feat: all tailscale use tun interface (#1391)

* feat: all tailscale use tun interface * remove host subnet route * adjust tun naming rules * feat: files-server batch_delete (#1409) * feat: files-server batch_delete * feat: files-server delete all for search3 * tapr: bump postgresql and citus version & optimize middleware api (#1410) * fix: fix movedto event error (#1411) Co-authored-by: Ubuntu <ubuntu@localhost.localdomain> * feat: add user index and inject * feat(desktop & login): update desktop refresh token feat(user-service): update ws config --------- Co-authored-by: 0x7fffff92 <0x7fffff92@example.com> Co-authored-by: eball <liuy102@hotmail.com> Co-authored-by: lovehunter9 <39935488+lovehunter9@users.noreply.github.com> Co-authored-by: salt <bleachzou2@163.com> Co-authored-by: Ubuntu <ubuntu@localhost.localdomain> Co-authored-by: hys <hysyeah@gmail.com> Co-authored-by: qq815776412 <815776412@qq.com>
2026-05-23 16:58:26 +00:00 · 2025-06-07 00:48:09 +08:00 · 2025-06-07 00:48:09 +08:00 · cffa3bb1cc
commit cffa3bb1cc
parent 4781090e29
9 changed files with 233 additions and 43 deletions
--- a/apps/.olares/config/user/helm-charts/system-apps/templates/system-frontend.yaml
+++ b/apps/.olares/config/user/helm-charts/system-apps/templates/system-frontend.yaml
@ -471,7 +471,7 @@ spec:
            - mountPath: /www
              name: www-dir
        - name: edge-desktop-init
-          image: beclab/desktop:v1.3.70
+          image: beclab/desktop:v1.3.72
          imagePullPolicy: IfNotPresent
          command:
            - /bin/sh
@ -611,22 +611,9 @@ spec:
                  key: nats_password
                  name: user-service-nats-secret
            - name: NATS_SUBJECT_USER_APPS
-              value: terminus.user.*.{{ .Values.bfl.username}}
-        - name: terminus-ws-sidecar
-          image: 'beclab/ws-gateway:v1.0.5'
-          imagePullPolicy: IfNotPresent
-          command:
-            - /ws-gateway
-          env:
-            - name: WS_PORT
-              value: '3010'
-            - name: WS_URL
-              value: /websocket/message
-          resources: {}
-          terminationMessagePath: /dev/termination-log
-          terminationMessagePolicy: File
+              value: terminus.user.vault.{{ .Values.bfl.username}}
        - name: user-service
-          image: beclab/user-service:v0.0.10
+          image: beclab/user-service:v0.0.11
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 3000
@ -736,7 +723,7 @@ spec:
            path: '{{ .Values.userspace.userData }}'
        - name: terminus-sidecar-config
          configMap:
-            name: sidecar-ws-configs
+            name: user-service-sidecar-ws-configs
            items:
              - key: envoy.yaml
                path: envoy.yaml
@ -939,10 +926,10 @@ spec:
            perm:
              - pub
              - sub
-      - appName: user-files
-        appNamespace: "user.{{ .Values.bfl.username }}"
+      - appName: user-service
+        appNamespace: user
        subjects:
-          - name: files
+          - name: "files.*"
            perm:
              - pub
              - sub
@ -1986,6 +1973,195 @@ metadata:
  name: sidecar-ws-configs
  namespace: {{ .Release.Namespace }}
 ---
+apiVersion: v1
+data:
+  envoy.yaml: |
+    admin:
+      access_log_path: "/dev/stdout"
+      address:
+        socket_address:
+          address: 0.0.0.0
+          port_value: 15000
+    static_resources:
+      listeners:
+      - name: listener_0
+        address:
+          socket_address:
+            address: 0.0.0.0
+            port_value: 15003
+        listener_filters:
+          - name: envoy.filters.listener.original_dst
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.listener.original_dst.v3.OriginalDst
+        filter_chains:
+          - filters:
+              - name: envoy.filters.network.http_connection_manager
+                typed_config:
+                  "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+                  stat_prefix: desktop_http
+                  upgrade_configs:
+                  - upgrade_type: websocket      
+                  - upgrade_type: tailscale-control-protocol            
+                  skip_xff_append: false
+                  max_request_headers_kb: 500
+                  codec_type: AUTO
+                  route_config:
+                    name: local_route
+                    virtual_hosts:
