
                   && update-ca-certificates && cp /etc/ssl/certs/ca-certificates.crt /certs/"]
           volumeMounts:
-          - name: tls-cert
-            mountPath: /tmp/ca.crt
-            subPath: ca.crt
-            readOnly: false
-          - name: sys-cert
-            mountPath: /certs
-            readOnly: false
+            - name: tls-cert
+              mountPath: /tmp/ca.crt
+              subPath: ca.crt
+              readOnly: false
+            - name: sys-cert
+              mountPath: /certs
+              readOnly: false
       {{- end }}
       containers:
         - name: ks-console
-          image: {{ template "ks-console.image" . }}
+          image: {{ template "console.image" . }}
           imagePullPolicy: {{ .Values.console.image.pullPolicy }}
           {{- if .Values.console.containerPorts }}
           ports: {{- include "common.tplvalues.render" (dict "value" .Values.console.containerPorts "context" $) | nindent 12 }}
@@ -147,14 +171,13 @@ spec:
         - name: sys-cert
           emptyDir: {}
         {{- end }}
----
 
+---
 apiVersion: v1
 kind: Service
 metadata:
   labels:
     app: ks-console
-    tier: frontend
     version: {{ .Chart.AppVersion }}
   annotations:
     {{- if .Values.internalTLS }}
@@ -165,21 +188,19 @@ metadata:
   name: ks-console
 spec:
   ports:
-  - name: nginx
-  {{- if .Values.internalTLS }}
-    port: 443
-  {{- else }}
-    port: 80
+    - name: nginx
+{{- if .Values.internalTLS }}
+      port: 443
+{{- else }}
+      port: 80
+{{- end }}
+      protocol: TCP
+      targetPort: 8000
+  {{- with .Values.console.nodePort }}
+      nodePort: {{ . }}
   {{- end }}
-    protocol: TCP
-    targetPort: 8000
-    {{- with .Values.console.nodePort }}
-    nodePort:
-      {{- toYaml . | nindent 6 }}
-    {{- end }}
   selector:
     app: ks-console
-    tier: frontend
 {{- if .Values.console.nodePort }}
   type: NodePort
 {{- else}}

config/ks-core/templates/ks-controller-manager.yaml

@@ -1,18 +1,16 @@
-{{ if eq (include "role" .) "host" }}
+{{ if eq (include "multicluster.role" .) "host" }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
     app: ks-controller-manager
-    tier: backend
     version: {{ .Chart.AppVersion }}
   name: ks-controller-manager
-  namespace: kubesphere-system
 spec:
   strategy:
     rollingUpdate:
-      maxSurge: 1
-      maxUnavailable: 0
+      maxSurge: 0
+      maxUnavailable: 1
     type: RollingUpdate
   progressDeadlineSeconds: 600
   replicas: {{ if .Values.ha.enabled }}3{{ else }}1{{ end }}
@@ -31,7 +29,9 @@ spec:
         checksum/config: {{ include (print $.Template.BasePath "/kubesphere-config.yaml") . | sha256sum }}
     spec:
       serviceAccountName: {{ template "ks-core.serviceAccountName" . }}
-      {{- include "controller.imagePullSecrets" . | nindent 6 }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 8 }}
+      {{- end }}
       {{- if .Values.nodeSelector }}
       nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.nodeSelector "context" $) | nindent 8 }}
       {{- end }}
@@ -68,7 +68,7 @@ spec:
       terminationGracePeriodSeconds: 30
       containers:
         - name: ks-controller-manager
-          image: {{ template "ks-controller-manager.image" . }}
+          image: {{ template "controller.image" . }}
           imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
           {{- if .Values.controller.containerPorts }}
           ports: {{- include "common.tplvalues.render" (dict "value" .Values.controller.containerPorts "context" $) | nindent 12 }}
@@ -87,7 +87,7 @@ spec:
             - mountPath: /etc/kubesphere/
               name: kubesphere-config
             - mountPath: /tmp/k8s-webhook-server/serving-certs
-              name: webhook-secret
+              name: webhook-cert
             - mountPath: /etc/localtime
               name: host-time
               readOnly: true
@@ -99,7 +99,7 @@ spec:
           configMap:
             name: kubesphere-config
             defaultMode: 420
-        - name: webhook-secret
+        - name: webhook-cert
           secret:
             defaultMode: 420
             secretName: ks-controller-manager-webhook-cert

