From 41dcfbd0916ab8114535de45793fd8d7944e51b3 Mon Sep 17 00:00:00 2001 
From: jiahui Date: Thu, 2 Apr 2026 11:15:07 +0800 Subject: [PATCH 1/2] =?UTF-8?q?support=20core=20helm=20refactor:=20core/?= =?UTF-8?q?=20=E2=94=9C=E2=94=80=E2=94=80=20frontend/=20=E2=94=82=C2=A0?= =?UTF-8?q?=C2=A0=20=E2=94=9C=E2=94=80=E2=94=80=20desktop-frontend=20?= =?UTF-8?q?=E2=94=82=C2=A0=C2=A0=20=E2=94=9C=E2=94=80=E2=94=80=20costcente?= =?UTF-8?q?r-frontend=20=E2=94=82=C2=A0=C2=A0=20=E2=94=94=E2=94=80?= =?UTF-8?q?=E2=94=80=20license-frontend=20=E2=94=9C=E2=94=80=E2=94=80=20co?= =?UTF-8?q?ntroller/=20=E2=94=82=C2=A0=C2=A0=20=E2=94=9C=E2=94=80=E2=94=80?= =?UTF-8?q?=20user-controller=20=E2=94=82=C2=A0=C2=A0=20=E2=94=9C=E2=94=80?= =?UTF-8?q?=E2=94=80=20account-controller=20=E2=94=82=C2=A0=C2=A0=20?= =?UTF-8?q?=E2=94=9C=E2=94=80=E2=94=80=20license-controller=20=E2=94=82?= =?UTF-8?q?=C2=A0=C2=A0=20=E2=94=94=E2=94=80=E2=94=80=20resources-controll?= =?UTF-8?q?er=20=E2=94=9C=E2=94=80=E2=94=80=20service/=20=E2=94=82=C2=A0?= =?UTF-8?q?=C2=A0=20=E2=94=94=E2=94=80=E2=94=80=20account-service=20?= =?UTF-8?q?=E2=94=94=E2=94=80=E2=94=80=20job=20/=20misc=20=C2=A0=C2=A0?= =?UTF-8?q?=C2=A0=20=E2=94=9C=E2=94=80=E2=94=80=20init-job=20=C2=A0=C2=A0?= =?UTF-8?q?=C2=A0=20=E2=94=94=E2=94=80=E2=94=80=20init-heartbeat?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../account-controller-values.yaml | 32 +++ .../charts/account-controller/values.yaml | 67 +++--- .../charts/heartbeat/heartbeat-values.yaml | 10 + .../deploy/charts/heartbeat/values.yaml | 8 - .../deploy/heartbeat-cronjob-entrypoint.sh | 17 +- .../charts/job-init/job-init-values.yaml | 10 + .../init/deploy/charts/job-init/values.yaml | 21 +- .../job/init/deploy/job-init-entrypoint.sh | 18 +- .../license-controller-values.yaml | 23 ++ .../charts/license-controller/values.yaml | 33 +-- .../deploy/license-controller-entrypoint.sh | 30 ++- .../resources-controller-values.yaml | 20 ++ .../templates/configmap.yaml | 41 ++-- .../charts/resources-controller/values.yaml | 34 ++- 
.../deploy/resources-controller-entrypoint.sh | 160 ++++---------- controllers/user/deploy/Kubefile | 4 +- controllers/user/deploy/README.md | 2 +- .../{user => user-controller}/.helmignore | 0 .../{user => user-controller}/Chart.yaml | 0 .../crds/user.sealos.io_deleterequests.yaml | 0 .../user.sealos.io_operationrequests.yaml | 0 .../crds/user.sealos.io_users.yaml | 0 .../templates/_helpers.tpl | 0 .../templates/cert.yaml | 0 .../templates/deployment.yaml | 0 .../templates/rbac.yaml | 0 .../templates/service.yaml | 0 .../templates/serviceaccount.yaml | 0 .../templates/webhook.yaml | 0 .../user-controller-values.yaml | 12 ++ .../{user => user-controller}/values.yaml | 19 +- controllers/user/deploy/entrypoint.sh | 10 - .../user/deploy/user-controller-entrypoint.sh | 33 +++ frontend/providers/costcenter/deploy/Kubefile | 11 +- .../charts/costcenter-frontend/Chart.yaml | 6 + .../costcenter-frontend-values.yaml | 49 +++++ .../templates/_helpers.tpl | 49 +++++ .../templates/configmap.yaml | 39 ++++ .../templates/deployment.yaml | 56 +++++ .../templates/service.yaml | 15 ++ .../charts/costcenter-frontend/values.yaml | 44 ++++ .../deploy/costcenter-frontend-entrypoint.sh | 119 +++++++++++ .../deploy/manifests/appcr.yaml.tmpl | 19 -- .../deploy/manifests/configmap.yaml.tmpl | 46 ---- .../deploy/manifests/deploy.yaml.tmpl | 83 -------- .../deploy/manifests/ingress.yaml.tmpl | 51 ----- .../deploy/charts/license-frontend/Chart.yaml | 6 + .../license-frontend-values.yaml | 17 ++ .../license-frontend/templates/_helpers.tpl | 68 ++++++ .../license-frontend/templates/configmap.yaml | 8 + .../templates/deployment.yaml | 67 ++++++ .../license-frontend/templates/ingress.yaml | 41 ++++ .../license-frontend/templates/rbac.yaml | 83 ++++++++ .../license-frontend/templates/secret.yaml | 7 + .../license-frontend/templates/service.yaml | 15 ++ .../templates/serviceaccount.yaml | 11 + .../charts/license-frontend/values.yaml | 61 ++++++ frontend/providers/license/deploy/install.sh | 4 - 
.../deploy/license-frontend-entrypoint.sh | 91 ++++++++ .../license/deploy/manifests/appcr.yaml.tmpl | 17 -- .../license/deploy/manifests/deploy.yaml.tmpl | 201 ------------------ .../license/deploy/manifests/env.yaml.tmpl | 7 - .../deploy/manifests/ingress.yaml.tmpl | 51 ----- .../account-service-values.yaml | 33 +++ .../account-service/templates/rbac.yaml | 25 +++ service/account/deploy/manifests/config.json | 1 - .../account/deploy/manifests/deploy.yaml.tmpl | 114 ---------- .../deploy/manifests/ingress.yaml.tmpl | 37 ---- 68 files changed, 1259 insertions(+), 897 deletions(-) create mode 100644 controllers/account/deploy/charts/account-controller/account-controller-values.yaml create mode 100644 controllers/job/heartbeat/deploy/charts/heartbeat/heartbeat-values.yaml create mode 100644 controllers/job/init/deploy/charts/job-init/job-init-values.yaml create mode 100644 controllers/license/deploy/charts/license-controller/license-controller-values.yaml create mode 100644 controllers/resources/deploy/charts/resources-controller/resources-controller-values.yaml rename controllers/user/deploy/charts/{user => user-controller}/.helmignore (100%) rename controllers/user/deploy/charts/{user => user-controller}/Chart.yaml (100%) rename controllers/user/deploy/charts/{user => user-controller}/crds/user.sealos.io_deleterequests.yaml (100%) rename controllers/user/deploy/charts/{user => user-controller}/crds/user.sealos.io_operationrequests.yaml (100%) rename controllers/user/deploy/charts/{user => user-controller}/crds/user.sealos.io_users.yaml (100%) rename controllers/user/deploy/charts/{user => user-controller}/templates/_helpers.tpl (100%) rename controllers/user/deploy/charts/{user => user-controller}/templates/cert.yaml (100%) rename controllers/user/deploy/charts/{user => user-controller}/templates/deployment.yaml (100%) rename controllers/user/deploy/charts/{user => user-controller}/templates/rbac.yaml (100%) rename controllers/user/deploy/charts/{user => 
user-controller}/templates/service.yaml (100%) rename controllers/user/deploy/charts/{user => user-controller}/templates/serviceaccount.yaml (100%) rename controllers/user/deploy/charts/{user => user-controller}/templates/webhook.yaml (100%) create mode 100644 controllers/user/deploy/charts/user-controller/user-controller-values.yaml rename controllers/user/deploy/charts/{user => user-controller}/values.yaml (89%) delete mode 100644 controllers/user/deploy/entrypoint.sh create mode 100644 controllers/user/deploy/user-controller-entrypoint.sh create mode 100644 frontend/providers/costcenter/deploy/charts/costcenter-frontend/Chart.yaml create mode 100644 frontend/providers/costcenter/deploy/charts/costcenter-frontend/costcenter-frontend-values.yaml create mode 100644 frontend/providers/costcenter/deploy/charts/costcenter-frontend/templates/_helpers.tpl create mode 100644 frontend/providers/costcenter/deploy/charts/costcenter-frontend/templates/configmap.yaml create mode 100644 frontend/providers/costcenter/deploy/charts/costcenter-frontend/templates/deployment.yaml create mode 100644 frontend/providers/costcenter/deploy/charts/costcenter-frontend/templates/service.yaml create mode 100644 frontend/providers/costcenter/deploy/charts/costcenter-frontend/values.yaml create mode 100755 frontend/providers/costcenter/deploy/costcenter-frontend-entrypoint.sh delete mode 100644 frontend/providers/costcenter/deploy/manifests/appcr.yaml.tmpl delete mode 100644 frontend/providers/costcenter/deploy/manifests/configmap.yaml.tmpl delete mode 100644 frontend/providers/costcenter/deploy/manifests/deploy.yaml.tmpl delete mode 100644 frontend/providers/costcenter/deploy/manifests/ingress.yaml.tmpl create mode 100644 frontend/providers/license/deploy/charts/license-frontend/Chart.yaml create mode 100644 frontend/providers/license/deploy/charts/license-frontend/license-frontend-values.yaml create mode 100644 frontend/providers/license/deploy/charts/license-frontend/templates/_helpers.tpl 
create mode 100644 frontend/providers/license/deploy/charts/license-frontend/templates/configmap.yaml create mode 100644 frontend/providers/license/deploy/charts/license-frontend/templates/deployment.yaml create mode 100644 frontend/providers/license/deploy/charts/license-frontend/templates/ingress.yaml create mode 100644 frontend/providers/license/deploy/charts/license-frontend/templates/rbac.yaml create mode 100644 frontend/providers/license/deploy/charts/license-frontend/templates/secret.yaml create mode 100644 frontend/providers/license/deploy/charts/license-frontend/templates/service.yaml create mode 100644 frontend/providers/license/deploy/charts/license-frontend/templates/serviceaccount.yaml create mode 100644 frontend/providers/license/deploy/charts/license-frontend/values.yaml delete mode 100644 frontend/providers/license/deploy/install.sh create mode 100755 frontend/providers/license/deploy/license-frontend-entrypoint.sh delete mode 100644 frontend/providers/license/deploy/manifests/appcr.yaml.tmpl delete mode 100644 frontend/providers/license/deploy/manifests/deploy.yaml.tmpl delete mode 100644 frontend/providers/license/deploy/manifests/env.yaml.tmpl delete mode 100644 frontend/providers/license/deploy/manifests/ingress.yaml.tmpl create mode 100644 service/account/deploy/charts/account-service/account-service-values.yaml create mode 100644 service/account/deploy/charts/account-service/templates/rbac.yaml delete mode 100644 service/account/deploy/manifests/config.json delete mode 100644 service/account/deploy/manifests/deploy.yaml.tmpl delete mode 100644 service/account/deploy/manifests/ingress.yaml.tmpl diff --git a/controllers/account/deploy/charts/account-controller/account-controller-values.yaml b/controllers/account/deploy/charts/account-controller/account-controller-values.yaml new file mode 100644 index 000000000000..925af292e069 --- /dev/null +++ b/controllers/account/deploy/charts/account-controller/account-controller-values.yaml 
@@ -0,0 +1,32 @@ +# Custom values for account controller helm chart. +# This file contains user-customizable configurations. + +replicaCount: 1 + +resources: + limits: + cpu: 1000m + memory: 1024Mi + requests: + cpu: 100m + memory: 64Mi + +accountEnv: + approachingDeletionPeriod: "345600" + imminentDeletionPeriod: "259200" + finalDeletionPeriod: "604800" + debtDetectionCycleSeconds: "1800" + osAdminSecret: "object-storage-user-0" + osInternalEndpoint: "object-storage.objectstorage-system.svc.cluster.local" + osNamespace: "objectstorage-system" + baseBalance: "5000000" + quotaLimitsCpu: "16" + quotaLimitsMemory: "64Gi" + quotaLimitsStorage: "200Gi" + quotaLimitsGpu: "8" + quotaLimitsPods: "20" + quotaLimitsNodePorts: "10" + quotaObjectStorageSize: "20Gi" + quotaObjectStorageBucket: "20" + limitRangeEphemeralStorage: "0" + rewardProcessing: "false" diff --git a/controllers/account/deploy/charts/account-controller/values.yaml b/controllers/account/deploy/charts/account-controller/values.yaml index f48b2b178e20..216b3478b7cc 100644 --- a/controllers/account/deploy/charts/account-controller/values.yaml +++ b/controllers/account/deploy/charts/account-controller/values.yaml @@ -1,7 +1,5 @@ # Default values for account controller helm chart. -replicaCount: 1 - image: ghcr.io/labring/sealos-account-controller:latest imagePullPolicy: Always 
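Review bot: The keys moved into this new account-controller-values.yaml (replicaCount, resources and the accountEnv periods/quotas) no longer have a default in the chart's values.yaml, yet the user file is, judging by the copy-if-absent logic the other entrypoints in this patch use, written only once per install, so a key added to this template in a later release never reaches an existing install and the chart renders it empty or nil. Keeping the complete defaults in values.yaml and treating this file purely as an override layer avoids that, and the same applies to heartbeat-values.yaml, job-init-values.yaml, license-controller-values.yaml and resources-controller-values.yaml in this patch. Separately, `osAdminSecret: "object-storage-user-0"` and `osInternalEndpoint: "object-storage.objectstorage-system.svc.cluster.local"` were `""` in the old values.yaml and look like cluster wiring rather than user tunables; if the entrypoint derives them, mark them so, e.g. `# auto-configured by the entrypoint; edit only if the object-storage release differs`.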
@@ -31,47 +29,42 @@ service: webhook: port: 443 -resources: - limits: - cpu: 1000m - memory: 1024Mi - requests: - cpu: 100m - memory: 64Mi - env: accountNamespace: sealos-system userNamespace: user-system whitelist: "licenses.License.license.sealos.io/v1,notifications.Notification.notification.sealos.io/v1,payments.Payment.account.sealos.io/v1,billingrecordqueries.BillingRecordQuery.account.sealos.io/v1,billinginfoqueries.BillingInfoQuery.account.sealos.io/v1,pricequeries.PriceQuery.account.sealos.io/v1" +# ============================================================================ +# Auto-configured values (from sealos-system/sealos-config ConfigMap) +# ============================================================================ +# The following accountEnv values are automatically fetched from the +# sealos-system/sealos-config ConfigMap by the entrypoint script and will +# override any values set here. These are provided as reference defaults. +# +# To override these auto-configured values, use HELM_OPTIONS or modify the +# sealos-config ConfigMap directly. 
+# ============================================================================ + accountEnv: - approachingDeletionPeriod: "345600" - imminentDeletionPeriod: "259200" - finalDeletionPeriod: "604800" - debtDetectionCycleSeconds: "1800" - osAdminSecret: "" - osInternalEndpoint: "" - osNamespace: "objectstorage-system" - mongoURI: "mongodb://mongo:27017/resources" - localCockroachURI: "" - globalCockroachURI: "" - trafficMongoURI: "" - localRegion: "" - cloudDomain: "cloud.sealos.io" - cloudPort: "" - accountApiJwtSecret: "secret" - baseBalance: "5000000" - quotaLimitsCpu: "16" - quotaLimitsMemory: "64Gi" - quotaLimitsStorage: "200Gi" - quotaLimitsGpu: "8" - quotaLimitsPods: "20" - quotaLimitsNodePorts: "10" - quotaObjectStorageSize: "20Gi" - quotaObjectStorageBucket: "20" - limitRangeEphemeralStorage: "0" - rewardProcessing: "false" - whitelistKubernetesHosts: "" + # Basic cloud configuration (auto-configured from sealos-config) + cloudDomain: "cloud.sealos.io" # Auto-fetched from sealos-config.cloudDomain + cloudPort: "" # Auto-fetched from sealos-config.cloudPort + localRegion: "" # Auto-fetched from sealos-config.regionUID + + # Database connections (auto-configured from sealos-config) + mongoURI: "mongodb://mongo:27017/resources" # Auto-fetched from sealos-config.databaseMongodbURI + globalCockroachURI: "" # Auto-fetched from sealos-config.databaseGlobalCockroachdbURI + localCockroachURI: "" # Auto-fetched from sealos-config.databaseLocalCockroachdbURI + trafficMongoURI: "" # Auto-fetched from sealos-config.databaseMongodbURI + + # Authentication secrets (auto-configured from sealos-config) + accountApiJwtSecret: "secret" # Auto-fetched from sealos-config.jwtInternal + + # Kubernetes API whitelist (auto-generated from cloudDomain) + whitelistKubernetesHosts: "" # Auto-generated: https://${cloudDomain}:6443 + +# End of auto-configured values +# ============================================================================ # ConfigMap 合并策略: preserve 保留旧值, overwrite 
覆盖旧值 accountEnvMergeStrategy: "overwrite" diff --git a/controllers/job/heartbeat/deploy/charts/heartbeat/heartbeat-values.yaml b/controllers/job/heartbeat/deploy/charts/heartbeat/heartbeat-values.yaml new file mode 100644 index 000000000000..e87c1bb43809 --- /dev/null +++ b/controllers/job/heartbeat/deploy/charts/heartbeat/heartbeat-values.yaml @@ -0,0 +1,10 @@ +# Custom values for heartbeat cronjob helm chart. +# This file contains user-customizable configurations. + +resources: + limits: + cpu: 200m + memory: 128Mi + requests: + cpu: 100m + memory: 64Mi diff --git a/controllers/job/heartbeat/deploy/charts/heartbeat/values.yaml b/controllers/job/heartbeat/deploy/charts/heartbeat/values.yaml index 2cded4fe8c4d..b91471304855 100644 --- a/controllers/job/heartbeat/deploy/charts/heartbeat/values.yaml +++ b/controllers/job/heartbeat/deploy/charts/heartbeat/values.yaml @@ -26,14 +26,6 @@ podSecurityContext: securityContext: allowPrivilegeEscalation: false -resources: - limits: - cpu: 200m - memory: 128Mi - requests: - cpu: 100m - memory: 64Mi - nodeSelector: {} tolerations: [] diff --git a/controllers/job/heartbeat/deploy/heartbeat-cronjob-entrypoint.sh b/controllers/job/heartbeat/deploy/heartbeat-cronjob-entrypoint.sh index 01f3f4338637..3a7823e17d0e 100644 --- a/controllers/job/heartbeat/deploy/heartbeat-cronjob-entrypoint.sh +++ b/controllers/job/heartbeat/deploy/heartbeat-cronjob-entrypoint.sh @@ -1,5 +1,5 @@ #!/bin/bash -set -ex +set -e HELM_OPTS=${HELM_OPTS:-""} RELEASE_NAME=${RELEASE_NAME:-"heartbeat"} 
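Review bot: The header comment added to account-controller values.yaml tells operators to override auto-configured values with `HELM_OPTIONS`, but every entrypoint in this patch reads `HELM_OPTS=${HELM_OPTS:-""}`, so an operator following the comment sets a variable nothing consumes. Change the line to `# To override these auto-configured values, pass them via HELM_OPTS (e.g. --set accountEnv.cloudDomain=...) or modify the sealos-config ConfigMap directly.`, and apply the same fix to the identical comment added to resources-controller values.yaml later in this patch. `accountApiJwtSecret: "secret"` is kept as a reference default with a note that it is auto-fetched from sealos-config.jwtInternal; it is worth stating in that comment what happens when the ConfigMap lacks the key, because a silent fallback to the literal `secret` would ship a guessable signing key.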
@@ -35,4 +35,17 @@ if ! helm status "${RELEASE_NAME}" -n "${RELEASE_NAMESPACE}" >/dev/null 2>&1; th adopt_cluster_resource clusterrolebinding heartbeat-cluster-role-binding fi -helm upgrade -i "${RELEASE_NAME}" -n "${RELEASE_NAMESPACE}" --create-namespace "${CHART_PATH}" ${HELM_OPTS} +# Prepare values files +SERVICE_NAME="heartbeat" +USER_VALUES_PATH="/root/.sealos/cloud/values/core/${SERVICE_NAME}-values.yaml" + +# Copy user values template if not exists +if [ ! -f "${USER_VALUES_PATH}" ]; then + mkdir -p "$(dirname "${USER_VALUES_PATH}")" + cp "./charts/${SERVICE_NAME}/${SERVICE_NAME}-values.yaml" "${USER_VALUES_PATH}" +fi + +helm upgrade -i "${RELEASE_NAME}" -n "${RELEASE_NAMESPACE}" --create-namespace "${CHART_PATH}" \ + -f "./charts/${SERVICE_NAME}/values.yaml" \ + -f "${USER_VALUES_PATH}" \ + ${HELM_OPTS} diff --git a/controllers/job/init/deploy/charts/job-init/job-init-values.yaml b/controllers/job/init/deploy/charts/job-init/job-init-values.yaml new file mode 100644 index 000000000000..e7132ee8b76c --- /dev/null +++ b/controllers/job/init/deploy/charts/job-init/job-init-values.yaml @@ -0,0 +1,10 @@ +# Custom values for job init helm chart. +# This file contains user-customizable configurations. + +resources: + limits: + cpu: 200m + memory: 256Mi + requests: + cpu: 50m + memory: 64Mi diff --git a/controllers/job/init/deploy/charts/job-init/values.yaml b/controllers/job/init/deploy/charts/job-init/values.yaml index 43e215bbde33..78e0484bfdc1 100644 --- a/controllers/job/init/deploy/charts/job-init/values.yaml +++ b/controllers/job/init/deploy/charts/job-init/values.yaml @@ -2,7 +2,6 @@ image: ghcr.io/labring/sealos-job-init-controller:latest imagePullPolicy: Always imagePullSecrets: [] -nameOverride: "" fullnameOverride: "init-job" serviceAccount: 
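Review bot: The new helm invocation passes `-f "./charts/${SERVICE_NAME}/values.yaml"` while the chart itself comes from `${CHART_PATH}`, which is overridable (defined above this hunk); when CHART_PATH points elsewhere the defaults of a different chart copy are layered on top, and when it does not the flag is redundant because Helm already loads the chart's own values.yaml. Use `-f "${CHART_PATH}/values.yaml"` or drop the flag, and source the template copy the same way: `cp "${CHART_PATH}/${SERVICE_NAME}-values.yaml" "${USER_VALUES_PATH}"`. The same pattern appears in job-init-entrypoint.sh and license-controller-entrypoint.sh in this patch. The hard-coded `/root/.sealos/cloud/values/core` could also honour an override, e.g. `USER_VALUES_DIR=${USER_VALUES_DIR:-/root/.sealos/cloud/values/core}` (constructed name).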
@@ -27,6 +26,13 @@ ttlSecondsAfterFinished: 86400 backoffLimit: 10 restartPolicy: OnFailure +# Environment variables (auto-configured by entrypoint.sh) +# These values are set dynamically via --set-string flags: +# - PASSWORD_SALT: from env.passwordSalt (or env var PASSWORD_SALT) +# - ADMIN_PASSWORD: from env.adminPassword (from ConfigMap or generated) +# - ADMIN_USER_NAME: from env.adminUserName (or env var ADMIN_USER_NAME) +# - WORKSPACE_PREFIX: from env.workspacePrefix (or env var WORKSPACE_PREFIX) +# - envFromConfigMap: from env.envFromConfigMap (or env var ENV_FROM_CONFIGMAP) env: passwordSalt: "" adminPassword: "sealos2023" @@ -37,19 +43,6 @@ env: localCockroachUri: "" localRegion: "" -resources: - limits: - cpu: 200m - memory: 256Mi - requests: - cpu: 50m - memory: 64Mi - -metrics: - enabled: false - certPath: /tmp/k8s-metrics-server/metrics-certs - secretName: metrics-server-cert - nodeSelector: {} tolerations: [] diff --git a/controllers/job/init/deploy/job-init-entrypoint.sh b/controllers/job/init/deploy/job-init-entrypoint.sh index e5777abe2b85..b4689766840e 100755 --- a/controllers/job/init/deploy/job-init-entrypoint.sh +++ b/controllers/job/init/deploy/job-init-entrypoint.sh @@ -1,6 +1,6 @@ #!/bin/bash # job-init Helm 部署入口,负责安装/升级初始化 Job 资源。 -set -ex +set -e HELM_OPTS=${HELM_OPTS:-""} RELEASE_NAME=${RELEASE_NAME:-"job-init"} 
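Review bot: The comment block added above `env:` in job-init values.yaml refers to `entrypoint.sh`, but the script in this directory is `job-init-entrypoint.sh`, so a reader checking the claim opens the wrong file. Suggest `# Environment variables (auto-configured by job-init-entrypoint.sh via --set-string)` and keep the per-key list only if each mapping is verified against that script, which is outside this hunk. The `adminPassword: "sealos2023"` default directly below is still shipped in the chart; since the comment says the value comes from a ConfigMap or is generated, the comment should state whether this literal can ever reach the Job unchanged.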
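Review bot: The `@@ -37,19 +43,6 @@` hunk deletes the whole `metrics:` mapping from job-init values.yaml without adding it to the new job-init-values.yaml, so `.Values.metrics` becomes nil; if any template under charts/job-init/templates still dereferences `.Values.metrics.enabled` or `.Values.metrics.secretName`, rendering fails with a nil-pointer error (the templates are not in this patch, so this needs confirming). The license-controller chart in the same patch keeps its `metrics:` block, which suggests the two charts are meant to differ; either remove the template references in the same commit or keep `metrics:` / `  enabled: false` here.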
@@ -103,4 +103,18 @@ if kubectl -n "${RELEASE_NAMESPACE}" get job "${JOB_NAME}" >/dev/null 2>&1; then kubectl -n "${RELEASE_NAMESPACE}" delete job "${JOB_NAME}" --ignore-not-found --wait=true fi -helm upgrade -i "${RELEASE_NAME}" -n "${RELEASE_NAMESPACE}" --create-namespace "${CHART_PATH}" "${HELM_SET_ARGS[@]}" ${HELM_OPTS} +# Prepare values files +SERVICE_NAME="job-init" +USER_VALUES_PATH="/root/.sealos/cloud/values/core/${SERVICE_NAME}-values.yaml" + +# Copy user values template if not exists +if [ ! -f "${USER_VALUES_PATH}" ]; then + mkdir -p "$(dirname "${USER_VALUES_PATH}")" + cp "./charts/${SERVICE_NAME}/${SERVICE_NAME}-values.yaml" "${USER_VALUES_PATH}" +fi + +helm upgrade -i "${RELEASE_NAME}" -n "${RELEASE_NAMESPACE}" --create-namespace "${CHART_PATH}" \ + -f "./charts/${SERVICE_NAME}/values.yaml" \ + -f "${USER_VALUES_PATH}" \ + "${HELM_SET_ARGS[@]}" \ + ${HELM_OPTS} diff --git a/controllers/license/deploy/charts/license-controller/license-controller-values.yaml b/controllers/license/deploy/charts/license-controller/license-controller-values.yaml new file mode 100644 index 000000000000..79a38a70bf49 --- /dev/null +++ b/controllers/license/deploy/charts/license-controller/license-controller-values.yaml 
@@ -0,0 +1,23 @@ +# Custom values for license controller helm chart. +# This file contains user-customizable configurations. + +# This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/ +replicaCount: 1 + +resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 10m + memory: 64Mi + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi diff --git a/controllers/license/deploy/charts/license-controller/values.yaml b/controllers/license/deploy/charts/license-controller/values.yaml index 1b46fd76343b..1c6a651cb830 100644 --- a/controllers/license/deploy/charts/license-controller/values.yaml +++ b/controllers/license/deploy/charts/license-controller/values.yaml 
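Review bot: The comment block under `resources:` in the new license-controller-values.yaml is the stock `helm create` boilerplate ("remove the curly braces after 'resources:'") carried over from the old values.yaml, but the file already sets concrete limits and requests and contains no curly braces, so the instruction contradicts the file in front of the reader. Drop the commented-out `# limits:`/`# requests:` block and the four explanatory lines, leaving a one-line hint such as `# Adjust to your cluster's node capacity; requests are what the scheduler reserves.`.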
@@ -1,18 +1,10 @@ -# Default values for license. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -# This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/ -replicaCount: 1 +# Default values for license controller helm chart. # This sets the container image more information can be found here: https://kubernetes.io/docs/concepts/containers/images/ image: ghcr.io/labring/sealos-license-controller:latest # This is for the secretes for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ imagePullSecrets: [] -# This is to override the chart name. -nameOverride: "" -fullnameOverride: "" #This section builds out the service account more information can be found here: https://kubernetes.io/docs/concepts/security/service-accounts/ serviceAccount: @@ -27,7 +19,7 @@ serviceAccount: name: "" # This is for setting Kubernetes Annotations to a Pod. -# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ podAnnotations: {} # This is for setting Kubernetes Labels to a Pod. # For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ 
@@ -51,24 +43,6 @@ service: # This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports port: 80 -resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 10m - memory: 64Mi - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - # This is to setup the liveness and readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ livenessProbe: httpGet: @@ -82,6 +56,7 @@ readinessProbe: port: 8081 initialDelaySeconds: 5 periodSeconds: 10 + # Additional volumes on the output Deployment definition. volumes: [] # - name: foo @@ -106,4 +81,4 @@ metrics: enabled: false # Path to the metrics certificate certPath: /tmp/k8s-metrics-server/metrics-certs - secretName: metrics-server-cert \ No newline at end of file + secretName: metrics-server-cert diff --git a/controllers/license/deploy/license-controller-entrypoint.sh b/controllers/license/deploy/license-controller-entrypoint.sh index 221557becd6a..8b8a7023214c 100644 --- a/controllers/license/deploy/license-controller-entrypoint.sh +++ b/controllers/license/deploy/license-controller-entrypoint.sh 
@@ -1,6 +1,13 @@ #!/bin/bash +set -e + HELM_OPTS=${HELM_OPTS:-""} -kubectl delete clusterrole kube-system-namespace-read-cluster-role --ignore-not-found +RELEASE_NAME=${RELEASE_NAME:-"license"} +RELEASE_NAMESPACE=${RELEASE_NAMESPACE:-"license-system"} +CHART_PATH=${CHART_PATH:-"./charts/license-controller"} + +# Clean up old resources (for backward compatibility) +kubectl delete clusterrole kube-system-namespace-read-cluster-role --ignore-not-found kubectl delete clusterrolebinding license-controller-role-binding --ignore-not-found kubectl delete deployment license-controller-manager -n account-system --ignore-not-found kubectl delete service license-controller-manager-metrics-service -n account-system --ignore-not-found @@ -13,5 +20,22 @@ kubectl delete clusterrole license-proxy-role --ignore-not-found kubectl delete clusterrole license-controller-clusterrole --ignore-not-found kubectl delete role license-leader-election-role -n account-system --ignore-not-found kubectl delete serviceaccount license-controller-manager -n account-system --ignore-not-found -helm upgrade -i license -n license-system --create-namespace ./charts/license-controller ${HELM_OPTS} -helm show crds ./charts/license-controller | kubectl apply -f - --server-side --force-conflicts + +# Prepare values files +SERVICE_NAME="license-controller" +USER_VALUES_PATH="/root/.sealos/cloud/values/core/${SERVICE_NAME}-values.yaml" + +# Copy user values template if not exists +if [ ! -f "${USER_VALUES_PATH}" ]; then + mkdir -p "$(dirname "${USER_VALUES_PATH}")" + cp "./charts/${SERVICE_NAME}/${SERVICE_NAME}-values.yaml" "${USER_VALUES_PATH}" +fi + +# Deploy Helm chart +helm upgrade -i "${RELEASE_NAME}" -n "${RELEASE_NAMESPACE}" --create-namespace "${CHART_PATH}" \ + -f "./charts/${SERVICE_NAME}/values.yaml" \ + -f "${USER_VALUES_PATH}" \ + ${HELM_OPTS} + +# Apply CRDs +helm show crds ./charts/license-controller | kubectl apply -f - --server-side --force-conflicts 
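Review bot: `set -e` is now enabled at the top of license-controller-entrypoint.sh, but the final line pipes `helm show crds ./charts/license-controller | kubectl apply -f - --server-side --force-conflicts`, and without `pipefail` only kubectl's exit status decides the outcome, so a failing `helm show crds` is not reported as such. Use `set -eo pipefail` on the first line, and make the CRD step use the variable introduced just above instead of the hard-coded path: `helm show crds "${CHART_PATH}" | kubectl apply -f - --server-side --force-conflicts`. The CRDs are applied after `helm upgrade`; if any chart template creates instances of those CRDs, a fresh install fails on the first run, which is worth a comment or a reorder (the templates are outside this patch).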
diff --git a/controllers/resources/deploy/charts/resources-controller/resources-controller-values.yaml b/controllers/resources/deploy/charts/resources-controller/resources-controller-values.yaml new file mode 100644 index 000000000000..18ddcd967a9e --- /dev/null +++ b/controllers/resources/deploy/charts/resources-controller/resources-controller-values.yaml @@ -0,0 +1,20 @@ +# Custom values for resources controller helm chart. +# This file contains user-customizable configurations. + +replicaCount: 1 + +resources: + limits: + cpu: 1000m + memory: 1280Mi + requests: + cpu: 10m + memory: 64Mi + +configmap: + # User custom configurations + # Note: These values can be overridden by auto-configured values from sealos-config ConfigMap + enableAutoResourceQuota: "false" + concurrentLimit: "1000" + ephemeralStorageChargeThreshold: "10Gi" + limitQuotaExpansionCycle: "24h" diff --git a/controllers/resources/deploy/charts/resources-controller/templates/configmap.yaml b/controllers/resources/deploy/charts/resources-controller/templates/configmap.yaml index d41fcfa487b0..a474dfbdecef 100644 --- a/controllers/resources/deploy/charts/resources-controller/templates/configmap.yaml +++ b/controllers/resources/deploy/charts/resources-controller/templates/configmap.yaml 
@@ -7,17 +7,30 @@ metadata: control-plane: controller-manager {{- include "resources.labels" . | nindent 4 }} data: - MONGO_URI: {{ .Values.configmap.mongoURI | quote }} - TRAFFIC_MONGO_URI: {{ .Values.configmap.trafficMongoURI | quote }} - TRAFFICS_SERVICE_CONNECT_ADDRESS: {{ .Values.configmap.trafficsServiceConnectAddress | quote }} - MINIO_ENDPOINT: {{ .Values.configmap.minioEndpoint | quote }} - MINIO_AK: {{ .Values.configmap.minioAK | quote }} - MINIO_SK: {{ .Values.configmap.minioSK | quote }} - MINIO_METRICS_ADDR: {{ .Values.configmap.minioMetricsAddr | quote }} - MINIO_METRICS_SECURE: {{ .Values.configmap.minioMetricsSecure | quote }} - PROM_URL: {{ .Values.configmap.promURL | quote }} - OBJECT_STORAGE_INSTANCE: {{ .Values.configmap.objectStorageInstance | quote }} - ENABLE_AUTO_RESOURCE_QUOTA: {{ .Values.configmap.enableAutoResourceQuota | quote }} - CONCURRENT_LIMIT: {{ .Values.configmap.concurrentLimit | quote }} - EPHEMERAL_STORAGE_CHARGE_THRESHOLD: {{ .Values.configmap.ephemeralStorageChargeThreshold | quote }} - LIMIT_QUOTA_EXPANSION_CYCLE: {{ .Values.configmap.limitQuotaExpansionCycle | quote }} + {{- $data := dict + "MONGO_URI" .Values.configmap.mongoURI + "TRAFFIC_MONGO_URI" .Values.configmap.trafficMongoURI + "TRAFFICS_SERVICE_CONNECT_ADDRESS" .Values.configmap.trafficsServiceConnectAddress + "MINIO_ENDPOINT" .Values.configmap.minioEndpoint + "MINIO_AK" .Values.configmap.minioAK + "MINIO_SK" .Values.configmap.minioSK + "MINIO_METRICS_ADDR" .Values.configmap.minioMetricsAddr + "MINIO_METRICS_SECURE" .Values.configmap.minioMetricsSecure + "PROM_URL" .Values.configmap.promURL + "OBJECT_STORAGE_INSTANCE" .Values.configmap.objectStorageInstance + "ENABLE_AUTO_RESOURCE_QUOTA" .Values.configmap.enableAutoResourceQuota + "CONCURRENT_LIMIT" .Values.configmap.concurrentLimit + "EPHEMERAL_STORAGE_CHARGE_THRESHOLD" .Values.configmap.ephemeralStorageChargeThreshold + "LIMIT_QUOTA_EXPANSION_CYCLE" .Values.configmap.limitQuotaExpansionCycle + -}} + {{- if eq 
(default "overwrite" .Values.configmapMergeStrategy) "preserve" }} + {{- $existing := (lookup "v1" "ConfigMap" .Release.Namespace .Values.configmap.name) }} + {{- if $existing }} + {{- range $k, $v := $existing.data }} + {{- $_ := set $data $k $v }} + {{- end }} + {{- end }} + {{- end }} + {{- range $k, $v := $data }} + {{ $k }}: {{ $v | quote }} + {{- end }} diff --git a/controllers/resources/deploy/charts/resources-controller/values.yaml b/controllers/resources/deploy/charts/resources-controller/values.yaml index b65c71e4f16f..18d84d125952 100644 --- a/controllers/resources/deploy/charts/resources-controller/values.yaml +++ b/controllers/resources/deploy/charts/resources-controller/values.yaml 
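Review bot: The new `preserve` branch in configmap.yaml relies on `lookup`, which returns an empty map under `helm template`, `--dry-run` and any client without read access to ConfigMaps in the release namespace, so in those modes `preserve` silently behaves like `overwrite` and the output an operator inspects differs from what the real upgrade applies; the values.yaml comment for `configmapMergeStrategy` should say so. The branch also copies every key of the existing ConfigMap into `$data`, not only keys the chart manages, so entries removed from the chart or added by hand are carried forward indefinitely, and a stale `MINIO_SK` from a previous release wins over a freshly fetched credential. If the intent is only to keep operator edits, iterate over `$data` and consult `$existing.data` per key, as below; the `range` over `$data` emits keys sorted alphabetically, a cosmetic ordering change from the old template that diff-based tooling will notice.
```yaml
  {{- if eq (default "overwrite" .Values.configmapMergeStrategy) "preserve" }}
  {{- $existing := (lookup "v1" "ConfigMap" .Release.Namespace .Values.configmap.name) }}
  {{- if and $existing $existing.data }}
  {{- /* keep the existing value only for keys this chart manages */ -}}
  {{- range $k, $v := $data }}
  {{- if hasKey $existing.data $k }}
  {{- $_ := set $data $k (index $existing.data $k) }}
  {{- end }}
  {{- end }}
  {{- end }}
  {{- end }}
  {{- /* … unchanged: range over $data emitting key: value … */ -}}
```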
@@ -37,23 +37,49 @@ resources: cpu: 10m memory: 64Mi +# ============================================================================ +# Auto-configured values (from sealos-system ConfigMaps) +# ============================================================================ +# The following configmap values are automatically fetched from ConfigMaps +# by the entrypoint script and will override any values set here. +# These are provided as reference defaults. +# +# To override these auto-configured values, use HELM_OPTIONS or modify the +# ConfigMaps directly. +# ============================================================================ +# Sources: +# - sealos-system/sealos-config ConfigMap: databaseMongodbURI +# - sealos-system/nm-agent-config ConfigMap: MONGO_URI (for trafficMongoURI) +# - sealos-system/objectstorage-config ConfigMap: MINIO_ROOT_USER, MINIO_ROOT_PASSWORD +# ============================================================================ + configmap: name: "resources-config" - mongoURI: "mongodb://mongo:27017/resources" - trafficMongoURI: "mongodb://mongo:27017/traffic" + # Database URIs (auto-configured from sealos-config) + mongoURI: "mongodb://mongo:27017/resources" # Auto-fetched from sealos-config.databaseMongodbURI + trafficMongoURI: "mongodb://mongo:27017/traffic" # Auto-fetched from nm-agent-config.MONGO_URI or sealos-config trafficsServiceConnectAddress: "" + + # MinIO configuration (auto-configured from objectstorage-config) minioEndpoint: "object-storage.objectstorage-system.svc:80" - minioAK: "" - minioSK: "" + minioAK: "" # Auto-fetched from objectstorage-config.MINIO_ROOT_USER + minioSK: "" # Auto-fetched from objectstorage-config.MINIO_ROOT_PASSWORD minioMetricsAddr: "object-storage.objectstorage-system.svc:80" minioMetricsSecure: "false" + + # Monitoring configuration promURL: "http://vmselect-vm-stack-victoria-metrics-k8s-stack.vm.svc:8481/select/0/prometheus/" objectStorageInstance: "object-storage.objectstorage-system.svc:80" + + # 
Resource quota configuration enableAutoResourceQuota: "false" concurrentLimit: "1000" ephemeralStorageChargeThreshold: "10Gi" limitQuotaExpansionCycle: "24h" +# End of auto-configured values +# ============================================================================ + extraEnv: [] livenessProbe: diff --git a/controllers/resources/deploy/resources-controller-entrypoint.sh b/controllers/resources/deploy/resources-controller-entrypoint.sh index 03362088d23a..562b1a611384 100644 --- a/controllers/resources/deploy/resources-controller-entrypoint.sh +++ b/controllers/resources/deploy/resources-controller-entrypoint.sh @@ -1,33 +1,13 @@ #!/bin/bash -set -ex +set -e HELM_OPTS=${HELM_OPTS:-""} -RELEASE_NAME=${RELEASE_NAME:-"resources"} +RELEASE_NAME=${RELEASE_NAME:-"resources-controller"} RELEASE_NAMESPACE=${RELEASE_NAMESPACE:-"resources-system"} CHART_PATH=${CHART_PATH:-"./charts/resources-controller"} -RESOURCES_ENV_AUTO_CONFIG_ENABLED=${RESOURCES_ENV_AUTO_CONFIG_ENABLED:-"true"} +RESOURCES_ENV_MERGE_STRATEGY=${RESOURCES_ENV_MERGE_STRATEGY:-"overwrite"} RESOURCES_BACKUP_ENABLED=${RESOURCES_BACKUP_ENABLED:-"true"} RESOURCES_BACKUP_DIR=${RESOURCES_BACKUP_DIR:-"/tmp/sealos-backup/resources-controller"} -DEPLOYMENT_NAME=${DEPLOYMENT_NAME:-"${RELEASE_NAME}-controller-manager"} - -timestamp() { - date +"%Y-%m-%d %T" -} - -print() { - flag=$(timestamp) - echo -e "\033[1;32m\033[1m INFO [$flag] >> $* \033[0m" -} - -warn() { - flag=$(timestamp) - echo -e "\033[33m WARN [$flag] >> $* \033[0m" -} - -info() { - flag=$(timestamp) - echo -e "\033[36m INFO [$flag] >> $* \033[0m" -} adopt_namespaced_resource() { local kind="$1" @@ -54,12 +34,6 @@ get_cm_value() { kubectl get configmap "${name}" -n "${namespace}" -o "jsonpath={.data.${key}}" 2>/dev/null || true } -add_set_string() { - local key="$1" - local value="$2" - HELM_SET_ARGS+=(--set-string "${key}=${value}") -} - backup_ns_resource() { local kind="$1" local name="$2" 
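Review bot: The header says overrides go through `HELM_OPTIONS`, but the entrypoint in this same patch reads `HELM_OPTS` (`HELM_OPTS=${HELM_OPTS:-""}`), so the instruction as written points at a variable nothing consumes; change it to `# To override these auto-configured values, use HELM_OPTS or modify the ConfigMaps directly.` The `minioAK`/`minioSK` comments should also state that the fetched pair is the MinIO *root* user and password and that the chart writes them into a ConfigMap, e.g. `# Auto-fetched MinIO root credentials — rendered into a ConfigMap; supply a scoped access key here instead where possible`, so operators know the least-privilege option exists.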
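Review bot: The default `RELEASE_NAME` changes from `resources` to `resources-controller`, so on an existing cluster `helm status resources-controller` fails, the adoption path relabels the live objects to the new release, and the old `resources` release record stays in the namespace still claiming them; a later `helm uninstall resources` would then delete the controller out from under the new release, and nothing in this patch migrates or removes that record. If the rename is intended, detect the legacy release first (`helm status resources -n "${RELEASE_NAMESPACE}"`) and either keep using that name or document the manual cleanup. Dropping `-x` is a real improvement now that the MinIO password is read into shell variables, but this script keeps plain `set -e` while the new user-controller entrypoint in this patch uses `set -euo pipefail`; the two should agree, noting that `-u` with an empty `"${HELM_SET_ARGS[@]}"` needs bash >= 4.4.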
@@ -69,18 +43,6 @@ backup_ns_resource() { fi } -get_sealos_config() { - local key="$1" - kubectl get configmap sealos-config -n sealos-system -o "jsonpath={.data.${key}}" 2>/dev/null || true -} - -get_config_value() { - local namespace="$1" - local name="$2" - local key="$3" - kubectl get configmap "${name}" -n "${namespace}" -o "jsonpath={.data.${key}}" 2>/dev/null || true -} - backup_cluster_resource() { local kind="$1" local name="$2" 
@@ -90,65 +52,7 @@ backup_cluster_resource() { fi } -setup_configmap_params() { - info "start collecting resource configuration parameters..." - - varDatabaseMongodbURI=$(get_sealos_config "databaseMongodbURI") - varDatabaseGlobalCockroachdbURI=$(get_sealos_config "databaseGlobalCockroachdbURI") - varDatabaseLocalCockroachdbURI=$(get_sealos_config "databaseLocalCockroachdbURI") - - if [ -z "${RESOURCES_MONGO_URI}" ] && [ -n "${MONGO_URI}" ]; then - RESOURCES_MONGO_URI="${MONGO_URI}" - fi - RESOURCES_MONGO_URI=${RESOURCES_MONGO_URI:-"${varDatabaseMongodbURI}"} - - trafficMONGO=$(get_config_value sealos-system nm-agent-config MONGO_URI) - if [ -z "${trafficMONGO}" ]; then - trafficMONGO="${varDatabaseMongodbURI}" - fi - - if [ -z "${RESOURCES_TRAFFIC_MONGO_URI}" ] && [ -n "${TRAFFIC_MONGO_URI}" ]; then - RESOURCES_TRAFFIC_MONGO_URI="${TRAFFIC_MONGO_URI}" - fi - RESOURCES_TRAFFIC_MONGO_URI=${RESOURCES_TRAFFIC_MONGO_URI:-"${trafficMONGO}"} - - minioUser=$(get_config_value sealos-system objectstorage-config MINIO_ROOT_USER) - minioPassword=$(get_config_value sealos-system objectstorage-config MINIO_ROOT_PASSWORD) - RESOURCES_MINIO_ENDPOINT=${RESOURCES_MINIO_ENDPOINT:-"object-storage.objectstorage-system.svc:80"} - RESOURCES_MINIO_METRICS_ADDR=${RESOURCES_MINIO_METRICS_ADDR:-"object-storage.objectstorage-system.svc:80"} - RESOURCES_MINIO_METRICS_SECURE=${RESOURCES_MINIO_METRICS_SECURE:-"false"} - - RESOURCES_PROM_URL=${RESOURCES_PROM_URL:-"http://vmselect-vm-stack-victoria-metrics-k8s-stack.vm.svc:8481/select/0/prometheus/"} - - RESOURCES_OBJECT_STORAGE_INSTANCE=${RESOURCES_OBJECT_STORAGE_INSTANCE:-"object-storage.objectstorage-system.svc:80"} - - RESOURCES_ENABLE_AUTO_RESOURCE_QUOTA=${RESOURCES_ENABLE_AUTO_RESOURCE_QUOTA:-"false"} - RESOURCES_CONCURRENT_LIMIT=${RESOURCES_CONCURRENT_LIMIT:-"1000"} - RESOURCES_EPHEMERAL_STORAGE_CHARGE_THRESHOLD=${RESOURCES_EPHEMERAL_STORAGE_CHARGE_THRESHOLD:-"10Gi"} - 
RESOURCES_LIMIT_QUOTA_EXPANSION_CYCLE=${RESOURCES_LIMIT_QUOTA_EXPANSION_CYCLE:-"24h"} - - add_set_string "configmap.mongoURI" "${RESOURCES_MONGO_URI}" - add_set_string "configmap.trafficMongoURI" "${RESOURCES_TRAFFIC_MONGO_URI}" - add_set_string "configmap.minioEndpoint" "${RESOURCES_MINIO_ENDPOINT}" - add_set_string "configmap.minioAK" "${minioUser}" - add_set_string "configmap.minioSK" "${minioPassword}" - add_set_string "configmap.minioMetricsAddr" "${RESOURCES_MINIO_METRICS_ADDR}" - add_set_string "configmap.minioMetricsSecure" "${RESOURCES_MINIO_METRICS_SECURE}" - add_set_string "configmap.promURL" "${RESOURCES_PROM_URL}" - add_set_string "configmap.objectStorageInstance" "${RESOURCES_OBJECT_STORAGE_INSTANCE}" - add_set_string "configmap.enableAutoResourceQuota" "${RESOURCES_ENABLE_AUTO_RESOURCE_QUOTA}" - add_set_string "configmap.concurrentLimit" "${RESOURCES_CONCURRENT_LIMIT}" - add_set_string "configmap.ephemeralStorageChargeThreshold" "${RESOURCES_EPHEMERAL_STORAGE_CHARGE_THRESHOLD}" - add_set_string "configmap.limitQuotaExpansionCycle" "${RESOURCES_LIMIT_QUOTA_EXPANSION_CYCLE}" - - if [ -n "${RESOURCES_TRAFFICS_SERVICE_CONNECT_ADDRESS}" ]; then - add_set_string "configmap.trafficsServiceConnectAddress" "${RESOURCES_TRAFFICS_SERVICE_CONNECT_ADDRESS}" - fi - - info "The collection of resource configuration parameters has been completed" -} - -backup_resources() { +backup_resources_resources() { if [ "${RESOURCES_BACKUP_ENABLED}" != "true" ]; then return fi @@ -170,7 +74,6 @@ backup_resources() { fi backup_ns_resource configmap resources-manager-config backup_ns_resource configmap resources-config - backup_ns_resource secret mongo-secret backup_ns_resource service resources-controller-manager-metrics-service backup_ns_resource deployment resources-controller-manager backup_ns_resource serviceaccount resources-controller-manager 
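Review bot: `backup_resources_resources` reads as an accidental doubled word; since the function is only renamed here and its body continues past the hunk, `backup_resources_controller` (matching `RESOURCES_BACKUP_DIR`) would be clearer, with the call site in a later hunk changed to match. Removing `setup_configmap_params` also drops the `RESOURCES_MONGO_URI`/`MONGO_URI`-style environment overrides without any deprecation notice; a one-line warning when one of those variables is still set, e.g. `[ -n "${RESOURCES_MONGO_URI:-}" ] && echo "WARN: RESOURCES_MONGO_URI is ignored; use HELM_OPTS" >&2`, would avoid a silent fallback to the ConfigMap value.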
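Review bot: `secret mongo-secret` is dropped from the backup list here and from the adoption list in a later hunk, but nothing in the patch deletes that Secret or says whether the chart still renders it; if it remains in the namespace it becomes an unmanaged, no-longer-backed-up copy of the Mongo credentials. Either keep this line, or add an explicit `kubectl -n "${RELEASE_NAMESPACE}" delete secret mongo-secret --ignore-not-found` with a comment explaining that the URI now lives in the `resources-config` ConfigMap.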
@@ -180,26 +83,27 @@ backup_resources() { backup_ns_resource certificate metrics-certs } -backup_resources +# 执行备份 +backup_resources_resources -cleanup_deployment_env() { - local candidate - for candidate in "${DEPLOYMENT_NAME}" "${RELEASE_NAME}-resources-controller-manager" "resources-controller-manager"; do - if kubectl -n "${RELEASE_NAMESPACE}" get deployment "${candidate}" >/dev/null 2>&1; then - kubectl -n "${RELEASE_NAMESPACE}" set env deployment/"${candidate}" MONGO_URI- TRAFFIC_MONGO_URI- --containers=manager >/dev/null 2>&1 || true - return - fi - done -} +HELM_SET_ARGS=() -cleanup_deployment_env +AUTO_CONFIG_HELM_OPTS="" -HELM_SET_ARGS=() +MONGODB_URI=$(get_cm_value sealos-system sealos-config databaseMongodbURI) +MINIO_USER=$(get_cm_value sealos-system objectstorage-config MINIO_ROOT_USER) +MINIO_PASSWORD=$(get_cm_value sealos-system objectstorage-config MINIO_ROOT_PASSWORD) -if [ "${RESOURCES_ENV_AUTO_CONFIG_ENABLED}" = "true" ]; then - setup_configmap_params +TRAFFIC_MONGO=$(get_cm_value sealos-system nm-agent-config MONGO_URI) +if [ -z "${TRAFFIC_MONGO}" ] && [ -n "${MONGODB_URI}" ]; then + TRAFFIC_MONGO="${MONGODB_URI}" fi +[ -n "${MONGODB_URI}" ] && AUTO_CONFIG_HELM_OPTS="${AUTO_CONFIG_HELM_OPTS} --set-string configmap.mongoURI=${MONGODB_URI}" +[ -n "${TRAFFIC_MONGO}" ] && AUTO_CONFIG_HELM_OPTS="${AUTO_CONFIG_HELM_OPTS} --set-string configmap.trafficMongoURI=${TRAFFIC_MONGO}" +[ -n "${MINIO_USER}" ] && AUTO_CONFIG_HELM_OPTS="${AUTO_CONFIG_HELM_OPTS} --set-string configmap.minioAK=${MINIO_USER}" +[ -n "${MINIO_PASSWORD}" ] && AUTO_CONFIG_HELM_OPTS="${AUTO_CONFIG_HELM_OPTS} --set-string configmap.minioSK=${MINIO_PASSWORD}" + if ! helm status "${RELEASE_NAME}" -n "${RELEASE_NAMESPACE}" >/dev/null 2>&1; then if kubectl get namespace "${RELEASE_NAMESPACE}" >/dev/null 2>&1; then kubectl label namespace "${RELEASE_NAMESPACE}" app.kubernetes.io/managed-by=Helm --overwrite >/dev/null 2>&1 || true 
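Review bot: `AUTO_CONFIG_HELM_OPTS` is built as one string and (in a later hunk) expanded unquoted, so a MinIO password or Mongo URI containing whitespace or glob characters is word-split and glob-expanded before helm sees it; the previous array form avoided exactly this, and `HELM_SET_ARGS=()` is still declared right above these lines, so the four appends should go into it. Helm's `--set-string` parser also treats an unescaped comma as a key separator, and Mongo replica-set URIs (`host1:27017,host2:27017`) contain commas, so the URIs need `\,` escaping even with the array. The `if ! helm status` block this hunk opens continues outside it.

```shell
# … unchanged: MONGODB_URI / MINIO_USER / MINIO_PASSWORD / TRAFFIC_MONGO lookups …
# One argv element per flag: a flat string would be word-split and glob-expanded;
# commas in Mongo replica-set URIs must be escaped for helm's --set parser.
[ -n "${MONGODB_URI}" ]    && HELM_SET_ARGS+=(--set-string "configmap.mongoURI=${MONGODB_URI//,/\\,}")
[ -n "${TRAFFIC_MONGO}" ]  && HELM_SET_ARGS+=(--set-string "configmap.trafficMongoURI=${TRAFFIC_MONGO//,/\\,}")
[ -n "${MINIO_USER}" ]     && HELM_SET_ARGS+=(--set-string "configmap.minioAK=${MINIO_USER//,/\\,}")
[ -n "${MINIO_PASSWORD}" ] && HELM_SET_ARGS+=(--set-string "configmap.minioSK=${MINIO_PASSWORD//,/\\,}")
```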
@@ -208,7 +112,6 @@ if ! helm status "${RELEASE_NAME}" -n "${RELEASE_NAMESPACE}" >/dev/null 2>&1; th adopt_namespaced_resource configmap resources-manager-config adopt_namespaced_resource configmap resources-config - adopt_namespaced_resource secret mongo-secret adopt_namespaced_resource service resources-controller-manager-metrics-service adopt_namespaced_resource deployment resources-controller-manager adopt_namespaced_resource serviceaccount resources-controller-manager @@ -224,4 +127,27 @@ if ! helm status "${RELEASE_NAME}" -n "${RELEASE_NAMESPACE}" >/dev/null 2>&1; th adopt_cluster_resource clusterrolebinding resources-proxy-rolebinding fi -helm upgrade -i "${RELEASE_NAME}" -n "${RELEASE_NAMESPACE}" --create-namespace "${CHART_PATH}" "${HELM_SET_ARGS[@]}" ${HELM_OPTS} +if [ -n "${RESOURCES_ENV_MERGE_STRATEGY}" ]; then + HELM_SET_ARGS+=(--set-string "configmapMergeStrategy=${RESOURCES_ENV_MERGE_STRATEGY}") +fi + +# Prepare values files +SERVICE_NAME="resources-controller" +USER_VALUES_PATH="/root/.sealos/cloud/values/core/${SERVICE_NAME}-values.yaml" + +# Copy user values template if not exists +if [ ! -f "${USER_VALUES_PATH}" ]; then + mkdir -p "$(dirname "${USER_VALUES_PATH}")" + cp "./charts/${SERVICE_NAME}/${SERVICE_NAME}-values.yaml" "${USER_VALUES_PATH}" +fi + +# merge all helm_opts +# 1. AUTO_CONFIG_HELM_OPTS (Configuration automatically obtained from ConfigMap) +# 2. HELM_SET_ARGS (parameters set internally in the script) +# 3. HELM_OPTS (the parameter passed by the user via --env, with the highest priority, can override the previous configuration) +helm upgrade -i "${RELEASE_NAME}" -n "${RELEASE_NAMESPACE}" --create-namespace "${CHART_PATH}" \ + -f "./charts/${SERVICE_NAME}/values.yaml" \ + -f "${USER_VALUES_PATH}" \ + ${AUTO_CONFIG_HELM_OPTS} \ + "${HELM_SET_ARGS[@]}" \ + ${HELM_OPTS} diff --git a/controllers/user/deploy/Kubefile b/controllers/user/deploy/Kubefile index 370536c61379..e4e4c2d632f3 100644 --- a/controllers/user/deploy/Kubefile 
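Review bot: The `helm upgrade` call passes the MinIO root password and the Mongo URI as `--set-string` arguments, so while helm runs they are visible to every local process via `ps`/`/proc/*/cmdline` and to any shell trace someone re-enables; writing the auto-configured keys into a `mktemp` values file created with mode 0600, passing it with `-f` after `${USER_VALUES_PATH}`, and removing it in an `EXIT` trap keeps the documented precedence while taking the secrets off the command line. The persisted user values file is the place the merge order invites operators to put their own credentials, yet it is created with `mkdir -p` + `cp` under the default umask; `install -D -m 0600 "./charts/${SERVICE_NAME}/${SERVICE_NAME}-values.yaml" "${USER_VALUES_PATH}"` does both steps with a safe mode. The file is also copied only once and never refreshed, which is worth a comment so nobody expects template changes to propagate.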
+++ b/controllers/user/deploy/Kubefile @@ -5,5 +5,5 @@ USER 65532:65532 COPY registry registry COPY charts charts COPY drop drop -COPY entrypoint.sh entrypoint.sh -CMD ["bash entrypoint.sh"] +COPY user-controller-entrypoint.sh user-controller-entrypoint.sh +CMD ["bash user-controller-entrypoint.sh"] diff --git a/controllers/user/deploy/README.md b/controllers/user/deploy/README.md index 11648e014fd8..7463e52ee984 100644 --- a/controllers/user/deploy/README.md +++ b/controllers/user/deploy/README.md @@ -1,7 +1,7 @@ ### How to build image ```shell -sealos build -t docker.io/labring/sealos-user-controller:latest -f Dockerfile . +sealos build -t docker.io/labring/sealos-user-controller:latest -f Kubefile . ``` ### How to run diff --git a/controllers/user/deploy/charts/user/.helmignore b/controllers/user/deploy/charts/user-controller/.helmignore similarity index 100% rename from controllers/user/deploy/charts/user/.helmignore rename to controllers/user/deploy/charts/user-controller/.helmignore diff --git a/controllers/user/deploy/charts/user/Chart.yaml b/controllers/user/deploy/charts/user-controller/Chart.yaml similarity index 100% rename from controllers/user/deploy/charts/user/Chart.yaml rename to controllers/user/deploy/charts/user-controller/Chart.yaml diff --git a/controllers/user/deploy/charts/user/crds/user.sealos.io_deleterequests.yaml b/controllers/user/deploy/charts/user-controller/crds/user.sealos.io_deleterequests.yaml similarity index 100% rename from controllers/user/deploy/charts/user/crds/user.sealos.io_deleterequests.yaml rename to controllers/user/deploy/charts/user-controller/crds/user.sealos.io_deleterequests.yaml 
diff --git a/controllers/user/deploy/charts/user/crds/user.sealos.io_operationrequests.yaml b/controllers/user/deploy/charts/user-controller/crds/user.sealos.io_operationrequests.yaml similarity index 100% rename from controllers/user/deploy/charts/user/crds/user.sealos.io_operationrequests.yaml rename to controllers/user/deploy/charts/user-controller/crds/user.sealos.io_operationrequests.yaml diff --git a/controllers/user/deploy/charts/user/crds/user.sealos.io_users.yaml b/controllers/user/deploy/charts/user-controller/crds/user.sealos.io_users.yaml similarity index 100% rename from controllers/user/deploy/charts/user/crds/user.sealos.io_users.yaml rename to controllers/user/deploy/charts/user-controller/crds/user.sealos.io_users.yaml diff --git a/controllers/user/deploy/charts/user/templates/_helpers.tpl b/controllers/user/deploy/charts/user-controller/templates/_helpers.tpl similarity index 100% rename from controllers/user/deploy/charts/user/templates/_helpers.tpl rename to controllers/user/deploy/charts/user-controller/templates/_helpers.tpl diff --git a/controllers/user/deploy/charts/user/templates/cert.yaml b/controllers/user/deploy/charts/user-controller/templates/cert.yaml similarity index 100% rename from controllers/user/deploy/charts/user/templates/cert.yaml rename to controllers/user/deploy/charts/user-controller/templates/cert.yaml diff --git a/controllers/user/deploy/charts/user/templates/deployment.yaml b/controllers/user/deploy/charts/user-controller/templates/deployment.yaml similarity index 100% rename from controllers/user/deploy/charts/user/templates/deployment.yaml rename to controllers/user/deploy/charts/user-controller/templates/deployment.yaml 
diff --git a/controllers/user/deploy/charts/user/templates/rbac.yaml b/controllers/user/deploy/charts/user-controller/templates/rbac.yaml similarity index 100% rename from controllers/user/deploy/charts/user/templates/rbac.yaml rename to controllers/user/deploy/charts/user-controller/templates/rbac.yaml diff --git a/controllers/user/deploy/charts/user/templates/service.yaml b/controllers/user/deploy/charts/user-controller/templates/service.yaml similarity index 100% rename from controllers/user/deploy/charts/user/templates/service.yaml rename to controllers/user/deploy/charts/user-controller/templates/service.yaml diff --git a/controllers/user/deploy/charts/user/templates/serviceaccount.yaml b/controllers/user/deploy/charts/user-controller/templates/serviceaccount.yaml similarity index 100% rename from controllers/user/deploy/charts/user/templates/serviceaccount.yaml rename to controllers/user/deploy/charts/user-controller/templates/serviceaccount.yaml diff --git a/controllers/user/deploy/charts/user/templates/webhook.yaml b/controllers/user/deploy/charts/user-controller/templates/webhook.yaml similarity index 100% rename from controllers/user/deploy/charts/user/templates/webhook.yaml rename to controllers/user/deploy/charts/user-controller/templates/webhook.yaml diff --git a/controllers/user/deploy/charts/user-controller/user-controller-values.yaml b/controllers/user/deploy/charts/user-controller/user-controller-values.yaml new file mode 100644 index 000000000000..7377840f2b08 --- /dev/null +++ b/controllers/user/deploy/charts/user-controller/user-controller-values.yaml @@ -0,0 +1,12 @@ +# Custom values for user controller helm chart. +# This file contains user-customizable configurations. + +replicaCount: 1 + +resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 10m + memory: 64Mi 
diff --git a/controllers/user/deploy/charts/user/values.yaml b/controllers/user/deploy/charts/user-controller/values.yaml similarity index 89% rename from controllers/user/deploy/charts/user/values.yaml rename to controllers/user/deploy/charts/user-controller/values.yaml index 4dddebdaee1e..b1575d9bc086 100644 --- a/controllers/user/deploy/charts/user/values.yaml +++ b/controllers/user/deploy/charts/user-controller/values.yaml @@ -1,11 +1,8 @@ # Default values for user controller helm chart. -replicaCount: 1 - image: ghcr.io/labring/sealos-user-controller:latest imagePullSecrets: [] -nameOverride: "" fullnameOverride: "user" serviceAccount: @@ -33,17 +30,6 @@ service: webhook: port: 443 -resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 10m - memory: 64Mi - -cloudAPIServerDomain: 127.0.0.1.nip.io -cloudAPIServerPort: "6443" - livenessProbe: httpGet: path: /healthz @@ -58,6 +44,11 @@ readinessProbe: initialDelaySeconds: 5 periodSeconds: 10 +# Cloud API server configuration +# cloudAPIServerDomain is auto-configured by entrypoint.sh from sealos-config ConfigMap +cloudAPIServerDomain: 127.0.0.1.nip.io +cloudAPIServerPort: "6443" + metrics: # Enable metrics endpoint enabled: false diff --git a/controllers/user/deploy/entrypoint.sh b/controllers/user/deploy/entrypoint.sh deleted file mode 100644 index cd44cad8c989..000000000000 --- a/controllers/user/deploy/entrypoint.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash -set -euo pipefail - -HELM_OPTS=${HELM_OPTS:-""} - -kubectl delete -f ./drop/ --ignore-not-found -SEALOS_CLOUD_DOMAIN=$(kubectl get configmap sealos-config -n sealos-system -o jsonpath='{.data.cloudDomain}') - -helm upgrade -i user -n user-system --create-namespace ./charts/user --set cloudAPIServerDomain=${SEALOS_CLOUD_DOMAIN} ${HELM_OPTS} -helm show crds ./charts/user | kubectl apply -f - --server-side --force-conflicts 
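Review bot: The new comment says `cloudAPIServerDomain is auto-configured by entrypoint.sh`, but this same patch deletes `entrypoint.sh` and replaces it with `user-controller-entrypoint.sh`, so the reference is stale on arrival; change it to `# cloudAPIServerDomain is set by user-controller-entrypoint.sh from sealos-config's cloudDomain key` and note that `cloudAPIServerPort` has no such override. Moving the two keys below the probes is fine, but dropping `nameOverride: ""` from the defaults is only safe because `_helpers.tpl` goes through `default`; a short comment saying the chart name is intentionally fixed via `fullnameOverride` would make that clear.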
diff --git a/controllers/user/deploy/user-controller-entrypoint.sh b/controllers/user/deploy/user-controller-entrypoint.sh
new file mode 100644
index 000000000000..5f54e211de05
--- /dev/null
+++ b/controllers/user/deploy/user-controller-entrypoint.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+set -euo pipefail
+
+HELM_OPTS=${HELM_OPTS:-""}
+RELEASE_NAME=${RELEASE_NAME:-"user-controller"}
+RELEASE_NAMESPACE=${RELEASE_NAMESPACE:-"user-system"}
+CHART_PATH=${CHART_PATH:-"./charts/user-controller"}
+
+# Clean up old resources
+kubectl delete -f ./drop/ --ignore-not-found
+
+# Get cloud domain from configmap
+SEALOS_CLOUD_DOMAIN=$(kubectl get configmap sealos-config -n sealos-system -o jsonpath='{.data.cloudDomain}')
+
+# Prepare values files
+SERVICE_NAME="user-controller"
+USER_VALUES_PATH="/root/.sealos/cloud/values/core/${SERVICE_NAME}-values.yaml"
+
+# Copy user values template if not exists
+if [ ! -f "${USER_VALUES_PATH}" ]; then
+ mkdir -p "$(dirname "${USER_VALUES_PATH}")"
+ cp "./charts/${SERVICE_NAME}/${SERVICE_NAME}-values.yaml" "${USER_VALUES_PATH}"
+fi
+
+# Deploy Helm chart
+helm upgrade -i "${RELEASE_NAME}" -n "${RELEASE_NAMESPACE}" --create-namespace "${CHART_PATH}" \
+ -f "./charts/${SERVICE_NAME}/values.yaml" \
+ -f "${USER_VALUES_PATH}" \
+ --set cloudAPIServerDomain=${SEALOS_CLOUD_DOMAIN} \
+ ${HELM_OPTS}
+
+# Apply CRDs
+helm show crds ./charts/${SERVICE_NAME} | kubectl apply -f - --server-side --force-conflicts
diff --git a/frontend/providers/costcenter/deploy/Kubefile b/frontend/providers/costcenter/deploy/Kubefile
index 139414db66a3..be67ba1a1909 100644
--- a/frontend/providers/costcenter/deploy/Kubefile
+++ b/frontend/providers/costcenter/deploy/Kubefile
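Review bot: `SEALOS_CLOUD_DOMAIN` is read from the ConfigMap but never validated, so an empty or missing `cloudDomain` key yields `--set cloudAPIServerDomain=` and silently replaces the chart default with an empty string rather than failing; add `[ -n "${SEALOS_CLOUD_DOMAIN}" ] || { echo "sealos-config/cloudDomain is empty" >&2; exit 1; }` before the helm call and quote the flag as `--set "cloudAPIServerDomain=${SEALOS_CLOUD_DOMAIN}"` so a value with spaces or globs cannot be split. The Kubefile in this patch sets `USER 65532:65532` while the script writes under `/root/.sealos`; if that USER line is honoured when the CMD runs, `mkdir -p` fails under `set -e` — worth confirming on a real install.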
@@ -3,13 +3,6 @@ FROM scratch
 USER 65532:65532
 COPY registry registry
-COPY manifests manifests
+COPY charts charts
-ENV certSecretName="wildcard-cert"
-ENV cloudDomain="127.0.0.1.nip.io"
-ENV cloudPort=""
-ENV transferEnabled="true"
-ENV rechargeEnabled="true"
-ENV jwtInternal=""
-CMD ["kubectl apply -f manifests"]
+CMD ["./costcenter-frontend-entrypoint.sh"]
diff --git a/frontend/providers/costcenter/deploy/charts/costcenter-frontend/Chart.yaml b/frontend/providers/costcenter/deploy/charts/costcenter-frontend/Chart.yaml
new file mode 100644
index 000000000000..fcb4d019f458
--- /dev/null
+++ b/frontend/providers/costcenter/deploy/charts/costcenter-frontend/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: costcenter-frontend
+description: Sealos Costcenter Frontend Helm Chart
+type: application
+version: 1.0.0
+appVersion: "latest"
diff --git a/frontend/providers/costcenter/deploy/charts/costcenter-frontend/costcenter-frontend-values.yaml b/frontend/providers/costcenter/deploy/charts/costcenter-frontend/costcenter-frontend-values.yaml
new file mode 100644
index 000000000000..fb4e98c1d336
--- /dev/null
+++ b/frontend/providers/costcenter/deploy/charts/costcenter-frontend/costcenter-frontend-values.yaml
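Review bot: The new `CMD ["./costcenter-frontend-entrypoint.sh"]` points at a file the image never receives: the only `COPY` lines are `registry` and `charts`, whereas the user-controller Kubefile in this patch adds `COPY user-controller-entrypoint.sh user-controller-entrypoint.sh` before its CMD. Add `COPY costcenter-frontend-entrypoint.sh costcenter-frontend-entrypoint.sh` and, for consistency with the other images, `CMD ["bash costcenter-frontend-entrypoint.sh"]`. Removing the `ENV jwtInternal=""` and friends is fine, but a one-line comment that configuration now comes from `sealos-config` plus the persisted values file would help anyone who previously set these via `--env`.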
@@ -0,0 +1,49 @@ +# Custom values for costcenter frontend helm chart. +# This file contains user-customizable configurations. + +replicaCount: 1 + +resources: + limits: + cpu: 1000m + memory: 2048Mi + requests: + cpu: 10m + memory: 128Mi + +# Costcenter business configuration +# Customize these settings based on your requirements +costcenterConfig: + transferEnabled: true + currencyType: "shellCoin" + + # Invoice configuration + invoice: + enabled: false + feiShuBotURL: "" + aliSms: + endpoint: "" + accessKeyID: "" + accessKeySecret: "" + templateCode: "" + signName: "" + invoiceCompletedTemplateCode: "" + mongo: + uri: "" + + # Recharge configuration + recharge: + enabled: false + payMethods: + wechat: + enabled: false + alipay: + enabled: false + stripe: + enabled: false + publicKey: "" + + # Component URLs + components: + accountService: + url: "http://account-service.account-system.svc:2333" diff --git a/frontend/providers/costcenter/deploy/charts/costcenter-frontend/templates/_helpers.tpl b/frontend/providers/costcenter/deploy/charts/costcenter-frontend/templates/_helpers.tpl new file mode 100644 index 000000000000..71da924dc6d9 --- /dev/null +++ b/frontend/providers/costcenter/deploy/charts/costcenter-frontend/templates/_helpers.tpl 
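Review bot: `aliSms.accessKeyID`, `aliSms.accessKeySecret` and `invoice.mongo.uri` are credentials, yet the file presents them as ordinary "user-customizable configurations"; the entrypoint copies this file to `/root/.sealos/cloud/values/core/` and the chart's configmap template renders every one of these keys into a ConfigMap, so the same secret ends up in two plaintext places. Add a comment above `aliSms:` such as `# Credentials: anything set here is persisted under /root/.sealos and rendered into the app ConfigMap — prefer referencing an existing Secret` and, if an `existingSecret`-style value is introduced, point to it from here.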
@@ -0,0 +1,49 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "costcenter-frontend.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+*/}}
+{{- define "costcenter-frontend.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "costcenter-frontend.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "costcenter-frontend.labels" -}}
+helm.sh/chart: {{ include "costcenter-frontend.chart" . }}
+{{ include "costcenter-frontend.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "costcenter-frontend.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "costcenter-frontend.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
diff --git a/frontend/providers/costcenter/deploy/charts/costcenter-frontend/templates/configmap.yaml b/frontend/providers/costcenter/deploy/charts/costcenter-frontend/templates/configmap.yaml
new file mode 100644
index 000000000000..2fcbeb45523e
--- /dev/null
+++ b/frontend/providers/costcenter/deploy/charts/costcenter-frontend/templates/configmap.yaml
@@ -0,0 +1,39 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "costcenter-frontend.fullname" . }}-config + namespace: {{ .Release.Namespace }} +data: + config.yaml: |- + costCenter: + transferEnabled: {{ .Values.costcenterConfig.transferEnabled }} + currencyType: {{ .Values.costcenterConfig.currencyType | quote }} + auth: + jwt: + internal: {{ .Values.costcenterConfig.jwtInternal | quote }} + billing: {{ .Values.costcenterConfig.jwtInternal | quote }} + invoice: + enabled: {{ .Values.costcenterConfig.invoice.enabled }} + feiShuBotURL: {{ .Values.costcenterConfig.invoice.feiShuBotURL | quote }} + aliSms: + endpoint: {{ .Values.costcenterConfig.invoice.aliSms.endpoint | quote }} + accessKeyID: {{ .Values.costcenterConfig.invoice.aliSms.accessKeyID | quote }} + accessKeySecret: {{ .Values.costcenterConfig.invoice.aliSms.accessKeySecret | quote }} + templateCode: {{ .Values.costcenterConfig.invoice.aliSms.templateCode | quote }} + signName: {{ .Values.costcenterConfig.invoice.aliSms.signName | quote }} + invoiceCompletedTemplateCode: {{ .Values.costcenterConfig.invoice.aliSms.invoiceCompletedTemplateCode | quote }} + mongo: + uri: {{ .Values.costcenterConfig.invoice.mongo.uri | quote }} + recharge: + enabled: {{ .Values.costcenterConfig.recharge.enabled }} + payMethods: + wechat: + enabled: {{ .Values.costcenterConfig.recharge.payMethods.wechat.enabled }} + alipay: + enabled: {{ .Values.costcenterConfig.recharge.payMethods.alipay.enabled }} + stripe: + enabled: {{ .Values.costcenterConfig.recharge.payMethods.stripe.enabled }} + publicKey: {{ .Values.costcenterConfig.recharge.payMethods.stripe.publicKey | quote }} + components: + accountService: + url: {{ .Values.costcenterConfig.components.accountService.url | quote }} 
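Review bot: `auth.jwt.internal`, `aliSms.accessKeySecret` and `mongo.uri` are written into a ConfigMap, which any principal with `get configmaps` in the release namespace can read; the smallest fix is to make this object a `kind: Secret` with `stringData:` instead of `data:` and switch the Deployment volume from `configMap:` to `secret: {secretName: ...}`, keeping `config.yaml` as the single mounted file. `billing` is also set to the same `jwtInternal` value as `internal`; if billing tokens are meant to be verified by a different service, sharing one key lets either side mint the other's tokens, so confirm that is intended and say so in a comment. The ConfigMap is the only object in this chart without the common labels helper, which is presumably why the entrypoint has to label it by hand.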
diff --git a/frontend/providers/costcenter/deploy/charts/costcenter-frontend/templates/deployment.yaml b/frontend/providers/costcenter/deploy/charts/costcenter-frontend/templates/deployment.yaml new file mode 100644 index 000000000000..df151fa11ea2 --- /dev/null +++ b/frontend/providers/costcenter/deploy/charts/costcenter-frontend/templates/deployment.yaml @@ -0,0 +1,56 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "costcenter-frontend.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "costcenter-frontend.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "costcenter-frontend.selectorLabels" . | nindent 6 }} + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 25% + maxSurge: 25% + template: + metadata: + labels: + {{- include "costcenter-frontend.selectorLabels" . | nindent 8 }} + spec: + containers: + - name: {{ .Chart.Name }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + securityContext: + runAsNonRoot: true + runAsUser: 1001 + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + image: "{{ .Values.image }}" + imagePullPolicy: {{ .Values.imagePullPolicy }} + volumeMounts: + - name: costcenter-frontend-volume + mountPath: /app/data/config.yaml + subPath: config.yaml + readinessProbe: + httpGet: + path: /api/platform/getAppConfig + port: {{ .Values.service.port }} + initialDelaySeconds: 5 + periodSeconds: 3 + timeoutSeconds: 2 + successThreshold: 3 + failureThreshold: 3 + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + - name: costcenter-frontend-volume + configMap: + name: {{ include "costcenter-frontend.fullname" . }}-config 
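Review bot: The pod and container `securityContext` are hardcoded here although values.yaml in this patch defines `podSecurityContext` and `securityContext` (and `podAnnotations`, `podLabels`, `imagePullSecrets`), none of which this template reads, so an operator who tightens them in their values file gets no effect. Wire them through with `toYaml`, and add a pod-level `seccompProfile: RuntimeDefault` which is missing; `readOnlyRootFilesystem: true` is worth trying as well, but only after confirming the frontend does not write under its root filesystem. The mounted ConfigMap also has no checksum annotation, so a rotated `jwtInternal` or changed credential does not roll the pods until something else restarts them.

```yaml
  template:
    metadata:
      annotations:
        # roll pods when config.yaml (jwt secret, credentials) changes
        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
        {{- with .Values.podAnnotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      labels:
        {{- include "costcenter-frontend.selectorLabels" . | nindent 8 }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: {{ .Chart.Name }}
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          # … unchanged: resources, image, volumeMounts, readinessProbe …
```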
diff --git a/frontend/providers/costcenter/deploy/charts/costcenter-frontend/templates/service.yaml b/frontend/providers/costcenter/deploy/charts/costcenter-frontend/templates/service.yaml new file mode 100644 index 000000000000..83e4535e71d6 --- /dev/null +++ b/frontend/providers/costcenter/deploy/charts/costcenter-frontend/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + {{- include "costcenter-frontend.labels" . | nindent 4 }} + name: {{ include "costcenter-frontend.fullname" . }} + namespace: {{ .Release.Namespace }} +spec: + ports: + - name: http + port: {{ .Values.service.port }} + protocol: TCP + targetPort: {{ .Values.service.port }} + selector: + {{- include "costcenter-frontend.selectorLabels" . | nindent 4 }} diff --git a/frontend/providers/costcenter/deploy/charts/costcenter-frontend/values.yaml b/frontend/providers/costcenter/deploy/charts/costcenter-frontend/values.yaml new file mode 100644 index 000000000000..70cffa406028 --- /dev/null +++ b/frontend/providers/costcenter/deploy/charts/costcenter-frontend/values.yaml 
@@ -0,0 +1,44 @@ +# Default values for costcenter frontend helm chart. + +image: ghcr.io/labring/sealos-costcenter-frontend:latest +imagePullPolicy: Always + +imagePullSecrets: [] +fullnameOverride: "costcenter-frontend" + +podAnnotations: {} +podLabels: {} + +podSecurityContext: + runAsNonRoot: true + runAsUser: 1001 + +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - 'ALL' + +service: + type: ClusterIP + port: 3000 + +# Costcenter frontend configuration +# Note: jwtInternal is auto-configured by entrypoint.sh from sealos-config ConfigMap +# For business configurations (transfer, invoice, recharge, etc.), see costcenter-frontend-values.yaml +costcenterConfig: + jwtInternal: "" # Auto-injected by entrypoint script + +# Affinity for pod anti-affinity +affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: "app" + operator: In + values: + - costcenter-frontend + topologyKey: "kubernetes.io/hostname" diff --git a/frontend/providers/costcenter/deploy/costcenter-frontend-entrypoint.sh b/frontend/providers/costcenter/deploy/costcenter-frontend-entrypoint.sh new file mode 100755 index 000000000000..785f58386c5c --- /dev/null +++ b/frontend/providers/costcenter/deploy/costcenter-frontend-entrypoint.sh 
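Review bot: The anti-affinity term matches `key: "app"`, but the Deployment template in this patch labels pods only with `app.kubernetes.io/name` and `app.kubernetes.io/instance`, so the preference never matches anything and replicas can land on one node; change it to `- key: "app.kubernetes.io/name"`. `image: ...:latest` with `imagePullPolicy: Always` means every rollout pulls whatever the tag points to at that moment; pin a release tag (ideally a digest) so the deployed frontend is reproducible and auditable. `podSecurityContext`/`securityContext` are declared here but the template hardcodes its own values, so either wire them through or drop them with a comment to avoid a misleading knob.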
@@ -0,0 +1,119 @@ +#!/bin/bash +set -e + +# Default values +RELEASE_NAME=${RELEASE_NAME:-"costcenter-frontend"} +RELEASE_NAMESPACE=${RELEASE_NAMESPACE:-"costcenter-frontend"} +CHART_PATH=${CHART_PATH:-"./charts/costcenter-frontend"} + +# HELM_OPTS support +HELM_OPTS=${HELM_OPTS:-""} + +# Get ConfigMap value +get_cm_value() { + local namespace="$1" + local name="$2" + local key="$3" + kubectl get configmap "${name}" -n "${namespace}" -o "jsonpath={.data.${key}}" 2>/dev/null || true +} + +# Auto configuration from sealos-system ConfigMap +AUTO_CONFIG_HELM_OPTS="" + +JWT_INTERNAL=$(get_cm_value sealos-system sealos-config jwtInternal) + +[ -n "$JWT_INTERNAL" ] && AUTO_CONFIG_HELM_OPTS="$AUTO_CONFIG_HELM_OPTS --set-string costcenterConfig.jwtInternal=$JWT_INTERNAL" + +# Check if Deployment selector matches expected Helm labels +check_deployment_selector() { + local deployment_name="$1" + local expected_selector="$2" + + local current_selector + current_selector=$(kubectl -n "${RELEASE_NAMESPACE}" get deployment "${deployment_name}" -o jsonpath='{.spec.selector.matchLabels}' 2>/dev/null || echo "{}") + + # Simple check: if expected selector contains key-value pairs that differ + if echo "$current_selector" | grep -q "app.kubernetes.io/name"; then + return 0 # Selector already has Helm labels, assume compatible + fi + + return 1 # Selector incompatible +} + +# Backup and recreate Deployment if selector incompatible +recreate_deployment_if_needed() { + local deployment_name="$1" + local expected_selector="$2" + + if ! kubectl -n "${RELEASE_NAMESPACE}" get deployment "${deployment_name}" >/dev/null 2>&1; then + return 0 # Deployment doesn't exist, nothing to do + fi + + if check_deployment_selector "${deployment_name}" "${expected_selector}"; then + echo "Deployment ${deployment_name} selector is compatible, skipping recreation..." + return 0 + fi + + echo "Deployment ${deployment_name} selector incompatible, recreating..." 
+ local backup_file="/tmp/${deployment_name}-backup-$(date +%s).yaml" + + # Backup current deployment + kubectl -n "${RELEASE_NAMESPACE}" get deployment "${deployment_name}" -o yaml > "${backup_file}" + + # Delete deployment (Helm will recreate it) + kubectl -n "${RELEASE_NAMESPACE}" delete deployment "${deployment_name}" --ignore-not-found=true + + echo "Deployment ${deployment_name} recreated (backup saved to ${backup_file})" +} + +# Adopt existing resources for Helm +adopt_namespaced_resource() { + local kind="$1" + local name="$2" + if kubectl -n "${RELEASE_NAMESPACE}" get "${kind}" "${name}" >/dev/null 2>&1; then + echo "Adopting ${kind} ${name}..." + kubectl -n "${RELEASE_NAMESPACE}" label "${kind}" "${name}" app.kubernetes.io/managed-by=Helm --overwrite >/dev/null 2>&1 || true + kubectl -n "${RELEASE_NAMESPACE}" annotate "${kind}" "${name}" meta.helm.sh/release-name="${RELEASE_NAME}" meta.helm.sh/release-namespace="${RELEASE_NAMESPACE}" --overwrite >/dev/null 2>&1 || true + fi +} + +# Pre-check and adopt existing resources before Helm upgrade (both fresh and upgrade) +echo "Checking and adopting existing resources..." +if kubectl get namespace "${RELEASE_NAMESPACE}" >/dev/null 2>&1; then + # Adopt namespace + kubectl label namespace "${RELEASE_NAMESPACE}" app.kubernetes.io/managed-by=Helm --overwrite >/dev/null 2>&1 || true + kubectl annotate namespace "${RELEASE_NAMESPACE}" meta.helm.sh/release-name="${RELEASE_NAME}" meta.helm.sh/release-namespace="${RELEASE_NAMESPACE}" --overwrite >/dev/null 2>&1 || true + + # Adopt namespaced resources + adopt_namespaced_resource configmap costcenter-frontend-config + adopt_namespaced_resource service costcenter-frontend +fi + +# Handle Deployment selector compatibility before Helm upgrade (both fresh and upgrade) +echo "Checking Deployment selector compatibility..." 
+recreate_deployment_if_needed "costcenter-frontend" "app.kubernetes.io/name=costcenter-frontend" + +# Adopt deployment after potential recreation (if it exists) +if kubectl -n "${RELEASE_NAMESPACE}" get deployment costcenter-frontend >/dev/null 2>&1; then + adopt_namespaced_resource deployment costcenter-frontend +fi + +# Prepare values files +SERVICE_NAME="costcenter-frontend" +USER_VALUES_PATH="/root/.sealos/cloud/values/core/${SERVICE_NAME}-values.yaml" + +# Copy user values template if not exists +if [ ! -f "${USER_VALUES_PATH}" ]; then + mkdir -p "$(dirname "${USER_VALUES_PATH}")" + cp "./charts/${SERVICE_NAME}/${SERVICE_NAME}-values.yaml" "${USER_VALUES_PATH}" +fi + +kubectl delete service costcenter-frontend --ignore-not-found=true -n "${RELEASE_NAMESPACE}" + +# Deploy Helm chart +echo "Deploying Helm chart..." +helm upgrade -i "${RELEASE_NAME}" -n "${RELEASE_NAMESPACE}" --create-namespace "${CHART_PATH}" \ + -f "./charts/${SERVICE_NAME}/values.yaml" \ + -f "${USER_VALUES_PATH}" \ + ${AUTO_CONFIG_HELM_OPTS} \ + ${HELM_OPTS} diff --git a/frontend/providers/costcenter/deploy/manifests/appcr.yaml.tmpl b/frontend/providers/costcenter/deploy/manifests/appcr.yaml.tmpl deleted file mode 100644 index baa1af2aa642..000000000000 --- a/frontend/providers/costcenter/deploy/manifests/appcr.yaml.tmpl +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: app.sealos.io/v1 -kind: App -metadata: - name: costcenter - namespace: app-system -spec: - data: - desc: sealos CLoud costcenter - url: "https://costcenter.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }}" - icon: "https://costcenter.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }}/logo.svg" - i18n: - zh: - name: 费用中心 - zh-Hans: - name: 费用中心 - menuData: - name: Cost Center - type: iframe - displayType: normal \ No newline at end of file 
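Review bot: The internal JWT signing secret is handed to Helm on the command line (`--set-string costcenterConfig.jwtInternal=$JWT_INTERNAL`), which exposes it in the process list and in any shell trace or installer log; reading it from a 0600 temp file via `--set-file` avoids that, as below. The unquoted `${AUTO_CONFIG_HELM_OPTS}` expansion would also word-split or glob-expand the secret if it ever contained whitespace or `*`, which the file form sidesteps since `mktemp` paths contain neither. Unrelated to the secret: `kubectl delete service costcenter-frontend` runs unconditionally right after the same Service was adopted for Helm, so every installer run — not only a selector migration — briefly drops the frontend's endpoint; gate it on the same selector check the Deployment path uses.

```shell
# … unchanged: RELEASE_* defaults, get_cm_value …
JWT_INTERNAL=$(get_cm_value sealos-system sealos-config jwtInternal)

if [ -n "$JWT_INTERNAL" ]; then
  # Keep the signing key out of argv: mktemp creates the file 0600 and
  # helm reads the value from it instead of the command line.
  JWT_FILE=$(mktemp)
  trap 'rm -f "$JWT_FILE"' EXIT
  printf '%s' "$JWT_INTERNAL" > "$JWT_FILE"
  AUTO_CONFIG_HELM_OPTS="$AUTO_CONFIG_HELM_OPTS --set-file costcenterConfig.jwtInternal=$JWT_FILE"
fi
# … unchanged: selector check, resource adoption, helm upgrade …
```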
diff --git a/frontend/providers/costcenter/deploy/manifests/configmap.yaml.tmpl b/frontend/providers/costcenter/deploy/manifests/configmap.yaml.tmpl deleted file mode 100644 index a4d45317adba..000000000000 --- a/frontend/providers/costcenter/deploy/manifests/configmap.yaml.tmpl +++ /dev/null @@ -1,46 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - app: costcenter-frontend - name: costcenter-frontend ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: costcenter-frontend-config - namespace: costcenter-frontend -data: - config.yaml: |- - costCenter: - transferEnabled: true - currencyType: "shellCoin" - auth: - jwt: - internal: "{{ .jwtInternal }}" - billing: "{{ .jwtInternal }}" - invoice: - enabled: false - feiShuBotURL: "" - aliSms: - endpoint: "" - accessKeyID: "" - accessKeySecret: "" - templateCode: "" - signName: "" - invoiceCompletedTemplateCode: "" - mongo: - uri: "" - recharge: - enabled: false - payMethods: - wechat: - enabled: false - alipay: - enabled: false - stripe: - enabled: false - publicKey: "" - components: - accountService: - url: "http://account-service.account-system.svc:2333" diff --git a/frontend/providers/costcenter/deploy/manifests/deploy.yaml.tmpl b/frontend/providers/costcenter/deploy/manifests/deploy.yaml.tmpl deleted file mode 100644 index 2c9a3142c06a..000000000000 --- a/frontend/providers/costcenter/deploy/manifests/deploy.yaml.tmpl +++ /dev/null 
@@ -1,83 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: costcenter-frontend - namespace: costcenter-frontend -spec: - selector: - matchLabels: - app: costcenter-frontend - strategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 25% - maxSurge: 25% - template: - metadata: - labels: - app: costcenter-frontend - spec: - containers: - - name: costcenter-frontend - resources: - limits: - cpu: 1000m - memory: 2048Mi - requests: - cpu: 10m - memory: 128Mi - securityContext: - runAsNonRoot: true - runAsUser: 1001 - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - # do not modify this image, it is used for CI/CD - image: ghcr.io/labring/sealos-costcenter-frontend:latest - imagePullPolicy: Always - volumeMounts: - - name: costcenter-frontend-volume - mountPath: /app/data/config.yaml - subPath: config.yaml - readinessProbe: - httpGet: - path: /api/platform/getAppConfig - port: 3000 - initialDelaySeconds: 5 - periodSeconds: 3 - timeoutSeconds: 2 - successThreshold: 3 - failureThreshold: 3 - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - labelSelector: - matchExpressions: - - key: "app" - operator: In - values: - - costcenter-frontend - topologyKey: "kubernetes.io/hostname" - volumes: - - name: costcenter-frontend-volume - configMap: - name: costcenter-frontend-config ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: costcenter-frontend - name: costcenter-frontend - namespace: costcenter-frontend -spec: - ports: - - name: http - port: 3000 - protocol: TCP - targetPort: 3000 - selector: - app: costcenter-frontend diff --git a/frontend/providers/costcenter/deploy/manifests/ingress.yaml.tmpl b/frontend/providers/costcenter/deploy/manifests/ingress.yaml.tmpl deleted file mode 100644 index 79424043ec60..000000000000 --- a/frontend/providers/costcenter/deploy/manifests/ingress.yaml.tmpl +++ /dev/null 
@@ -1,51 +0,0 @@ -# Copyright © 2023 sealos. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/enable-cors: "true" - nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, DELETE, PATCH, OPTIONS" - nginx.ingress.kubernetes.io/cors-allow-origin: "https://{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }}, https://*.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }}" - nginx.ingress.kubernetes.io/cors-allow-credentials: "true" - nginx.ingress.kubernetes.io/cors-max-age: "600" - nginx.ingress.kubernetes.io/backend-protocol: "HTTP" - nginx.ingress.kubernetes.io/configuration-snippet: | - more_clear_headers "X-Frame-Options:"; - more_set_headers "Content-Security-Policy: default-src * blob: data: *.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} {{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }}; img-src * data: blob: resource: *.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} {{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }}; connect-src * wss: blob: resource:; style-src 'self' 'unsafe-inline' blob: *.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} {{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} resource:; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: *.{{ .cloudDomain }}{{ if .cloudPort }}:{{ 
.cloudPort }}{{ end }} {{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} resource: *.baidu.com *.bdstatic.com https://js.stripe.com; frame-src 'self' *.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} {{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} mailto: tel: weixin: mtt: *.baidu.com https://js.stripe.com; frame-ancestors 'self' https://{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} https://*.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }}"; - more_set_headers "X-Xss-Protection: 1; mode=block"; - higress.io/response-header-control-remove: X-Frame-Options - higress.io/response-header-control-update: | - Content-Security-Policy "default-src * blob: data: *.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} {{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }}; img-src * data: blob: resource: *.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} {{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }}; connect-src * wss: blob: resource:; style-src 'self' 'unsafe-inline' blob: *.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} {{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} resource:; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: *.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} {{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} resource: *.baidu.com *.bdstatic.com https://js.stripe.com; frame-src 'self' *.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} {{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} mailto: tel: weixin: mtt: *.baidu.com https://js.stripe.com; frame-ancestors 'self' https://{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} https://*.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }}" - X-Xss-Protection "1; mode=block" - name: sealos-costcenter - namespace: costcenter-frontend -spec: - rules: - - host: 
costcenter.{{ .cloudDomain }} - http: - paths: - - pathType: Prefix - path: / - backend: - service: - name: costcenter-frontend - port: - number: 3000 - tls: - - hosts: - - costcenter.{{ .cloudDomain }} - secretName: {{ .certSecretName }} diff --git a/frontend/providers/license/deploy/charts/license-frontend/Chart.yaml b/frontend/providers/license/deploy/charts/license-frontend/Chart.yaml new file mode 100644 index 000000000000..22a23f3960e7 --- /dev/null +++ b/frontend/providers/license/deploy/charts/license-frontend/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +name: license-frontend +description: Sealos License Frontend Helm Chart +type: application +version: 1.0.0 +appVersion: "latest" diff --git a/frontend/providers/license/deploy/charts/license-frontend/license-frontend-values.yaml b/frontend/providers/license/deploy/charts/license-frontend/license-frontend-values.yaml new file mode 100644 index 000000000000..63f0bff71e3c --- /dev/null +++ b/frontend/providers/license/deploy/charts/license-frontend/license-frontend-values.yaml @@ -0,0 +1,17 @@ +# Custom values for license frontend helm chart. +# This file contains user-customizable configurations. + +replicaCount: 1 + +resources: + limits: + cpu: 1000m + memory: 1024Mi + requests: + cpu: 10m + memory: 128Mi + +# License business configuration +# Customize these settings based on your requirements +licenseConfig: + licensePurchaseDomain: "license.sealos.io" diff --git a/frontend/providers/license/deploy/charts/license-frontend/templates/_helpers.tpl b/frontend/providers/license/deploy/charts/license-frontend/templates/_helpers.tpl new file mode 100644 index 000000000000..097d8b36d10e --- /dev/null +++ b/frontend/providers/license/deploy/charts/license-frontend/templates/_helpers.tpl 
@@ -0,0 +1,68 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "license-frontend.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +*/}} +{{- define "license-frontend.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "license-frontend.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "license-frontend.labels" -}} +helm.sh/chart: {{ include "license-frontend.chart" . }} +{{ include "license-frontend.selectorLabels" . }} +{{ include "license-frontend.recommendedLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "license-frontend.selectorLabels" -}} +app: {{ include "license-frontend.fullname" . }} +{{- end }} + +{{/* +Recommended Kubernetes labels +*/}} +{{- define "license-frontend.recommendedLabels" -}} +app.kubernetes.io/name: {{ include "license-frontend.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "license-frontend.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "license-frontend.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} 
diff --git a/frontend/providers/license/deploy/charts/license-frontend/templates/configmap.yaml b/frontend/providers/license/deploy/charts/license-frontend/templates/configmap.yaml new file mode 100644 index 000000000000..a5263a33bcb9 --- /dev/null +++ b/frontend/providers/license/deploy/charts/license-frontend/templates/configmap.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "license-frontend.fullname" . }}-config + namespace: {{ .Release.Namespace }} +data: + config.yaml: |- + addr: :3000 diff --git a/frontend/providers/license/deploy/charts/license-frontend/templates/deployment.yaml b/frontend/providers/license/deploy/charts/license-frontend/templates/deployment.yaml new file mode 100644 index 000000000000..ffb2fba5a69c --- /dev/null +++ b/frontend/providers/license/deploy/charts/license-frontend/templates/deployment.yaml 
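Review bot: The ConfigMap hard-codes `addr: :3000` while the Service's `port`/`targetPort` and the Deployment's readiness probe in this change take the port from `.Values.service.port`, so overriding that single value leaves the process listening on a port nothing routes to. Render it from the same value, `addr: :{{ .Values.service.port }}`, so all three stay in lockstep. The ConfigMap also carries no chart labels, unlike the Service, ServiceAccount and Deployment templates here; adding `labels: {{- include "license-frontend.labels" . | nindent 4 }}` under `metadata` keeps label-based selection consistent across the release.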
@@ -0,0 +1,67 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "license-frontend.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "license-frontend.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "license-frontend.selectorLabels" . | nindent 6 }} + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 25% + maxSurge: 25% + template: + metadata: + labels: + {{- include "license-frontend.labels" . | nindent 8 }} + spec: + serviceAccountName: {{ include "license-frontend.serviceAccountName" . }} + containers: + - name: {{ .Chart.Name }} + env: + - name: SEALOS_DOMAIN + value: {{ .Values.licenseConfig.cloudDomain | quote }} + - name: LICENSE_DOMAIN + value: {{ .Values.licenseConfig.licensePurchaseDomain | quote }} + - name: MONGODB_URI + valueFrom: + secretKeyRef: + name: {{ include "license-frontend.fullname" . }}-secret + key: mongodb_uri + securityContext: + runAsNonRoot: true + runAsUser: 1001 + allowPrivilegeEscalation: false + capabilities: + drop: + - 'ALL' + resources: + {{- toYaml .Values.resources | nindent 12 }} + image: "{{ .Values.image }}" + imagePullPolicy: {{ .Values.imagePullPolicy }} + readinessProbe: + httpGet: + path: /api/cronjob/init + port: {{ .Values.service.port }} + initialDelaySeconds: 5 + periodSeconds: 3 + timeoutSeconds: 3 + successThreshold: 1 + failureThreshold: 3 + volumeMounts: + - name: license-frontend-volume + mountPath: /config.yaml + subPath: config.yaml + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + - name: license-frontend-volume + configMap: + name: {{ include "license-frontend.fullname" . }}-config diff --git a/frontend/providers/license/deploy/charts/license-frontend/templates/ingress.yaml b/frontend/providers/license/deploy/charts/license-frontend/templates/ingress.yaml new file mode 100644 index 000000000000..a96e60767de6 --- /dev/null 
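Review bot: The pod spec ignores the `podSecurityContext`, `securityContext`, `imagePullSecrets`, `podAnnotations` and `podLabels` keys that the chart's values.yaml defines: the container securityContext is hard-coded, there is no pod-level `securityContext` at all (so `runAsNonRoot`/`runAsUser` apply only to this one container and a `seccompProfile` cannot be set without editing the template), and the other keys are dead values. Wire them through as below so an operator can harden or adjust the pod from values instead of forking the template; with the current defaults the rendered result is equivalent to what is hard-coded today. Also worth a second look: the readiness probe polls `/api/cronjob/init` every 3 s — if that route performs initialisation work rather than a pure health check, the probe is a side-effecting poller; presumably intended, but a comment or a dedicated health path would make that explicit.

```yaml
  template:
    metadata:
      {{- with .Values.podAnnotations }}
      annotations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      labels:
        {{- include "license-frontend.labels" . | nindent 8 }}
        {{- with .Values.podLabels }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
    spec:
      serviceAccountName: {{ include "license-frontend.serviceAccountName" . }}
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.podSecurityContext }}
      securityContext:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      containers:
        - name: {{ .Chart.Name }}
          # … unchanged: env, image, imagePullPolicy, resources, readinessProbe, volumeMounts …
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
      # … unchanged: affinity, volumes …
```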
+++ b/frontend/providers/license/deploy/charts/license-frontend/templates/ingress.yaml 
@@ -0,0 +1,41 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ include "license-frontend.fullname" . }} + namespace: {{ .Release.Namespace }} + annotations: + kubernetes.io/ingress.class: {{ .Values.ingress.className | quote }} + nginx.ingress.kubernetes.io/enable-cors: "true" + nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, DELETE, PATCH, OPTIONS" + nginx.ingress.kubernetes.io/cors-allow-origin: "https://{{ .Values.licenseConfig.cloudDomain }}{{- if and .Values.ingress.cloudPort (ne (toString .Values.ingress.cloudPort) "") (ne (toString .Values.ingress.cloudPort) "443") -}}:{{ .Values.ingress.cloudPort }}{{- end }}, https://*.{{ .Values.licenseConfig.cloudDomain }}{{- if and .Values.ingress.cloudPort (ne (toString .Values.ingress.cloudPort) "") (ne (toString .Values.ingress.cloudPort) "443") -}}:{{ .Values.ingress.cloudPort }}{{- end }}" + nginx.ingress.kubernetes.io/cors-allow-credentials: "true" + nginx.ingress.kubernetes.io/cors-max-age: "600" + nginx.ingress.kubernetes.io/backend-protocol: "HTTP" + nginx.ingress.kubernetes.io/configuration-snippet: | + more_clear_headers "X-Frame-Options:"; + more_set_headers "Content-Security-Policy: default-src * blob: data: *.{{ .Values.licenseConfig.cloudDomain }}{{- if and .Values.ingress.cloudPort (ne (toString .Values.ingress.cloudPort) "") (ne (toString .Values.ingress.cloudPort) "443") -}}:{{ .Values.ingress.cloudPort }}{{- end }} {{ .Values.licenseConfig.cloudDomain }}{{- if and .Values.ingress.cloudPort (ne (toString .Values.ingress.cloudPort) "") (ne (toString .Values.ingress.cloudPort) "443") -}}:{{ .Values.ingress.cloudPort }}{{- end }}; img-src * data: blob: resource: *.{{ .Values.licenseConfig.cloudDomain }}{{- if and .Values.ingress.cloudPort (ne (toString .Values.ingress.cloudPort) "") (ne (toString .Values.ingress.cloudPort) "443") -}}:{{ .Values.ingress.cloudPort }}{{- end }} {{ .Values.licenseConfig.cloudDomain }}{{- if and .Values.ingress.cloudPort (ne (toString 
.Values.ingress.cloudPort) "") (ne (toString .Values.ingress.cloudPort) "443") -}}:{{ .Values.ingress.cloudPort }}{{- end }}; connect-src * wss: blob: resource:; style-src 'self' 'unsafe-inline' blob: *.{{ .Values.licenseConfig.cloudDomain }}{{- if and .Values.ingress.cloudPort (ne (toString .Values.ingress.cloudPort) "") (ne (toString .Values.ingress.cloudPort) "443") -}}:{{ .Values.ingress.cloudPort }}{{- end }} {{ .Values.licenseConfig.cloudDomain }}{{- if and .Values.ingress.cloudPort (ne (toString .Values.ingress.cloudPort) "") (ne (toString .Values.ingress.cloudPort) "443") -}}:{{ .Values.ingress.cloudPort }}{{- end }} resource:; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: *.{{ .Values.licenseConfig.cloudDomain }}{{- if and .Values.ingress.cloudPort (ne (toString .Values.ingress.cloudPort) "") (ne (toString .Values.ingress.cloudPort) "443") -}}:{{ .Values.ingress.cloudPort }}{{- end }} {{ .Values.licenseConfig.cloudDomain }}{{- if and .Values.ingress.cloudPort (ne (toString .Values.ingress.cloudPort) "") (ne (toString .Values.ingress.cloudPort) "443") -}}:{{ .Values.ingress.cloudPort }}{{- end }} resource: *.baidu.com *.bdstatic.com https://js.stripe.com; frame-src 'self' *.{{ .Values.licenseConfig.cloudDomain }}{{- if and .Values.ingress.cloudPort (ne (toString .Values.ingress.cloudPort) "") (ne (toString .Values.ingress.cloudPort) "443") -}}:{{ .Values.ingress.cloudPort }}{{- end }} {{ .Values.licenseConfig.cloudDomain }}{{- if and .Values.ingress.cloudPort (ne (toString .Values.ingress.cloudPort) "") (ne (toString .Values.ingress.cloudPort) "443") -}}:{{ .Values.ingress.cloudPort }}{{- end }} mailto: tel: weixin: mtt: *.baidu.com https://js.stripe.com; frame-ancestors 'self' https://{{ .Values.licenseConfig.cloudDomain }}{{- if and .Values.ingress.cloudPort (ne (toString .Values.ingress.cloudPort) "") (ne (toString .Values.ingress.cloudPort) "443") -}}:{{ .Values.ingress.cloudPort }}{{- end }} https://*.{{ .Values.licenseConfig.cloudDomain }}{{- 
if and .Values.ingress.cloudPort (ne (toString .Values.ingress.cloudPort) "") (ne (toString .Values.ingress.cloudPort) "443") -}}:{{ .Values.ingress.cloudPort }}{{- end }}"; + more_set_headers "X-Xss-Protection: 1; mode=block"; + higress.io/response-header-control-remove: X-Frame-Options + higress.io/response-header-control-update: | + Content-Security-Policy "default-src * blob: data: *.{{ .Values.licenseConfig.cloudDomain }}{{- if and .Values.ingress.cloudPort (ne (toString .Values.ingress.cloudPort) "") (ne (toString .Values.ingress.cloudPort) "443") -}}:{{ .Values.ingress.cloudPort }}{{- end }} {{ .Values.licenseConfig.cloudDomain }}{{- if and .Values.ingress.cloudPort (ne (toString .Values.ingress.cloudPort) "") (ne (toString .Values.ingress.cloudPort) "443") -}}:{{ .Values.ingress.cloudPort }}{{- end }}; img-src * data: blob: resource: *.{{ .Values.licenseConfig.cloudDomain }}{{- if and .Values.ingress.cloudPort (ne (toString .Values.ingress.cloudPort) "") (ne (toString .Values.ingress.cloudPort) "443") -}}:{{ .Values.ingress.cloudPort }}{{- end }} {{ .Values.licenseConfig.cloudDomain }}{{- if and .Values.ingress.cloudPort (ne (toString .Values.ingress.cloudPort) "") (ne (toString .Values.ingress.cloudPort) "443") -}}:{{ .Values.ingress.cloudPort }}{{- end }}; connect-src * wss: blob: resource:; style-src 'self' 'unsafe-inline' blob: *.{{ .Values.licenseConfig.cloudDomain }}{{- if and .Values.ingress.cloudPort (ne (toString .Values.ingress.cloudPort) "") (ne (toString .Values.ingress.cloudPort) "443") -}}:{{ .Values.ingress.cloudPort }}{{- end }} {{ .Values.licenseConfig.cloudDomain }}{{- if and .Values.ingress.cloudPort (ne (toString .Values.ingress.cloudPort) "") (ne (toString .Values.ingress.cloudPort) "443") -}}:{{ .Values.ingress.cloudPort }}{{- end }} resource:; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: *.{{ .Values.licenseConfig.cloudDomain }}{{- if and .Values.ingress.cloudPort (ne (toString .Values.ingress.cloudPort) "") (ne (toString 
.Values.ingress.cloudPort) "443") -}}:{{ .Values.ingress.cloudPort }}{{- end }} {{ .Values.licenseConfig.cloudDomain }}{{- if and .Values.ingress.cloudPort (ne (toString .Values.ingress.cloudPort) "") (ne (toString .Values.ingress.cloudPort) "443") -}}:{{ .Values.ingress.cloudPort }}{{- end }} resource: *.baidu.com *.bdstatic.com https://js.stripe.com; frame-src 'self' *.{{ .Values.licenseConfig.cloudDomain }}{{- if and .Values.ingress.cloudPort (ne (toString .Values.ingress.cloudPort) "") (ne (toString .Values.ingress.cloudPort) "443") -}}:{{ .Values.ingress.cloudPort }}{{- end }} {{ .Values.licenseConfig.cloudDomain }}{{- if and .Values.ingress.cloudPort (ne (toString .Values.ingress.cloudPort) "") (ne (toString .Values.ingress.cloudPort) "443") -}}:{{ .Values.ingress.cloudPort }}{{- end }} mailto: tel: weixin: mtt: *.baidu.com https://js.stripe.com; frame-ancestors 'self' https://{{ .Values.licenseConfig.cloudDomain }}{{- if and .Values.ingress.cloudPort (ne (toString .Values.ingress.cloudPort) "") (ne (toString .Values.ingress.cloudPort) "443") -}}:{{ .Values.ingress.cloudPort }}{{- end }} https://*.{{ .Values.licenseConfig.cloudDomain }}{{- if and .Values.ingress.cloudPort (ne (toString .Values.ingress.cloudPort) "") (ne (toString .Values.ingress.cloudPort) "443") -}}:{{ .Values.ingress.cloudPort }}{{- end }}" + X-Xss-Protection "1; mode=block" + {{- with .Values.ingress.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + ingressClassName: {{ .Values.ingress.className | quote }} + rules: + - host: {{ .Values.ingress.host | default (printf "license.%s" .Values.licenseConfig.cloudDomain) | quote }} + http: + paths: + - pathType: Prefix + path: / + backend: + service: + name: {{ include "license-frontend.fullname" . }} + port: + number: {{ .Values.service.port }} + tls: + - hosts: + - {{ .Values.ingress.host | default (printf "license.%s" .Values.licenseConfig.cloudDomain) | quote }} + secretName: {{ .Values.ingress.certSecretName | quote }} 
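Review bot: The conditional port suffix `{{- if and .Values.ingress.cloudPort (ne (toString .Values.ingress.cloudPort) "") (ne (toString .Values.ingress.cloudPort) "443") -}}:{{ .Values.ingress.cloudPort }}{{- end }}` is repeated roughly twenty times across the CORS annotation and the two CSP annotations, so any change to the origin logic has to be made in every copy and a single missed one silently produces a different origin. Define it once in _helpers.tpl, e.g. `{{- define "license-frontend.origin" -}}{{ .Values.licenseConfig.cloudDomain }}{{- if and .Values.ingress.cloudPort (ne (toString .Values.ingress.cloudPort) "") (ne (toString .Values.ingress.cloudPort) "443") -}}:{{ .Values.ingress.cloudPort }}{{- end }}{{- end }}`, and use `{{ include "license-frontend.origin" . }}` in the annotations; the nginx and higress CSP strings are byte-identical and could be one named template as well. The policy itself is carried over from the deleted manifests rather than introduced here, but `default-src *` together with `script-src 'unsafe-inline' 'unsafe-eval'` and `connect-src *` leaves `frame-ancestors` as effectively the only restriction, so a comment such as `# CSP here is an anti-clickjacking/frame-ancestors control, not an XSS mitigation` above the annotation would stop readers mistaking it for a hardened policy.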
diff --git a/frontend/providers/license/deploy/charts/license-frontend/templates/rbac.yaml b/frontend/providers/license/deploy/charts/license-frontend/templates/rbac.yaml new file mode 100644 index 000000000000..2bd2fd98ea13 --- /dev/null +++ b/frontend/providers/license/deploy/charts/license-frontend/templates/rbac.yaml 
@@ -0,0 +1,83 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "license-frontend.fullname" . }}-role +rules: + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - apiGroups: + - user.sealos.io + resources: + - users + verbs: + - get + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "license-frontend.fullname" . }}-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "license-frontend.fullname" . }}-role +subjects: + - kind: ServiceAccount + name: {{ include "license-frontend.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "license-frontend.fullname" . }}-notification-manager +rules: + - apiGroups: + - notification.sealos.io + resources: + - notifications + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "license-frontend.fullname" . }}-notification-manager-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "license-frontend.fullname" . }}-notification-manager +subjects: + - kind: ServiceAccount + name: {{ include "license-frontend.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "license-frontend.fullname" . }}-node-reader-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: license-manager-role +subjects: + - kind: ServiceAccount + name: {{ include "license-frontend.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} 
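Review bot: The third ClusterRoleBinding (`…-node-reader-rolebinding`) grants the frontend's ServiceAccount whatever `license-manager-role` contains, a ClusterRole this chart does not define, so the chart's effective cluster-wide permissions cannot be reviewed from this diff; Kubernetes also accepts a binding whose roleRef does not exist, so a missing role fails silently at request time rather than at install. Add a comment above it naming the owner, e.g. `# license-manager-role is not part of this chart (presumably created by the license-controller chart — confirm); it must exist before install or this binding dangles`, and consider renaming the binding, since "node-reader" no longer describes it (nodes get/list are already granted by `…-role`). Note too that `roleRef` is immutable: the entrypoint adopts pre-existing ClusterRoleBindings into the release, and if an existing `license-frontend-role-binding` points at a different role the `helm upgrade` will fail — the deleted install.sh removed that binding before every apply, which suggests this has already been hit once.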
diff --git a/frontend/providers/license/deploy/charts/license-frontend/templates/secret.yaml b/frontend/providers/license/deploy/charts/license-frontend/templates/secret.yaml new file mode 100644 index 000000000000..f8f762b3cbb3 --- /dev/null +++ b/frontend/providers/license/deploy/charts/license-frontend/templates/secret.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "license-frontend.fullname" . }}-secret + namespace: {{ .Release.Namespace }} +stringData: + mongodb_uri: {{ .Values.licenseConfig.mongodbURI | quote }} diff --git a/frontend/providers/license/deploy/charts/license-frontend/templates/service.yaml b/frontend/providers/license/deploy/charts/license-frontend/templates/service.yaml new file mode 100644 index 000000000000..814604cf2d39 --- /dev/null +++ b/frontend/providers/license/deploy/charts/license-frontend/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + {{- include "license-frontend.labels" . | nindent 4 }} + name: {{ include "license-frontend.fullname" . }} + namespace: {{ .Release.Namespace }} +spec: + ports: + - name: http + port: {{ .Values.service.port }} + protocol: TCP + targetPort: {{ .Values.service.port }} + selector: + {{- include "license-frontend.selectorLabels" . | nindent 4 }} diff --git a/frontend/providers/license/deploy/charts/license-frontend/templates/serviceaccount.yaml b/frontend/providers/license/deploy/charts/license-frontend/templates/serviceaccount.yaml new file mode 100644 index 000000000000..c0853efcc066 --- /dev/null +++ b/frontend/providers/license/deploy/charts/license-frontend/templates/serviceaccount.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "license-frontend.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "license-frontend.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} 
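Review bot: `mongodb_uri: {{ .Values.licenseConfig.mongodbURI | quote }}` renders an empty credential when the value stays at its `""` default, and the entrypoint only sets it when the `sealos-config` lookup returns something non-empty (kubectl errors are swallowed), so a misconfigured cluster deploys a pod with a blank `MONGODB_URI` instead of failing the release. Use `mongodb_uri: {{ required "licenseConfig.mongodbURI must be set (normally injected by the entrypoint from sealos-config)" .Values.licenseConfig.mongodbURI | quote }}`. For parity with the Service and ServiceAccount templates in this change, also give the Secret `type: Opaque` and the chart labels.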
diff --git a/frontend/providers/license/deploy/charts/license-frontend/values.yaml b/frontend/providers/license/deploy/charts/license-frontend/values.yaml new file mode 100644 index 000000000000..14291e22496d --- /dev/null +++ b/frontend/providers/license/deploy/charts/license-frontend/values.yaml @@ -0,0 +1,61 @@ +# Default values for license frontend helm chart. + +image: ghcr.io/labring/sealos-license-frontend:latest +imagePullPolicy: Always + +imagePullSecrets: [] +fullnameOverride: "license-frontend" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "license-frontend" + +podAnnotations: {} +podLabels: {} + +podSecurityContext: + runAsNonRoot: true + runAsUser: 1001 + +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - 'ALL' + +service: + type: ClusterIP + port: 3000 + +ingress: + className: nginx + host: "" + cloudPort: 443 + certSecretName: wildcard-cert + annotations: {} + +# License frontend configuration +# Note: cloudDomain and mongodbURI are auto-configured by entrypoint.sh from sealos-config ConfigMap +# For business configuration (licensePurchaseDomain), see license-frontend-values.yaml +licenseConfig: + cloudDomain: "" # Auto-injected by entrypoint script + mongodbURI: "" # Auto-injected by entrypoint script + +# Affinity for pod anti-affinity +affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: "app" + operator: In + values: + - license-frontend + topologyKey: "kubernetes.io/hostname" diff --git a/frontend/providers/license/deploy/install.sh b/frontend/providers/license/deploy/install.sh deleted file mode 100644 index 330297d023fe..000000000000 
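Review bot: `image: ghcr.io/labring/sealos-license-frontend:latest` together with `imagePullPolicy: Always` makes every pod restart pull whatever `latest` currently is, so two replicas can run different code and a bad or malicious push reaches the cluster without a release; pin a version tag or `@sha256:` digest (Chart.yaml's `appVersion: "latest"` likewise leaves no record of what was deployed). The `licenseConfig.cloudDomain: ""` default means a failed ConfigMap lookup in the entrypoint renders the Ingress host as `license.` and the CORS/CSP origins as `https://`; mark it `required` in the templates that consume it. The `podSecurityContext`, `securityContext`, `imagePullSecrets`, `podAnnotations` and `podLabels` keys are not referenced by the deployment template in this diff, so as written they document knobs that do nothing — either wire them into the template or remove them from values.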
--- a/frontend/providers/license/deploy/install.sh +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/bash - -kubectl delete clusterrolebinding license-frontend-role-binding --ignore-not-found -kubectl apply -f manifests \ No newline at end of file diff --git a/frontend/providers/license/deploy/license-frontend-entrypoint.sh b/frontend/providers/license/deploy/license-frontend-entrypoint.sh new file mode 100755 index 000000000000..44028b943b3b --- /dev/null +++ b/frontend/providers/license/deploy/license-frontend-entrypoint.sh 
@@ -0,0 +1,91 @@ +#!/bin/bash +set -e + +# Default values +RELEASE_NAME=${RELEASE_NAME:-"license-frontend"} +RELEASE_NAMESPACE=${RELEASE_NAMESPACE:-"license-frontend"} +CHART_PATH=${CHART_PATH:-"./charts/license-frontend"} + +# HELM_OPTS support +HELM_OPTS=${HELM_OPTS:-""} + +# Get ConfigMap value +get_cm_value() { + local namespace="$1" + local name="$2" + local key="$3" + kubectl get configmap "${name}" -n "${namespace}" -o "jsonpath={.data.${key}}" 2>/dev/null || true +} + +# Auto configuration from sealos-system ConfigMap +AUTO_CONFIG_HELM_OPTS="" + +MONGODB_URI=$(get_cm_value sealos-system sealos-config databaseMongodbURI) +CLOUD_DOMAIN=$(get_cm_value sealos-system sealos-config cloudDomain) + +[ -n "$MONGODB_URI" ] && AUTO_CONFIG_HELM_OPTS="$AUTO_CONFIG_HELM_OPTS --set-string licenseConfig.mongodbURI=$MONGODB_URI" +[ -n "$CLOUD_DOMAIN" ] && AUTO_CONFIG_HELM_OPTS="$AUTO_CONFIG_HELM_OPTS --set-string licenseConfig.cloudDomain=$CLOUD_DOMAIN" + +# Adopt existing resources for Helm +adopt_namespaced_resource() { + local kind="$1" + local name="$2" + if kubectl -n "${RELEASE_NAMESPACE}" get "${kind}" "${name}" >/dev/null 2>&1; then + echo "Adopting ${kind} ${name}..." 
+ kubectl -n "${RELEASE_NAMESPACE}" label "${kind}" "${name}" app.kubernetes.io/managed-by=Helm --overwrite >/dev/null 2>&1 || true + kubectl -n "${RELEASE_NAMESPACE}" annotate "${kind}" "${name}" meta.helm.sh/release-name="${RELEASE_NAME}" meta.helm.sh/release-namespace="${RELEASE_NAMESPACE}" --overwrite >/dev/null 2>&1 || true + fi +} + +adopt_cluster_resource() { + local kind="$1" + local name="$2" + if kubectl get "${kind}" "${name}" >/dev/null 2>&1; then + kubectl label "${kind}" "${name}" app.kubernetes.io/managed-by=Helm --overwrite >/dev/null 2>&1 || true + kubectl annotate "${kind}" "${name}" meta.helm.sh/release-name="${RELEASE_NAME}" meta.helm.sh/release-namespace="${RELEASE_NAMESPACE}" --overwrite >/dev/null 2>&1 || true + fi +} + +# Pre-check and adopt existing resources before Helm upgrade (both fresh and upgrade) +echo "Checking and adopting existing resources..." +if kubectl get namespace "${RELEASE_NAMESPACE}" >/dev/null 2>&1; then + # Adopt namespace + kubectl label namespace "${RELEASE_NAMESPACE}" app.kubernetes.io/managed-by=Helm --overwrite >/dev/null 2>&1 || true + kubectl annotate namespace "${RELEASE_NAMESPACE}" meta.helm.sh/release-name="${RELEASE_NAME}" meta.helm.sh/release-namespace="${RELEASE_NAMESPACE}" --overwrite >/dev/null 2>&1 || true + + # Adopt namespaced resources + adopt_namespaced_resource serviceaccount license-frontend + adopt_namespaced_resource configmap license-frontend-config + adopt_namespaced_resource secret license-frontend-secret + adopt_namespaced_resource service license-frontend + adopt_namespaced_resource deployment license-frontend + + # Adopt cluster resources + adopt_cluster_resource clusterrole license-frontend-role + adopt_cluster_resource clusterrole license-frontend-notification-manager + adopt_cluster_resource clusterrolebinding license-frontend-role-binding + adopt_cluster_resource clusterrolebinding license-frontend-notification-manager-role-binding + adopt_cluster_resource clusterrolebinding 
license-frontend-node-reader-rolebinding +fi + +# Prepare values files +SERVICE_NAME="license-frontend" +USER_VALUES_PATH="/root/.sealos/cloud/values/core/${SERVICE_NAME}-values.yaml" + +# Copy user values template if not exists +if [ ! -f "${USER_VALUES_PATH}" ]; then + mkdir -p "$(dirname "${USER_VALUES_PATH}")" + cp "./charts/${SERVICE_NAME}/${SERVICE_NAME}-values.yaml" "${USER_VALUES_PATH}" +fi + +## Clean up old cluster resources that are no longer used +kubectl delete clusterrolebinding license-frontend-role-binding --ignore-not-found +kubectl delete clusterrolebinding license-frontend-notification-manager-role-binding --ignore-not-found + +# Deploy Helm chart +echo "Deploying Helm chart..." +helm upgrade -i "${RELEASE_NAME}" -n "${RELEASE_NAMESPACE}" --create-namespace "${CHART_PATH}" \ + -f "./charts/${SERVICE_NAME}/values.yaml" \ + -f "${USER_VALUES_PATH}" \ + ${AUTO_CONFIG_HELM_OPTS} \ + ${HELM_OPTS} diff --git a/frontend/providers/license/deploy/manifests/appcr.yaml.tmpl b/frontend/providers/license/deploy/manifests/appcr.yaml.tmpl deleted file mode 100644 index c26f1a99c986..000000000000 --- a/frontend/providers/license/deploy/manifests/appcr.yaml.tmpl +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: app.sealos.io/v1 -kind: App -metadata: - name: license - namespace: ns-admin -spec: - data: - desc: license - url: "https://license.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }}" - icon: "https://license.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }}/logo.svg" - menuData: - i18n: - zh: - name: 许可证 - name: License - type: iframe - displayType: normal diff --git a/frontend/providers/license/deploy/manifests/deploy.yaml.tmpl b/frontend/providers/license/deploy/manifests/deploy.yaml.tmpl deleted file mode 100644 index 31af37f83995..000000000000 --- a/frontend/providers/license/deploy/manifests/deploy.yaml.tmpl +++ /dev/null 
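Review bot: `AUTO_CONFIG_HELM_OPTS` is a whitespace-joined string that is expanded unquoted into the final `helm upgrade`, so the MongoDB connection string read from `databaseMongodbURI` is word-split and glob-expanded (a `?` or `*` in the query string is a glob pattern) before it reaches Helm; the account-service entrypoint in the second patch already keeps its internal arguments in a `HELM_SET_ARGS` array, and the same array form fixes this. Note also that `--set-string licenseConfig.mongodbURI=...` places the credential in the helm process argv, where any local user or process auditing can read it; a mode-0600 temporary values file or `--set-file` keeps it out of the command line. Adopting `clusterrolebinding license-frontend-role-binding` and `license-frontend-notification-manager-role-binding` is dead work, since both are deleted a few lines later in the cleanup block.
```shell
# Auto configuration from sealos-system ConfigMap.
# Kept as an array so the URI is passed as a single argument without word splitting or globbing.
AUTO_CONFIG_HELM_ARGS=()

MONGODB_URI=$(get_cm_value sealos-system sealos-config databaseMongodbURI)
CLOUD_DOMAIN=$(get_cm_value sealos-system sealos-config cloudDomain)

[ -n "$MONGODB_URI" ] && AUTO_CONFIG_HELM_ARGS+=(--set-string "licenseConfig.mongodbURI=${MONGODB_URI}")
[ -n "$CLOUD_DOMAIN" ] && AUTO_CONFIG_HELM_ARGS+=(--set-string "licenseConfig.cloudDomain=${CLOUD_DOMAIN}")

# … unchanged: resource adoption, values-file preparation, cleanup …

helm upgrade -i "${RELEASE_NAME}" -n "${RELEASE_NAMESPACE}" --create-namespace "${CHART_PATH}" \
  -f "./charts/${SERVICE_NAME}/values.yaml" \
  -f "${USER_VALUES_PATH}" \
  "${AUTO_CONFIG_HELM_ARGS[@]}" \
  ${HELM_OPTS}
```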
@@ -1,201 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - app: license-frontend - name: license-frontend ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: license-frontend - namespace: license-frontend ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: license-frontend-role -rules: - - apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - apiGroups: - - user.sealos.io - resources: - - users - verbs: - - get - - list ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: license-frontend-role-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: license-frontend-role -subjects: - - kind: ServiceAccount - name: license-frontend - namespace: license-frontend ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: notification-manager -rules: -- apiGroups: - - notification.sealos.io - resources: - - notifications - verbs: - - create - - delete - - get - - list - - patch - - update - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: license-frontend-notification-manager-role-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: notification-manager -subjects: - - kind: ServiceAccount - name: license-frontend - namespace: license-frontend ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: license-frontend-node-reader-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: license-manager-role -subjects: - - kind: ServiceAccount - name: license-frontend - namespace: license-frontend ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: license-frontend-config - namespace: license-frontend -data: - config.yaml: |- - addr: :3000 ---- -apiVersion: apps/v1 -kind: Deployment 
-metadata: - name: license-frontend - namespace: license-frontend -spec: - replicas: 1 - selector: - matchLabels: - app: license-frontend - strategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 25% - maxSurge: 25% - template: - metadata: - labels: - app: license-frontend - spec: - serviceAccountName: license-frontend - containers: - - name: license-frontend - env: - - name: SEALOS_DOMAIN - value: {{ .cloudDomain }} - - name: LICENSE_DOMAIN - value: {{ .licensePurchaseDomain }} - - name: MONGODB_URI - valueFrom: - secretKeyRef: - name: license-frontend-secret - key: mongodb_uri - securityContext: - runAsNonRoot: true - runAsUser: 1001 - allowPrivilegeEscalation: false - capabilities: - drop: - - 'ALL' - resources: - limits: - cpu: 1000m - memory: 1024Mi - requests: - cpu: 10m - memory: 128Mi - # do not modify this image, it is used for CI/CD - image: ghcr.io/labring/sealos-license-frontend:latest - imagePullPolicy: Always - readinessProbe: - httpGet: - path: /api/cronjob/init - port: 3000 - initialDelaySeconds: 5 - periodSeconds: 3 - timeoutSeconds: 3 - successThreshold: 1 - failureThreshold: 3 - volumeMounts: - - name: license-frontend-volume - mountPath: /config.yaml - subPath: config.yaml - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - labelSelector: - matchExpressions: - - key: "app" - operator: In - values: - - license-frontend - topologyKey: "kubernetes.io/hostname" - volumes: - - name: license-frontend-volume - configMap: - name: license-frontend-config ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: license-frontend - name: license-frontend - namespace: license-frontend -spec: - ports: - - name: http - port: 3000 - protocol: TCP - targetPort: 3000 - selector: - app: license-frontend \ No newline at end of file 
diff --git a/frontend/providers/license/deploy/manifests/env.yaml.tmpl b/frontend/providers/license/deploy/manifests/env.yaml.tmpl deleted file mode 100644 index 52f2d439b939..000000000000 --- a/frontend/providers/license/deploy/manifests/env.yaml.tmpl +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: license-frontend-secret - namespace: license-frontend -stringData: - mongodb_uri: {{ .MONGODB_URI }} \ No newline at end of file diff --git a/frontend/providers/license/deploy/manifests/ingress.yaml.tmpl b/frontend/providers/license/deploy/manifests/ingress.yaml.tmpl deleted file mode 100644 index 92a04fdfd5ff..000000000000 --- a/frontend/providers/license/deploy/manifests/ingress.yaml.tmpl +++ /dev/null 
@@ -1,51 +0,0 @@ -# Copyright © 2023 sealos. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/enable-cors: "true" - nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, DELETE, PATCH, OPTIONS" - nginx.ingress.kubernetes.io/cors-allow-origin: "https://{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }}, https://*.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }}" - nginx.ingress.kubernetes.io/cors-allow-credentials: "true" - nginx.ingress.kubernetes.io/cors-max-age: "600" - nginx.ingress.kubernetes.io/backend-protocol: "HTTP" - nginx.ingress.kubernetes.io/configuration-snippet: | - more_clear_headers "X-Frame-Options:"; - more_set_headers "Content-Security-Policy: default-src * blob: data: *.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} {{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }}; img-src * data: blob: resource: *.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} {{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }}; connect-src * wss: blob: resource:; style-src 'self' 'unsafe-inline' blob: *.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} {{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} resource:; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: *.{{ .cloudDomain }}{{ if .cloudPort }}:{{ 
.cloudPort }}{{ end }} {{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} resource: *.baidu.com *.bdstatic.com https://js.stripe.com; frame-src 'self' *.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} {{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} mailto: tel: weixin: mtt: *.baidu.com https://js.stripe.com; frame-ancestors 'self' https://{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} https://*.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }}"; - more_set_headers "X-Xss-Protection: 1; mode=block"; - higress.io/response-header-control-remove: X-Frame-Options - higress.io/response-header-control-update: | - Content-Security-Policy "default-src * blob: data: *.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} {{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }}; img-src * data: blob: resource: *.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} {{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }}; connect-src * wss: blob: resource:; style-src 'self' 'unsafe-inline' blob: *.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} {{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} resource:; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: *.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} {{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} resource: *.baidu.com *.bdstatic.com https://js.stripe.com; frame-src 'self' *.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} {{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} mailto: tel: weixin: mtt: *.baidu.com https://js.stripe.com; frame-ancestors 'self' https://{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} https://*.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }}" - X-Xss-Protection "1; mode=block" - name: license-frontend - namespace: license-frontend -spec: - rules: - - host: license.{{ 
.cloudDomain }} - http: - paths: - - pathType: Prefix - path: / - backend: - service: - name: license-frontend - port: - number: 3000 - tls: - - hosts: - - license.{{ .cloudDomain }} - secretName: {{ .certSecretName }} diff --git a/service/account/deploy/charts/account-service/account-service-values.yaml b/service/account/deploy/charts/account-service/account-service-values.yaml new file mode 100644 index 000000000000..f38ef4e74bde --- /dev/null +++ b/service/account/deploy/charts/account-service/account-service-values.yaml @@ -0,0 +1,33 @@ +# Custom values for account service helm chart. +# This file contains user-customizable configurations. + +replicaCount: 1 + +resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 50m + memory: 25Mi + +# Service configuration +service: + type: ClusterIP + port: 2333 + +# Health check configuration +livenessProbe: + httpGet: + path: /health + port: 2333 + initialDelaySeconds: 3 + periodSeconds: 10 + +readinessProbe: + httpGet: + path: /health + port: 2333 + initialDelaySeconds: 3 + periodSeconds: 5 + failureThreshold: 6 diff --git a/service/account/deploy/charts/account-service/templates/rbac.yaml b/service/account/deploy/charts/account-service/templates/rbac.yaml new file mode 100644 index 000000000000..e74ff67a51c2 --- /dev/null +++ b/service/account/deploy/charts/account-service/templates/rbac.yaml 
@@ -0,0 +1,25 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "account-service.fullname" . }}-node-viewer + labels: + {{- include "account-service.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "account-service.fullname" . }}-node-viewer-binding + labels: + {{- include "account-service.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccountName }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ include "account-service.fullname" . }}-node-viewer + apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/service/account/deploy/manifests/config.json b/service/account/deploy/manifests/config.json deleted file mode 100644 index 9e26dfeeb6e6..000000000000 --- a/service/account/deploy/manifests/config.json +++ /dev/null @@ -1 +0,0 @@ -{} \ No newline at end of file diff --git a/service/account/deploy/manifests/deploy.yaml.tmpl b/service/account/deploy/manifests/deploy.yaml.tmpl deleted file mode 100644 index e45c0d7b44ce..000000000000 --- a/service/account/deploy/manifests/deploy.yaml.tmpl +++ /dev/null 
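Review bot: `name: {{ .Values.serviceAccountName }}` in the ClusterRoleBinding subject renders as a bare `name:` (YAML null) when the value is unset, producing a binding with an invalid or empty subject instead of a template error; use `name: {{ required "serviceAccountName must be set" .Values.serviceAccountName | quote }}` so a misconfiguration fails at render time. The role itself (`nodes` get/list) is appropriately narrow. The file also lacks a trailing newline.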
@@ -1,114 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: account-service - namespace: account-system - labels: - cloud.sealos.io/app-deploy-manager: account-service -spec: - ports: - - port: 2333 - targetPort: 2333 - selector: - app: account-service ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: account-service - namespace: account-system - annotations: - originImageName: ghcr.io/labring/sealos-account-service:latest - deploy.cloud.sealos.io/minReplicas: '1' - deploy.cloud.sealos.io/maxReplicas: '1' - labels: - cloud.sealos.io/app-deploy-manager: account-service - app: account-service -spec: - replicas: 1 - revisionHistoryLimit: 1 - selector: - matchLabels: - app: account-service - strategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 0 - maxSurge: 1 - template: - metadata: - labels: - app: account-service - spec: - containers: - - name: account-service - image: ghcr.io/labring/sealos-account-service:latest - env: - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - envFrom: - - configMapRef: - name: account-manager-env - - secretRef: - name: payment-secret - optional: true - resources: - requests: - cpu: 50m - memory: 25Mi - limits: - cpu: 500m - memory: 256Mi - ports: - - containerPort: 2333 - readinessProbe: - httpGet: - path: /health - port: 2333 - initialDelaySeconds: 3 - periodSeconds: 5 - failureThreshold: 6 - imagePullPolicy: Always - volumeMounts: - - mountPath: /config/config.json - name: region-info - subPath: ./config/config.json - volumes: - - configMap: - defaultMode: 420 - items: - - key: config.json - path: ./config/config.json - name: region-info - name: region-info - serviceAccountName: account-controller-manager ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: account-node-viewer -rules: -- apiGroups: [""] - resources: ["nodes"] - verbs: 
["get", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: account-node-viewer-binding -subjects: -- kind: ServiceAccount - name: account-controller-manager - namespace: account-system -roleRef: - kind: ClusterRole - name: account-node-viewer - apiGroup: rbac.authorization.k8s.io diff --git a/service/account/deploy/manifests/ingress.yaml.tmpl b/service/account/deploy/manifests/ingress.yaml.tmpl deleted file mode 100644 index 10b221edef5b..000000000000 --- a/service/account/deploy/manifests/ingress.yaml.tmpl +++ /dev/null 
@@ -1,37 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/enable-cors: "true" - nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, DELETE, PATCH, OPTIONS" - nginx.ingress.kubernetes.io/cors-allow-origin: "https://{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }}, https://*.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }}" - nginx.ingress.kubernetes.io/cors-allow-credentials: "true" - nginx.ingress.kubernetes.io/cors-max-age: "600" - nginx.ingress.kubernetes.io/backend-protocol: "HTTP" - nginx.ingress.kubernetes.io/configuration-snippet: | - more_clear_headers "X-Frame-Options:"; - more_set_headers "Content-Security-Policy: default-src * blob: data: *.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} {{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }}; img-src * data: blob: resource: *.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} {{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }}; connect-src * wss: blob: resource:; style-src 'self' 'unsafe-inline' blob: *.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} {{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} resource:; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: *.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} {{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} resource: *.baidu.com *.bdstatic.com https://js.stripe.com; frame-src 'self' *.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} {{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} mailto: tel: weixin: mtt: *.baidu.com https://js.stripe.com; frame-ancestors 'self' https://{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} https://*.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }}"; - more_set_headers "X-Xss-Protection: 1; mode=block"; - 
higress.io/response-header-control-remove: X-Frame-Options - higress.io/response-header-control-update: | - Content-Security-Policy "default-src * blob: data: *.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} {{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }}; img-src * data: blob: resource: *.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} {{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }}; connect-src * wss: blob: resource:; style-src 'self' 'unsafe-inline' blob: *.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} {{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} resource:; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: *.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} {{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} resource: *.baidu.com *.bdstatic.com https://js.stripe.com; frame-src 'self' *.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} {{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} mailto: tel: weixin: mtt: *.baidu.com https://js.stripe.com; frame-ancestors 'self' https://{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }} https://*.{{ .cloudDomain }}{{ if .cloudPort }}:{{ .cloudPort }}{{ end }}" - X-Xss-Protection "1; mode=block" - name: account-service - namespace: account-system -spec: - rules: - - host: account-api.{{ .cloudDomain }} - http: - paths: - - pathType: Prefix - path: / - backend: - service: - name: account-service - port: - number: 2333 - tls: - - hosts: - - 'account-api.{{ .cloudDomain }}' - secretName: {{ .certSecretName }} \ No newline at end of file From 887055d38f4a64f043bb3cef094ee74036b23d34 Mon Sep 17 00:00:00 2001 
From: jiahui Date: Thu, 2 Apr 2026 11:35:14 +0800 Subject: [PATCH 2/2] rebase --- .../deploy/account-controller-entrypoint.sh | 5 +- frontend/providers/license/deploy/Kubefile | 12 +-- .../deploy/account-service-entrypoint.sh | 102 +++++++++++++++--- .../deploy/charts/account-service/values.yaml | 17 ++- 4 files changed, 105 insertions(+), 31 deletions(-) diff --git a/controllers/account/deploy/account-controller-entrypoint.sh b/controllers/account/deploy/account-controller-entrypoint.sh index cf26c81a7972..8521449424d8 100644 --- a/controllers/account/deploy/account-controller-entrypoint.sh +++ b/controllers/account/deploy/account-controller-entrypoint.sh @@ -1,5 +1,5 @@ #!/bin/bash -set -ex +set -e HELM_OPTS=${HELM_OPTS:-""} RELEASE_NAME=${RELEASE_NAME:-"account-controller"} @@ -156,7 +156,7 @@ USER_VALUES_PATH="/root/.sealos/cloud/values/core/${SERVICE_NAME}-values.yaml" # Copy user values template if not exists if [ ! -f "${USER_VALUES_PATH}" ]; then mkdir -p "$(dirname "${USER_VALUES_PATH}")" - cp "./charts/${SERVICE_NAME}/values.yaml" "${USER_VALUES_PATH}" + cp "./charts/${SERVICE_NAME}/${SERVICE_NAME}-values.yaml" "${USER_VALUES_PATH}" fi # merge all helm_opts @@ -164,6 +164,7 @@ fi # 2. HELM_SET_ARGS (parameters set internally in the script) # 3. HELM_OPTS (the parameter passed by the user via --env, with the highest priority, can override the previous configuration) helm upgrade -i "${RELEASE_NAME}" -n "${RELEASE_NAMESPACE}" --create-namespace "${CHART_PATH}" \ + -f "./charts/${SERVICE_NAME}/values.yaml" \ -f "${USER_VALUES_PATH}" \ ${AUTO_CONFIG_HELM_OPTS} \ "${HELM_SET_ARGS[@]}" \ diff --git a/frontend/providers/license/deploy/Kubefile b/frontend/providers/license/deploy/Kubefile index 7d760159d28a..0860f8ee7c65 100644 --- a/frontend/providers/license/deploy/Kubefile +++ b/frontend/providers/license/deploy/Kubefile 
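Review bot: The added `-f "./charts/${SERVICE_NAME}/values.yaml"` in the third hunk is redundant: Helm always uses the chart's own values.yaml as the base for install and upgrade, and the user values file merged after it still wins on every key, so the line changes nothing. The same line is added to account-service-entrypoint.sh (last hunk of this patch) and license-frontend-entrypoint.sh; if the goal was to reset keys pinned by an older user file that was a full copy of values.yaml, that needs a migration of the user file rather than an extra `-f`. The `set -ex` to `set -e` change in the first hunk is welcome, since `-x` would have echoed `--set-string` arguments into the deploy log.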
@@ -3,14 +3,6 @@ FROM scratch USER 65532:65532 COPY registry registry -COPY manifests manifests +COPY charts charts -COPY install.sh install.sh - -ENV certSecretName="wildcard-cert" -ENV cloudDomain="127.0.0.1.nip.io" -ENV cloudPort="" -ENV MONGODB_URI="" -ENV licensePurchaseDomain="license.sealos.io" - -CMD ["bash install.sh"] \ No newline at end of file +CMD ["./license-frontend-entrypoint.sh"] diff --git a/service/account/deploy/account-service-entrypoint.sh b/service/account/deploy/account-service-entrypoint.sh index 66b76aba0c3a..0e0a3798896b 100644 --- a/service/account/deploy/account-service-entrypoint.sh +++ b/service/account/deploy/account-service-entrypoint.sh @@ -1,10 +1,12 @@ #!/bin/bash -set -ex +set -e HELM_OPTS=${HELM_OPTS:-""} RELEASE_NAME=${RELEASE_NAME:-"account-service"} RELEASE_NAMESPACE=${RELEASE_NAMESPACE:-"account-system"} CHART_PATH=${CHART_PATH:-"./charts/account-service"} +ACCOUNT_SERVICE_BACKUP_ENABLED=${ACCOUNT_SERVICE_BACKUP_ENABLED:-"true"} +ACCOUNT_SERVICE_BACKUP_DIR=${ACCOUNT_SERVICE_BACKUP_DIR:-"/tmp/sealos-backup/account-service"} adopt_namespaced_resource() { local kind="$1" @@ -15,6 +17,15 @@ adopt_namespaced_resource() { fi } +adopt_cluster_resource() { + local kind="$1" + local name="$2" + if kubectl get "${kind}" "${name}" >/dev/null 2>&1; then + kubectl label "${kind}" "${name}" app.kubernetes.io/managed-by=Helm --overwrite >/dev/null 2>&1 || true + kubectl annotate "${kind}" "${name}" meta.helm.sh/release-name="${RELEASE_NAME}" meta.helm.sh/release-namespace="${RELEASE_NAMESPACE}" --overwrite >/dev/null 2>&1 || true + fi +} + get_cm_value() { local namespace="$1" local name="$2" 
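Review bot: `CMD ["./license-frontend-entrypoint.sh"]` references a file that this Kubefile never copies; the removed version copied its script explicitly with `COPY install.sh install.sh`, which suggests the build context is not included by default, so the new image would start without its entrypoint. Add `COPY license-frontend-entrypoint.sh license-frontend-entrypoint.sh` next to `COPY charts charts` (or verify that the build includes it some other way). The removed `ENV` defaults (`licensePurchaseDomain`, `certSecretName`) are presumably now carried in `license-frontend-values.yaml`, which is not shown in this diff — worth confirming.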
@@ -22,6 +33,63 @@ get_cm_value() { kubectl get configmap "${name}" -n "${namespace}" -o "jsonpath={.data.${key}}" 2>/dev/null || true } +backup_ns_resource() { + local kind="$1" + local name="$2" + if kubectl -n "${RELEASE_NAMESPACE}" get "${kind}" "${name}" >/dev/null 2>&1; then + kubectl -n "${RELEASE_NAMESPACE}" get "${kind}" "${name}" -o yaml >> "${ACCOUNT_SERVICE_BACKUP_FILE}" + printf "\n---\n" >> "${ACCOUNT_SERVICE_BACKUP_FILE}" + fi +} + +backup_cluster_resource() { + local kind="$1" + local name="$2" + if kubectl get "${kind}" "${name}" >/dev/null 2>&1; then + kubectl get "${kind}" "${name}" -o yaml >> "${ACCOUNT_SERVICE_BACKUP_FILE}" + printf "\n---\n" >> "${ACCOUNT_SERVICE_BACKUP_FILE}" + fi +} + +backup_account_service_resources() { + if [ "${ACCOUNT_SERVICE_BACKUP_ENABLED}" != "true" ]; then + return + fi + local ts + ts=$(date +%Y%m%d%H%M%S) + mkdir -p "${ACCOUNT_SERVICE_BACKUP_DIR}" + ACCOUNT_SERVICE_BACKUP_FILE="${ACCOUNT_SERVICE_BACKUP_DIR}/update-${ts}.yaml" + : > "${ACCOUNT_SERVICE_BACKUP_FILE}" + + backup_cluster_resource clusterrole account-node-viewer + backup_cluster_resource clusterrolebinding account-node-viewer-binding + + if kubectl get namespace "${RELEASE_NAMESPACE}" >/dev/null 2>&1; then + kubectl get namespace "${RELEASE_NAMESPACE}" -o yaml >> "${ACCOUNT_SERVICE_BACKUP_FILE}" + printf "\n---\n" >> "${ACCOUNT_SERVICE_BACKUP_FILE}" + fi + backup_ns_resource configmap account-manager-env + backup_ns_resource configmap region-info + backup_ns_resource service account-service + backup_ns_resource deployment account-service + backup_ns_resource ingress account-service +} + +# 执行备份 +backup_account_service_resources + +HELM_SET_ARGS=() + +AUTO_CONFIG_HELM_OPTS="" + +# Auto-fetch ingress configuration from sealos-config ConfigMap +CLOUD_DOMAIN=$(get_cm_value sealos-system sealos-config cloudDomain) +CLOUD_PORT=$(get_cm_value sealos-system sealos-config cloudPort) + +[ -n "${CLOUD_DOMAIN}" ] && AUTO_CONFIG_HELM_OPTS="${AUTO_CONFIG_HELM_OPTS} 
--set ingress.enabled=true" +[ -n "${CLOUD_DOMAIN}" ] && AUTO_CONFIG_HELM_OPTS="${AUTO_CONFIG_HELM_OPTS} --set-string ingress.cloudDomain=${CLOUD_DOMAIN}" +[ -n "${CLOUD_PORT}" ] && AUTO_CONFIG_HELM_OPTS="${AUTO_CONFIG_HELM_OPTS} --set-string ingress.cloudPort=${CLOUD_PORT}" + # Adopt existing resources if this is a fresh helm install if ! helm status "${RELEASE_NAME}" -n "${RELEASE_NAMESPACE}" >/dev/null 2>&1; then if kubectl get namespace "${RELEASE_NAMESPACE}" >/dev/null 2>&1; then @@ -29,6 +97,9 @@ if ! helm status "${RELEASE_NAME}" -n "${RELEASE_NAMESPACE}" >/dev/null 2>&1; th kubectl annotate namespace "${RELEASE_NAMESPACE}" meta.helm.sh/release-name="${RELEASE_NAME}" meta.helm.sh/release-namespace="${RELEASE_NAMESPACE}" --overwrite >/dev/null 2>&1 || true fi + adopt_cluster_resource clusterrole account-node-viewer + adopt_cluster_resource clusterrolebinding account-node-viewer-binding + adopt_namespaced_resource configmap account-manager-env adopt_namespaced_resource configmap region-info adopt_namespaced_resource service account-service 
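Review bot: The auto-config now writes `ingress.cloudDomain` and `ingress.cloudPort`, while the chart's values.yaml (last hunk of this patch) still defines `cloudDomain: "cloud.sealos.io"` and `cloudPort: ""` at top level; unless templates/ingress.yaml was changed to read `.Values.ingress.*` outside this diff, the fetched domain is ignored and the ingress renders with the `cloud.sealos.io` default for `account-api.`. `backup_account_service_resources` dumps `configmap account-manager-env` (the `envFrom` source of the service per the deleted deploy.yaml.tmpl) under `/tmp/sealos-backup` with the default umask, so the file is readable by other local users; move the assignment of `ACCOUNT_SERVICE_BACKUP_FILE` up and create both with `(umask 077; mkdir -p "${ACCOUNT_SERVICE_BACKUP_DIR}"; : > "${ACCOUNT_SERVICE_BACKUP_FILE}")`. The inline namespace dump duplicates `backup_cluster_resource`; `backup_cluster_resource namespace "${RELEASE_NAMESPACE}"` does the same. The comment `# 执行备份` should be English like the rest of the file, e.g. `# Back up existing resources before the Helm upgrade`.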
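Review bot: The adopted names `clusterrole account-node-viewer` and `clusterrolebinding account-node-viewer-binding` do not match what the new chart creates, which templates/rbac.yaml names `{{ fullname }}-node-viewer` and `{{ fullname }}-node-viewer-binding`; unless the fullname helper resolves to `account`, Helm will never own the old objects and the adoption labels are inert. The result is a stale ClusterRoleBinding granting `nodes` get/list to the `account-controller-manager` ServiceAccount that nothing removes; the license-frontend entrypoint in the first patch has an explicit cleanup block for exactly this case, and the same `kubectl delete clusterrolebinding account-node-viewer-binding --ignore-not-found` (plus the ClusterRole) belongs here after the backup has run.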
@@ -36,24 +107,23 @@ if ! helm status "${RELEASE_NAME}" -n "${RELEASE_NAMESPACE}" >/dev/null 2>&1; th adopt_namespaced_resource ingress account-service fi -# Build helm set args from ConfigMap -HELM_SET_ARGS=() -AUTO_CONFIG_HELM_OPTS="" - -# Get cloud configuration from sealos-config ConfigMap -CLOUD_DOMAIN=$(get_cm_value sealos-system sealos-config cloudDomain) -CLOUD_PORT=$(get_cm_value sealos-system sealos-config cloudPort) +# Prepare values files +SERVICE_NAME="account-service" +USER_VALUES_PATH="/root/.sealos/cloud/values/core/${SERVICE_NAME}-values.yaml" -# Enable ingress if cloudDomain is configured -if [ -n "${CLOUD_DOMAIN}" ]; then - AUTO_CONFIG_HELM_OPTS="${AUTO_CONFIG_HELM_OPTS} --set ingress.enabled=true" - AUTO_CONFIG_HELM_OPTS="${AUTO_CONFIG_HELM_OPTS} --set-string cloudDomain=${CLOUD_DOMAIN}" - - if [ -n "${CLOUD_PORT}" ]; then - AUTO_CONFIG_HELM_OPTS="${AUTO_CONFIG_HELM_OPTS} --set-string cloudPort=${CLOUD_PORT}" - fi +# Copy user values template if not exists +if [ ! -f "${USER_VALUES_PATH}" ]; then + mkdir -p "$(dirname "${USER_VALUES_PATH}")" + cp "./charts/${SERVICE_NAME}/${SERVICE_NAME}-values.yaml" "${USER_VALUES_PATH}" fi +# merge all helm_opts +# 1. AUTO_CONFIG_HELM_OPTS (Configuration automatically obtained from ConfigMap) +# 2. HELM_SET_ARGS (parameters set internally in the script) +# 3. HELM_OPTS (the parameter passed by the user via --env, with the highest priority, can override the previous configuration) helm upgrade -i "${RELEASE_NAME}" -n "${RELEASE_NAMESPACE}" --create-namespace "${CHART_PATH}" \ + -f "./charts/${SERVICE_NAME}/values.yaml" \ + -f "${USER_VALUES_PATH}" \ ${AUTO_CONFIG_HELM_OPTS} \ + "${HELM_SET_ARGS[@]}" \ ${HELM_OPTS} diff --git a/service/account/deploy/charts/account-service/values.yaml b/service/account/deploy/charts/account-service/values.yaml index 20dea5384e62..e5469a227280 100644 --- a/service/account/deploy/charts/account-service/values.yaml +++ b/service/account/deploy/charts/account-service/values.yaml 
@@ -19,14 +19,14 @@ podLabels: {} podSecurityContext: {} # runAsNonRoot: true - # runAsUser: 1000 +# runAsUser: 1000 securityContext: {} # allowPrivilegeEscalation: false # capabilities: # drop: # - ALL - # readOnlyRootFilesystem: true +# readOnlyRootFilesystem: true service: type: ClusterIP @@ -79,6 +79,17 @@ paymentSecretName: payment-secret # ConfigMap for region info regionInfoConfigMapName: region-info +# ============================================================================ +# Auto-configured Ingress values (from sealos-system/sealos-config ConfigMap) +# ============================================================================ +# The following ingress values are automatically fetched from the +# sealos-system/sealos-config ConfigMap by the entrypoint script and will +# override any values set here. These are provided as reference defaults. +# +# To override these auto-configured values, use HELM_OPTIONS or modify the +# sealos-config ConfigMap directly. +# ============================================================================ + # Ingress configuration ingress: enabled: true @@ -87,4 +98,4 @@ ingress: # Cloud configuration cloudDomain: "cloud.sealos.io" -cloudPort: "" +cloudPort: "" \ No newline at end of file
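Review bot: The new comment block in the second hunk tells users to override auto-configured values with `HELM_OPTIONS`, but both entrypoint scripts in this patch read `HELM_OPTS`; change it to `# To override these auto-configured values, pass HELM_OPTS or modify the sealos-config ConfigMap directly.` The block also says the ingress values are fetched from the ConfigMap, yet the keys that follow under `# Cloud configuration` are top-level `cloudDomain`/`cloudPort` while the entrypoint sets `ingress.cloudDomain`/`ingress.cloudPort`, so the comment should name the exact keys that are overridden. In the first hunk, dedenting only `# runAsUser: 1000` and `# readOnlyRootFilesystem: true` to column 0 leaves them misaligned with the sibling `# runAsNonRoot` and `# capabilities` lines; more substantively, `podSecurityContext: {}` and `securityContext: {}` leave the account service unhardened while the license-frontend chart in the first patch ships `runAsNonRoot`, `allowPrivilegeEscalation: false` and `drop: [ALL]` as defaults.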