Merge pull request #144 from laihezhao/main

feat: add tdsf component

charts/tamp/Chart.yaml

@@ -0,0 +1,52 @@
+annotations:
+  core.kubebb.k8s.com.cn/classification: "API 网关"
+  core.kubebb.k8s.com.cn/displayname: API网关
+  core.kubebb.k8s.com.cn/restricted-namespaces: tamp-system
+  core.kubebb.k8s.com.cn/restricted-tenants: system-tenant
+apiVersion: v2
+name: tamp
+description: 提供 API 的完整生命周期管理，以及丰富的插件能力
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 5.6.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "v5.6.0"
+
+dependencies:
+  - name: gateway-management
+    condition: gateway-management.enabled
+    version: 5.6.0
+  - name: tamp-portal
+    condition: tamp-portal.enabled
+    version: 5.6.0
+  - name: minio
+    condition: minio.enabled
+    version: 5.6.0
+  - name: remote-role-component
+    condition: remote-role-component.enabled
+    version: 5.6.0
+icon: https://github.com/kubebb/website/blob/master/static/img/market/api.svg
+keywords:
+  - 安全认证
+  - 降本增效
+  - 高性能高可靠
+home: https://docs.tenxcloud.com/docs/TAMP/产品介绍
+sources:
+  - https://github.com/kubebb/components/charts/tamp
+

charts/tamp/README.md

@@ -0,0 +1,136 @@
+## 前提依赖
+
+以下组件已经在集群中部署：
+
+- u4a-component
+- logging-component
+- monitor-component
+
+## 使用 kubebb 部署 API 网关
+部署时，配置文件（value.yaml）相关参数按实际情况修改。
+- 替换其中minio的值，包括key,secret和endpoint
+-  global.minio.key
+-  global.minio.secret
+-  global.minio.endpoint
+- ingress相关配置，根据实际情况填写即可，替换其中hostName的值
+-  tamp-portal.ingress.hostName
+-  gateway-management.ingress.hostName
+
+
+## Helm方式部署 API 网关
+- 先部署minio，再部署gateway-management、tamp-portal
+
+### 管理集群安装
+- 先部署minio，再部署gateway-management、tamp-portal
+
+### 创建namespace
+```
+kubectl --as=admin --as-group=iam.tenxcloud.com create -f - <<EOF
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+     capsule.clastix.io/tenant: system-tenant
+  name: tamp-system
+EOF
+```
+### 安装minio(如果已有 minio 可跳过此步)
+
+- 根据实际情况修改 charts/minio/values.yaml中的值，如下所示：
+```
+image:
+  registry: xx # 仓库地址
+  repository: xx # 仓库名称
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: xxx # 镜像版本标识
+mountPath:
+  path: xxx  # 宿主机数据挂载路径
+nodeSelector:
+  # minio为有状态服务，需事先在指定节点上打上label
+  # 节点打标签操作： kubectl label nodes nodeName tamp-app=minio
+  tamp-app: minio 
+# 其他采用默认值即可
+```
+- 使用如下命令进行验证、安装
+```
+# 使用dry run 方式进行验证
+helm install tamp-minio . -n tamp-system -f values-minio.yaml --dry-run
+# 正式安装
+helm install tamp-minio . -n tamp-system -f values-minio.yaml
+```
+
+### 以上只是提供了minio的部署示例，后续可采用自行维护的minio实例
+
+- minio部署完之后，将minio的访问地址赋值到根目录下的values.yaml中global.minio.endpoint中(http://clusterIp:port(9000))
+改根路径下values.yaml文件中global.minio.key 和 secret值，进行自定义设置。
+
+
+
+### 安装gateway-management和tamp-portal
+- 根据实际情况修改 charts/gateway-management/values.yaml，具体如下：
+```
+image: # 镜像相关配置，按照实际情况填写即可
+  registry: xx
+  repository: xx
+  pullPolicy: Always
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: xxx
+
+serviceAccount:
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: "gateway-api" # pod所采用的的sa名称
+
+# 关于cluster的权限配置
+cluster:
+  namespace: "addon-system" # 使用默认值即可
+  serviceAccount: "host-cluster-reader" # 使用默认值即可
+
+clusterRole:
+  name: "gateway-api-host-cluster-reader"
+
+ingress: # ingress相关配置，根据实际情况填写即可
+  className: "portal-ingress" # 使用默认值即可
+  hostName: "portal.192.168.90.189.nip.io"
+  path: /tamp-api # 使用默认值即可
+  pathType: ImplementationSpecific # 使用默认值即可
+
+```
+- 根据实际情况修改 charts/tamp-portal/values.yaml，具体如下：
+```
+image: # 镜像相关配置
+  registry: xx
+  repository: xx
+  pullPolicy: Always
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: xx
+
+ingress: # ingress相关配置，根据实际情况填写即可
+  className: "portal-ingress" # 使用默认值即可
+  hostName: "portal.172.22.50.142.nip.io"
+  path: /tamp-public # 使用默认值即可
+  pathType: ImplementationSpecific # 使用默认值即可
+```
+
+### 使用dry run方式进行验证
+```
+helm install tamp . -n tamp-system -f values.yaml --dry-run
+# 正式部署
+helm install tamp . -n tamp-system -f values.yaml
+```
+## 卸载步骤
+```
+# 可在指定命名空间下查看安装的chart包名称
+helm list -n tamp-system
+# 选择指定的chart包进行卸载
+helm uninstall name -n tamp-system
+```
+
+## 纳管集群的权限配置
+- 使用如下命令进行验证、安装
+```
+# 使用dry run 方式进行验证
+helm install tamp-remote . -n tamp-system -f remote-values.yaml --dry-run
+# 正式安装
+helm install tamp-remote . -n tamp-system -f remote-values.yaml
+```

