From 5c668d622e38d2d1138f125e8609628965699651 Mon Sep 17 00:00:00 2001
From: eball
Date: Sat, 27 Sep 2025 01:04:11 +0800
Subject: [PATCH] infisical: move namespace to os-protected (#1878)
* infisical: move namespace to os-protected
* fix: lint error
* fix: add namespace os-protected
* fix: middleware request user
* Update tapr-sidecar image version to 0.1.14
---
.../templates/infisical-provider.yaml | 4 +-
.../settings/templates/system_namespace.yaml | 11 +++
.../cluster/deploy/appservice_deploy.yaml | 2 +-
.../cluster/deploy/infisical_deploy.yaml | 68 +++++++++----------
.../infisical/templates/provider.yaml | 4 +-
.../templates/systemserver_deploy.yaml | 2 +-
6 files changed, 51 insertions(+), 40 deletions(-)
diff --git a/apps/.olares/config/user/helm-charts/system-apps/templates/infisical-provider.yaml b/apps/.olares/config/user/helm-charts/system-apps/templates/infisical-provider.yaml
index 08530fd36..3ebb20bd6 100644
--- a/apps/.olares/config/user/helm-charts/system-apps/templates/infisical-provider.yaml
+++ b/apps/.olares/config/user/helm-charts/system-apps/templates/infisical-provider.yaml
@@ -4,7 +4,7 @@ metadata:
name: {{ .Values.bfl.username }}:infisical-frontend-svc annotations: provider-registry-ref: user-space-{{ .Values.bfl.username }}/infisical
- provider-service-ref: infisical-service.os-framework:8080
+ provider-service-ref: infisical-service.os-protected:8080
rules: - nonResourceURLs: ["/admin/*"] verbs: ["*"]
@@ -16,7 +16,7 @@ metadata:
name: {{ .Values.bfl.username }}:infisical-frontend-domain annotations: provider-registry-ref: {{ .Values.bfl.username }}/settings
- provider-service-ref: infisical-service.os-framework:8080
+ provider-service-ref: infisical-service.os-protected:8080
rules: - nonResourceURLs: ["/admin/*"] verbs: ["*"]
diff --git a/build/base-package/wizard/config/settings/templates/system_namespace.yaml b/build/base-package/wizard/config/settings/templates/system_namespace.yaml
index 3b64dbd88..43d0f996a 100644
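Review bot: `infisical-service.os-protected:8080` is written out as a literal in both hunks of this file, and the same address, or the namespace it embeds, recurs in provider.yaml and systemserver_deploy.yaml and as the `$namespace` literal in infisical_deploy.yaml elsewhere in this patch, so the four places that must agree are held together by nothing but grep. These templates already read `.Values.bfl.username`, so the namespace could come from one values key (name to be chosen) and the annotation be written as `provider-service-ref: infisical-service.{{ .Values.<vault-namespace-key> }}:8080`, with the sibling files using the same key. Until then a one-line comment above each annotation, `# must match the namespace used in framework/infisical/.olares/config/cluster/deploy/infisical_deploy.yaml`, at least tells the next editor where the other copies are.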
--- a/build/base-package/wizard/config/settings/templates/system_namespace.yaml
+++ b/build/base-package/wizard/config/settings/templates/system_namespace.yaml
@@ -29,4 +29,15 @@ metadata:
kubesphere.io/workspace: system-workspace name: os-framework
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ annotations:
+ kubesphere.io/creator: '{{ .Values.user.name }}'
+ labels:
+ kubesphere.io/workspace: system-workspace
+ name: os-protected
+
+
diff --git a/framework/app-service/.olares/config/cluster/deploy/appservice_deploy.yaml b/framework/app-service/.olares/config/cluster/deploy/appservice_deploy.yaml
index 9e3826206..e512dc647 100644
--- a/framework/app-service/.olares/config/cluster/deploy/appservice_deploy.yaml
+++ b/framework/app-service/.olares/config/cluster/deploy/appservice_deploy.yaml
@@ -170,7 +170,7 @@ spec:
priorityClassName: "system-cluster-critical" containers: - name: app-service
- image: beclab/app-service:0.4.8
+ image: beclab/app-service:0.4.9
imagePullPolicy: IfNotPresent securityContext: runAsUser: 0
diff --git a/framework/infisical/.olares/config/cluster/deploy/infisical_deploy.yaml b/framework/infisical/.olares/config/cluster/deploy/infisical_deploy.yaml
index a77600def..992a4353e 100644
--- a/framework/infisical/.olares/config/cluster/deploy/infisical_deploy.yaml
+++ b/framework/infisical/.olares/config/cluster/deploy/infisical_deploy.yaml
@@ -1,6 +1,7 @@
-{{- $postgres_secret := (lookup "v1" "Secret" .Release.Namespace "infisical-postgres") -}}
-{{- $backend_secret := (lookup "v1" "Secret" .Release.Namespace "infisical-backend") -}}
+{{- $namespace := "os-protected" -}}
+{{- $postgres_secret := (lookup "v1" "Secret" $namespace "infisical-postgres") -}}
+{{- $backend_secret := (lookup "v1" "Secret" $namespace "infisical-backend") -}}
{{- $postgres_password := randAlphaNum 16 | b64enc -}} {{- $redis_password := randAlphaNum 16 | b64enc -}} ---
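Review bot: The `os-protected` document added at the end of this file differs from the `os-framework` one before it only in its name, so the file gives no hint of what is meant to be protected here or by what; a comment above the added `---`, such as `# os-protected: namespace for the Infisical secret vault (framework/infisical/.olares/config/cluster/deploy/infisical_deploy.yaml)`, would record that. Nothing in this patch attaches any further label, NetworkPolicy or RBAC scope to the namespace, so the isolation the name promises presumably comes from policy defined elsewhere; that is worth confirming explicitly, because the vault's `infisical-postgres`, `infisical-backend` and `infisical-frontend` Secrets are moved into it by this same change. The hunk also ends with two added blank lines (`+` `+`), which yamllint's empty-lines rule flags at end of file; one trailing newline is enough.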
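Review bot: `$namespace` is a literal, and after this hunk `.Release.Namespace` is no longer consulted anywhere in the template, so the namespace the chart is installed into is silently ignored and every object, including both `lookup` calls, is pinned to `os-protected`. The namespace itself is created by a different chart (system_namespace.yaml in this patch), so install order now matters and a reader of this file cannot see that; a leading comment would make the contract explicit: `{{- /* All objects are placed in os-protected rather than .Release.Namespace; the namespace is created by build/base-package/wizard/config/settings/templates/system_namespace.yaml */ -}}`. The `lookup` calls also now read Secrets in a namespace other than the release's, which needs the installing identity to have read access there; if a lookup comes back empty for that reason, the `{{ if $postgres_secret -}}` branch further down would presumably fall through to the freshly generated `$postgres_password`, which is worth checking rather than assuming.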
@@ -16,37 +17,37 @@ rules: - get - list metadata:
- name: {{ .Release.Namespace }}:vault-role
+ name: {{ $namespace }}:vault-role
--- kind: ServiceAccount apiVersion: v1 metadata: name: infisical-sa
- namespace: {{ .Release.Namespace }}
+ namespace: {{ $namespace }}
--- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata:
- name: {{ .Release.Namespace }}:vault-rb
+ name: {{ $namespace }}:vault-rb
subjects: - kind: ServiceAccount
- namespace: {{ .Release.Namespace }}
+ namespace: {{ $namespace }}
name: infisical-sa roleRef: kind: ClusterRole
- name: {{ .Release.Namespace }}:vault-role
+ name: {{ $namespace }}:vault-role
apiGroup: rbac.authorization.k8s.io --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata:
- name: {{ .Release.Namespace }}:vault-ro-user-rb
+ name: {{ $namespace }}:vault-ro-user-rb
subjects: - kind: ServiceAccount
- namespace: {{ .Release.Namespace }}
+ namespace: {{ $namespace }}
name: infisical-sa roleRef: kind: ClusterRole
@@ -58,7 +59,7 @@ apiVersion: v1
kind: Secret metadata: name: infisical-postgres
- namespace: {{ .Release.Namespace }}
+ namespace: {{ $namespace }}
type: Opaque {{ if $postgres_secret -}}
@@ -76,13 +77,13 @@ apiVersion: apr.bytetrade.io/v1alpha1
kind: MiddlewareRequest metadata: name: infisical-postgres
- namespace: {{ .Release.Namespace }}
+ namespace: {{ $namespace }}
spec: app: infisical
- appNamespace: {{ .Release.Namespace }}
+ appNamespace: {{ $namespace }}
middleware: postgres postgreSQL:
- user: infisical_os_framework
+ user: infisical_os_protected
password: valueFrom: secretKeyRef:
@@ -96,10 +97,10 @@ apiVersion: apr.bytetrade.io/v1alpha1
kind: MiddlewareRequest metadata: name: infisical-redis
- namespace: {{ .Release.Namespace }}
+ namespace: {{ $namespace }}
spec: app: infisical
- appNamespace: {{ .Release.Namespace }}
+ appNamespace: {{ $namespace }}
middleware: redis redis: password:
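Review bot: The cluster-scoped objects are renamed from `os-framework:vault-role`, `os-framework:vault-rb` and `os-framework:vault-ro-user-rb` to their `os-protected:` counterparts rather than changed in place, so whether the old ClusterRole and ClusterRoleBindings are removed depends on how these manifests are applied, which this patch does not show (a Helm upgrade of the same release would prune them; a plain apply would leave them). Leftover ClusterRoleBindings that still name the `infisical-sa` subject in `os-framework` are easy to overlook later and keep the old grant alive if that ServiceAccount is ever recreated; a cleanup step for the three old names, or a sentence in the description saying the installer prunes them, would close that. The ClusterRole whose `rules` open this hunk starts above it, and the role that `vault-ro-user-rb` refers to is named below it.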
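Review bot: Changing `user` to `infisical_os_protected` here, together with PGUSER/PGDB, POSTGRES_USER/POSTGRES_DB and PG_USER/PG_DB becoming `infisical_os_protected` / `os_protected_infisical` in the @@ -148, @@ -171, @@ -201 and @@ -240 hunks of this file, points an upgraded Infisical at a new role and a new database; nothing in this patch moves what is stored in `os_framework_infisical` (the vault contents, plus whatever the `/user/create` callback has written) into `os_protected_infisical`. The commit message's "fix: middleware request user" suggests the operator derives the role from `app` and `appNamespace`, which would make the rename unavoidable, but the data migration still has to happen somewhere; the description should say where, or state that this is a fresh-install-only change. The MiddlewareRequest continues below the hunk (`password.valueFrom.secretKeyRef` is cut off).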
@@ -114,7 +115,7 @@ apiVersion: apps/v1
kind: Deployment metadata: name: infisical-deployment
- namespace: {{ .Release.Namespace }}
+ namespace: {{ $namespace }}
labels: app: infisical applications.app.bytetrade.io/author: bytetrade.io
@@ -148,14 +149,14 @@ spec: - name: PGPORT value: "5432" - name: PGUSER - value: infisical_os_framework + value: infisical_os_protected - name: PGPASSWORD valueFrom: secretKeyRef: name: infisical-postgres key: postgres-passwords - name: PGDB - value: os_framework_infisical + value: os_protected_infisical - name: "migration-init" image: "beclab/infisical:0.1.1" imagePullPolicy: IfNotPresent
@@ -171,10 +172,10 @@ spec:
key: postgres-passwords - name: POSTGRES_USER - value: infisical_os_framework + value: infisical_os_protected - name: POSTGRES_DB - value: os_framework_infisical + value: os_protected_infisical - name: DB_CONNECTION_URI value: "postgres://$(POSTGRES_USER):$(POSTGRES_PASSWORD)@citus-0.citus-headless.os-platform/$(POSTGRES_DB)?sslmode=disable"
@@ -201,12 +202,11 @@ spec:
key: postgres-passwords - name: POSTGRES_USER - value: infisical_os_framework + value: infisical_os_protected - name: POSTGRES_DB - value: os_framework_infisical + value: os_protected_infisical - - name: DB_CONNECTION_URI value: "postgres://$(POSTGRES_USER):$(POSTGRES_PASSWORD)@citus-0.citus-headless.os-platform/$(POSTGRES_DB)?sslmode=disable"
@@ -231,7 +231,7 @@ spec:
subPath: nginx.conf - name: tapr-sidecar
- image: beclab/secret-vault:0.1.13
+ image: beclab/secret-vault:0.1.14
imagePullPolicy: IfNotPresent ports: - name: proxy
@@ -240,9 +240,9 @@ spec: - name: INFISICAL_URL value: http://localhost:4000 - name: PG_USER - value: infisical_os_framework + value: infisical_os_protected - name: PG_DB - value: os_framework_infisical + value: os_protected_infisical - name: PG_ADDR value: citus-0.citus-headless.os-platform - name: PASSWORD
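Review bot: The role and database names are literals in PGUSER/PGDB in the @@ -148 hunk and again in the @@ -171, @@ -201 and @@ -240 hunks, and once more as `user:` in the postgres MiddlewareRequest above, even though the namespace they are derived from is already held in `$namespace`; this patch's own history ("fix: middleware request user") shows how easily one copy is missed. Deriving them at each site, `value: infisical_{{ $namespace | replace "-" "_" }}` and `value: {{ $namespace | replace "-" "_" }}_infisical` (sprig `replace`), renders to the same strings today and leaves one place to change next time. The container specs these env entries belong to start above and continue below their hunks, and the `$namespace` definition is at the top of the file.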
@@ -265,7 +265,7 @@ apiVersion: v1
kind: Service metadata: name: infisical-service
- namespace: {{ .Release.Namespace }}
+ namespace: {{ $namespace }}
spec: selector: app: infisical
@@ -288,7 +288,7 @@ apiVersion: v1
kind: Secret metadata: name: infisical-backend
- namespace: {{ .Release.Namespace }}
+ namespace: {{ $namespace }}
type: Opaque {{ if $backend_secret -}} data:
@@ -334,7 +334,7 @@ apiVersion: v1
kind: Secret metadata: name: infisical-frontend
- namespace: {{ .Release.Namespace }}
+ namespace: {{ $namespace }}
type: Opaque stringData: SITE_URL: "infisical.local"
@@ -344,7 +344,7 @@ apiVersion: v1
kind: ConfigMap metadata: name: infisical-nginx-conf
- namespace: {{ .Release.Namespace }}
+ namespace: {{ $namespace }}
data: nginx.conf: | worker_processes 2;
@@ -393,19 +393,19 @@ apiVersion: apr.bytetrade.io/v1alpha1
kind: SysEventRegistry metadata: name: infisical-user-create-cb
- namespace: {{ .Release.Namespace }}
+ namespace: {{ $namespace }}
spec: type: subscriber event: user.create
- callback: http://infisical-service.{{ .Release.Namespace }}:8080/user/create
+ callback: http://infisical-service.{{ $namespace }}:8080/user/create
--- apiVersion: apr.bytetrade.io/v1alpha1 kind: SysEventRegistry metadata: name: infisical-user-delete-cb
- namespace: {{ .Release.Namespace }}
+ namespace: {{ $namespace }}
spec: type: subscriber event: user.delete
- callback: http://infisical-service.{{ .Release.Namespace }}:8080/user/delete
+ callback: http://infisical-service.{{ $namespace }}:8080/user/delete
diff --git a/framework/infisical/.olares/config/user/helm-charts/infisical/templates/provider.yaml b/framework/infisical/.olares/config/user/helm-charts/infisical/templates/provider.yaml
index 7a688aa19..194341ee7 100644
--- a/framework/infisical/.olares/config/user/helm-charts/infisical/templates/provider.yaml
+++ b/framework/infisical/.olares/config/user/helm-charts/infisical/templates/provider.yaml
@@ -35,7 +35,7 @@ metadata:
name: {{ .Values.bfl.username }}:secret-settings-provider-svc annotations: provider-registry-ref: user-system-{{ .Values.bfl.username }}/secret
- provider-service-ref: infisical-service.os-framework:8080
+ provider-service-ref: infisical-service.os-protected:8080
rules: - nonResourceURLs: - /RetrieveSecret?workspace=settings
@@ -53,7 +53,7 @@ metadata:
name: {{ .Values.bfl.username }}:secret-dashboard-provider-svc annotations: provider-registry-ref: user-system-{{ .Values.bfl.username }}/secret
- provider-service-ref: infisical-service.os-framework:8080
+ provider-service-ref: infisical-service.os-protected:8080
rules: - nonResourceURLs: - /RetrieveSecret?workspace=dashboard
diff --git a/framework/system-server/.olares/config/user/helm-charts/systemserver/templates/systemserver_deploy.yaml b/framework/system-server/.olares/config/user/helm-charts/systemserver/templates/systemserver_deploy.yaml
index e86683cc8..4b66490d9 100644
--- a/framework/system-server/.olares/config/user/helm-charts/systemserver/templates/systemserver_deploy.yaml
+++ b/framework/system-server/.olares/config/user/helm-charts/systemserver/templates/systemserver_deploy.yaml
@@ -369,7 +369,7 @@ data: - endpoint: address: socket_address:
- address: infisical-service.os-framework.svc.cluster.local
+ address: infisical-service.os-protected.svc.cluster.local
port_value: 8080 - name: cluster_vault_proxy connect_timeout: 30s