+                      - name: service
+                        domains: ["*"]
+                        routes:
+                          - match:
+                              prefix: "/ws"
+                            route:
+                              cluster: ws_original_dst
+                          - match:
+                              prefix: "/"
+                            route:
+                              cluster: original_dst
+                              timeout: 180s
+                  http_protocol_options:
+                    accept_http_10: true
+                  http_filters:
+                  - name: envoy.filters.http.ext_authz
+                    typed_config:
+                      "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
+                      http_service:
+                        path_prefix: '/api/verify/'
+                        server_uri:
+                          uri: authelia-backend.os-system:9091
+                          cluster: authelia
+                          timeout: 2s
+                        authorization_request:
+                          allowed_headers:
+                            patterns:
+                              - exact: accept
+                              - exact: cookie
+                              - exact: proxy-authorization
+                              - prefix: x-unauth-
+                              - exact: x-authorization
+                              - exact: x-bfl-user
+                              - exact: x-real-ip
+                              - exact: terminus-nonce
+                          headers_to_add:
+                            - key: X-Forwarded-Method
+                              value: '%REQ(:METHOD)%'
+                            - key: X-Forwarded-Proto
+                              value: '%REQ(:SCHEME)%'
+                            - key: X-Forwarded-Host
+                              value: '%REQ(:AUTHORITY)%'
+                            - key: X-Forwarded-Uri
+                              value: '%REQ(:PATH)%'
+                            - key: X-Forwarded-For
+                              value: '%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%'
+                        authorization_response:
+                          allowed_upstream_headers:
+                            patterns:
+                              - exact: authorization
+                              - exact: proxy-authorization
+                              - prefix: remote-
+                              - prefix: authelia-
+                          allowed_client_headers:
+                            patterns:
+                              - exact: set-cookie
+                          allowed_client_headers_on_success:
+                            patterns:
+                              - exact: set-cookie
+                      failure_mode_allow: false                      
+                  - name: envoy.filters.http.router
+                    typed_config:
+                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+
+      - name: listener_image
+        address:
+          socket_address:
+            address: 127.0.0.1
+            port_value: 15080
+        filter_chains:
+          - filters:
+              - name: envoy.filters.network.http_connection_manager
+                typed_config:
+                  "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+                  stat_prefix: tapr_http
+                  http_protocol_options:
+                    accept_http_10: true
+                  upgrade_configs:
+                  - upgrade_type: websocket                  
+                  skip_xff_append: false
+                  codec_type: AUTO
+                  route_config:
+                    name: local_route
+                    virtual_hosts:
+                      - name: service
+                        domains: ["*"]
+                        routes:
+                          - match:
+                              prefix: "/images/upload"
+                            route:
+                              cluster: images
+                  http_filters:
+                  - name: envoy.filters.http.router
+                    typed_config:
+                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+        
+        
+      clusters:
+      - name: original_dst