charts/tamp/charts/gateway-management/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/tamp/charts/gateway-management/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: gateway-management
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 5.6.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "v5.6.0"

charts/tamp/charts/gateway-management/templates/clusterrole-clusterreader.yaml

@@ -0,0 +1,134 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: Helm
+  name: {{ .Values.clusterRole.name }}
+rules:
+  - apiGroups:
+      - t7d.io
+    resources:
+      - tenantviews
+      - namespaceviews
+    verbs:
+      - get
+      - list
+  - nonResourceURLs:
+      - /select/0/prometheus/api/v1/query
+      - /select/0/prometheus/api/v1/series
+      - /select/0/prometheus/api/v1/query_range
+    verbs:
+      - get
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses
+    verbs:
+      - '*'
+  - apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - clusterroles
+      - roles
+      - clusterrolebindings
+      - rolebindings
+    verbs:
+      - '*'
+  - apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions
+    verbs:
+      - '*'
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - services
+      - endpoints
+      - persistentvolumeclaims
+      - events
+      - configmaps
+      - secrets
+      - serviceaccounts
+    verbs:
+      - '*'
+  - apiGroups:
+      - apps
+    resources:
+      - deployments
+      - daemonsets
+      - replicasets
+      - statefulsets
+    verbs:
+      - '*'
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+    verbs:
+      - get
+  - apiGroups:
+      - charts.helm.k8s.io
+    resources:
+      - '*'
+    verbs:
+      - '*'
+  - apiGroups:
+      - charts.konghq.com
+    resources:
+      - '*'
+    verbs:
+      - '*'
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingresses
+      - ingressclasses
+    verbs:
+      - '*'
+  - apiGroups:
+      - extensions
+      - networking.k8s.io
+      - networking.internal.knative.dev
+    resources:
+      - ingresses
+      - ingresses/status
+    verbs:
+      - get
+      - list
+      - watch
+      - update
+  - apiGroups:
+      - configuration.konghq.com
+    resources:
+      - tcpingresses/status
+    verbs:
+      - update
+  - apiGroups:
+      - configuration.konghq.com
+    resources:
+      - kongplugins
+      - kongclusterplugins
+      - kongcredentials
+      - kongconsumers
+      - kongingresses
+      - tcpingresses
+    verbs:
+      - '*'
+  - apiGroups:
+      - gw.t7d.io
+    resources:
+      - '*'
+    verbs:
+      - '*'
+{{- if .Values.psp.create }}
+  - apiGroups:
+      - policy
+    resources:
+      - podsecuritypolicies
+    resourceNames:
+      - {{ .Values.gateway.name }}
+    verbs:
+      - '*'
+{{- end }}