Upgrade u4a-component to v0.2.0

charts/u4a-component/Chart.yaml

@@ -15,13 +15,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.11
+version: 0.2.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.1.0"
+appVersion: "0.2.0"
 
 dependencies:
   - name: addon-component

charts/u4a-component/charts/addon-component/templates/NOTES.txt

@@ -1,4 +1,4 @@
-1. Get the {{ .Values.rbacResourceName }} ServiceAccount token by running these commands:
+1. Get the {{ .Values.clusterResPrefix }}-cluster-reader ServiceAccount token by running these commands:
 
-  export TOKENNAME=$(kubectl get serviceaccount/{{ .Values.rbacResourceName }} -n {{ .Release.Namespace }} -o jsonpath='{.secrets[0].name}')
+  export TOKENNAME=$(kubectl get serviceaccount/{{ .Values.clusterResPrefix }}-cluster-reader -n {{ .Release.Namespace }} -o jsonpath='{.secrets[0].name}')
   kubectl get secret $TOKENNAME -n {{ .Release.Namespace }} -o jsonpath='{.data.token}' | base64 -d

charts/u4a-component/charts/addon-component/templates/init-cluster/cluster-rbac.yaml

@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: t7d.io.{{ .Values.rbacResourceName }}
+  name: kubebb.{{ .Values.clusterResPrefix }}-cluster-reader
 rules:
   - apiGroups:
       - capsule.clastix.io
@@ -62,32 +62,32 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: t7d.io.{{ .Values.rbacResourceName }}
+  name: kubebb.{{ .Values.clusterResPrefix }}-cluster-reader
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: t7d.io.{{ .Values.rbacResourceName }}
+  name: kubebb.{{ .Values.clusterResPrefix }}-cluster-reader
 subjects:
   - kind: ServiceAccount
-    name: {{ .Values.rbacResourceName }}
+    name: {{ .Values.clusterResPrefix }}-cluster-reader
     namespace: {{ .Release.Namespace }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ .Values.rbacResourceName }}
+  name: {{ .Values.clusterResPrefix }}-cluster-reader
   namespace: {{ .Release.Namespace }}
 {{- if semverCompare ">=1.24" .Capabilities.KubeVersion.Version }}
 secrets:
-  - name: {{ .Values.rbacResourceName }}-secret
+  - name: {{ .Values.clusterResPrefix }}-cluster-reader-secret
     namespace: {{ .Release.Namespace }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .Values.rbacResourceName }}-secret
+  name: {{ .Values.clusterResPrefix }}-cluster-reader-secret
   namespace: {{ .Release.Namespace }}
   annotations:
-    kubernetes.io/service-account.name: {{ .Values.rbacResourceName }}
+    kubernetes.io/service-account.name: {{ .Values.clusterResPrefix }}-cluster-reader
 type: kubernetes.io/service-account-token
 {{- end }}

charts/u4a-component/charts/addon-component/templates/init-cluster/resource-rbac.yaml

@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: t7d.io.{{ .Values.clusterResPrefix }}-cluster-resource-reader
+  name: kubebb.{{ .Values.clusterResPrefix }}-cluster-resource-reader
 rules:
 - apiGroups:
   - capsule.clastix.io
@@ -30,11 +30,11 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: t7d.io.{{ .Values.clusterResPrefix }}-cluster-resource-reader
+  name: kubebb.{{ .Values.clusterResPrefix }}-cluster-resource-reader
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: t7d.io.{{ .Values.clusterResPrefix }}-cluster-resource-reader
+  name: kubebb.{{ .Values.clusterResPrefix }}-cluster-resource-reader
 subjects:
 - kind: Group
   name: resource-reader

charts/u4a-component/charts/addon-component/templates/kube-oidc-proxy/audit-policy-configmap.yaml

@@ -22,14 +22,10 @@ data:
         - group: "" # core API group
           resources: ["serviceaccounts","clusterrolebindings","clusterroles","rolebindings","roles"]
       # 2. CRDs, only enable 'write' verbs audit log for user/tenants/sa/role management, etc ...
-        - group: "t7d.io" # API group
-          resources: ["tenants","roletemplates","users"]
         - group: "cluster.karmada.io"
           resources: ["clusters"]
         - group: "capsule.clastix.io"
           resources: ["tenants", "capsuleconfigurations"]
-        - group: "common.tenxcloud.com" # core API group
-          resources: ["licenses"]
         - group: "core.kubebb.k8s.com.cn"
           resources: ["portals", "menus"]
         - group: "iam.tenxcloud.com"

charts/u4a-component/charts/addon-component/templates/kube-oidc-proxy/kube-oidc-proxy.yaml

@@ -150,11 +150,11 @@ spec:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: t7d.io.kube-oidc-proxy
+  name: kubebb.kube-oidc-proxy
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: t7d.io.kube-oidc-proxy
+  name: kubebb.kube-oidc-proxy
 subjects:
 - kind: ServiceAccount
   name: kube-oidc-proxy
@@ -163,7 +163,7 @@ subjects:
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: t7d.io.kube-oidc-proxy
+  name: kubebb.kube-oidc-proxy
 rules:
 - apiGroups:
   - ""

charts/u4a-component/charts/addon-component/templates/tenant-management/config.yaml

