diff --git a/charts/u4a-component/Chart.yaml b/charts/u4a-component/Chart.yaml
index 026c944..5067925 100644
--- a/charts/u4a-component/Chart.yaml
+++ b/charts/u4a-component/Chart.yaml
@@ -15,13 +15,13 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.11
+version: 0.2.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
-appVersion: "0.1.0"
+appVersion: "0.2.0"
dependencies:
- name: addon-component
diff --git a/charts/u4a-component/charts/addon-component/templates/NOTES.txt b/charts/u4a-component/charts/addon-component/templates/NOTES.txt
index a6e5e7e..db5e72e 100644
--- a/charts/u4a-component/charts/addon-component/templates/NOTES.txt
+++ b/charts/u4a-component/charts/addon-component/templates/NOTES.txt
@@ -1,4 +1,4 @@
-1. Get the {{ .Values.rbacResourceName }} ServiceAccount token by running these commands:
+1. Get the {{ .Values.clusterResPrefix }}-cluster-reader ServiceAccount token by running these commands:
- export TOKENNAME=$(kubectl get serviceaccount/{{ .Values.rbacResourceName }} -n {{ .Release.Namespace }} -o jsonpath='{.secrets[0].name}')
+ export TOKENNAME=$(kubectl get serviceaccount/{{ .Values.clusterResPrefix }}-cluster-reader -n {{ .Release.Namespace }} -o jsonpath='{.secrets[0].name}')
kubectl get secret $TOKENNAME -n {{ .Release.Namespace }} -o jsonpath='{.data.token}' | base64 -d
diff --git a/charts/u4a-component/charts/addon-component/templates/init-cluster/cluster-rbac.yaml b/charts/u4a-component/charts/addon-component/templates/init-cluster/cluster-rbac.yaml
index 60084bc..077a99a 100644
--- a/charts/u4a-component/charts/addon-component/templates/init-cluster/cluster-rbac.yaml
+++ b/charts/u4a-component/charts/addon-component/templates/init-cluster/cluster-rbac.yaml
@@ -1,7 +1,7 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
- name: t7d.io.{{ .Values.rbacResourceName }}
+ name: kubebb.{{ .Values.clusterResPrefix }}-cluster-reader
rules:
- apiGroups:
- capsule.clastix.io
@@ -62,32 +62,32 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
- name: t7d.io.{{ .Values.rbacResourceName }}
+ name: kubebb.{{ .Values.clusterResPrefix }}-cluster-reader
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
- name: t7d.io.{{ .Values.rbacResourceName }}
+ name: kubebb.{{ .Values.clusterResPrefix }}-cluster-reader
subjects:
- kind: ServiceAccount
- name: {{ .Values.rbacResourceName }}
+ name: {{ .Values.clusterResPrefix }}-cluster-reader
namespace: {{ .Release.Namespace }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
- name: {{ .Values.rbacResourceName }}
+ name: {{ .Values.clusterResPrefix }}-cluster-reader
namespace: {{ .Release.Namespace }}
{{- if semverCompare ">=1.24" .Capabilities.KubeVersion.Version }}
secrets:
- - name: {{ .Values.rbacResourceName }}-secret
+ - name: {{ .Values.clusterResPrefix }}-cluster-reader-secret
namespace: {{ .Release.Namespace }}
---
apiVersion: v1
kind: Secret
metadata:
- name: {{ .Values.rbacResourceName }}-secret
+ name: {{ .Values.clusterResPrefix }}-cluster-reader-secret
namespace: {{ .Release.Namespace }}
annotations:
- kubernetes.io/service-account.name: {{ .Values.rbacResourceName }}
+ kubernetes.io/service-account.name: {{ .Values.clusterResPrefix }}-cluster-reader
type: kubernetes.io/service-account-token
{{- end }}
\ No newline at end of file
diff --git a/charts/u4a-component/charts/addon-component/templates/init-cluster/resource-rbac.yaml b/charts/u4a-component/charts/addon-component/templates/init-cluster/resource-rbac.yaml
index e355032..860707c 100644
--- a/charts/u4a-component/charts/addon-component/templates/init-cluster/resource-rbac.yaml
+++ b/charts/u4a-component/charts/addon-component/templates/init-cluster/resource-rbac.yaml
@@ -1,7 +1,7 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
- name: t7d.io.{{ .Values.clusterResPrefix }}-cluster-resource-reader
+ name: kubebb.{{ .Values.clusterResPrefix }}-cluster-resource-reader
rules:
- apiGroups:
- capsule.clastix.io
@@ -30,11 +30,11 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
- name: t7d.io.{{ .Values.clusterResPrefix }}-cluster-resource-reader
+ name: kubebb.{{ .Values.clusterResPrefix }}-cluster-resource-reader
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
- name: t7d.io.{{ .Values.clusterResPrefix }}-cluster-resource-reader
+ name: kubebb.{{ .Values.clusterResPrefix }}-cluster-resource-reader
subjects:
- kind: Group
name: resource-reader
diff --git a/charts/u4a-component/charts/addon-component/templates/kube-oidc-proxy/audit-policy-configmap.yaml b/charts/u4a-component/charts/addon-component/templates/kube-oidc-proxy/audit-policy-configmap.yaml
index ef33c6a..f5527e1 100644
--- a/charts/u4a-component/charts/addon-component/templates/kube-oidc-proxy/audit-policy-configmap.yaml
+++ b/charts/u4a-component/charts/addon-component/templates/kube-oidc-proxy/audit-policy-configmap.yaml
@@ -22,14 +22,10 @@ data:
- group: "" # core API group
resources: ["serviceaccounts","clusterrolebindings","clusterroles","rolebindings","roles"]
# 2. CRDs, only enable 'write' verbs audit log for user/tenants/sa/role management, etc ...
- - group: "t7d.io" # API group
- resources: ["tenants","roletemplates","users"]
- group: "cluster.karmada.io"
resources: ["clusters"]
- group: "capsule.clastix.io"
resources: ["tenants", "capsuleconfigurations"]
- - group: "common.tenxcloud.com" # core API group
- resources: ["licenses"]
- group: "core.kubebb.k8s.com.cn"
resources: ["portals", "menus"]
- group: "iam.tenxcloud.com"
diff --git a/charts/u4a-component/charts/addon-component/templates/kube-oidc-proxy/kube-oidc-proxy.yaml b/charts/u4a-component/charts/addon-component/templates/kube-oidc-proxy/kube-oidc-proxy.yaml
index 6939abe..c286931 100644
--- a/charts/u4a-component/charts/addon-component/templates/kube-oidc-proxy/kube-oidc-proxy.yaml
+++ b/charts/u4a-component/charts/addon-component/templates/kube-oidc-proxy/kube-oidc-proxy.yaml
@@ -150,11 +150,11 @@ spec:
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: t7d.io.kube-oidc-proxy
+ name: kubebb.kube-oidc-proxy
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
- name: t7d.io.kube-oidc-proxy
+ name: kubebb.kube-oidc-proxy
subjects:
- kind: ServiceAccount
name: kube-oidc-proxy
@@ -163,7 +163,7 @@ subjects:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: t7d.io.kube-oidc-proxy
+ name: kubebb.kube-oidc-proxy
rules:
- apiGroups:
- ""
diff --git a/charts/u4a-component/charts/addon-component/templates/tenant-management/config.yaml b/charts/u4a-component/charts/addon-component/templates/tenant-management/config.yaml
index d0539ed..5b58338 100644
--- a/charts/u4a-component/charts/addon-component/templates/tenant-management/config.yaml
+++ b/charts/u4a-component/charts/addon-component/templates/tenant-management/config.yaml
@@ -1,7 +1,7 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
- name: t7d.io.capsule-manager-rolebinding
+ name: kubebb.capsule-manager-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
diff --git a/charts/u4a-component/charts/addon-component/values.yaml b/charts/u4a-component/charts/addon-component/values.yaml
index 8d5e104..55cac9e 100644
--- a/charts/u4a-component/charts/addon-component/values.yaml
+++ b/charts/u4a-component/charts/addon-component/values.yaml
@@ -4,7 +4,7 @@
# Rbac resource name of host or managed cluster's reader role
# such as host-cluster-reader, managed-cluster-reader
-rbacResourceName: host-cluster-reader
+clusterResPrefix: host
# Optional but the default: Use it if the managed Kubernetes didn't have OIDC configured on apiserver
kubeOidcProxy:
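Review bot: The comment directly above the renamed key still describes the old value (`# Rbac resource name of host or managed cluster's reader role` / `# such as host-cluster-reader, managed-cluster-reader`), but `clusterResPrefix: host` now carries only the prefix and the templates append `-cluster-reader`, `-cluster-resource-reader` and `-cluster-reader-secret` to it. A reader copying the example values from the comment would set `clusterResPrefix: host-cluster-reader` and get doubled names. Suggest `# Prefix for the host or managed cluster's RBAC reader resources; templates append "-cluster-reader" (e.g. host -> host-cluster-reader, managed -> managed-cluster-reader)`.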
diff --git a/charts/u4a-component/charts/crds/Chart.yaml b/charts/u4a-component/charts/crds/Chart.yaml
index 6700324..f2d606e 100644
--- a/charts/u4a-component/charts/crds/Chart.yaml
+++ b/charts/u4a-component/charts/crds/Chart.yaml
@@ -21,4 +21,4 @@ version: 0.1.2
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
-appVersion: "0.1.0"
+appVersion: "0.1.2"
diff --git a/charts/u4a-component/templates/NOTES.txt b/charts/u4a-component/templates/NOTES.txt
index b56202d..8791218 100644
--- a/charts/u4a-component/templates/NOTES.txt
+++ b/charts/u4a-component/templates/NOTES.txt
@@ -1,4 +1,4 @@
-1. Get the {{ .Values.rbacResourceName }} ServiceAccount token by running these commands:
+1. Get the {{ .Values.clusterResPrefix }}-cluster-reader ServiceAccount token by running these commands:
- export TOKENNAME=$(kubectl get serviceaccount/{{ index .Values "addon-component" "rbacResourceName" }} -n {{ .Release.Namespace }} -o jsonpath='{.secrets[0].name}')
+ export TOKENNAME=$(kubectl get serviceaccount/{{ index .Values "addon-component" "clusterResPrefix" }}-cluster-reader -n {{ .Release.Namespace }} -o jsonpath='{.secrets[0].name}')
kubectl get secret $TOKENNAME -n {{ .Release.Namespace }} -o jsonpath='{.data.token}' | base64 -d
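Review bot: The heading on line 1 reads `.Values.clusterResPrefix` from the parent chart's values while the command on line 2 reads it through `index .Values "addon-component" "clusterResPrefix"`; unless the parent values.yaml also defines a top-level `clusterResPrefix` (none is visible in this diff), the heading renders as `-cluster-reader` and no longer matches the ServiceAccount the command queries. Use the same subchart lookup in both places, `1. Get the {{ index .Values "addon-component" "clusterResPrefix" }}-cluster-reader ServiceAccount token by running these commands:`. The removed line had the same mismatch with `rbacResourceName`, so this rename is the natural moment to fix it.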
diff --git a/charts/u4a-component/templates/bff-server/bff-server-config.yaml b/charts/u4a-component/templates/bff-server/bff-server-config.yaml
new file mode 100644
index 0000000..aca93c5
--- /dev/null
+++ b/charts/u4a-component/templates/bff-server/bff-server-config.yaml
@@ -0,0 +1,130 @@
+apiVersion: v1
+data:
+ config.yaml: |
+ # 当前 server 的默认配置
+ # ⚠⚠ 修改不会实时生效,需要重启 server,开发时也一样 ⚠⚠
+ # ⚠⚠ 注意名称必须采用小驼峰命名,不能使用下划线 ⚠⚠
+ # 以下配置也可通过环境变量设置,且环境变量的优先级更高,比如端口就可以通过环境变量 web_port: 8090 来设置
+ web:
+ # server 端口
+ port: 8022
+ # 静态文件配置
+ static:
+ # 缓存
+ cache:
+ # 默认为 1 年缓存,单位:秒
+ maxAge: 31536000
+ # 日志配置
+ log:
+ # 支持 log,error,warn,debug,verbose 5 个日志等级的组合
+ levels: log,error,warn
+ # 请求体解析器配置
+ # 详见 https://github.com/expressjs/body-parser#bodyparserjsonoptions
+ # bodyParser:
+ # json:
+ # inflate: true
+ # limit: 5mb
+ oidc:
+ # oidc 服务端配置
+ server:
+ # oidc-server 的地址
+ url: https://oidc-server:5556/oidc
+ # oidc-server 的 ca 证书,默认不需要配置,会从 /etc/oidc-server/ca.crt 中读取
+ caCrt: ''
+ # oidc 测试客户端,用于调试
+ testClient:
+ id: ''
+ secret: ''
+ redirectUri: ''
+ connector:
+ id: {{ .Values.bffServer.connectorId }}
+ # 配置后会将 id token 设置到对应 cookie 中,用于类似 grafana 的 session cookie 认证场景
+ idTokenCookies:
+ # - key: grafana_session
+ # # 更多配置见 http://expressjs.com/en/5x/api.html#res.cookie
+ # path: /grafana
+ # httpOnly: true
+ # iam-provider 的配置
+ iamProvider:
+ server:
+ url: https://oidc-server
+ # dock-app 配置
+ dockApp:
+ # oidc 客户端配置
+ oidcClient:
+ id: {{ .Values.bffServer.clientId }}
+ secret: {{ .Values.bffServer.clientSecret }}
+ tce:
+ # 设置为 true 时,开启适配 tce@5.4 的兼容模式
+ enabled: false
+ # TCE session 的名称
+ sessionKey: tce
+ # TCE 地址,用于适配 tce@5.4 的退出逻辑
+ url: ''
+ # session 配置,详见 https://github.com/expressjs/session#options
+ session:
+ secret: 23b4ca9d-6eae-4d67-befd-7e98e0bfc839
+ name: bff
+ resave: false
+ saveUninitialized: false
+ rolling: true
+ cookie:
+ httpOnly: true
+ path: /
+ # 如果有组件是部署在其他子域名下的,则需要设置 domain 为根域名,这样才能共享 session
+ # domain: .172.22.96.136.nip.io
+ # redis store 配置,详见 https://github.com/tj/connect-redis#options
+ redisStore:
+ prefix: 'sess:bff:'
+ # 有效期,单位是秒,默认是 6 小时
+ ttl: 21600
+ # 登录策略
+ loginPolicy:
+ # 需要输入验证码的登录失败次数,默认是 3 次,设置为 0 后,默认展示验证码,每次登录均需要输入验证
+ captchaEnabledLoginFailedTimes: 3
+ # 是否启用禁用登录的策略
+ disabledPolicyEnabled: false
+ # 禁用登录的登录失败次数,默认是 8 次
+ loginDisabledFailedTimes: 8
+ # 禁用登录的时间,单位是分钟,默认是 15
+ loginDisabledMinutes: 15
+ # 是否开启登录限制模式,默认为关闭
+ # 设置为 on:开启基于用户的登录限制模式,一个账户同时只允许有一个实例登录
+ # 设置为 ip:开启基于 ip 的登录限制模式,一个账户同一个 ip 下允许多个实例登录
+ loginRestrictionMode: off
+ # redis 配置,目前用于存储 session ,配置详见 https://redis.github.io/ioredis/index.html#RedisOptions
+ redis:
+ host: bff-server-session-redis
+ port: 6379
+ password: ""
+ db: 0
+ # redis 命令超时参数,否则网络异常时可能导致请求一直 hang 住 TCS-4224
+ commandTimeout: 5000
+ # basic 认证,用于一些特殊 api 的认证
+ basic:
+ username: bff-server
+ password: ""
+ # 调试时的相关配置
+ debug:
+ # 配置为 true 可以关闭 session 的检查,只检查 token
+ skipSessionCheck: false
+ kubernetes:
+ cluster:
+ name: kube-oidc-proxy
+ server: {{ .Values.k8s.hostK8sApiWithOidc }}
+ skipTLSVerify: true
+ # bff-server 调用 k8s api 的超时时间,单位:秒
+ timeout: 30
+ # 保存集群系统配置的 secret 所在的命名空间
+ secretSystemNamespace: cluster-system
+ # 保存集群配置的 secret 所在的命名空间
+ secretConfigsNamespace: u4a-system
+ # bff-server 自己的 service account token,仅开发时使用,生产环境时会从 k8s 注入的 sa 文件中读取
+ bffSaToken: ''
+ # 集群相关配置,例如 es 等配置,仅用于开发调试,生产环境会从挂载的 cluster-configs secrets 中读取
+ clusterConfigs: {}
+
+kind: ConfigMap
+metadata:
+ name: bff-server-config
+ namespace: {{ .Release.Namespace }}
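Review bot: `session.secret` is a fixed literal (`23b4ca9d-6eae-4d67-befd-7e98e0bfc839`) baked into a ConfigMap that every installation of this chart shares, so the cookie-signing key is public and session cookies from any deployment can be forged by whoever has read the chart. Source it from a value with a per-release fallback, e.g. `secret: {{ .Values.bffServer.sessionSecret | default (randAlphaNum 32) | quote }}`, keeping in mind that a `randAlphaNum` default is re-rolled on every `helm upgrade` and invalidates live sessions unless the value is pinned. The same ConfigMap also renders `oidcClient.secret: {{ .Values.bffServer.clientSecret }}` in clear text; a ConfigMap is readable by anyone with `get configmaps` in the namespace, and since the header comment says environment variables override these keys (which the Deployment already relies on for `redis_password` and `basic_password`), the OIDC client secret belongs in `bff-secret` alongside them rather than here. `kubernetes.cluster.skipTLSVerify: true` turns off certificate verification for the endpoint the BFF forwards user bearer tokens to; if it is needed for self-signed setups, expose it as a value defaulting to `false` rather than hard-coding it on.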
diff --git a/charts/u4a-component/templates/bff-server/bff-server.yaml b/charts/u4a-component/templates/bff-server/bff-server.yaml
index 89b3a51..07c0c99 100644
--- a/charts/u4a-component/templates/bff-server/bff-server.yaml
+++ b/charts/u4a-component/templates/bff-server/bff-server.yaml
@@ -41,13 +41,16 @@ spec:
- name: logos
configMap:
name: portal-logos
+ - name: bff-server-config-volume
+ configMap:
+ name: bff-server-config
containers:
- name: bff-server
image: {{ .Values.registryServer }}/{{ .Values.bffServer.image }}
livenessProbe:
failureThreshold: 4
httpGet:
- path: /health
+ path: /bff/health
port: 8022
scheme: HTTP
initialDelaySeconds: 10
@@ -57,7 +60,7 @@ spec:
readinessProbe:
failureThreshold: 4
httpGet:
- path: /health
+ path: /bff/health
port: 8022
scheme: HTTP
initialDelaySeconds: 10
@@ -70,24 +73,22 @@ spec:
- containerPort: 8023
protocol: TCP
env: # 主要是环境变量这里
- - name: DEX_SERVER_URL # dex 服务地址
- value: https://oidc-server:5556/oidc
- - name: DEX_CONNECTOR_ID # 我们自定义的 dex connector id
- value: {{ .Values.bffServer.connectorId }}
- - name: DEX_CLIENT_ID # dex client id,用于 dock-app 接入 oidc
- value: {{ .Values.bffServer.clientId }}
- - name: DEX_CLIENT_SECRET # dex client secret
- value: {{ .Values.bffServer.clientSecret }}
- - name: K8S_OIDC_PROXY_URL # k8s 管理集群上 oidc-proxy 的地址
- value: {{ .Values.k8s.hostK8sApiWithOidc }}
- - name: K8S_API_TIMEOUT
- value: "10"
+ - name: redis_password
+ valueFrom:
+ secretKeyRef:
+ name: bff-secret
+ key: redis_password
+ - name: basic_password
+ valueFrom:
+ secretKeyRef:
+ name: bff-secret
+ key: basic_password
resources:
limits:
cpu: 1
memory: 1Gi
requests:
- cpu: 200m
+ cpu: 100m
memory: 512Mi
imagePullPolicy: IfNotPresent
volumeMounts:
@@ -103,6 +104,9 @@ spec:
- mountPath: /usr/src/app/public/profile/img
name: logos
readOnly: true
+ - name: bff-server-config-volume
+ mountPath: /usr/src/app/configs/config.yaml
+ subPath: config.yaml
---
apiVersion: v1
kind: Service
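Review bot: The new `subPath: config.yaml` mount is a one-time copy: the kubelet does not propagate later ConfigMap changes into subPath mounts, and the config file's own header says edits only take effect after a restart, so a `helm upgrade` that changes only `bff-server-config` leaves running pods on the old configuration. Add a checksum annotation to the pod template so the Deployment rolls when the ConfigMap content changes: `checksum/config: {{ include (print $.Template.BasePath "/bff-server/bff-server-config.yaml") . | sha256sum }}`. The pod template's `metadata.annotations` where this belongs lies outside the hunk.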
diff --git a/charts/u4a-component/templates/bff-server/rbac.yaml b/charts/u4a-component/templates/bff-server/rbac.yaml
index 9099339..0449432 100644
--- a/charts/u4a-component/templates/bff-server/rbac.yaml
+++ b/charts/u4a-component/templates/bff-server/rbac.yaml
@@ -2,16 +2,8 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
- name: t7d.io.platform-resource-reader
+ name: kubebb.platform-resource-reader
rules:
-- apiGroups:
- - common.tenxcloud.com
- resources:
- - licenseusings
- - licenses
- verbs:
- - get
- - list
- apiGroups:
- iam.tenxcloud.com
resources:
@@ -47,22 +39,12 @@ rules:
verbs:
- get
- list
-- apiGroups:
- - component.t7d.io
- resources:
- - menus
- - components
- verbs:
- - list
- apiGroups:
- core.kubebb.k8s.com.cn
resources:
- menus
- portals
- - components
- - repositories
verbs:
- - get
- list
- apiGroups:
- extensions
@@ -77,11 +59,11 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
- name: t7d.io.platform-resource-reader
+ name: kubebb.platform-resource-reader
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
- name: t7d.io.platform-resource-reader
+ name: kubebb.platform-resource-reader
subjects:
- kind: Group
name: resource-reader
diff --git a/charts/u4a-component/templates/bff-server/redis.yaml b/charts/u4a-component/templates/bff-server/redis.yaml
new file mode 100644
index 0000000..b3ea082
--- /dev/null
+++ b/charts/u4a-component/templates/bff-server/redis.yaml
@@ -0,0 +1,76 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: bff-server-session-redis
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: bff-server
+ name: bff-server-session-redis
+spec:
+ progressDeadlineSeconds: 600
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ name: bff-server-session-redis
+ strategy:
+ rollingUpdate:
+ maxSurge: 25%
+ maxUnavailable: 25%
+ type: RollingUpdate
+ template:
+ metadata:
+ annotations:
+ imagetag_arch: amd64
+ imagetag_os: linux
+ sidecar.istio.io/inject: "false"
+ creationTimestamp: null
+ labels:
+ name: bff-server-session-redis
+ spec:
+ containers:
+ - env:
+ - name: PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: bff-secret
+ key: redis_password
+ image: {{ .Values.registryServer }}/{{ .Values.bffServer.sessionImage }}
+ imagePullPolicy: Always
+ lifecycle:
+ postStart:
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ - redis-cli config set requirepass $PASSWORD
+ name: redis
+ ports:
+ - containerPort: 6379
+ protocol: TCP
+ resources:
+ limits:
+ cpu: "1"
+ memory: 512Mi
+ requests:
+ cpu: 100m
+ memory: 256Mi
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ name: bff-server-session-redis
+ name: bff-server-session-redis
+ namespace: {{ .Release.Namespace }}
+spec:
+ internalTrafficPolicy: Cluster
+ ports:
+ - name: tcp-redis-0
+ port: 6379
+ protocol: TCP
+ targetPort: 6379
+ selector:
+ name: bff-server-session-redis
+ sessionAffinity: None
+ type: ClusterIP
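Review bot: The password is applied by the `postStart` hook (`redis-cli config set requirepass $PASSWORD`), which runs asynchronously after the container process starts, so there is a window in which the server already answers on 6379 without any authentication while the ClusterIP Service exposes it to the whole cluster; if the hook fails the container is restarted and the window repeats. Apply the password at process start instead, e.g. `command: ["/bin/sh", "-c", "exec redis-server --requirepass \"$PASSWORD\""]` and drop the `lifecycle` block (this assumes the image's entrypoint is the stock `redis-server`; confirm for `bffServer.sessionImage`). Since this instance holds every user's session, it is also worth pairing it with a NetworkPolicy that limits ingress on 6379 to the `bff-server` pods, as the `sidecar.istio.io/inject: "false"` annotation means no mesh policy applies here.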
diff --git a/charts/u4a-component/templates/bff-server/secret.yaml b/charts/u4a-component/templates/bff-server/secret.yaml
new file mode 100644
index 0000000..6eb215f
--- /dev/null
+++ b/charts/u4a-component/templates/bff-server/secret.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+stringData:
+ redis_password: session-store-pwd
+ basic_password: FL_jq0qAlW_JkrEc4LskC
+kind: Secret
+metadata:
+ name: bff-secret
+ namespace: {{ .Release.Namespace }}
+type: Opaque
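Review bot: Both credentials are literal values committed in the chart (`redis_password: session-store-pwd`, `basic_password: FL_jq0qAlW_JkrEc4LskC`), so every release rendered from it shares the same Redis password and the same basic-auth password that `oidc-server` now uses against the BFF (see the `basic_password` env var added to its Deployment). Take them from values with a generated fallback, e.g. `redis_password: {{ .Values.bffServer.redisPassword | default (randAlphaNum 24) | quote }}` and likewise for `basic_password`. A `randAlphaNum` default is re-rolled on each upgrade, so either document that the values should be pinned or reuse the existing Secret's data via `lookup` before generating a new one.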
diff --git a/charts/u4a-component/templates/oidc-server/deploy.yaml b/charts/u4a-component/templates/oidc-server/deploy.yaml
index b946bb4..7cd8e5a 100644
--- a/charts/u4a-component/templates/oidc-server/deploy.yaml
+++ b/charts/u4a-component/templates/oidc-server/deploy.yaml
@@ -38,6 +38,15 @@ spec:
mountPath: /etc/oidc-server/cfg
- name: tls
mountPath: /etc/oidc-server/tls
+ readinessProbe:
+ httpGet:
+ {{- if .Values.oidcServer.debug }}
+ path: /healthz
+ {{- else }}
+ path: /oidc/healthz
+ {{- end }}
+ port: 5556
+ scheme: HTTPS
resources:
limits:
cpu: 1
@@ -57,6 +66,13 @@ spec:
value: {{ .Values.bffServer.connectorId }}
- name: DEX_CLIENT_ID
value: {{ .Values.bffServer.clientId }}
+ - name: basic_password
+ valueFrom:
+ secretKeyRef:
+ name: bff-secret
+ key: basic_password
+ - name: BFF_URL
+ value: {{ .Values.deploymentConfig.bffHost }}
resources:
limits:
cpu: 1
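Review bot: `BFF_URL` is set to `{{ .Values.deploymentConfig.bffHost }}` unquoted; elsewhere in values.yaml the same key is embedded as `https://{{ .Values.deploymentConfig.bffHost }}/`, so this is a bare host rather than a URL — confirm that is what the consumer expects, or the name is misleading. Quote the expansion, `value: {{ .Values.deploymentConfig.bffHost | quote }}`, so an empty or special-character value cannot change the YAML type of `value` the way an unquoted template scalar can.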
diff --git a/charts/u4a-component/templates/oidc-server/iam-provider-rbac.yaml b/charts/u4a-component/templates/oidc-server/iam-provider-rbac.yaml
index 9912250..8c9ed7d 100644
--- a/charts/u4a-component/templates/oidc-server/iam-provider-rbac.yaml
+++ b/charts/u4a-component/templates/oidc-server/iam-provider-rbac.yaml
@@ -2,7 +2,7 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
- name: t7d.io.iam-provider
+ name: kubebb.iam-provider
rules:
- apiGroups:
- iam.tenxcloud.com
@@ -58,12 +58,12 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
- name: t7d.io.iam-provider
+ name: kubebb.iam-provider
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
- name: t7d.io.iam-provider
+ name: kubebb.iam-provider
subjects:
- kind: ServiceAccount
name: oidc-server
diff --git a/charts/u4a-component/templates/oidc-server/iam_v1alpha1_connector3rd.yaml b/charts/u4a-component/templates/oidc-server/iam_v1alpha1_connector3rd.yaml
index 66636cc..246cdd7 100644
--- a/charts/u4a-component/templates/oidc-server/iam_v1alpha1_connector3rd.yaml
+++ b/charts/u4a-component/templates/oidc-server/iam_v1alpha1_connector3rd.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.iamProvider.enabled -}}
+{{- if .Values.oidcServer.enabled -}}
apiVersion: iam.tenxcloud.com/v1alpha1
kind: Connector3rd
metadata:
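Review bot: The render guard moves from `.Values.iamProvider.enabled` to `.Values.oidcServer.enabled`, but the resource is an `iam.tenxcloud.com/v1alpha1 Connector3rd`, whose CRD presumably ships with the iam-provider component rather than with oidc-server; with iam-provider disabled and oidc-server enabled the hook would now try to create a CR for a CRD that may not be installed and fail the release. If both components are required for this object, gate on both: `{{- if and .Values.iamProvider.enabled .Values.oidcServer.enabled -}}`.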
@@ -8,14 +8,46 @@ metadata:
"helm.sh/hook-weight": "-5"
spec:
connectors:
- - name: gitlab
+ - description: gitlab description
+ enabled: false
+ icon: '{"name":"gitlab","data":""}'
id: gitlab
+ name: gitlab
+ - description: github description
enabled: false
- icon: "{\"name\":\"gitlab\",\"data\":\"\"}"
- description: "gitlab description"
- - name: github
+ icon: '{"name":"github","data":""}'
id: github
+ name: github
+ - description: oauth description
+ enabled: false
+ icon: '{"name":"custom-menu-icon-by-upload-oauth2.0","data":""}'
+ id: oauth
+ name: oauth
+ - description: ldap description
enabled: false
- icon: "{\"name\":\"github\",\"data\":\"\"}"
- description: "github description"
-{{- end }}
\ No newline at end of file
+ icon: '{"name":"custom-menu-icon-by-upload-LDAP","data":""}'
+ id: ldap
+ name: ldap
+{{- end }}
diff --git a/charts/u4a-component/templates/oidc-server/rbac.yaml b/charts/u4a-component/templates/oidc-server/rbac.yaml
index b5eb0b9..481eebe 100644
--- a/charts/u4a-component/templates/oidc-server/rbac.yaml
+++ b/charts/u4a-component/templates/oidc-server/rbac.yaml
@@ -2,7 +2,7 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
- name: t7d.io.oidc-server
+ name: kubebb.oidc-server
labels:
system/component: u4a
system/u4a: oidc-server
@@ -66,16 +66,16 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
- name: t7d.io.oidc-server
+ name: kubebb.oidc-server
labels:
system/component: u4a
system/u4a: oidc-server
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
- name: t7d.io.oidc-server
+ name: kubebb.oidc-server
subjects:
- kind: ServiceAccount
name: oidc-server
namespace: {{ .Release.Namespace }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/u4a-component/templates/post-create-menu.yaml b/charts/u4a-component/templates/post-create-menu.yaml
index 64bd1e2..179c558 100644
--- a/charts/u4a-component/templates/post-create-menu.yaml
+++ b/charts/u4a-component/templates/post-create-menu.yaml
@@ -137,6 +137,37 @@ spec:
textEn: Cluster Resources
status: {}
+---
+apiVersion: core.kubebb.k8s.com.cn/v1alpha1
+kind: Menu
+metadata:
+ creationTimestamp: null
+ labels:
+ portal: oidc
+ name: platform-management-cluster-roles
+spec:
+ getTitleForReplaceSider: {}
+ icon: '{"name":"nav-user","data":""}'
+ parentOwnerReferences:
+ apiVersion: core.kubebb.k8s.com.cn/v1alpha1
+ blockOwnerDeletion: false
+ controller: false
+ kind: Menu
+ name: management-cluster
+ uid: ""
+ pathname: /oidc/management/clusters/:clusterID/roles
+ rankingInColumn: 500
+ tenant: true
+ text: 集群角色
+ textEn: Cluster Roles
+status: {}
+
---
apiVersion: core.kubebb.k8s.com.cn/v1alpha1
kind: Menu
diff --git a/charts/u4a-component/templates/post-create-portals.yaml b/charts/u4a-component/templates/post-create-portals.yaml
index e8df168..6142596 100644
--- a/charts/u4a-component/templates/post-create-portals.yaml
+++ b/charts/u4a-component/templates/post-create-portals.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.oidcServer.enabled -}}
apiVersion: core.kubebb.k8s.com.cn/v1alpha1
kind: Portal
metadata:
@@ -8,3 +9,4 @@ metadata:
spec:
entry: /oidc-public/index.html
path: /oidc
+{{- end }}
\ No newline at end of file
diff --git a/charts/u4a-component/values.yaml b/charts/u4a-component/values.yaml
index 5c53912..5e2f8c2 100644
--- a/charts/u4a-component/values.yaml
+++ b/charts/u4a-component/values.yaml
@@ -52,9 +52,9 @@ ingress:
# Optional but the default: Use Kubernetes CRD for user provider - iam provider
iamProvider:
enabled: true
- image: kubebb/iam-provider:v0.1.6-20231102
+ image: kubebb/iam-provider:v0.2.0-20240128
groupController:
- image: kubebb/iam-controller:v0.1.0-20231024
+ image: kubebb/iam-controller:v0.2.0-20240128
# Required: Use dex as the odic service
oidcServer:
@@ -63,7 +63,7 @@ oidcServer:
cert:
ipAddresses: *oidcIPs
dnsNames: *dnsNames
- image: kubebb/oidc-server-ce:v0.1.0
+ image: kubebb/oidc-server:v0.2.0
issuer: https://{{ .Values.deploymentConfig.bffHost }}/oidc
storageType: kubernetes
webHttps: 0.0.0.0:5556
@@ -79,6 +79,7 @@ oidcServer:
- id: *clientId
redirectURIs:
- https://{{ .Values.deploymentConfig.bffHost }}/
+ - https://{{ .Values.deploymentConfig.bffHost }}/dock-app
name: *clientName
secret: *clientSecret
# Enable and update the ip if nip.io is NOT accessible in deployed environment
@@ -94,7 +95,8 @@ oidcServer:
# Optional but the default: BFF server for all API endpoints
bffServer:
enabled: true
- image: kubebb/bff-server-ce:main
+ image: kubebb/bff-server:v0.2.0-20231204
+ sessionImage: kubebb/redis:5.0.1-alpine3.8
host: *bffHost
connectorId: k8scrd
clientId: *clientId
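Review bot: `sessionImage: kubebb/redis:5.0.1-alpine3.8` pins the session store to a 2018-era Redis build on an Alpine 3.8 base; both are well past their supported patch streams, and the 5.0 branch received security fixes in later 5.0.x releases that this tag predates. Move to a currently maintained Redis patch release on a current base image, and pin by digest if the registry supports it. This container holds every logged-in user's session, so it deserves the same update discipline as the other images bumped in this change.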
@@ -116,7 +118,7 @@ k8s:
# Install if it's host cluster
resourceView:
enabled: true
- image: kubebb/resource-viewer-ce:v0.1.0
+ image: kubebb/resource-viewer:v0.2.0-20221024
addon-component:
enabled: true