From 3dbb633fdad88f288751bed6873cf6bc42312710 Mon Sep 17 00:00:00 2001 
From: eball Date: Thu, 28 Aug 2025 00:54:54 +0800 Subject: [PATCH] system-server: refactor service provider based on RBAC (#1736) * system-server: refactor service provider based on RBAC * refactor: add files provider * fix: numeric user name * feat: provider and permission define * refactor: backend service provider and permission * refactor: change system frontend upstream to RBAC proxy * revert: authelia-backend-svc * fix: app-service entrance url api * fix: market backend auth --- .../templates/app-service-provider.yaml | 39 ++ .../templates/backup-provider.yaml | 64 +++ .../system-apps/templates/bfl-permission.yaml | 14 + .../templates/files-permission.yaml | 13 + .../system-apps/templates/files-provider.yaml | 136 +++++ .../templates/infisical-provider.yaml | 64 +++ .../templates/market-provider.yaml | 76 +++ .../templates/middleware-provider.yaml | 64 +++ .../templates/monitoring-provider.yaml | 94 ++++ .../system-apps/templates/olares-app.yaml | 478 +----------------- .../templates/secret-permission.yaml | 28 + .../templates/user-service-provider.yaml | 185 +++++++ .../system-apps/templates/vault-provider.yaml | 88 ++++ .../templates/system-serviceaccount.yaml | 30 ++ .../apiserver/handlers/handler_did.go | 24 +- .../cluster/deploy/appservice_deploy.yaml | 2 +- .../helm-charts/auth/templates/provider.yaml | 48 ++ .../config/launcher/templates/bfl_deploy.yaml | 104 +--- .../config/launcher/templates/permission.yaml | 13 + .../config/launcher/templates/provider.yaml | 36 ++ .../cluster/deploy/chart_repo_deploy.yaml | 2 +- .../headscale/templates/headscale_deploy.yaml | 33 -- .../headscale/templates/provider.yaml | 51 ++ .../cluster/deploy/infisical_deploy.yaml | 2 +- .../infisical/templates/infisical_deploy.yaml | 28 - .../infisical/templates/provider.yaml | 64 +++ .../config/cluster/deploy/market_deploy.yaml | 2 +- .../systemserver/templates/proxy.yaml | 96 ++++ .../templates/systemserver_deploy.yaml | 33 +- .../cluster/deploy/middleware_deploy.yaml | 2 +- 
30 files changed, 1254 insertions(+), 659 deletions(-) create mode 100644 apps/.olares/config/user/helm-charts/system-apps/templates/app-service-provider.yaml create mode 100644 apps/.olares/config/user/helm-charts/system-apps/templates/backup-provider.yaml create mode 100644 apps/.olares/config/user/helm-charts/system-apps/templates/bfl-permission.yaml create mode 100644 apps/.olares/config/user/helm-charts/system-apps/templates/files-permission.yaml create mode 100644 apps/.olares/config/user/helm-charts/system-apps/templates/files-provider.yaml create mode 100644 apps/.olares/config/user/helm-charts/system-apps/templates/infisical-provider.yaml create mode 100644 apps/.olares/config/user/helm-charts/system-apps/templates/market-provider.yaml create mode 100644 apps/.olares/config/user/helm-charts/system-apps/templates/middleware-provider.yaml create mode 100644 apps/.olares/config/user/helm-charts/system-apps/templates/monitoring-provider.yaml create mode 100644 apps/.olares/config/user/helm-charts/system-apps/templates/secret-permission.yaml create mode 100644 apps/.olares/config/user/helm-charts/system-apps/templates/user-service-provider.yaml create mode 100644 apps/.olares/config/user/helm-charts/system-apps/templates/vault-provider.yaml create mode 100644 framework/authelia/.olares/config/user/helm-charts/auth/templates/provider.yaml create mode 100644 framework/bfl/.olares/config/launcher/templates/permission.yaml create mode 100644 framework/bfl/.olares/config/launcher/templates/provider.yaml create mode 100644 framework/headscale/.olares/config/user/helm-charts/headscale/templates/provider.yaml create mode 100644 framework/infisical/.olares/config/user/helm-charts/infisical/templates/provider.yaml create mode 100644 framework/system-server/.olares/config/user/helm-charts/systemserver/templates/proxy.yaml 
diff --git a/apps/.olares/config/user/helm-charts/system-apps/templates/app-service-provider.yaml b/apps/.olares/config/user/helm-charts/system-apps/templates/app-service-provider.yaml
new file mode 100644
index 000000000..bdee54701
--- /dev/null
+++ b/apps/.olares/config/user/helm-charts/system-apps/templates/app-service-provider.yaml
@@ -0,0 +1,39 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Values.bfl.username }}:app-service-frontend-svc
+ annotations:
+ provider-registry-ref: user-system-{{ .Values.bfl.username }}/app-service
+ provider-service-ref: app-service.os-framework:6755
+rules:
+- nonResourceURLs: ["*"]
+ verbs: ["*"]
+
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Values.bfl.username }}:app-service-provider-svc
+ annotations:
+ provider-registry-ref: user-system-{{ .Values.bfl.username }}/app-service
+ provider-service-ref: app-service.os-framework:6755
+rules:
+- nonResourceURLs:
+ - "/app-service/*"
+ verbs: ["*"]
+
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: user:{{ .Values.bfl.username }}:app-service-frontend-svc
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Values.bfl.username }}:app-service-frontend-svc
+subjects:
+- kind: User
+ name: '{{ .Values.bfl.username }}'
+
diff --git a/apps/.olares/config/user/helm-charts/system-apps/templates/backup-provider.yaml b/apps/.olares/config/user/helm-charts/system-apps/templates/backup-provider.yaml
new file mode 100644
index 000000000..72fc19dbe
--- /dev/null
+++ b/apps/.olares/config/user/helm-charts/system-apps/templates/backup-provider.yaml
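Review bot: The `app-service-frontend-svc` ClusterRole grants `nonResourceURLs: ["*"]` with `verbs: ["*"]` and is bound to `kind: User`, so it is a genuine cluster-scoped RBAC grant and not only routing metadata for the provider proxy. If the kube-apiserver ever authenticates a client under the same user name, this rule authorises every non-resource endpoint it serves, not just the backend named in `provider-service-ref`. The same wildcard rule appears on the files, market, middleware and monitoring frontend roles later in this patch. Consider listing the path prefixes the frontend really calls, as `app-service-provider-svc` already does with `"/app-service/*"`, and restricting the verbs, e.g. `verbs: ["get", "post"]`, assuming the proxy maps verbs to HTTP methods the way Kubernetes does.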
@@ -0,0 +1,64 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Values.bfl.username }}:backup-frontend-svc
+ annotations:
+ provider-registry-ref: user-space-{{ .Values.bfl.username }}/backup
+ provider-service-ref: backup-server.os-framework:8082
+rules:
+- nonResourceURLs: ["/apis/backup*"]
+ verbs: ["*"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Values.bfl.username }}:backup-frontend-domain
+ annotations:
+ provider-registry-ref: {{ .Values.bfl.username }}/settings
+ provider-service-ref: backup-server.os-framework:8082
+rules:
+- nonResourceURLs: ["/apis/backup*"]
+ verbs: ["*"]
+
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: user:{{ .Values.bfl.username }}:backup-frontend-svc
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Values.bfl.username }}:backup-frontend-svc
+subjects:
+- kind: User
+ name: '{{ .Values.bfl.username }}'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: user:{{ .Values.bfl.username }}:backup-frontend-domain
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Values.bfl.username }}:backup-frontend-domain
+subjects:
+- kind: User
+ name: '{{ .Values.bfl.username }}'
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: backup
+ namespace: user-space-{{ .Values.bfl.username }}
+spec:
+ type: ExternalName
+ externalName: system-server.user-system-{{ .Values.bfl.username }}.svc.cluster.local
+ ports:
+ - protocol: TCP
+ port: 28080
+ targetPort: 28080
diff --git a/apps/.olares/config/user/helm-charts/system-apps/templates/bfl-permission.yaml b/apps/.olares/config/user/helm-charts/system-apps/templates/bfl-permission.yaml
new file mode 100644
index 000000000..1bdeb7c44
--- /dev/null
+++ b/apps/.olares/config/user/helm-charts/system-apps/templates/bfl-permission.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: backend:{{ .Values.bfl.username }}:system-frontend:bfl-svc
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Values.bfl.username }}:bfl-svc
+subjects:
+- kind: ServiceAccount
+ name: system-frontend
+ namespace: {{ .Release.Namespace }}
+
diff --git a/apps/.olares/config/user/helm-charts/system-apps/templates/files-permission.yaml b/apps/.olares/config/user/helm-charts/system-apps/templates/files-permission.yaml
new file mode 100644
index 000000000..2f4ab62b2
--- /dev/null
+++ b/apps/.olares/config/user/helm-charts/system-apps/templates/files-permission.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: backend:{{ .Values.bfl.username }}:system-frontend:files-provider-svc
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Values.bfl.username }}:files-provider-svc
+subjects:
+- kind: ServiceAccount
+ name: system-frontend
+ namespace: {{ .Release.Namespace }}
diff --git a/apps/.olares/config/user/helm-charts/system-apps/templates/files-provider.yaml b/apps/.olares/config/user/helm-charts/system-apps/templates/files-provider.yaml
new file mode 100644
index 000000000..039a1c6c7
--- /dev/null
+++ b/apps/.olares/config/user/helm-charts/system-apps/templates/files-provider.yaml
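Review bot: The `roleRef` in bfl-permission.yaml names `{{ .Values.bfl.username }}:bfl-svc`, a ClusterRole that nothing in this chart's visible templates defines; it is presumably created by the bfl launcher `provider.yaml` listed in the diffstat. Kubernetes accepts a binding whose role does not exist yet, so the `system-frontend` ServiceAccount ends up with whatever rules any object of that name later carries, and the effective grant cannot be reviewed from this file alone. Once the owner is confirmed, a comment above the binding such as `# roleRef target <user>:bfl-svc is owned by the bfl launcher chart` would make the cross-chart dependency explicit. The sibling files-permission.yaml binding does not have this gap, since `files-provider-svc` is defined in files-provider.yaml of the same chart.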
@@ -0,0 +1,136 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Values.bfl.username }}:files-frontend-svc + annotations: + provider-registry-ref: user-space-{{ .Values.bfl.username }}/files + provider-service-ref: files-service.os-framework:80 +rules: +- nonResourceURLs: ["*"] + verbs: ["*"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Values.bfl.username }}:files-frontend-domain + annotations: + provider-registry-ref: {{ .Values.bfl.username }}/files + provider-service-ref: files-service.os-framework:80 +rules: +- nonResourceURLs: ["*"] + verbs: ["*"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Values.bfl.username }}:files-frontend-domain-settings + annotations: + provider-registry-ref: {{ .Values.bfl.username }}/settings + provider-service-ref: files-service.os-framework:80 +rules: +- nonResourceURLs: + - "/api/resources/*" + - "/api/nodes/*" + verbs: ["*"] + +# --- +# apiVersion: sys.bytetrade.io/v1alpha1 +# kind: ProviderRegistry +# metadata: +# name: files-provider +# namespace: user-system-{{ .Values.bfl.username }} +# spec: +# dataType: files +# deployment: files +# description: files provider +# endpoint: files-service.{{ .Release.Namespace }} +# group: service.files +# kind: provider +# namespace: {{ .Release.Namespace }} +# opApis: +# - name: Query +# uri: /provider/query_file +# - name: GetSearchFolderStatus +# uri: /provider/get_search_folder_status +# - name: UpdateSearchFolderPaths +# uri: /provider/update_search_folder_paths +# - name: GetDatasetFolderStatus +# uri: /provider/get_dataset_folder_status +# - name: UpdateDatasetFolderPaths +# uri: /provider/update_dataset_folder_paths +# version: v1 +# status: +# state: active +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Values.bfl.username }}:files-provider-svc + annotations: + provider-registry-ref: user-system-{{ 
.Values.bfl.username }}/files + provider-service-ref: files-service.os-framework:80 +rules: +- nonResourceURLs: + - "/provider/query_file" + - "/provider/get_search_folder_status" + - "/provider/update_search_folder_paths" + - "/provider/get_dataset_folder_status" + - "/provider/update_dataset_folder_paths" + verbs: ["*"] + + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: user:{{ .Values.bfl.username }}:files-frontend-svc +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.bfl.username }}:files-frontend-svc +subjects: +- kind: User + name: '{{ .Values.bfl.username }}' + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: user:{{ .Values.bfl.username }}:files-frontend-domain +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.bfl.username }}:files-frontend-domain +subjects: +- kind: User + name: '{{ .Values.bfl.username }}' + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: user:{{ .Values.bfl.username }}:files-frontend-domain-settings +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.bfl.username }}:files-frontend-domain-settings +subjects: +- kind: User + name: '{{ .Values.bfl.username }}' + + +--- +apiVersion: v1 +kind: Service +metadata: + name: files + namespace: user-space-{{ .Values.bfl.username }} +spec: + type: ExternalName + externalName: system-server.user-system-{{ .Values.bfl.username }}.svc.cluster.local + ports: + - protocol: TCP + port: 28080 + targetPort: 28080 diff --git a/apps/.olares/config/user/helm-charts/system-apps/templates/infisical-provider.yaml b/apps/.olares/config/user/helm-charts/system-apps/templates/infisical-provider.yaml new file mode 100644 index 000000000..08530fd36 --- /dev/null +++ b/apps/.olares/config/user/helm-charts/system-apps/templates/infisical-provider.yaml 
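Review bot: The commented-out `ProviderRegistry` block in files-provider.yaml still contains `{{ .Values.bfl.username }}` and `{{ .Release.Namespace }}`, and Helm evaluates template actions inside YAML `#` comments, so the dead block is rendered, with the user name and namespace substituted, into every release manifest. The commit already removes the live `files-provider` registry from olares-app.yaml, so the history is in version control. Delete the block, or wrap it in a template comment (`{{- /*` … `*/ -}}`) if it must stay as a reference for the path list that follows in `files-provider-svc`.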
@@ -0,0 +1,64 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Values.bfl.username }}:infisical-frontend-svc
+ annotations:
+ provider-registry-ref: user-space-{{ .Values.bfl.username }}/infisical
+ provider-service-ref: infisical-service.os-framework:8080
+rules:
+- nonResourceURLs: ["/admin/*"]
+ verbs: ["*"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Values.bfl.username }}:infisical-frontend-domain
+ annotations:
+ provider-registry-ref: {{ .Values.bfl.username }}/settings
+ provider-service-ref: infisical-service.os-framework:8080
+rules:
+- nonResourceURLs: ["/admin/*"]
+ verbs: ["*"]
+
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: user:{{ .Values.bfl.username }}:infisical-frontend-svc
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Values.bfl.username }}:infisical-frontend-svc
+subjects:
+- kind: User
+ name: '{{ .Values.bfl.username }}'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: user:{{ .Values.bfl.username }}:infisical-frontend-domain
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Values.bfl.username }}:infisical-frontend-domain
+subjects:
+- kind: User
+ name: '{{ .Values.bfl.username }}'
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: infisical
+ namespace: user-space-{{ .Values.bfl.username }}
+spec:
+ type: ExternalName
+ externalName: system-server.user-system-{{ .Values.bfl.username }}.svc.cluster.local
+ ports:
+ - protocol: TCP
+ port: 28080
+ targetPort: 28080
diff --git a/apps/.olares/config/user/helm-charts/system-apps/templates/market-provider.yaml b/apps/.olares/config/user/helm-charts/system-apps/templates/market-provider.yaml
new file mode 100644
index 000000000..beecff858
--- /dev/null
+++ b/apps/.olares/config/user/helm-charts/system-apps/templates/market-provider.yaml
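Review bot: Both infisical roles grant `nonResourceURLs: ["/admin/*"]` with `verbs: ["*"]` to `kind: User` `{{ .Values.bfl.username }}`, and nothing in the template makes that conditional on the user's role. If this chart is rendered for every user and not only the owner, each of them would be authorised through the proxy for the secret service's admin paths; whether that matters depends on how infisical-service authorises `/admin/*` itself, which this patch does not show. If only some users should reach those paths, guard the four RBAC documents with a values condition and narrow the verbs to the methods the settings frontend uses. A comment above the rule stating who is expected to hold it would help the next reviewer.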
@@ -0,0 +1,76 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Values.bfl.username }}:market-frontend-svc
+ annotations:
+ provider-registry-ref: user-space-{{ .Values.bfl.username }}/market
+ provider-service-ref: appstore-svc.os-framework:81
+rules:
+- nonResourceURLs: ["*"]
+ verbs: ["*"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Values.bfl.username }}:market-frontend-domain
+ annotations:
+ provider-registry-ref: {{ .Values.bfl.username }}/market
+ provider-service-ref: appstore-svc.os-framework:81
+rules:
+- nonResourceURLs: ["*"]
+ verbs: ["*"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Values.bfl.username }}:market-provider-svc
+ annotations:
+ provider-registry-ref: user-system-{{ .Values.bfl.username }}/market
+ provider-service-ref: appstore-svc.os-framework:81
+rules:
+- nonResourceURLs: ["/app-store/*"]
+ verbs: ["*"]
+
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: user:{{ .Values.bfl.username }}:market-frontend-svc
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Values.bfl.username }}:market-frontend-svc
+subjects:
+- kind: User
+ name: '{{ .Values.bfl.username }}'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: user:{{ .Values.bfl.username }}:market-frontend-domain
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Values.bfl.username }}:market-frontend-domain
+subjects:
+- kind: User
+ name: '{{ .Values.bfl.username }}'
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: market
+ namespace: user-space-{{ .Values.bfl.username }}
+spec:
+ type: ExternalName
+ externalName: system-server.user-system-{{ .Values.bfl.username }}.svc.cluster.local
+ ports:
+ - protocol: TCP
+ port: 28080
+ targetPort: 28080
diff --git a/apps/.olares/config/user/helm-charts/system-apps/templates/middleware-provider.yaml b/apps/.olares/config/user/helm-charts/system-apps/templates/middleware-provider.yaml
new file mode 100644
index 000000000..61390d187
--- /dev/null
+++ b/apps/.olares/config/user/helm-charts/system-apps/templates/middleware-provider.yaml
@@ -0,0 +1,64 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Values.bfl.username }}:middleware-frontend-svc
+ annotations:
+ provider-registry-ref: user-space-{{ .Values.bfl.username }}/middleware
+ provider-service-ref: middleware-service.os-platform:80
+rules:
+- nonResourceURLs: ["*"]
+ verbs: ["*"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Values.bfl.username }}:middleware-frontend-domain-controlhub
+ annotations:
+ provider-registry-ref: {{ .Values.bfl.username }}/control-hub
+ provider-service-ref: middleware-service.os-platform:80
+rules:
+- nonResourceURLs: ["/middleware/*"]
+ verbs: ["*"]
+
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: user:{{ .Values.bfl.username }}:middleware-frontend-svc
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Values.bfl.username }}:middleware-frontend-svc
+subjects:
+- kind: User
+ name: '{{ .Values.bfl.username }}'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: user:{{ .Values.bfl.username }}:middleware-frontend-domain-controlhub
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Values.bfl.username }}:middleware-frontend-domain-controlhub
+subjects:
+- kind: User
+ name: '{{ .Values.bfl.username }}'
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: middleware
+ namespace: user-space-{{ .Values.bfl.username }}
+spec:
+ type: ExternalName
+ externalName: system-server.user-system-{{ .Values.bfl.username }}.svc.cluster.local
+ ports:
+ - protocol: TCP
+ port: 28080
+ targetPort: 28080
diff --git a/apps/.olares/config/user/helm-charts/system-apps/templates/monitoring-provider.yaml b/apps/.olares/config/user/helm-charts/system-apps/templates/monitoring-provider.yaml
new file mode 100644
index 000000000..53592f697
--- /dev/null
+++ b/apps/.olares/config/user/helm-charts/system-apps/templates/monitoring-provider.yaml 
@@ -0,0 +1,94 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Values.bfl.username }}:monitoring-frontend-svc + annotations: + provider-registry-ref: user-space-{{ .Values.bfl.username }}/monitoring + provider-service-ref: monitoring-server.os-framework:80 +rules: +- nonResourceURLs: ["*"] + verbs: ["*"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Values.bfl.username }}:monitoring-frontend-domain-controlhub + annotations: + provider-registry-ref: {{ .Values.bfl.username }}/control-hub + provider-service-ref: monitoring-server.os-framework:80 +rules: +- nonResourceURLs: + - "/kapis/*" + - "/api/*" + - "/capi/*" + - "/apis/apps/*" + verbs: ["*"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Values.bfl.username }}:monitoring-frontend-domain-dashboard + annotations: + provider-registry-ref: {{ .Values.bfl.username }}/dashboard + provider-service-ref: monitoring-server.os-framework:80 +rules: +- nonResourceURLs: ["*"] + verbs: ["*"] + + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: user:{{ .Values.bfl.username }}:monitoring-frontend-svc +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.bfl.username }}:monitoring-frontend-svc +subjects: +- kind: User + name: '{{ .Values.bfl.username }}' + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: user:{{ .Values.bfl.username }}:monitoring-frontend-domain-controlhub +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.bfl.username }}:monitoring-frontend-domain-controlhub +subjects: +- kind: User + name: '{{ .Values.bfl.username }}' + + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: user:{{ .Values.bfl.username }}:monitoring-frontend-domain-dashboard +roleRef: + apiGroup: rbac.authorization.k8s.io + 
kind: ClusterRole + name: {{ .Values.bfl.username }}:monitoring-frontend-domain-dashboard +subjects: +- kind: User + name: '{{ .Values.bfl.username }}' + + +--- +apiVersion: v1 +kind: Service +metadata: + name: monitoring + namespace: user-space-{{ .Values.bfl.username }} +spec: + type: ExternalName + externalName: system-server.user-system-{{ .Values.bfl.username }}.svc.cluster.local + ports: + - protocol: TCP + port: 28080 + targetPort: 28080 diff --git a/apps/.olares/config/user/helm-charts/system-apps/templates/olares-app.yaml b/apps/.olares/config/user/helm-charts/system-apps/templates/olares-app.yaml index 90500ed96..efb8f3dcb 100644 --- a/apps/.olares/config/user/helm-charts/system-apps/templates/olares-app.yaml +++ b/apps/.olares/config/user/helm-charts/system-apps/templates/olares-app.yaml @@ -153,19 +153,6 @@ spec: --- apiVersion: v1 kind: Service -metadata: - name: vault-admin-server - namespace: {{ .Release.Namespace }} -spec: - type: ExternalName - externalName: vault-server.os-framework.svc.cluster.local - ports: - - protocol: TCP - port: 3010 - targetPort: 3010 ---- -apiVersion: v1 -kind: Service metadata: name: files-fe-service namespace: user-space-{{ .Values.bfl.username }} @@ -258,6 +245,7 @@ spec: {{ end }} spec: priorityClassName: "system-cluster-critical" + serviceAccountName: system-frontend initContainers: - args: - -it @@ -333,7 +321,7 @@ spec: - name: PGDB value: user_space_{{ .Values.bfl.username }}_cloud_drive_integration - name: olares-app-init - image: beclab/system-frontend:v1.4.13 + image: beclab/system-frontend:v1.4.15 imagePullPolicy: IfNotPresent command: - /bin/sh @@ -455,7 +443,7 @@ spec: - name: NATS_SUBJECT_VAULT value: os.vault.{{ .Values.bfl.username}} - name: user-service - image: beclab/user-service:v0.0.45 + image: beclab/user-service:v0.0.46 imagePullPolicy: IfNotPresent ports: - containerPort: 3000 
@@ -466,12 +454,8 @@ spec: {{- end }} - name: DEV_MODE value: '' - - name: OS_SYSTEM_SERVER - value: system-server.user-system-{{ .Values.bfl.username }} - - name: OS_APP_SECRET - value: '{{ .Values.os.settings.appSecret }}' - - name: OS_APP_KEY - value: {{ .Values.os.settings.appKey }} + - name: MY_NAME + value: '{{ .Values.bfl.username }}' - name: NODE_IP valueFrom: fieldRef: @@ -682,34 +666,7 @@ data: appData: "{{ .Values.userspace.appData }}" appCache: "{{ .Values.userspace.appCache }}" username: "{{ .Values.bfl.username }}" ---- -apiVersion: sys.bytetrade.io/v1alpha1 -kind: ProviderRegistry -metadata: - name: files-provider - namespace: user-system-{{ .Values.bfl.username }} -spec: - dataType: files - deployment: files - description: files provider - endpoint: files-service.{{ .Release.Namespace }} - group: service.files - kind: provider - namespace: {{ .Release.Namespace }} - opApis: - - name: Query - uri: /provider/query_file - - name: GetSearchFolderStatus - uri: /provider/get_search_folder_status - - name: UpdateSearchFolderPaths - uri: /provider/update_search_folder_paths - - name: GetDatasetFolderStatus - uri: /provider/get_dataset_folder_status - - name: UpdateDatasetFolderPaths - uri: /provider/update_dataset_folder_paths - version: v1 -status: - state: active + --- apiVersion: v1 kind: Secret @@ -847,6 +804,7 @@ data: - exact: x-bfl-user - exact: x-real-ip - exact: terminus-nonce + - exact: x-provider-proxy headers_to_add: - key: X-Forwarded-Method value: '%REQ(:METHOD)%' 
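Review bot: `x-provider-proxy` joins the `- exact:` patterns that sit just before `headers_to_add`, which appears to be the list of client request headers forwarded to the authorization service, and nothing visible in the hunk at -847 (or in the matching hunks at -1512 and -1687) strips or overwrites the header on ingress. If the auth backend treats it as evidence that a request came through the RBAC proxy, its value is client-controlled at this listener; that decision lives in code outside this patch and should be checked. Either have the sidecar remove or set the header itself before the auth check, or record the trust assumption next to the pattern, e.g. `# client-supplied; the auth backend must verify it, not trust it`. The ConfigMap these lines belong to begins and ends outside the hunk.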
@@ -965,256 +923,7 @@ kind: ConfigMap metadata: name: sidecar-upload-configs namespace: {{ .Release.Namespace }} ---- -apiVersion: sys.bytetrade.io/v1alpha1 -kind: ApplicationPermission -metadata: - name: dashboard-vault - namespace: user-system-{{ .Values.bfl.username }} -spec: - app: dashboard - appid: dashboard - key: {{ .Values.os.dashboard.appKey }} - secret: {{ .Values.os.dashboard.appSecret }} - permissions: - - dataType: secret - group: secret.infisical - ops: - - RetrieveSecret?workspace=dashboard - - CreateSecret?workspace=dashboard - - DeleteSecret?workspace=dashboard - - UpdateSecret?workspace=dashboard - - ListSecret?workspace=dashboard - version: v1 -status: - state: active ---- -apiVersion: sys.bytetrade.io/v1alpha1 -kind: ApplicationPermission -metadata: - name: profile - namespace: user-system-{{ .Values.bfl.username }} -spec: - app: profile - appid: profile - key: {{ .Values.os.profile.appKey }} - secret: {{ .Values.os.profile.appSecret }} - permissions: - - dataType: datastore - group: service.bfl - ops: - - GetKey - - GetKeyPrefix - - SetKey - - DeleteKey - version: v1 - - dataType: nft - group: service.settings - ops: - - getNFTAddress - version: v1 -status: - state: active ---- -apiVersion: sys.bytetrade.io/v1alpha1 -kind: ApplicationPermission -metadata: - name: settings - namespace: user-system-{{ .Values.bfl.username }} -spec: - app: settings - appid: settings - key: {{ .Values.os.settings.appKey }} - secret: {{ .Values.os.settings.appSecret }} - permissions: - - dataType: config - group: service.desktop - ops: - - Update - version: v1 - - dataType: secret - group: secret.infisical - ops: - - RetrieveSecret?workspace=settings - - CreateSecret?workspace=settings - - DeleteSecret?workspace=settings - - UpdateSecret?workspace=settings - - ListSecret?workspace=settings - version: v1 - - dataType: headscale - group: service.headscale - ops: - - GetMachine - - RenameMachine - - DeleteMachine - - GetRoute - - EnableRoute - - DisableRoute - - 
SetTags - version: v1 - - dataType: files - group: service.files - ops: - - Query - - GetSearchFolderStatus - - UpdateSearchFolderPaths - - GetDatasetFolderStatus - - UpdateDatasetFolderPaths - version: v1 - - dataType: datastore - group: service.bfl - ops: - - GetKey - - GetKeyPrefix - - SetKey - - DeleteKey - version: v1 - - dataType: app - group: service.bfl - ops: - - UserApps - version: v1 -status: - state: active - ---- -apiVersion: sys.bytetrade.io/v1alpha1 -kind: ProviderRegistry -metadata: - name: settings-nft - namespace: user-system-{{ .Values.bfl.username }} -spec: - dataType: nft - deployment: settings - description: Get Cloud Bind NFT List - endpoint: settings-service.{{ .Release.Namespace }} - group: service.settings - kind: provider - namespace: {{ .Release.Namespace }} - opApis: - - name: getNFTAddress - uri: /api/cloud/getNFTAddress - version: v1 -status: - state: active - ---- -apiVersion: sys.bytetrade.io/v1alpha1 -kind: ProviderRegistry -metadata: - name: settings-account - namespace: user-system-{{ .Values.bfl.username }} -spec: - dataType: account - deployment: settings - description: Get Acccount saved in Settings - endpoint: settings-service.{{ .Release.Namespace }} - group: service.settings - kind: provider - namespace: {{ .Release.Namespace }} - opApis: - - name: getAccount - uri: /api/account - version: v1 -status: - state: active - ---- -apiVersion: sys.bytetrade.io/v1alpha1 -kind: ProviderRegistry -metadata: - name: settings-backup-password - namespace: user-system-{{ .Values.bfl.username }} -spec: - dataType: backupPassword - deployment: settings - description: Get Backup Plan's Password - endpoint: settings-service.{{ .Release.Namespace }} - group: service.settings - kind: provider - namespace: {{ .Release.Namespace }} - opApis: - - name: getAccount - uri: /api/backup/password - version: v1 -status: - state: active - ---- -apiVersion: sys.bytetrade.io/v1alpha1 -kind: ProviderRegistry -metadata: - name: settings-event-watcher - 
namespace: user-system-{{ .Values.bfl.username }} -spec: - callbacks: - - filters: - type: - - backup-state-event - op: Create - uri: /api/event/backup_state_event - - filters: - type: - - restore-state-event - op: Create - uri: /api/event/restore_state_event - - filters: - type: - - app-installation-event - op: Create - uri: /api/event/app_installation_event - - filters: - type: - - settings-event - op: Create - uri: /api/event/app_installation_event - - filters: - type: - - entrance-state-event - op: Create - uri: /api/event/entrance_state_event - - filters: - type: - - system-upgrade-event - op: Create - uri: /api/event/system_upgrade_event - dataType: event - deployment: settings - description: desktop event watcher - endpoint: settings-service.{{ .Release.Namespace }} - group: message-disptahcer.system-server - kind: watcher - namespace: {{ .Release.Namespace }} - version: v1 -status: - state: active - ---- -apiVersion: sys.bytetrade.io/v1alpha1 -kind: ProviderRegistry -metadata: - name: settings-account-retrieve - namespace: user-system-{{ .Values.bfl.username }} -spec: - dataType: legacy_api - deployment: settings - description: settings account retrieve legacy api - endpoint: settings-service.{{ .Release.Namespace }} - group: service.settings - kind: provider - namespace: {{ .Release.Namespace }} - version: v1 - opApis: - - name: POST - uri: /api/account/retrieve - - name: GET - uri: /api/account/all - - name: POST - uri: /api/cookie/retrieve - - name: POST - uri: /api/cookie -status: - state: active + --- apiVersion: v1 kind: Secret 
@@ -1284,166 +993,6 @@ spec: - protocol: TCP port: 3000 targetPort: 3000 ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - namespace: {{ .Release.Namespace }} - name: internal-kubectl - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ .Release.Namespace }}:edge-desktop-rb -subjects: - - kind: ServiceAccount - namespace: {{ .Release.Namespace }} - name: internal-kubectl -roleRef: - # kind: Role - kind: ClusterRole - name: cluster-admin - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: sys.bytetrade.io/v1alpha1 -kind: ProviderRegistry -metadata: - name: app-event-watcher - namespace: user-system-{{ .Values.bfl.username }} -spec: - callbacks: - - filters: - type: - - app-installation-event - op: Create - uri: /server/app_installation_event - - filters: - type: - - entrance-state-event - op: Create - uri: /server/entrance_state_event - - filters: - type: - - settings-event - op: Create - uri: /server/app_installation_event - - filters: - type: - - system-upgrade-event - op: Create - uri: /server/system_upgrade_event - dataType: event - deployment: edge-desktop - description: desktop event watcher - endpoint: edge-desktop.{{ .Release.Namespace }} - group: message-disptahcer.system-server - kind: watcher - namespace: {{ .Release.Namespace }} - version: v1 -status: - state: active - ---- -apiVersion: sys.bytetrade.io/v1alpha1 -kind: ProviderRegistry -metadata: - name: intent-api - namespace: user-system-{{ .Values.bfl.username }} -spec: - dataType: legacy_api - deployment: edge-desktop - description: edge-desktop legacy api - endpoint: edge-desktop.{{ .Release.Namespace }} - group: api.intent - kind: provider - namespace: {{ .Release.Namespace }} - version: v1 - opApis: - - name: POST - uri: /server/intent/send -status: - state: active - ---- -apiVersion: sys.bytetrade.io/v1alpha1 -kind: ProviderRegistry -metadata: - name: intent-api-v2 - namespace: user-system-{{ .Values.bfl.username }} -spec: - dataType: 
legacy_api - deployment: edge-desktop - description: edge-desktop legacy api - endpoint: edge-desktop.{{ .Release.Namespace }} - group: api.intent - kind: provider - namespace: {{ .Release.Namespace }} - version: v2 - opApis: - - name: POST - uri: /server/intent/send -status: - state: active - ---- -apiVersion: sys.bytetrade.io/v1alpha1 -kind: ProviderRegistry -metadata: - name: destktop-ai-provider - namespace: user-system-{{ .Values.bfl.username }} -spec: - dataType: ai_message - deployment: edge-desktop - description: search ai callback - endpoint: edge-desktop.{{ .Release.Namespace }} - group: service.desktop - kind: provider - namespace: {{ .Release.Namespace }} - opApis: - - name: AIMessage - uri: /server/ai_message - version: v1 -status: - state: active - ---- -apiVersion: sys.bytetrade.io/v1alpha1 -kind: ApplicationPermission -metadata: - name: desktop - namespace: user-system-{{ .Values.bfl.username }} -spec: - app: desktop - appid: desktop - key: {{ .Values.os.desktop.appKey }} - secret: {{ .Values.os.desktop.appSecret }} - permissions: - - dataType: files - group: service.files - ops: - - Query - version: v1 - - dataType: datastore - group: service.bfl - ops: - - GetKey - - GetKeyPrefix - - SetKey - - DeleteKey - version: v1 - - dataType: app - group: service.bfl - ops: - - UserApps - version: v1 - - dataType: app - group: service.appstore - ops: - - UninstallDevApp - version: v1 -status: - state: active --- apiVersion: v1 @@ -1512,6 +1061,7 @@ data: - exact: x-bfl-user - exact: x-real-ip - exact: terminus-nonce + - exact: x-provider-proxy headers_to_add: - key: X-Forwarded-Method value: '%REQ(:METHOD)%' @@ -1687,6 +1237,7 @@ data: - exact: x-bfl-user - exact: x-real-ip - exact: terminus-nonce + - exact: x-provider-proxy headers_to_add: - key: X-Forwarded-Method value: '%REQ(:METHOD)%' 
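Review bot: `x-provider-proxy` is added to the list of exact-match request headers next to `x-bfl-user`, and nothing in this hunk shows who is allowed to set it. If the authorization backend reads it as a sign that the request came through the provider proxy, a copy sent by an outside client must not reach it. The hunk shows only the tail of the header list, so whether inbound copies are stripped at the edge cannot be told from here. Once that is confirmed, I would add a comment above the entry, `# x-provider-proxy: set by the RBAC proxy; inbound client copies must be removed before this filter`. The same line is added in the hunks at -1687 and -1876 of this file.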
@@ -1876,6 +1427,7 @@ data: - exact: x-bfl-user - exact: x-real-ip - exact: terminus-nonce + - exact: x-provider-proxy headers_to_add: - key: X-Forwarded-Method value: '%REQ(:METHOD)%' @@ -2154,3 +1706,11 @@ spec: pub: allow user: user-service-{{ .Values.bfl.username }} + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + namespace: {{ .Release.Namespace }} + name: system-frontend + diff --git a/apps/.olares/config/user/helm-charts/system-apps/templates/secret-permission.yaml b/apps/.olares/config/user/helm-charts/system-apps/templates/secret-permission.yaml new file mode 100644 index 000000000..9626c5bcf --- /dev/null +++ b/apps/.olares/config/user/helm-charts/system-apps/templates/secret-permission.yaml @@ -0,0 +1,28 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: backend:{{ .Values.bfl.username }}:secret-settings-provider-svc +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.bfl.username }}:secret-settings-provider-svc +subjects: +- kind: ServiceAccount + name: system-frontend + namespace: {{ .Release.Namespace }} + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: backend:{{ .Values.bfl.username }}:system-frontend:secret-dashboard-provider-svc +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.bfl.username }}:secret-dashboard-provider-svc +subjects: +- kind: ServiceAccount + name: system-frontend + namespace: {{ .Release.Namespace }} + diff --git a/apps/.olares/config/user/helm-charts/system-apps/templates/user-service-provider.yaml b/apps/.olares/config/user/helm-charts/system-apps/templates/user-service-provider.yaml new file mode 100644 index 000000000..aef32a652 --- /dev/null +++ b/apps/.olares/config/user/helm-charts/system-apps/templates/user-service-provider.yaml 
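Review bot: Both ClusterRoleBindings in secret-permission.yaml name the same subject, the `system-frontend` ServiceAccount, so every pod running under that account holds the `settings` and the `dashboard` secret roles together. The per-workspace split of the ClusterRoles is therefore not reflected in who holds them. If settings and dashboard run as separate workloads, a ServiceAccount per workload would keep each to its own workspace. The binding names also differ in shape: the second includes the subject and the first does not; `backend:{{ .Values.bfl.username }}:system-frontend:secret-settings-provider-svc` would match it.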
@@ -0,0 +1,185 @@ +# --- +# apiVersion: sys.bytetrade.io/v1alpha1 +# kind: ProviderRegistry +# metadata: +# name: settings-nft +# namespace: user-system-{{ .Values.bfl.username }} +# spec: +# dataType: nft +# deployment: settings +# description: Get Cloud Bind NFT List +# endpoint: settings-service.{{ .Release.Namespace }} +# group: service.settings +# kind: provider +# namespace: {{ .Release.Namespace }} +# opApis: +# - name: getNFTAddress +# uri: /api/cloud/getNFTAddress +# version: v1 +# status: +# state: active + +# --- +# apiVersion: sys.bytetrade.io/v1alpha1 +# kind: ProviderRegistry +# metadata: +# name: settings-account +# namespace: user-system-{{ .Values.bfl.username }} +# spec: +# dataType: account +# deployment: settings +# description: Get Acccount saved in Settings +# endpoint: settings-service.{{ .Release.Namespace }} +# group: service.settings +# kind: provider +# namespace: {{ .Release.Namespace }} +# opApis: +# - name: getAccount +# uri: /api/account +# version: v1 +# status: +# state: active + +# --- +# apiVersion: sys.bytetrade.io/v1alpha1 +# kind: ProviderRegistry +# metadata: +# name: settings-backup-password +# namespace: user-system-{{ .Values.bfl.username }} +# spec: +# dataType: backupPassword +# deployment: settings +# description: Get Backup Plan's Password +# endpoint: settings-service.{{ .Release.Namespace }} +# group: service.settings +# kind: provider +# namespace: {{ .Release.Namespace }} +# opApis: +# - name: getAccount +# uri: /api/backup/password +# version: v1 +# status: +# state: active + +# --- +# apiVersion: sys.bytetrade.io/v1alpha1 +# kind: ProviderRegistry +# metadata: +# name: settings-account-retrieve +# namespace: user-system-{{ .Values.bfl.username }} +# spec: +# dataType: legacy_api +# deployment: settings +# description: settings account retrieve legacy api +# endpoint: settings-service.{{ .Release.Namespace }} +# group: service.settings +# kind: provider +# namespace: {{ .Release.Namespace }} +# version: v1 +# 
opApis: +# - name: POST +# uri: /api/account/retrieve +# - name: GET +# uri: /api/account/all +# - name: POST +# uri: /api/cookie/retrieve +# - name: POST +# uri: /api/cookie +# status: +# state: active + +# --- +# apiVersion: sys.bytetrade.io/v1alpha1 +# kind: ProviderRegistry +# metadata: +# name: intent-api +# namespace: user-system-{{ .Values.bfl.username }} +# spec: +# dataType: legacy_api +# deployment: edge-desktop +# description: edge-desktop legacy api +# endpoint: edge-desktop.{{ .Release.Namespace }} +# group: api.intent +# kind: provider +# namespace: {{ .Release.Namespace }} +# version: v1 +# opApis: +# - name: POST +# uri: /server/intent/send +# status: +# state: active + +# --- +# apiVersion: sys.bytetrade.io/v1alpha1 +# kind: ProviderRegistry +# metadata: +# name: intent-api-v2 +# namespace: user-system-{{ .Values.bfl.username }} +# spec: +# dataType: legacy_api +# deployment: edge-desktop +# description: edge-desktop legacy api +# endpoint: edge-desktop.{{ .Release.Namespace }} +# group: api.intent +# kind: provider +# namespace: {{ .Release.Namespace }} +# version: v2 +# opApis: +# - name: POST +# uri: /server/intent/send +# status: +# state: active + +# --- +# apiVersion: sys.bytetrade.io/v1alpha1 +# kind: ProviderRegistry +# metadata: +# name: destktop-ai-provider +# namespace: user-system-{{ .Values.bfl.username }} +# spec: +# dataType: ai_message +# deployment: edge-desktop +# description: search ai callback +# endpoint: edge-desktop.{{ .Release.Namespace }} +# group: service.desktop +# kind: provider +# namespace: {{ .Release.Namespace }} +# opApis: +# - name: AIMessage +# uri: /server/ai_message +# version: v1 +# status: +# state: active + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Values.bfl.username }}:settings-provider-svc + annotations: + provider-registry-ref: user-system-{{ .Values.bfl.username }}/settings + provider-service-ref: settings-service.{{ .Release.Namespace }} +rules: +- 
nonResourceURLs: + - "/api/cloud/getNFTAddress" + - "/api/account/" + - "/api/backup/password" + - "/api/account/retrieve" + - "/api/account/all" + - "/api/cookie/retrieve" + - "/api/cookie/" + verbs: ["*"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Values.bfl.username }}:edge-desktop-provider-svc + annotations: + provider-registry-ref: user-system-{{ .Values.bfl.username }}/edge-desktop + provider-service-ref: edge-desktop.{{ .Release.Namespace }} +rules: +- nonResourceURLs: + - "/server/intent/send" + - "/server/ai_message" + verbs: ["*"] \ No newline at end of file diff --git a/apps/.olares/config/user/helm-charts/system-apps/templates/vault-provider.yaml b/apps/.olares/config/user/helm-charts/system-apps/templates/vault-provider.yaml new file mode 100644 index 000000000..8903fca4a --- /dev/null +++ b/apps/.olares/config/user/helm-charts/system-apps/templates/vault-provider.yaml 
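Review bot: The two ClusterRoles at the end of user-service-provider.yaml grant `verbs: ["*"]` on every listed path, although the commented-out registry entries above them record one method per path (`POST /api/account/retrieve`, `GET /api/account/all`). Assuming the proxy passes the HTTP method as the verb of its access review, the method restriction of the old registry is lost. The paths `/api/account/` and `/api/cookie/` also carry a trailing slash that the old `/api/account` and `/api/cookie` did not, and non-resource URL rules match exactly unless they end in `*`, so this is worth checking against the proxy's matcher. The same `verbs: ["*"]` pattern appears in the new provider.yaml files for bfl, headscale and infisical. A split by verb for the four paths whose method is recorded could look like this:

```yaml
rules:
- nonResourceURLs:
  - "/api/account/all"
  verbs: ["get"]
- nonResourceURLs:
  - "/api/account/retrieve"
  - "/api/cookie/retrieve"
  - "/api/cookie/"
  verbs: ["post"]
# … unchanged: /api/cloud/getNFTAddress, /api/account/, /api/backup/password (methods not recorded in the old registry) …
```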
@@ -0,0 +1,88 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Values.bfl.username }}:vault-frontend-svc + annotations: + provider-registry-ref: user-space-{{ .Values.bfl.username }}/vault + provider-service-ref: vault-server.os-framework:3010 +rules: +- nonResourceURLs: ["/vault*"] + verbs: ["*"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Values.bfl.username }}:vault-frontend-domain-settings + annotations: + provider-registry-ref: {{ .Values.bfl.username }}/settings + provider-service-ref: vault-server.os-framework:3010 +rules: +- nonResourceURLs: ["/vault*"] + verbs: ["*"] + + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Values.bfl.username }}:vault-frontend-domain + annotations: + provider-registry-ref: {{ .Values.bfl.username }}/vault + provider-service-ref: vault-server.os-framework:3010 +rules: +- nonResourceURLs: ["/server*"] + verbs: ["*"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: user:{{ .Values.bfl.username }}:vault-frontend-svc +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.bfl.username }}:vault-frontend-svc +subjects: +- kind: User + name: '{{ .Values.bfl.username }}' + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: user:{{ .Values.bfl.username }}:vault-frontend-domain-settings +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.bfl.username }}:vault-frontend-domain-settings +subjects: +- kind: User + name: '{{ .Values.bfl.username }}' + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: user:{{ .Values.bfl.username }}:vault-frontend-domain +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.bfl.username }}:vault-frontend-domain +subjects: +- kind: User + name: '{{ 
.Values.bfl.username }}' + +--- +apiVersion: v1 +kind: Service +metadata: + name: vault + namespace: user-space-{{ .Values.bfl.username }} +spec: + type: ExternalName + externalName: system-server.user-system-{{ .Values.bfl.username }}.svc.cluster.local + ports: + - protocol: TCP + port: 28080 + targetPort: 28080 diff --git a/build/base-package/wizard/config/settings/templates/system-serviceaccount.yaml b/build/base-package/wizard/config/settings/templates/system-serviceaccount.yaml index baba8ad87..94dab1e93 100644 --- a/build/base-package/wizard/config/settings/templates/system-serviceaccount.yaml +++ b/build/base-package/wizard/config/settings/templates/system-serviceaccount.yaml @@ -100,6 +100,19 @@ rules: - patch - update - watch +- apiGroups: + - '*' + resources: + - 'clusterroles' + - 'clusterrolebindings' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - '*' resources: @@ -107,11 +120,28 @@ rules: - users - configmaps - secrets + - nodes + - namespaces verbs: - get - list - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: rbac-proxy +rules: +- apiGroups: ["authentication.k8s.io"] + resources: + - tokenreviews + verbs: ["create"] +- apiGroups: ["authorization.k8s.io"] + resources: + - subjectaccessreviews + verbs: ["create"] + --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 diff --git a/daemon/internel/apiserver/handlers/handler_did.go b/daemon/internel/apiserver/handlers/handler_did.go index e03bc750b..4c3c6aa1e 100644 --- a/daemon/internel/apiserver/handlers/handler_did.go +++ b/daemon/internel/apiserver/handlers/handler_did.go 
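Review bot: The rules `nonResourceURLs: ["/vault*"]` and `["/server*"]` in vault-provider.yaml end the wildcard directly after the name, so with the standard RBAC prefix match they also cover any sibling path that merely starts with those letters, such as a hypothetical `/vault-admin` or `/serverinfo`. Listing the exact path plus the subtree, `nonResourceURLs: ["/vault", "/vault/*"]`, keeps the grant to the intended tree. `vault-frontend-domain` differs from the other two roles in using `/server*` against the same `vault-server.os-framework:3010` backend; a short comment saying why that prefix is needed would help the next reader.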
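Review bot: The rule added at -100 in system-serviceaccount.yaml gives write verbs on `clusterroles` and `clusterrolebindings` under `apiGroups: ['*']`; these resources live only in `rbac.authorization.k8s.io`, so the group should be named, `- rbac.authorization.k8s.io`. Create, patch and delete on cluster-wide RBAC objects let the holder alter or remove bindings that belong to other users and components, and nothing here limits the grant to the per-user `…-svc` objects this commit introduces. The role's header is outside the hunk, so its subject cannot be seen from here. A comment on the rule stating which controller needs it and why would make the grant reviewable.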
@@ -10,19 +10,15 @@ func (h *Handlers) ResolveOlaresName(c *fiber.Ctx) error { olaresName := c.Params("olaresName") if olaresName == "" { klog.Error("olaresName parameter is missing") - return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{ - "error": "olaresName parameter is required", - }) + return h.ErrJSON(c, fiber.StatusBadRequest, "olaresName parameter is required") } klog.Infof("Received olaresName: %s", olaresName) result, err := jws.ResolveOlaresName(olaresName) if err != nil { klog.Errorf("Failed to resolve DID for %s: %v", olaresName, err) - return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{ - "error": "Failed to resolve DID", - }) + return h.ErrJSON(c, fiber.StatusInternalServerError, "Failed to resolve DID") } - return c.Status(fiber.StatusOK).JSON(result) + return h.OkJSON(c, "success", result) } func (h *Handlers) CheckJWS(c *fiber.Ctx) error { @@ -35,16 +31,12 @@ func (h *Handlers) CheckJWS(c *fiber.Ctx) error { if err := c.BodyParser(&body); err != nil { klog.Errorf("Failed to parse request body: %v", err) - return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{ - "error": "Invalid request body format", - }) + return h.ErrJSON(c, fiber.StatusBadRequest, "Invalid request body format") } if body.JWS == "" { klog.Error("JWS is missing in request body") - return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{ - "error": "JWS is required in request body", - }) + return h.ErrJSON(c, fiber.StatusBadRequest, "JWS is required in request body") } if body.Duration == 0 { @@ -54,10 +46,8 @@ func (h *Handlers) CheckJWS(c *fiber.Ctx) error { result, err := jws.CheckJWS(body.JWS, body.Duration) if err != nil { klog.Errorf("Failed to check JWS: %v", err) - return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{ - "error": "Invalid JWS", - }) + return h.ErrJSON(c, fiber.StatusBadRequest, "Invalid JWS") } - return c.Status(fiber.StatusOK).JSON(result) + return h.OkJSON(c, "success", result) } 
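Review bot: In ResolveOlaresName the path parameter is written to the log with `%s` (`klog.Infof("Received olaresName: %s", olaresName)` and the `klog.Errorf` below it), so a value containing control characters could break up log lines, depending on how the router decodes the path. Quoting it closes that: `klog.Infof("Received olaresName: %q", olaresName)`. Separately, success responses in both handlers now go through `h.OkJSON(c, "success", result)`, which is defined outside this diff; if it wraps `result` in an envelope, existing clients of these two endpoints need the new shape documented.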
diff --git a/framework/app-service/.olares/config/cluster/deploy/appservice_deploy.yaml b/framework/app-service/.olares/config/cluster/deploy/appservice_deploy.yaml index 59f7f252f..bc4627814 100644 --- a/framework/app-service/.olares/config/cluster/deploy/appservice_deploy.yaml +++ b/framework/app-service/.olares/config/cluster/deploy/appservice_deploy.yaml @@ -170,7 +170,7 @@ spec: priorityClassName: "system-cluster-critical" containers: - name: app-service - image: beclab/app-service:0.3.79 + image: beclab/app-service:0.3.82 imagePullPolicy: IfNotPresent securityContext: runAsUser: 0 diff --git a/framework/authelia/.olares/config/user/helm-charts/auth/templates/provider.yaml b/framework/authelia/.olares/config/user/helm-charts/auth/templates/provider.yaml new file mode 100644 index 000000000..4be406cf9 --- /dev/null +++ b/framework/authelia/.olares/config/user/helm-charts/auth/templates/provider.yaml 
@@ -0,0 +1,48 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Values.bfl.username }}:authelia-frontend-svc + annotations: + provider-registry-ref: user-system-{{ .Values.bfl.username }}/authelia-backend-provider + provider-service-ref: authelia-backend.os-framework:9091 +rules: +- nonResourceURLs: ["*"] + verbs: ["*"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Values.bfl.username }}:authelia-frontend-domain + annotations: + provider-registry-ref: {{ .Values.bfl.username }}/auth + provider-service-ref: authelia-backend.os-framework:9091 +rules: +- nonResourceURLs: ["*"] + verbs: ["*"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: user:{{ .Values.bfl.username }}:authelia-frontend-svc +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.bfl.username }}:authelia-frontend-svc +subjects: +- kind: User + name: '{{ .Values.bfl.username }}' + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: user:{{ .Values.bfl.username }}:authelia-frontend-domain +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.bfl.username }}:authelia-frontend-domain +subjects: +- kind: User + name: '{{ .Values.bfl.username }}' \ No newline at end of file diff --git a/framework/bfl/.olares/config/launcher/templates/bfl_deploy.yaml b/framework/bfl/.olares/config/launcher/templates/bfl_deploy.yaml index b86d0e0fc..352310219 100644 --- a/framework/bfl/.olares/config/launcher/templates/bfl_deploy.yaml +++ b/framework/bfl/.olares/config/launcher/templates/bfl_deploy.yaml @@ -266,7 +266,7 @@ spec: containers: - name: api - image: beclab/bfl:v0.4.23 + image: beclab/bfl:v0.4.24 imagePullPolicy: IfNotPresent securityContext: runAsUser: 1000 
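Review bot: Both ClusterRoles in the new authelia provider.yaml use `nonResourceURLs: ["*"]` with `verbs: ["*"]` and are bound cluster-wide to `kind: User` `{{ .Values.bfl.username }}`. These are ordinary RBAC objects, so if that user name is also an identity the Kubernetes API server authenticates, the grant applies to the API server's own non-resource endpoints as well, not only to requests checked by the proxy. Listing the authelia paths the frontend actually calls, as the headscale and bfl roles in this commit do, would avoid that. The `kind: User` bindings in vault-provider.yaml deserve the same check.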
@@ -290,9 +290,9 @@ spec: port: 8080 env: - name: APP_SERVICE_SERVICE_HOST - value: app-service.os-framework + value: app-service.user-system-{{ .Values.bfl.username }} - name: APP_SERVICE_SERVICE_PORT - value: '6755' + value: '28080' - name: USER_DEFAULT_MEMORY_LIMIT value: '3G' - name: USER_DEFAULT_CPU_LIMIT @@ -301,12 +301,6 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - - name: OS_SYSTEM_SERVER - value: system-server.user-system-{{ .Values.bfl.username }} - - name: OS_APP_SECRET - value: {{ .Values.bfl.appSecret }} - - name: OS_APP_KEY - value: {{ .Values.bfl.appKey }} - name: BACKUP_SERVER value: backup-server.os-framework:8082 - name: L4_PROXY_IMAGE_VERSION @@ -327,7 +321,7 @@ spec: apiVersion: v1 fieldPath: spec.nodeName - name: ingress - image: beclab/bfl-ingress:v0.3.16 + image: beclab/bfl-ingress:v0.3.17 imagePullPolicy: IfNotPresent volumeMounts: - name: ngxlog 
@@ -395,94 +389,4 @@ spec: selector: tier: bfl ---- -apiVersion: sys.bytetrade.io/v1alpha1 -kind: ApplicationPermission -metadata: - name: bfl - namespace: user-system-{{ .Values.bfl.username }} -spec: - app: bfl - appid: bfl - key: {{ .Values.bfl.appKey }} - secret: {{ .Values.bfl.appSecret }} - permissions: - - dataType: event - group: message-disptahcer.system-server - ops: - - Create - version: v1 -status: - state: active ---- -apiVersion: sys.bytetrade.io/v1alpha1 -kind: ProviderRegistry -metadata: - name: bfl-app-provider - namespace: user-system-{{ .Values.bfl.username }} -spec: - dataType: app - deployment: bfl - description: app store provider - endpoint: bfl.{{ .Release.Namespace }} - group: service.bfl - kind: provider - namespace: {{ .Release.Namespace }} - opApis: - - name: InstallDevApp - uri: /bfl/app_store/v1alpha1/applications/installdev - - name: UserApps - uri: /bfl/backend/v1/myapps - version: v1 -status: - state: active - ---- -apiVersion: sys.bytetrade.io/v1alpha1 -kind: ProviderRegistry -metadata: - name: bfl-datastore-provider - namespace: user-system-{{ .Values.bfl.username }} -spec: - dataType: datastore - deployment: bfl - description: data store provider - endpoint: bfl.{{ .Release.Namespace }} - group: service.bfl - kind: provider - namespace: {{ .Release.Namespace }} - opApis: - - name: GetKey - uri: /bfl/datastore/v1alpha1/get - - name: GetKeyPrefix - uri: /bfl/datastore/v1alpha1/get/prefix - - name: SetKey - uri: /bfl/datastore/v1alpha1/put - - name: DeleteKey - uri: /bfl/datastore/v1alpha1/delete - version: v1 -status: - state: active - ---- -apiVersion: apr.bytetrade.io/v1alpha1 -kind: SysEventRegistry -metadata: - name: bfl-backup-new-cb - namespace: {{ .Release.Namespace }} -spec: - type: subscriber - event: backup.new - callback: http://bfl.{{ .Release.Namespace }}/bfl/callback/v1alpha1/backup/new - ---- -apiVersion: apr.bytetrade.io/v1alpha1 -kind: SysEventRegistry -metadata: - name: bfl-backup-finish-cb - namespace: {{ 
.Release.Namespace }} -spec: - type: subscriber - event: backup.finish - callback: http://bfl.{{ .Release.Namespace }}/bfl/callback/v1alpha1/backup/finish diff --git a/framework/bfl/.olares/config/launcher/templates/permission.yaml b/framework/bfl/.olares/config/launcher/templates/permission.yaml new file mode 100644 index 000000000..4670c62bb --- /dev/null +++ b/framework/bfl/.olares/config/launcher/templates/permission.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: backend:{{ .Values.bfl.username }}:bytetrade-controller:app-service-svc +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.bfl.username }}:app-service-provider-svc +subjects: +- kind: ServiceAccount + name: bytetrade-controller + namespace: {{ .Release.Namespace }} \ No newline at end of file diff --git a/framework/bfl/.olares/config/launcher/templates/provider.yaml b/framework/bfl/.olares/config/launcher/templates/provider.yaml new file mode 100644 index 000000000..e5449fbd0 --- /dev/null +++ b/framework/bfl/.olares/config/launcher/templates/provider.yaml 
@@ -0,0 +1,36 @@ +# --- +# apiVersion: sys.bytetrade.io/v1alpha1 +# kind: ProviderRegistry +# metadata: +# name: bfl-app-provider +# namespace: user-system-{{ .Values.bfl.username }} +# spec: +# dataType: app +# deployment: bfl +# description: app store provider +# endpoint: bfl.{{ .Release.Namespace }} +# group: service.bfl +# kind: provider +# namespace: {{ .Release.Namespace }} +# opApis: +# - name: InstallDevApp +# uri: /bfl/app_store/v1alpha1/applications/installdev +# - name: UserApps +# uri: /bfl/backend/v1/myapps +# version: v1 +# status: +# state: active + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Values.bfl.username }}:bfl-svc + annotations: + provider-registry-ref: user-system-{{ .Values.bfl.username }}/bfl + provider-service-ref: bfl.{{ .Release.Namespace }} +rules: +- nonResourceURLs: + - "/bfl/app_store/v1alpha1/applications/installdev" + - "/bfl/backend/v1/myapps" + verbs: ["*"] \ No newline at end of file diff --git a/framework/chart-repo/.olares/config/cluster/deploy/chart_repo_deploy.yaml b/framework/chart-repo/.olares/config/cluster/deploy/chart_repo_deploy.yaml index c24842880..bde8b3e59 100644 --- a/framework/chart-repo/.olares/config/cluster/deploy/chart_repo_deploy.yaml +++ b/framework/chart-repo/.olares/config/cluster/deploy/chart_repo_deploy.yaml @@ -119,7 +119,7 @@ spec: name: check-appservice containers: - name: chartrepo - image: beclab/dynamic-chart-repository:v0.1.9 + image: beclab/dynamic-chart-repository:v0.1.10 imagePullPolicy: IfNotPresent ports: - containerPort: 81 diff --git a/framework/headscale/.olares/config/user/helm-charts/headscale/templates/headscale_deploy.yaml b/framework/headscale/.olares/config/user/helm-charts/headscale/templates/headscale_deploy.yaml index 8be3f66f3..71928747f 100644 --- a/framework/headscale/.olares/config/user/helm-charts/headscale/templates/headscale_deploy.yaml 
+++ b/framework/headscale/.olares/config/user/helm-charts/headscale/templates/headscale_deploy.yaml @@ -370,39 +370,6 @@ spec: port: 9000 targetPort: 9000 ---- - -apiVersion: sys.bytetrade.io/v1alpha1 -kind: ProviderRegistry -metadata: - name: headscale-provider - namespace: user-system-{{ .Values.bfl.username }} -spec: - dataType: headscale - deployment: headscale - description: headscale provider - endpoint: headscale-server-svc.{{ .Release.Namespace }}:8000 - group: service.headscale - kind: provider - namespace: {{ .Release.Namespace }} - opApis: - - name: GetMachine - uri: /headscale/machine - - name: RenameMachine - uri: /headscale/machine/rename - - name: DeleteMachine - uri: /headscale/machine - - name: GetRoute - uri: /headscale/machine/routes - - name: EnableRoute - uri: /headscale/routes/enable - - name: DisableRoute - uri: /headscale/routes/disable - - name: SetTags - uri: /headscale/machine/tags - version: v1 -status: - state: active --- diff --git a/framework/headscale/.olares/config/user/helm-charts/headscale/templates/provider.yaml b/framework/headscale/.olares/config/user/helm-charts/headscale/templates/provider.yaml new file mode 100644 index 000000000..88d4a160a --- /dev/null +++ b/framework/headscale/.olares/config/user/helm-charts/headscale/templates/provider.yaml 
@@ -0,0 +1,51 @@ +# --- +# apiVersion: sys.bytetrade.io/v1alpha1 +# kind: ProviderRegistry +# metadata: +# name: headscale-provider +# namespace: user-system-{{ .Values.bfl.username }} +# spec: +# dataType: headscale +# deployment: headscale +# description: headscale provider +# endpoint: headscale-server-svc.{{ .Release.Namespace }}:8000 +# group: service.headscale +# kind: provider +# namespace: {{ .Release.Namespace }} +# opApis: +# - name: GetMachine +# uri: /headscale/machine +# - name: RenameMachine +# uri: /headscale/machine/rename +# - name: DeleteMachine +# uri: /headscale/machine +# - name: GetRoute +# uri: /headscale/machine/routes +# - name: EnableRoute +# uri: /headscale/routes/enable +# - name: DisableRoute +# uri: /headscale/routes/disable +# - name: SetTags +# uri: /headscale/machine/tags +# version: v1 +# status: +# state: active + + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Values.bfl.username }}:headscale-svc + annotations: + provider-registry-ref: user-system-{{ .Values.bfl.username }}/headscale + provider-service-ref: headscale-server-svc.{{ .Release.Namespace }}:8000 +rules: +- nonResourceURLs: + - "/headscale/machine" + - "/headscale/machine/rename" + - "/headscale/machine/routes" + - "/headscale/routes/enable" + - "/headscale/routes/disable" + - "/headscale/machine/tags" + verbs: ["*"] \ No newline at end of file diff --git a/framework/infisical/.olares/config/cluster/deploy/infisical_deploy.yaml b/framework/infisical/.olares/config/cluster/deploy/infisical_deploy.yaml index 15c8d2b32..a77600def 100644 --- a/framework/infisical/.olares/config/cluster/deploy/infisical_deploy.yaml +++ b/framework/infisical/.olares/config/cluster/deploy/infisical_deploy.yaml @@ -231,7 +231,7 @@ spec: subPath: nginx.conf - name: tapr-sidecar - image: beclab/secret-vault:0.1.12 + image: beclab/secret-vault:0.1.13 imagePullPolicy: IfNotPresent ports: - name: proxy 
diff --git a/framework/infisical/.olares/config/user/helm-charts/infisical/templates/infisical_deploy.yaml b/framework/infisical/.olares/config/user/helm-charts/infisical/templates/infisical_deploy.yaml index 3a9ffc1d6..84f897807 100644 --- a/framework/infisical/.olares/config/user/helm-charts/infisical/templates/infisical_deploy.yaml +++ b/framework/infisical/.olares/config/user/helm-charts/infisical/templates/infisical_deploy.yaml @@ -13,31 +13,3 @@ spec: protocol: TCP targetPort: 8080 ---- -apiVersion: sys.bytetrade.io/v1alpha1 -kind: ProviderRegistry -metadata: - name: secret-provider - namespace: user-system-{{ .Values.bfl.username }} -spec: - dataType: secret - deployment: infisical - description: infisical secret provider - endpoint: infisical-service.{{ .Release.Namespace }}:8080 - group: secret.infisical - kind: provider - namespace: {{ .Release.Namespace }} - opApis: - - name: CreateSecret - uri: /secret/create - - name: RetrieveSecret - uri: /secret/retrieve - - name: ListSecret - uri: /secret/list - - name: DeleteSecret - uri: /secret/delete - - name: UpdateSecret - uri: /secret/update - version: v1 -status: - state: active \ No newline at end of file diff --git a/framework/infisical/.olares/config/user/helm-charts/infisical/templates/provider.yaml b/framework/infisical/.olares/config/user/helm-charts/infisical/templates/provider.yaml new file mode 100644 index 000000000..88f28275c --- /dev/null +++ b/framework/infisical/.olares/config/user/helm-charts/infisical/templates/provider.yaml 
@@ -0,0 +1,64 @@ +# --- +# apiVersion: sys.bytetrade.io/v1alpha1 +# kind: ProviderRegistry +# metadata: +# name: secret-provider +# namespace: user-system-{{ .Values.bfl.username }} +# spec: +# dataType: secret +# deployment: infisical +# description: infisical secret provider +# endpoint: infisical-service.{{ .Release.Namespace }}:8080 +# group: secret.infisical +# kind: provider +# namespace: {{ .Release.Namespace }} +# opApis: +# - name: CreateSecret +# uri: /secret/create +# - name: RetrieveSecret +# uri: /secret/retrieve +# - name: ListSecret +# uri: /secret/list +# - name: DeleteSecret +# uri: /secret/delete +# - name: UpdateSecret +# uri: /secret/update +# version: v1 +# status: +# state: active + + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Values.bfl.username }}:secret-settings-provider-svc + annotations: + provider-registry-ref: user-system-{{ .Values.bfl.username }}/secret + provider-service-ref: infisical-service.{{ .Release.Namespace }}:8080 +rules: +- nonResourceURLs: + - /RetrieveSecret?workspace=settings + - /CreateSecret?workspace=settings + - /DeleteSecret?workspace=settings + - /UpdateSecret?workspace=settings + - /ListSecret?workspace=settings + verbs: ["*"] + + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Values.bfl.username }}:secret-dashboard-provider-svc + annotations: + provider-registry-ref: user-system-{{ .Values.bfl.username }}/secret + provider-service-ref: infisical-service.{{ .Release.Namespace }}:8080 +rules: +- nonResourceURLs: + - /RetrieveSecret?workspace=dashboard + - /CreateSecret?workspace=dashboard + - /DeleteSecret?workspace=dashboard + - /UpdateSecret?workspace=dashboard + - /ListSecret?workspace=dashboard + verbs: ["*"] diff --git a/framework/market/.olares/config/cluster/deploy/market_deploy.yaml b/framework/market/.olares/config/cluster/deploy/market_deploy.yaml index 624a0094d..8e4aaa6fc 100644 
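Review bot: The rules in the new infisical provider.yaml put a query string into the path, for example `/RetrieveSecret?workspace=settings`, so the workspace boundary depends on how the proxy turns a request into that string. The proxy code is not part of this hunk; it should build the string from a single canonical `workspace` value and reject requests where the parameter is missing or repeated, and the backend must read the same value. The entries also use operation names where the commented-out registry had URIs (`/secret/retrieve`), which deserves a comment above the rules, e.g. `# entries are <op name>?workspace=<workspace>, not request paths`.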
--- a/framework/market/.olares/config/cluster/deploy/market_deploy.yaml +++ b/framework/market/.olares/config/cluster/deploy/market_deploy.yaml @@ -99,7 +99,7 @@ spec: name: check-chart-repo containers: - name: appstore-backend - image: beclab/market-backend:v0.4.21 + image: beclab/market-backend:v0.4.23 imagePullPolicy: IfNotPresent ports: - containerPort: 81 diff --git a/framework/system-server/.olares/config/user/helm-charts/systemserver/templates/proxy.yaml b/framework/system-server/.olares/config/user/helm-charts/systemserver/templates/proxy.yaml new file mode 100644 index 000000000..10ed8725d --- /dev/null +++ b/framework/system-server/.olares/config/user/helm-charts/systemserver/templates/proxy.yaml 
@@ -0,0 +1,96 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: system-server
+ namespace: user-system-{{ .Values.bfl.username }}
+spec:
+ type: ClusterIP
+ selector:
+ app: systemserver
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: 80
+ name: api
+ - protocol: TCP
+ port: 28080
+ targetPort: 28080
+ name: proxy
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: secret
+ namespace: user-system-{{ .Values.bfl.username }}
+spec:
+ type: ClusterIP
+ selector:
+ app: systemserver
+ ports:
+ - protocol: TCP
+ port: 28080
+ targetPort: 28080
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: bfl
+ namespace: user-system-{{ .Values.bfl.username }}
+spec:
+ type: ClusterIP
+ selector:
+ app: systemserver
+ ports:
+ - protocol: TCP
+ port: 28080
+ targetPort: 28080
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: app-service
+ namespace: user-system-{{ .Values.bfl.username }}
+spec:
+ type: ClusterIP
+ selector:
+ app: systemserver
+ ports:
+ - protocol: TCP
+ port: 28080
+ targetPort: 28080
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: authelia-backend-provider
+ namespace: user-system-{{ .Values.bfl.username }}
+spec:
+ type: ClusterIP
+ selector:
+ app: systemserver
+ ports:
+ - protocol: TCP
+ port: 28080
+ targetPort: 28080
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: headscale
+ namespace: user-system-{{ .Values.bfl.username }}
+spec:
+ type: ClusterIP
+ selector:
+ app: systemserver
+ ports:
+ - protocol: TCP
+ port: 28080
+ targetPort: 28080
+
diff --git a/framework/system-server/.olares/config/user/helm-charts/systemserver/templates/systemserver_deploy.yaml b/framework/system-server/.olares/config/user/helm-charts/systemserver/templates/systemserver_deploy.yaml
index e527e08f3..88ec70325 100644
--- a/framework/system-server/.olares/config/user/helm-charts/systemserver/templates/systemserver_deploy.yaml
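Review bot: The five alias Services (`secret`, `bfl`, `app-service`, `authelia-backend-provider`, `headscale`) all select `app: systemserver` on port 28080, so nothing at the network layer distinguishes which backend a caller is addressing. If the proxy chooses the upstream from the requested host name, which this hunk does not show, that value is supplied by the caller, and the authorization decision has to rest on the caller's authenticated identity checked against the provider ClusterRoles rather than on the Service name that was dialled. A header comment would make the intent explicit, e.g. `# Alias Services: every name below resolves to the RBAC proxy on system-server:28080, which authorizes the caller before forwarding`. The single-port Services also leave the port unnamed while `system-server` calls it `proxy`; adding `name: proxy` to each would keep them consistent.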
+++ b/framework/system-server/.olares/config/user/helm-charts/systemserver/templates/systemserver_deploy.yaml @@ -21,6 +21,20 @@ subjects: namespace: user-system-{{ .Values.bfl.username }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: user-system-{{ .Values.bfl.username }}:bytetrade-sys-ops:rbac +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: rbac-proxy +subjects: +- kind: ServiceAccount + name: bytetrade-sys-ops + namespace: user-system-{{ .Values.bfl.username }} + --- apiVersion: apps/v1 kind: Deployment @@ -53,14 +67,14 @@ spec: priorityClassName: "system-cluster-critical" containers: - name: system-server - image: beclab/system-server:0.1.25 + image: beclab/system-server:0.1.26 imagePullPolicy: IfNotPresent ports: - containerPort: 80 command: - /system-server - -v - - "4" + - "6" env: - name: MY_NAMESPACE valueFrom: @@ -123,21 +137,6 @@ spec: - key: envoy.yaml path: envoy.yaml ---- -apiVersion: v1 -kind: Service -metadata: - name: system-server - namespace: user-system-{{ .Values.bfl.username }} -spec: - type: ClusterIP - selector: - app: systemserver - ports: - - protocol: TCP - port: 80 - targetPort: 80 - --- apiVersion: v1 data: diff --git a/platform/tapr/.olares/config/cluster/deploy/middleware_deploy.yaml b/platform/tapr/.olares/config/cluster/deploy/middleware_deploy.yaml index 6f38a0486..fc36e98d6 100644 --- a/platform/tapr/.olares/config/cluster/deploy/middleware_deploy.yaml +++ b/platform/tapr/.olares/config/cluster/deploy/middleware_deploy.yaml @@ -99,7 +99,7 @@ spec: - name: DISABLE_TELEMETRY value: "false" - name: operator-api - image: beclab/middleware-operator:0.2.13 + image: beclab/middleware-operator:0.2.14 imagePullPolicy: IfNotPresent ports: - containerPort: 9080
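Review bot: The added object is a ClusterRoleBinding, so whatever the `rbac-proxy` ClusterRole grants applies cluster-wide to the per-user `bytetrade-sys-ops` ServiceAccount, and that role is not defined in this hunk. If the proxy only needs it to validate caller tokens and run access checks, a comment saying so would let a reader confirm the role stays that narrow, e.g. `# rbac-proxy: review-API permissions for the RBAC proxy; keep free of resource verbs`. One such binding is created per user and it is cluster-scoped, so it is worth checking that removing the user's release also deletes it, since deleting the namespace alone would not.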
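Review bot: The `-v` argument rises from `"4"` to `"6"` in the same commit that routes the secret, auth and headscale providers through the pods selected by `app: systemserver`, presumably this Deployment, which makes debug-level logging the shipped default for a component on the authorization path. What system-server emits at that level is not visible here; if it includes request URLs, headers or bodies, bearer tokens and secret values could end up in pod logs. Unless the higher level is needed in production, I would keep `- "4"` and raise it only while debugging. The container spec continues outside the hunk.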