config/ks-core/templates/kubesphere-config.yaml

@@ -1,3 +1,8 @@
+{{- if ne .Release.Namespace "kubesphere-system" }}
+{{- fail "This Helm release must be installed in the 'kubesphere-system' namespace." }}
+{{- end }}
+
+---
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -13,7 +18,7 @@ data:
         url: {{ include "portal.url" . | quote }}
         jwtSecret: {{ include "jwtSecret" . | quote }}
         maximumClockSkew: {{ .Values.authentication.issuer.maximumClockSkew | default "10s" }}
-        {{- if eq (include "role" .) "member" }}
+        {{- if eq (include "multicluster.role" .) "member" }}
         accessTokenMaxAge: 0s
         {{- else }}
         accessTokenMaxAge: {{ .Values.authentication.issuer.accessTokenMaxAge }}
@@ -30,22 +35,28 @@ data:
       bucket: {{ .Values.s3.bucket | default "uploads"  }}
       {{- end }}
     multicluster:
-      clusterRole: {{ include "role" . | quote }}
-      hostClusterName: {{ include "hostClusterName" . | include "validateHostClusterName" | quote }}
+      clusterRole: {{ include "multicluster.role" . | quote }}
+      hostClusterName: {{ include "multicluster.hostClusterName" . | include "validateHostClusterName" | quote }}
+    kubeconfig:
+      # service-account-token client-certificate oidc-token webhook-token
+      authMode: {{ (.Values.kubeconfig).authMode | default "client-certificate" }}
     terminal:
       kubectl:
-        image: {{ template "kubectl.image" . }}
+        image: {{ include "kubectl.image" . | quote }}
       node:
-        image:  {{ template "nodeShell.image" . }}
+        image: {{ include "nodeShell.image" . | quote }}
       uploadFileLimit: 100Mi
     helmExecutor:
-      image: {{ template "helm.image" . }}
+      image: {{ include "helm.image" . | quote }}
       timeout: {{ .Values.helmExecutor.timeout }}
       historyMax: {{ .Values.helmExecutor.historyMax }}
       jobTTLAfterFinished: {{ .Values.helmExecutor.jobTTLAfterFinished }}
       {{- if .Values.helmExecutor.resources }}
       resources: {{- toYaml .Values.helmExecutor.resources | nindent 8 }}
       {{- end }}
+      {{- if .Values.helmExecutor.affinity }}
+      affinity: {{- toYaml .Values.helmExecutor.affinity | nindent 8 }}
+      {{- end }}
     extension:
       imageRegistry: {{ default .Values.extension.imageRegistry "" | quote }}
       {{- if .Values.extension.nodeSelector }}
@@ -69,17 +80,7 @@ data:
       appSelector: {{ .Values.composedApp.appSelector | quote }}
     kubesphere:
       tls: {{ .Values.internalTLS }}
-    {{- if and .Values.cloud.enabled (eq (include "role" .) "host") }}
-    telemetry:
-      {{- if eq .Values.cloud.env "clouddev.kubesphere.io" }}
-      ksCloudURL: "https://clouddev.kubesphere.io"
-      {{- else if eq .Values.cloud.env "kubesphere.cloud" }}
-      ksCloudURL: "https://kubesphere.cloud"
-      {{- else if and .Values.cloud.customEnv .Values.cloud.customEnv.url }}
-      ksCloudURL: {{ $.Values.cloud.customEnv.url | quote }}
-      {{- end }}
-    {{- end }}
-    {{- if .Values.ha.enabled -}}
+    {{- if and (eq (include "multicluster.role" .) "host") .Values.ha.enabled -}}
     {{- if .Values.ha.cache }}
     cache: {{- toYaml .Values.ha.cache | nindent 6}}
     {{- else }}

