From aa79d97dc64909ad375ec845b0578990dd4c87b2 Mon Sep 17 00:00:00 2001
From: aby913
Date: Sat, 18 Oct 2025 14:21:58 +0800
Subject: [PATCH] feat(integration): integration server (#1948)
---
.../cluster/deploy/integration_deploy.yaml | 143 ++++++++++++++++++
.../config/cluster/deploy/provider.yaml | 24 +++
framework/integration/README.md | 0
3 files changed, 167 insertions(+)
create mode 100644 framework/integration/.olares/config/cluster/deploy/integration_deploy.yaml
create mode 100644 framework/integration/.olares/config/cluster/deploy/provider.yaml
create mode 100644 framework/integration/README.md
diff --git a/framework/integration/.olares/config/cluster/deploy/integration_deploy.yaml b/framework/integration/.olares/config/cluster/deploy/integration_deploy.yaml
new file mode 100644
index 000000000..5d3d859be
--- /dev/null
+++ b/framework/integration/.olares/config/cluster/deploy/integration_deploy.yaml
@@ -0,0 +1,143 @@
+{{- $namespace := "os-protected" -}}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: integration
+ applications.app.bytetrade.io/author: bytetrade.io
+ name: integration
+ namespace: {{ $namespace }}
+spec:
+ progressDeadlineSeconds: 600
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ app: integration
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ creationTimestamp: null
+ labels:
+ app: integration
+ io.bytetrade.app: "true"
+ provider: "true"
+ spec:
+ containers:
+ - name: provider-proxy
+ image: beclab/provider-proxy:0.1.0
+ imagePullPolicy: IfNotPresent
+ args:
+ - --logtostderr
+ - --insecure-listen-address=:28080
+ - --upstream=http://127.0.0.1:8090/
+ ports:
+ - containerPort: 28080
+ resources:
+ requests:
+ cpu: 10m
+ memory: 200Mi
+ limits:
+ cpu: "500m"
+ memory: 350Mi
+ - image: beclab/integration-server:0.0.1
+ imagePullPolicy: IfNotPresent
+ name: integration
+ env:
+ - name: DEBUG
+ value: "true"
+ ports:
+ - containerPort: 8090
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /ping
+ port: 8090
+ scheme: HTTP
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources: {}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ dnsPolicy: ClusterFirst
+ priorityClassName: system-cluster-critical
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ securityContext: {}
+ serviceAccount: infisical-sa
+ serviceAccountName: infisical-sa
+ terminationGracePeriodSeconds: 30
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: integration-provider-svc
+ namespace: {{ $namespace }}
+spec:
+ type: ClusterIP
+ selector:
+ app: integration
+ ports:
+ - name: server
+ protocol: TCP
+ port: 28080
+ targetPort: 28080
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: backend:protected:integration-provider
+rules:
+ - apiGroups:
+ - "*"
+ resources:
+ - 
 clusterrolebindings
+ - clusterroles
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "*"
+ resources:
+ - tokenreviews
+ - subjectaccessreviews
+ verbs:
+ - create
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: backend:{{ $namespace }}:integration-provider
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: backend:protected:integration-provider
+subjects:
+ - kind: ServiceAccount
+ name: infisical-sa
+ namespace: {{ $namespace }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: backend:{{ $namespace }}:integration-provider-svc
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: backend:integration-provider-svc-account
+subjects:
+ - kind: ServiceAccount
+ name: os-internal
+ namespace: os-framework
+
diff --git a/framework/integration/.olares/config/cluster/deploy/provider.yaml b/framework/integration/.olares/config/cluster/deploy/provider.yaml
new file mode 100644
index 000000000..0311a65d7
--- /dev/null
+++ b/framework/integration/.olares/config/cluster/deploy/provider.yaml
@@ -0,0 +1,24 @@
+{{- $namespace := "os-protected" -}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: backend:integration-provider-svc-account
+ annotations:
+ provider-registry-ref: {{ $namespace }}/integration-provider-svc
+ provider-service-ref: integration-provider-svc.{{ $namespace }}:28080
+rules:
+ - nonResourceURLs: ["/api/account/*"]
+ verbs: ["*"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: backend:integration-provider-svc-cookie
+ annotations:
+ provider-registry-ref: {{ $namespace }}/integration-provider-svc
+ provider-service-ref: integration-provider-svc.{{ $namespace }}:28080
+rules:
+ - nonResourceURLs: ["/api/cookie/*"]
+ verbs: ["*"]
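Review bot: The ClusterRole `backend:protected:integration-provider` sets `apiGroups: "*"` on both rules, although every listed resource belongs to one known API group; naming the groups keeps the grant from extending to a same-named resource served by an aggregated or CRD group. The binding gives this role to `infisical-sa`, which by its name looks shared with another workload, so either confirm that everything running under that account should read cluster RBAC objects and create token and access reviews, or give the integration pod its own ServiceAccount. In the Deployment, the `integration` container ships with `DEBUG: "true"` and `resources: {}`, and what appears to be the pod-level `securityContext: {}` is empty, all on a `system-cluster-critical` pod; I would drop the debug flag, set requests and limits, and add `runAsNonRoot: true` and `allowPrivilegeEscalation: false` unless the image needs otherwise. `--insecure-listen-address=:28080` means whatever credentials callers present reach the proxy over plain HTTP through the ClusterIP Service, so a comment stating what protects that hop would help. A narrowed rule set is below.

```yaml
rules:
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterrolebindings", "clusterroles"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["authentication.k8s.io"]
    resources: ["tokenreviews"]
    verbs: ["create"]
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]
```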
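Review bot: Both provider ClusterRoles grant `verbs: ["*"]` on their `nonResourceURLs` (`/api/account/*` and `/api/cookie/*`), which allows every HTTP method, including delete, on paths that by their names handle account and cookie data. Listing only the methods the callers use, for example `verbs: ["get", "post"]`, would keep the grant reviewable; which methods are actually needed is not visible in this commit. `backend:integration-provider-svc-account` is bound to `os-internal` in integration_deploy.yaml, but no binding for `backend:integration-provider-svc-cookie` appears here, so a short comment such as `# bound by <consumer> at install time` on that role would tell the next reader who is expected to hold it.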
diff --git a/framework/integration/README.md b/framework/integration/README.md
new file mode 100644
index 000000000..e69de29bb