infisical: move namespace to os-protected (#1878)

* infisical: move namespace to os-protected

* fix: lint error

* fix: add namespace os-protected

* fix: middleware request user

* Update tapr-sidecar image version to 0.1.14

apps/.olares/config/user/helm-charts/system-apps/templates/infisical-provider.yaml

@@ -4,7 +4,7 @@ metadata:
   name: {{ .Values.bfl.username }}:infisical-frontend-svc
   annotations:
     provider-registry-ref: user-space-{{ .Values.bfl.username }}/infisical
-    provider-service-ref: infisical-service.os-framework:8080
+    provider-service-ref: infisical-service.os-protected:8080
 rules:
 - nonResourceURLs: ["/admin/*"]
   verbs: ["*"]
@@ -16,7 +16,7 @@ metadata:
   name: {{ .Values.bfl.username }}:infisical-frontend-domain
   annotations:
     provider-registry-ref: {{ .Values.bfl.username }}/settings
-    provider-service-ref: infisical-service.os-framework:8080
+    provider-service-ref: infisical-service.os-protected:8080
 rules:
 - nonResourceURLs: ["/admin/*"]
   verbs: ["*"]

build/base-package/wizard/config/settings/templates/system_namespace.yaml

@@ -29,4 +29,15 @@ metadata:
     kubesphere.io/workspace: system-workspace
   name: os-framework
 
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  annotations:
+    kubesphere.io/creator: '{{ .Values.user.name }}'
+  labels:
+    kubesphere.io/workspace: system-workspace
+  name: os-protected
+
+
 

framework/app-service/.olares/config/cluster/deploy/appservice_deploy.yaml

@@ -170,7 +170,7 @@ spec:
       priorityClassName: "system-cluster-critical"
       containers:
       - name: app-service
-        image: beclab/app-service:0.4.8
+        image: beclab/app-service:0.4.9
         imagePullPolicy: IfNotPresent
         securityContext:
           runAsUser: 0

framework/infisical/.olares/config/cluster/deploy/infisical_deploy.yaml

@@ -1,6 +1,7 @@
 
-{{- $postgres_secret := (lookup "v1" "Secret" .Release.Namespace "infisical-postgres") -}}
-{{- $backend_secret := (lookup "v1" "Secret" .Release.Namespace "infisical-backend") -}}
+{{- $namespace := "os-protected" -}}
+{{- $postgres_secret := (lookup "v1" "Secret" $namespace "infisical-postgres") -}}
+{{- $backend_secret := (lookup "v1" "Secret" $namespace "infisical-backend") -}}
 {{- $postgres_password := randAlphaNum 16 | b64enc -}}
 {{- $redis_password := randAlphaNum 16 | b64enc -}}
 ---
@@ -16,37 +17,37 @@ rules:
   - get
   - list
 metadata:
-  name: {{ .Release.Namespace }}:vault-role
+  name: {{ $namespace }}:vault-role
 
 ---
 kind: ServiceAccount
 apiVersion: v1
 metadata:
   name: infisical-sa
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ $namespace }}
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ .Release.Namespace }}:vault-rb
+  name: {{ $namespace }}:vault-rb
 subjects:
   - kind: ServiceAccount
-    namespace: {{ .Release.Namespace }} 
+    namespace: {{ $namespace }} 
     name: infisical-sa
 roleRef:
   kind: ClusterRole
-  name: {{ .Release.Namespace }}:vault-role
+  name: {{ $namespace }}:vault-role
   apiGroup: rbac.authorization.k8s.io
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ .Release.Namespace }}:vault-ro-user-rb
+  name: {{ $namespace }}:vault-ro-user-rb
 subjects:
   - kind: ServiceAccount
-    namespace: {{ .Release.Namespace }} 
+    namespace: {{ $namespace }} 
     name: infisical-sa
 roleRef:
   kind: ClusterRole
@@ -58,7 +59,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: infisical-postgres
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ $namespace }}
 type: Opaque
 
 {{ if $postgres_secret -}}
@@ -76,13 +77,13 @@ apiVersion: apr.bytetrade.io/v1alpha1
 kind: MiddlewareRequest
 metadata:
   name: infisical-postgres
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ $namespace }}
 spec:
   app: infisical
-  appNamespace: {{ .Release.Namespace }}
+  appNamespace: {{ $namespace }}
   middleware: postgres
   postgreSQL:
-    user: infisical_os_framework
+    user: infisical_os_protected
     password: 
       valueFrom:
         secretKeyRef:
@@ -96,10 +97,10 @@ apiVersion: apr.bytetrade.io/v1alpha1
 kind: MiddlewareRequest
 metadata:
   name: infisical-redis
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ $namespace }}
 spec:
   app: infisical
-  appNamespace: {{ .Release.Namespace }}
+  appNamespace: {{ $namespace }}
   middleware: redis
   redis:
     password:
@@ -114,7 +115,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: infisical-deployment
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ $namespace }}
   labels:
     app: infisical
     applications.app.bytetrade.io/author: bytetrade.io
@@ -148,14 +149,14 @@ spec:
           - name: PGPORT
             value: "5432"
           - name: PGUSER
-            value: infisical_os_framework
+            value: infisical_os_protected
           - name: PGPASSWORD
             valueFrom:
               secretKeyRef:
                 name: infisical-postgres
                 key: postgres-passwords
           - name: PGDB
-            value: os_framework_infisical
+            value: os_protected_infisical
       - name: "migration-init"
         image: "beclab/infisical:0.1.1"
         imagePullPolicy: IfNotPresent
@@ -171,10 +172,10 @@ spec:
               key: postgres-passwords
         