@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: t7d.io.capsule-manager-rolebinding
+  name: kubebb.capsule-manager-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

charts/u4a-component/charts/addon-component/values.yaml

@@ -4,7 +4,7 @@
 
 # Rbac resource name of host or managed cluster's reader role
 # such as host-cluster-reader, managed-cluster-reader
-rbacResourceName: host-cluster-reader
+clusterResPrefix: host
 
 # Optional but the default: Use it if the managed Kubernetes didn't have OIDC configured on apiserver
 kubeOidcProxy:

charts/u4a-component/charts/crds/Chart.yaml

@@ -21,4 +21,4 @@ version: 0.1.2
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.1.0"
+appVersion: "0.1.2"

charts/u4a-component/templates/NOTES.txt

@@ -1,4 +1,4 @@
-1. Get the {{ .Values.rbacResourceName }} ServiceAccount token by running these commands:
+1. Get the {{ .Values.clusterResPrefix }}-cluster-reader ServiceAccount token by running these commands:
 
-  export TOKENNAME=$(kubectl get serviceaccount/{{ index .Values "addon-component" "rbacResourceName" }} -n {{ .Release.Namespace }} -o jsonpath='{.secrets[0].name}')
+  export TOKENNAME=$(kubectl get serviceaccount/{{ index .Values "addon-component" "clusterResPrefix" }}-cluster-reader -n {{ .Release.Namespace }} -o jsonpath='{.secrets[0].name}')
   kubectl get secret $TOKENNAME -n {{ .Release.Namespace }} -o jsonpath='{.data.token}' | base64 -d

charts/u4a-component/templates/bff-server/bff-server-config.yaml

@@ -0,0 +1,130 @@
+apiVersion: v1
+data:
+  config.yaml: |
+    # 当前 server 的默认配置
+    # ⚠⚠ 修改不会实时生效，需要重启 server，开发时也一样 ⚠⚠
+    # ⚠⚠ 注意名称必须采用小驼峰命名，不能使用下划线 ⚠⚠
+    # 以下配置也可通过环境变量设置，且环境变量的优先级更高，比如端口就可以通过环境变量 web_port: 8090 来设置
+    web:
+      # server 端口
+      port: 8022
+      # 静态文件配置
+      static:
+        # 缓存
+        cache:
+          # 默认为 1 年缓存，单位：秒
+          maxAge: 31536000
+    # 日志配置
+    log:
+      # 支持 log,error,warn,debug,verbose 5 个日志等级的组合
+      levels: log,error,warn
+    # 请求体解析器配置
+    # 详见 https://github.com/expressjs/body-parser#bodyparserjsonoptions
+    # bodyParser:
+    #   json:
+    #     inflate: true
+    #     limit: 5mb
+    oidc:
+      # oidc 服务端配置
+      server:
+        # oidc-server 的地址
+        url: https://oidc-server:5556/oidc
+        # oidc-server 的 ca 证书，默认不需要配置，会从 /etc/oidc-server/ca.crt 中读取
+        caCrt: ''
+      # oidc 测试客户端，用于调试
+      testClient:
+        id: ''
+        secret: ''
+        redirectUri: ''
+      connector:
+        id: {{ .Values.bffServer.connectorId }}
+      # 配置后会将 id token 设置到对应 cookie 中，用于类似 grafana 的 session cookie 认证场景
+      idTokenCookies:
+        # - key: grafana_session
+        #   # 更多配置见 http://expressjs.com/en/5x/api.html#res.cookie
+        #   path: /grafana
+        #   httpOnly: true
+    # iam-provider 的配置
+    iamProvider:
+      server:
+        url: https://oidc-server
+    # dock-app 配置
+    dockApp:
+      # oidc 客户端配置
+      oidcClient:
+        id: {{ .Values.bffServer.clientId }}
+        secret: {{ .Values.bffServer.clientSecret }}
+      tce:
+        # 设置为 true 时，开启适配 [email protected] 的兼容模式
+        enabled: false
+        # TCE session 的名称
+        sessionKey: tce
+        # TCE 地址，用于适配 [email protected] 的退出逻辑
+        url: ''
+    # session 配置，详见 https://github.com/expressjs/session#options
+    session:
+      secret: 23b4ca9d-6eae-4d67-befd-7e98e0bfc839
+      name: bff
+      resave: false
+      saveUninitialized: false
+      rolling: true
+      cookie:
+        httpOnly: true
+        path: /
+        # 如果有组件是部署在其他子域名下的，则需要设置 domain 为根域名，这样才能共享 session
+        # domain: .172.22.96.136.nip.io
+      # redis store 配置，详见 https://github.com/tj/connect-redis#options
+      redisStore:
+        prefix: 'sess:bff:'
+        # 有效期，单位是秒，默认是 6 小时
+        ttl: 21600
+    # 登录策略
+    loginPolicy:
+      # 需要输入验证码的登录失败次数，默认是 3 次，设置为 0 后，默认展示验证码，每次登录均需要输入验证
+      captchaEnabledLoginFailedTimes: 3
+      # 是否启用禁用登录的策略
+      disabledPolicyEnabled: false
+      # 禁用登录的登录失败次数，默认是 8 次
+      loginDisabledFailedTimes: 8
+      # 禁用登录的时间，单位是分钟，默认是 15
+      loginDisabledMinutes: 15
+      # 是否开启登录限制模式，默认为关闭
+        # 设置为 on：开启基于用户的登录限制模式，一个账户同时只允许有一个实例登录
+        # 设置为 ip：开启基于 ip 的登录限制模式，一个账户同一个 ip 下允许多个实例登录
+      loginRestrictionMode: off
+    # redis 配置，目前用于存储 session ，配置详见 https://redis.github.io/ioredis/index.html#RedisOptions
+    redis:
+      host: bff-server-session-redis
+      port: 6379
+      password: ""
+      db: 0
+      # redis 命令超时参数，否则网络异常时可能导致请求一直 hang 住 TCS-4224
+      commandTimeout: 5000
+    # basic 认证，用于一些特殊 api 的认证
+    basic:
+      username: bff-server
+      password: ""
+    # 调试时的相关配置
+    debug:
+      # 配置为 true 可以关闭 session 的检查，只检查 token
+      skipSessionCheck: false
+    kubernetes:
+      cluster:
+        name: kube-oidc-proxy
+        server: {{ .Values.k8s.hostK8sApiWithOidc }}
+        skipTLSVerify: true
+      # bff-server 调用 k8s api 的超时时间，单位：秒
+      timeout: 30
+      # 保存集群系统配置的 secret 所在的命名空间
+      secretSystemNamespace: cluster-system
+      # 保存集群配置的 secret 所在的命名空间
+      secretConfigsNamespace: u4a-system
+      # bff-server 自己的 service account token，仅开发时使用，生产环境时会从 k8s 注入的 sa 文件中读取
+      bffSaToken: ''
+      # 集群相关配置，例如 es 等配置，仅用于开发调试，生产环境会从挂载的 cluster-configs secrets 中读取
+      clusterConfigs: {}
+
+kind: ConfigMap
+metadata:
+  name: bff-server-config
+  namespace: {{ .Release.Namespace }}