config/ks-core/templates/oauthclient-config.yaml

@@ -1,4 +1,4 @@
-{{ if eq (include "role" .) "host" }}
+{{ if eq (include "multicluster.role" .) "host" }}
 apiVersion: v1
 stringData:
   configuration.yaml: |
@@ -13,7 +13,6 @@ stringData:
 kind: Secret
 metadata:
   name: oauthclient-kubesphere
-  namespace: kubesphere-system
   labels:
     config.kubesphere.io/type: oauthclient
 type: config.kubesphere.io/oauthclient

config/ks-core/templates/platformconfig-telemetry.yaml

@@ -0,0 +1,11 @@
+{{- if eq (include "multicluster.role" .) "host" }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: io.kubesphere.config.platformconfig.telemetry
+type: config.kubesphere.io/generic-platform-config
+stringData:
+  configuration.yaml: |
+    enabled: {{ include "telemetry.enabled" . }}
+    endpoint: "https://kubesphere.cloud"
+{{- end }}

config/ks-core/templates/post-delete-job.yaml

@@ -1,4 +1,3 @@
-{{- $kubeVersion := .Capabilities.KubeVersion }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -8,19 +7,9 @@ metadata:
     "helm.sh/hook-weight": "-1"
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
 data:
-  map.yaml: |
-    mappings:
-    {{- range $path, $_ := .Files.Glob "charts/ks-crds/crds/**" }}
-    {{- $crd := $.Files.Get $path | fromYaml }}
-    {{- range $_, $version := $crd.spec.versions }}
-      - deprecatedAPI: "apiVersion: {{ $crd.spec.group }}/{{ $version.name }}\nkind: {{ $crd.spec.names.kind }}\n"
-        removedInVersion: "{{ $kubeVersion }}"
-    {{- end }}
-    {{- end }}
 {{ (.Files.Glob "scripts/post-delete.sh").AsConfig | indent 2 }}
 
 ---
-
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -31,7 +20,6 @@ metadata:
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 
 ---
-
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -50,13 +38,6 @@ subjects:
     namespace: {{ .Release.Namespace }}
 
 ---
-
-{{- $crdNameList := list }}
-{{- range $path, $_ := .Files.Glob "charts/ks-crds/crds/**" }}
-{{- $crd := $.Files.Get $path | fromYaml }}
-{{- $crdNameList = append $crdNameList $crd.metadata.name }}
-{{- end }}
-
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -70,14 +51,15 @@ spec:
     spec:
       restartPolicy: Never
       serviceAccountName: "{{ .Release.Name }}-post-delete"
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 8 }}
+      {{- end }}
       containers:
         - name: post-delete-job
           image: {{ template "kubectl.image" . }}
           command:
             - /bin/bash
             - /scripts/post-delete.sh
-            - '{{ join " " $crdNameList }}'
-            - /scripts/map.yaml
           volumeMounts:
             - mountPath: /scripts
               name: scripts

config/ks-core/templates/post-patch-system-ns-job.yaml

@@ -3,7 +3,7 @@ kind: Job
 metadata:
   name: "{{ .Release.Name }}-post-patch-system-ns"
   annotations:
-    "helm.sh/hook": post-install
+    "helm.sh/hook": post-install,post-upgrade
     "helm.sh/hook-weight": "-5"
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
 spec:
@@ -11,9 +11,12 @@ spec:
     spec:
       restartPolicy: Never
       serviceAccountName: {{ include "ks-core.serviceAccountName" . }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 8 }}
+      {{- end }}
       containers:
         - name: post-patch-system-ns
-          image:  {{ template "kubectl.image" . }}
+          image: {{ template "kubectl.image" . }}
           command:
             - /bin/bash
             - -c
@@ -23,6 +26,5 @@ spec:
               do
                 kubectl label ns $ns kubesphere.io/workspace=system-workspace
                 kubectl label ns $ns kubesphere.io/managed=true
-              done
-              kubectl get ns -l 'kubesphere.io/workspace,!kubesphere.io/managed' --no-headers -o custom-columns=NAME:.metadata.name | \
-              xargs -I {} kubectl label ns {} kubesphere.io/managed=true
+                kubectl label ns $ns kubesphere.io/protected-resource=true
+              done