         - name: POSTGRES_USER
-          value: infisical_os_framework
+          value: infisical_os_protected
 
         - name: POSTGRES_DB
-          value: os_framework_infisical
+          value: os_protected_infisical
 
         - name: DB_CONNECTION_URI
           value: "postgres://$(POSTGRES_USER):$(POSTGRES_PASSWORD)@citus-0.citus-headless.os-platform/$(POSTGRES_DB)?sslmode=disable"
@@ -201,12 +202,11 @@ spec:
               key: postgres-passwords
         
         - name: POSTGRES_USER
-          value: infisical_os_framework
+          value: infisical_os_protected
 
         - name: POSTGRES_DB
-          value: os_framework_infisical
+          value: os_protected_infisical
 
-        
         - name: DB_CONNECTION_URI
           value: "postgres://$(POSTGRES_USER):$(POSTGRES_PASSWORD)@citus-0.citus-headless.os-platform/$(POSTGRES_DB)?sslmode=disable"
 
@@ -231,7 +231,7 @@ spec:
           subPath: nginx.conf
 
       - name: tapr-sidecar
-        image: beclab/secret-vault:0.1.13
+        image: beclab/secret-vault:0.1.14
         imagePullPolicy: IfNotPresent
         ports:
         - name: proxy
@@ -240,9 +240,9 @@ spec:
         - name: INFISICAL_URL
           value: http://localhost:4000
         - name: PG_USER
-          value: infisical_os_framework
+          value: infisical_os_protected
         - name: PG_DB
-          value: os_framework_infisical
+          value: os_protected_infisical
         - name: PG_ADDR
           value: citus-0.citus-headless.os-platform
         - name: PASSWORD
@@ -265,7 +265,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: infisical-service
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ $namespace }}
 spec:
   selector:
     app: infisical
@@ -288,7 +288,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: infisical-backend
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ $namespace }}
 type: Opaque
 {{ if $backend_secret -}}
 data:
@@ -334,7 +334,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: infisical-frontend
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ $namespace }}
 type: Opaque
 stringData:
   SITE_URL: "infisical.local"
@@ -344,7 +344,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: infisical-nginx-conf
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ $namespace }}
 data:
   nginx.conf: |
     worker_processes 2;
@@ -393,19 +393,19 @@ apiVersion: apr.bytetrade.io/v1alpha1
 kind: SysEventRegistry
 metadata:
   name: infisical-user-create-cb
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ $namespace }}
 spec:
   type: subscriber
   event: user.create
-  callback: http://infisical-service.{{ .Release.Namespace }}:8080/user/create
+  callback: http://infisical-service.{{ $namespace }}:8080/user/create
 
 ---
 apiVersion: apr.bytetrade.io/v1alpha1
 kind: SysEventRegistry
 metadata:
   name: infisical-user-delete-cb
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ $namespace }}
 spec:
   type: subscriber
   event: user.delete
-  callback: http://infisical-service.{{ .Release.Namespace }}:8080/user/delete
+  callback: http://infisical-service.{{ $namespace }}:8080/user/delete

framework/infisical/.olares/config/user/helm-charts/infisical/templates/provider.yaml

@@ -35,7 +35,7 @@ metadata:
   name: {{ .Values.bfl.username }}:secret-settings-provider-svc
   annotations:
     provider-registry-ref: user-system-{{ .Values.bfl.username }}/secret
-    provider-service-ref: infisical-service.os-framework:8080
+    provider-service-ref: infisical-service.os-protected:8080
 rules:
 - nonResourceURLs: 
   - /RetrieveSecret?workspace=settings
@@ -53,7 +53,7 @@ metadata:
   name: {{ .Values.bfl.username }}:secret-dashboard-provider-svc
   annotations:
     provider-registry-ref: user-system-{{ .Values.bfl.username }}/secret
-    provider-service-ref: infisical-service.os-framework:8080
+    provider-service-ref: infisical-service.os-protected:8080
 rules:
 - nonResourceURLs: 
   - /RetrieveSecret?workspace=dashboard

framework/system-server/.olares/config/user/helm-charts/systemserver/templates/systemserver_deploy.yaml

@@ -369,7 +369,7 @@ data:
                   - endpoint:
                       address:
                         socket_address:
-                          address: infisical-service.os-framework.svc.cluster.local
+                          address: infisical-service.os-protected.svc.cluster.local
                           port_value: 8080
         - name: cluster_vault_proxy
           connect_timeout: 30s