charts/u4a-component/templates/bff-server/bff-server.yaml

@@ -41,13 +41,16 @@ spec:
         - name: logos
           configMap:
             name: portal-logos
+        - name: bff-server-config-volume
+          configMap:
+            name: bff-server-config
       containers:
         - name: bff-server
           image: {{ .Values.registryServer }}/{{ .Values.bffServer.image }}
           livenessProbe:
             failureThreshold: 4
             httpGet:
-              path: /health
+              path: /bff/health
               port: 8022
               scheme: HTTP
             initialDelaySeconds: 10
@@ -57,7 +60,7 @@ spec:
           readinessProbe:
             failureThreshold: 4
             httpGet:
-              path: /health
+              path: /bff/health
               port: 8022
               scheme: HTTP
             initialDelaySeconds: 10
@@ -70,24 +73,22 @@ spec:
             - containerPort: 8023
               protocol: TCP
           env: # 主要是环境变量这里
-            - name: DEX_SERVER_URL # dex 服务地址
-              value: https://oidc-server:5556/oidc
-            - name: DEX_CONNECTOR_ID # 我们自定义的 dex connector id
-              value: {{ .Values.bffServer.connectorId }}
-            - name: DEX_CLIENT_ID # dex client id，用于 dock-app 接入 oidc
-              value: {{ .Values.bffServer.clientId }}
-            - name: DEX_CLIENT_SECRET # dex client secret
-              value: {{ .Values.bffServer.clientSecret }}
-            - name: K8S_OIDC_PROXY_URL # k8s 管理集群上 oidc-proxy 的地址
-              value: {{ .Values.k8s.hostK8sApiWithOidc }}
-            - name: K8S_API_TIMEOUT
-              value: "10"
+            - name: redis_password
+              valueFrom:
+                secretKeyRef:
+                  name: bff-secret
+                  key: redis_password
+            - name: basic_password
+              valueFrom:
+                secretKeyRef:
+                  name: bff-secret
+                  key: basic_password
           resources:
             limits:
               cpu: 1
               memory: 1Gi
             requests:
-              cpu: 200m
+              cpu: 100m
               memory: 512Mi
           imagePullPolicy: IfNotPresent
           volumeMounts:
@@ -103,6 +104,9 @@ spec:
             - mountPath: /usr/src/app/public/profile/img
               name: logos
               readOnly: true
+            - name: bff-server-config-volume
+              mountPath: /usr/src/app/configs/config.yaml
+              subPath: config.yaml
 ---
 apiVersion: v1
 kind: Service