config/ks-core/templates/post-patch-user-job.yaml

@@ -0,0 +1,40 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: "{{ .Release.Name }}-post-patch-user"
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-weight": "-4"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+spec:
+  template:
+    spec:
+      restartPolicy: Never
+      serviceAccountName: {{ include "ks-core.serviceAccountName" . }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: post-patch-user
+          image: {{ template "kubectl.image" . }}
+          command:
+            - /bin/bash
+            - -c
+            - |
+              #!/bin/bash
+              # Get all users with the specified label
+              kubectl get users -l iam.kubesphere.io/identify-provider \
+                -o custom-columns=\
+              NAME:.metadata.name,\
+              IDP:".metadata.labels['iam\.kubesphere\.io/identify-provider']",\
+              UID:".metadata.labels['iam\.kubesphere\.io/origin-uid']" \
+                --no-headers | while read -r username idp uid; do
+                  # Check if variables are not empty and not <none>
+                  if [ ! -z "$username" ] && [ ! -z "$idp" ] && [ ! -z "$uid" ] && \
+                    [ "$idp" != "<none>" ] && [ "$uid" != "<none>" ]; then
+                      # Set annotation
+                      annotation_key="iam.kubesphere.io/identity-provider.${idp}"
+                      kubectl annotate --overwrite user "${username}" "${annotation_key}=${uid}"
+                      echo "Updated user ${username} with annotation ${annotation_key}=${uid}"
+                  fi
+              done

config/ks-core/templates/post-upgrade-job.yaml

@@ -0,0 +1,48 @@
+{{- if .Values.upgrade.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ .Release.Name }}-post-upgrade
+  annotations:
+    "helm.sh/hook": post-upgrade
+    "helm.sh/hook-weight": "0"
+    "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+  template:
+    spec:
+      restartPolicy: Never
+      serviceAccountName: {{ include "ks-core.serviceAccountName" . }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: post-upgrade-job
+          image: {{ template "upgrade.image" . }}
+          imagePullPolicy: {{ .Values.upgrade.image.pullPolicy }}
+          command:
+            - ks-upgrade
+            - post-upgrade
+            - --logtostderr=true
+            - --config=/etc/kubesphere/config.yaml
+            {{- if .Values.upgrade.config }}
+            - --config=/etc/kubesphere/config-patch.yaml
+            {{- end }}
+          volumeMounts:
+            {{- if .Values.upgrade.config }}
+            - mountPath: /etc/kubesphere/config-patch.yaml
+              name: config
+              subPath: config-patch.yaml
+            {{- end }}
+            - mountPath: /tmp/ks-upgrade
+              name: data
+      volumes:
+        {{- if .Values.upgrade.config }}
+        - name: config
+          configMap:
+            name: {{ .Release.Name }}-upgrade-config
+            defaultMode: 420
+        {{- end }}
+        - name: data
+          persistentVolumeClaim:
+            claimName: {{ .Values.upgrade.persistenceVolume.name }}
+{{- end }}

config/ks-core/templates/pre-upgrade-job.yaml

@@ -0,0 +1,83 @@
+{{- if .Values.upgrade.enabled }}
+{{- if .Values.upgrade.config }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-upgrade-config
+  annotations:
+    "helm.sh/hook": pre-upgrade
+    "helm.sh/hook-weight": "-1"
+data:
+  config-patch.yaml: |
+    {{- toYaml .Values.upgrade.config | nindent 4 }}
+{{- end }}
+
+---
+{{- if not (lookup "v1" "PersistentVolumeClaim" .Release.Namespace .Values.upgrade.persistenceVolume.name) }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: {{ .Values.upgrade.persistenceVolume.name }}
+  annotations:
+    "helm.sh/hook": pre-upgrade
+    "helm.sh/hook-weight": "-1"
+  labels:
+    app: ks-upgrade
+    version: {{ .Chart.AppVersion }}
+spec:
+  accessModes:
+    - {{ .Values.upgrade.persistenceVolume.accessMode | quote }}
+  resources:
+    requests:
+      storage: {{ .Values.upgrade.persistenceVolume.size | quote }}
+  storageClassName: {{ .Values.upgrade.persistenceVolume.storageClassName }}
+{{-  end }}
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ .Release.Name }}-pre-upgrade
+  annotations:
+    "helm.sh/hook": pre-upgrade
+    "helm.sh/hook-weight": "0"
+    "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+  template:
+    spec:
+      restartPolicy: Never
+      serviceAccountName: {{ include "ks-core.serviceAccountName" . }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: pre-upgrade-job
+          image: {{ template "upgrade.image" . }}
+          imagePullPolicy: {{ .Values.upgrade.image.pullPolicy }}
+          command:
+            - ks-upgrade
+            - pre-upgrade
+            - --logtostderr=true
+            - --config=/etc/kubesphere/config.yaml
+            {{- if .Values.upgrade.config }}
+            - --config=/etc/kubesphere/config-patch.yaml
+            {{- end }}
+          volumeMounts:
+            {{- if .Values.upgrade.config }}
+            - mountPath: /etc/kubesphere/config-patch.yaml
+              name: config
+              subPath: config-patch.yaml
+            {{- end }}
+            - mountPath: /tmp/ks-upgrade
+              name: data
+      volumes:
+        {{- if .Values.upgrade.config }}
+        - name: config
+          configMap:
+            name: {{ .Release.Name }}-upgrade-config
+            defaultMode: 420
+        {{- end }}
+        - name: data
+          persistentVolumeClaim:
+            claimName: {{ .Values.upgrade.persistenceVolume.name }}
+{{- end }}

