system-server: add RBAC permissions for media server and hami services (#1922)

* feat: add RBAC permissions for media server and hami services; update proxy services

* chore: update app-service image version to 0.4.19

apps/.olares/config/user/helm-charts/system-apps/templates/files-permission.yaml

@@ -11,3 +11,17 @@ subjects:
 - kind: ServiceAccount
   name: system-frontend
   namespace: {{ .Release.Namespace }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: backend:{{ .Values.bfl.username }}:system-frontend:media-server-svc
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.bfl.username }}:media-server-svc
+subjects:
+- kind: ServiceAccount
+  name: system-frontend
+  namespace: {{ .Release.Namespace }}

apps/.olares/config/user/helm-charts/system-apps/templates/files-provider.yaml

@@ -50,8 +50,21 @@ rules:
   - "/provider/update_search_folder_paths"
   - "/provider/get_dataset_folder_status"
   - "/provider/update_dataset_folder_paths"
+  - "/seahub/api/*"
   verbs: ["*"]
 
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.bfl.username }}:media-server-svc
+  annotations:
+    provider-registry-ref: user-system-{{ .Values.bfl.username }}/media-server-service
+    provider-service-ref: media-server-service.os-framework:9090
+rules:
+- nonResourceURLs: 
+  - "/System/Configuration/encoding"
+  verbs: ["*"]
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1

apps/.olares/config/user/helm-charts/system-apps/templates/hami-permission.yaml

@@ -0,0 +1,27 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: backend:{{ .Values.bfl.username }}:system-frontend:hami-scheduler-svc
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.bfl.username }}:hami-scheduler-svc
+subjects:
+- kind: ServiceAccount
+  name: system-frontend
+  namespace: {{ .Release.Namespace }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: backend:{{ .Values.bfl.username }}:system-frontend:hami-webui-svc
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.bfl.username }}:hami-webui-svc
+subjects:
+- kind: ServiceAccount
+  name: system-frontend
+  namespace: {{ .Release.Namespace }}

apps/.olares/config/user/helm-charts/system-apps/templates/hami-provider.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.bfl.username }}:hami-scheduler-svc
+  annotations:
+    provider-registry-ref: user-system-{{ .Values.bfl.username }}/hami-scheduler
+    provider-service-ref: hami-scheduler.kube-system:80
+rules:
+- nonResourceURLs: 
+  - "/gpus"
+  verbs: ["*"]
+
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.bfl.username }}:hami-webui-svc
+  annotations:
+    provider-registry-ref: user-system-{{ .Values.bfl.username }}/hami-webui
+    provider-service-ref: hami-webui.kube-system:3000
+rules:
+- nonResourceURLs: 
+  - "/api/vgpu/v1/*"
+  verbs: ["*"]  

apps/.olares/config/user/helm-charts/system-apps/templates/search-permission.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: backend:{{ .Values.bfl.username }}:search-provider-svc
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.bfl.username }}:search-provider-svc
+subjects:
+- kind: ServiceAccount
+  name: system-frontend
+  namespace: {{ .Release.Namespace }}

apps/.olares/config/user/helm-charts/system-apps/templates/search-provider.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.bfl.username }}:search-provider-svc
+  annotations:
+    provider-registry-ref: user-system-{{ .Values.bfl.username }}/search3
+    provider-service-ref: search3.os-framework:80
+rules:
+- nonResourceURLs: 
+  - "/document/search"
+  verbs: ["*"]

framework/app-service/.olares/config/cluster/deploy/appservice_deploy.yaml

@@ -170,7 +170,7 @@ spec:
       priorityClassName: "system-cluster-critical"
       containers:
       - name: app-service
-        image: beclab/app-service:0.4.18
+        image: beclab/app-service:0.4.19
         imagePullPolicy: IfNotPresent
         securityContext:
           runAsUser: 0

framework/bfl/.olares/config/launcher/templates/bfl_deploy.yaml

@@ -319,6 +319,9 @@ spec:
       - name: ingress
         image: beclab/bfl-ingress:v0.3.22
         imagePullPolicy: IfNotPresent
+        env:
+        - name: AUTHELIA_AUTH_URL
+          value: 'http://authelia-backend-provider.user-system-{{ .Values.bfl.username }}:28080/api/authz/auth-request'
         volumeMounts:
         - name: ngxlog
           mountPath: /var/log/nginx

framework/system-server/.olares/config/user/helm-charts/systemserver/templates/proxy.yaml

@@ -109,3 +109,63 @@ spec:
       port: 28080
       targetPort: 28080
 
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: hami-webui
+  namespace: user-system-{{ .Values.bfl.username }}
+spec:
+  type: ClusterIP
+  selector:
+    app: systemserver
+  ports:
+    - protocol: TCP
+      port: 28080
+      targetPort: 28080
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: hami-scheduler
+  namespace: user-system-{{ .Values.bfl.username }}
+spec:
+  type: ClusterIP
+  selector:
+    app: systemserver
+  ports:
+    - protocol: TCP
+      port: 28080
+      targetPort: 28080
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name:  media-server-service
+  namespace: user-system-{{ .Values.bfl.username }}
+spec:
+  type: ClusterIP
+  selector:
+    app: systemserver
+  ports:
+    - protocol: TCP
+      port: 28080
+      targetPort: 28080
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name:  search3
+  namespace: user-system-{{ .Values.bfl.username }}
+spec:
+  type: ClusterIP
+  selector:
+    app: systemserver
+  ports:
+    - protocol: TCP
+      port: 28080
+      targetPort: 28080