config/ks-core/templates/prepare-upgrade-job.yaml

@@ -0,0 +1,52 @@
+{{- if .Values.upgrade.enabled }}
+{{- if .Values.upgrade.prepare }}
+{{- if .Values.upgrade.config }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ks-upgrade-prepare-config
+data:
+  config-patch.yaml: |
+    {{- toYaml .Values.upgrade.config | nindent 4 }}
+{{- end }}
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: prepare-upgrade
+spec:
+  template:
+    spec:
+      restartPolicy: Never
+      serviceAccountName: {{ include "ks-core.serviceAccountName" . }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: prepare-upgrade-job
+          image: {{ template "upgrade.image" . }}
+          imagePullPolicy: {{ .Values.upgrade.image.pullPolicy }}
+          command:
+            - ks-upgrade
+            - prepare-upgrade
+            - --logtostderr=true
+            - --config=/etc/kubesphere/config.yaml
+            {{- if .Values.upgrade.config }}
+            - --config=/etc/kubesphere/config-patch.yaml
+            {{- end }}
+          {{- if .Values.upgrade.config }}
+          volumeMounts:
+            - mountPath: /etc/kubesphere/config-patch.yaml
+              name: config
+              subPath: config-patch.yaml
+          {{- end }}
+      {{- if .Values.upgrade.config }}
+      volumes:
+        - name: config
+          configMap:
+            name: ks-upgrade-prepare-config
+            defaultMode: 420
+      {{- end }}
+{{- end }}
+{{- end }}

config/ks-core/templates/redis.yaml

@@ -1,15 +1,20 @@
+{{- if eq (include "multicluster.role" .) "host" }}
 {{- if and .Values.ha.enabled (not .Values.ha.cache) }}
 {{- if lookup "v1" "Secret" "kubesphere-system" "redis-secret" }}
 {{- lookup "v1" "Secret" "kubesphere-system" "redis-secret" | toYaml }}
 {{- else }}
+{{-  $auth := randAlphaNum 15 }}
 apiVersion: v1
 kind: Secret
 metadata:
   name: redis-secret
-  namespace: kubesphere-system
 type: Opaque
-data:
-  auth: {{  randAlphaNum 15 | b64enc }}
+stringData:
+  auth: {{ $auth | quote }}
+  redis.conf: |
+    requirepass {{ $auth }}
+    masterauth {{ $auth }}
+    port {{ .Values.redis.port | default 6379 }}
 {{- end }}
 {{- end }}
 
@@ -20,27 +25,21 @@ kind: Deployment
 metadata:
   labels:
     app: redis
-    tier: database
-    version: redis-4.0
   name: redis
-  namespace: kubesphere-system
 spec:
   replicas: {{ .Values.redis.replicaCount }}
   selector:
     matchLabels:
       app: redis
-      tier: database
   template:
     metadata:
       labels:
         app: redis
-        tier: database
-        version: redis-4.0
     spec:
       containers:
         - image: {{ template "redis.image" . }}
           imagePullPolicy: {{ .Values.redis.image.pullPolicy }}
-          command: ['sh', '-c', 'cat /tmp/redis/redis.conf | sed "s/REDIS_PASSWORD/$KUBESPHERE_CACHE_OPTIONS_PASSWORD/" > /data/redis.conf | redis-server /data/redis.conf']
+          command: ['sh', '-c', 'redis-server /etc/redis/redis.conf']
           name: redis
           args: ["/data/redis.conf"]
           env:
@@ -51,7 +50,8 @@ spec:
                   key: auth
           volumeMounts:
             - name: redis-config
-              mountPath: "/tmp/redis"
+              mountPath: "/etc/redis/redis.conf"
+              subPath: redis.conf
               readOnly: true
 {{- if .Values.redis.persistentVolume.enabled }}
             - mountPath: /data
@@ -70,8 +70,8 @@ spec:
               memory: 100Mi
       volumes:
         - name: redis-config
-          configMap:
-            name: redis-configmap
+          secret:
+            secretName: redis-secret
 {{- if .Values.redis.persistentVolume.enabled }}
         - name: redis-pvc
           persistentVolumeClaim:
@@ -94,20 +94,6 @@ spec:
       {{- if .Values.tolerations }}
       tolerations: {{- toYaml .Values.tolerations | nindent 8 }}{{- end }}
 
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: redis-configmap
-  labels:
-    app: redis
-    tier: database
-    version: redis-4.0
-data:
-  redis.conf: |
-    requirepass REDIS_PASSWORD
-    masterauth REDIS_PASSWORD
-    port {{ .Values.redis.port | default 6379 }}
 
 ---
 apiVersion: v1
@@ -115,9 +101,7 @@ kind: Service
 metadata:
   labels:
     app: redis
-    tier: database
   name: redis
-  namespace: kubesphere-system
 spec:
   ports:
     - name: redis
@@ -126,7 +110,6 @@ spec:
       targetPort: {{ .Values.redis.port | default 6379 }}
   selector:
     app: redis
-    tier: database
   sessionAffinity: None
   type: ClusterIP
 
@@ -136,7 +119,6 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: redis-pvc
-  namespace: kubesphere-system
 spec:
   accessModes:
     - ReadWriteOnce
@@ -146,3 +128,4 @@ spec:
 {{- end }}
 
 {{- end }}
+{{- end }}

config/ks-core/templates/roletemplate-categories.yaml

@@ -234,8 +234,6 @@ spec:
     en: Project Settings
     zh: '项目设置'
 
----
-  # category
 ---
 apiVersion: iam.kubesphere.io/v1beta1
 kind: Category

config/ks-core/templates/roletemplates.yaml

@@ -1103,6 +1103,8 @@ metadata:
     iam.kubesphere.io/category: workspace-access-control
     iam.kubesphere.io/scope: "workspace"
     iam.kubesphere.io/aggregate-to-viewer: ""
+    iam.kubesphere.io/aggregate-to-self-provisioner: ""
+    iam.kubesphere.io/aggregate-to-regular: ""
     kubesphere.io/managed: 'true'
   name: workspace-view-members
 spec:
@@ -1168,6 +1170,8 @@ metadata:
     iam.kubesphere.io/category: workspace-access-control
     iam.kubesphere.io/scope: "workspace"
     iam.kubesphere.io/aggregate-to-viewer: ""
+    iam.kubesphere.io/aggregate-to-regular: ""
+    iam.kubesphere.io/aggregate-to-self-provisioner: ""
     kubesphere.io/managed: 'true'
   name: workspace-view-roles
 spec:
@@ -1659,7 +1663,6 @@ metadata:
     iam.kubesphere.io/dependencies: '["namespace-view-serviceaccount"]'
     iam.kubesphere.io/role-template-rules: '{"serviceaccounts": "manage"}'
   labels:
-    iam.kubesphere.io/aggregate-to-operator: ""
     iam.kubesphere.io/category: namespace-configuration-management
     iam.kubesphere.io/scope: "namespace"
     kubesphere.io/managed: "true"
@@ -1788,7 +1791,9 @@ metadata:
     iam.kubesphere.io/category: workspace-app
     iam.kubesphere.io/scope: workspace
     kubesphere.io/managed: "true"
+    iam.kubesphere.io/aggregate-to-self-provisioner: ""
     iam.kubesphere.io/aggregate-to-viewer: ""
+    iam.kubesphere.io/aggregate-to-regular: ""
   name: workspace-view-app-repos
 spec:
   description:
@@ -1818,7 +1823,6 @@ metadata:
     iam.kubesphere.io/category: workspace-app
     iam.kubesphere.io/scope: workspace
     kubesphere.io/managed: "true"
-    iam.kubesphere.io/aggregate-to-self-provisioner: ""
     iam.kubesphere.io/aggregate-to-admin: ""
   name: workspace-manage-app-repos
 spec:
@@ -1943,7 +1947,6 @@ metadata:
     iam.kubesphere.io/category: workspace-app
     iam.kubesphere.io/scope: workspace
     kubesphere.io/managed: "true"
-    iam.kubesphere.io/aggregate-to-self-provisioner: ""
     iam.kubesphere.io/aggregate-to-admin: ""
   name: workspace-manage-app-templates
 spec:

config/ks-core/templates/serviceaccount.yaml

@@ -3,7 +3,6 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "ks-core.serviceAccountName" . }}
-  namespace: kubesphere-system
   labels:
     {{- include "ks-core.labels" . | nindent 4 }}
   {{- with .Values.serviceAccount.annotations }}
@@ -45,5 +44,5 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ include "ks-core.serviceAccountName" . }}
-    namespace: kubesphere-system
+    namespace: {{ .Release.Namespace }}
 {{- end }}

config/ks-core/templates/services.yaml

@@ -1,14 +1,10 @@
 apiVersion: v1
 kind: Service
 metadata:
-  annotations:
-    kubernetes.io/created-by: kubesphere.io/ks-apiserver
   labels:
     app: ks-apiserver
-    tier: backend
     version: {{ .Chart.AppVersion }}
   name: ks-apiserver
-  namespace: kubesphere-system
 spec:
   ports:
     - protocol: TCP
@@ -19,45 +15,38 @@ spec:
     {{- end }}
       targetPort: 9090
     {{- with .Values.apiserver.nodePort }}
-      nodePort:
-      {{- toYaml . | nindent 8 }}
+      nodePort: {{ . }}
     {{- end }}
   selector:
-    {{- if eq (include "role" .) "host" }}
+    {{- if eq (include "multicluster.role" .) "host" }}
     app: ks-apiserver
     {{- else }}
     app: ks-agent
     {{- end }}
-    tier: backend
-    # version: {{ .Chart.AppVersion }}
 {{- if .Values.apiserver.nodePort }}
   type: NodePort
 {{- else}}
   type: ClusterIP
 {{- end}}
----
 
+---
 apiVersion: v1
 kind: Service
 metadata:
   labels:
     app: ks-controller-manager
-    tier: backend
     version: {{ .Chart.AppVersion }}
   name: ks-controller-manager
-  namespace: kubesphere-system
 spec:
   ports:
     - port: 443
       protocol: TCP
       targetPort: 8443
   selector:
-    {{- if eq (include "role" .) "host" }}
+    {{- if eq (include "multicluster.role" .) "host" }}
     app: ks-controller-manager
     {{- else }}
     app: ks-agent
     {{- end }}
-    tier: backend
-    # version: {{ .Chart.AppVersion }}
   sessionAffinity: None
   type: ClusterIP

config/ks-core/templates/tls-secrets.yaml

@@ -7,7 +7,6 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: ks-apiserver-tls-certs
-  namespace: {{ .Release.Namespace }}
 type: Opaque
 data:
   ca.crt: {{  b64enc $ca.Cert }}
@@ -22,7 +21,6 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: ks-console-tls-certs
-  namespace: {{ .Release.Namespace }}
 type: Opaque
 data:
   ca.crt: {{ b64enc $ca.Cert }}
@@ -37,7 +35,6 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ .Values.ingress.tls.secretName }}
-  namespace: {{ .Release.Namespace }}
 type: Opaque
 data:
   ca.crt: {{  b64enc $ca.Cert }}