+        connect_timeout: 5000s
+        type: ORIGINAL_DST
+        lb_policy: CLUSTER_PROVIDED
+        common_http_protocol_options:
+          idle_timeout: 10s
+      - name: ws_original_dst
+        connect_timeout: 5000s
+        type: LOGICAL_DNS
+        dns_lookup_family: V4_ONLY
+        dns_refresh_rate: 600s
+        lb_policy: ROUND_ROBIN
+        load_assignment:
+          cluster_name: ws_original_dst
+          endpoints:
+            - lb_endpoints:
+                - endpoint:
+                    address:
+                      socket_address:
+                        address: localhost
+                        port_value: 3100
+      - name: authelia
+        connect_timeout: 2s
+        type: LOGICAL_DNS
+        dns_lookup_family: V4_ONLY
+        dns_refresh_rate: 600s
+        lb_policy: ROUND_ROBIN
+        load_assignment:
+          cluster_name: authelia
+          endpoints:
+            - lb_endpoints:
+                - endpoint:
+                    address:
+                      socket_address:
+                        address: authelia-backend.os-system
+                        port_value: 9091
+      - name: images
+        connect_timeout: 5s
+        type: LOGICAL_DNS
+        dns_lookup_family: V4_ONLY
+        dns_refresh_rate: 600s
+        lb_policy: ROUND_ROBIN
+        load_assignment:
+          cluster_name: images
+          endpoints:
+            - lb_endpoints:
+                - endpoint:
+                    address:
+                      socket_address:
+                        address: tapr-images-svc.user-system-{{ .Values.bfl.username }}
+                        port_value: 8080
+kind: ConfigMap
+metadata:
+  name: user-service-sidecar-ws-configs
+  namespace: {{ .Release.Namespace }}
+---
 kind: ConfigMap
 apiVersion: v1
 metadata:
@ -2094,7 +2270,7 @@ data:
      }

      location /ws {
-        proxy_pass http://127.0.0.1:40010;
+        proxy_pass http://127.0.0.1:3100;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
@ -2569,7 +2745,7 @@ data:
        }

        location /ws {
-          proxy_pass http://127.0.0.1:40010;
+          proxy_pass http://127.0.0.1:3100;
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
@ -2780,7 +2956,7 @@ data:
      }

      location /ws {
-        proxy_pass http://127.0.0.1:40010;
+        proxy_pass http://127.0.0.1:3100;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
@ -3212,7 +3388,7 @@ data:
            add_header X-Frame-Options SAMEORIGIN;
        }
        location /ws {
-            proxy_pass http://127.0.0.1:40010;
+            proxy_pass http://127.0.0.1:3100;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
@ -3381,7 +3557,7 @@ data:
            proxy_send_timeout 60s;
        }
        location /ws {
-            proxy_pass http://127.0.0.1:40010;
+            proxy_pass http://127.0.0.1:3100;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
@ -3414,7 +3590,10 @@ spec:
          - appName: files-server
            sub: allow
            pub: allow
-        name: "*."
+          - appName: files-frontend
+            sub: allow
+            pub: allow
+        name: "files.*"
        permission:
          pub: allow
          sub: allow
--- a/cli/pkg/kubesphere/plugins/files/build/ks-core/templates/ks-apiserver.yml
+++ b/cli/pkg/kubesphere/plugins/files/build/ks-core/templates/ks-apiserver.yml
@ -32,7 +32,7 @@ spec:
      - command:
        - ks-apiserver
        - --logtostderr=true
-        image: beclab/ks-apiserver:0.0.15
+        image: beclab/ks-apiserver:0.0.16
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        name: ks-apiserver
        ports:
--- a/cli/pkg/kubesphere/plugins/files/build/ks-core/templates/ks-controller-manager.yaml
+++ b/cli/pkg/kubesphere/plugins/files/build/ks-core/templates/ks-controller-manager.yaml
@ -35,7 +35,7 @@ spec:
        - controller-manager
        - --logtostderr=true
        - --leader-elect=false
-        image: beclab/ks-controller-manager:0.0.15
+        image: beclab/ks-controller-manager:0.0.16
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        name: ks-controller-manager
        ports:
--- a/framework/app-service/.olares/config/cluster/deploy/appservice_deploy.yaml
+++ b/framework/app-service/.olares/config/cluster/deploy/appservice_deploy.yaml
@ -162,7 +162,7 @@ spec:
      priorityClassName: "system-cluster-critical"
      containers:
      - name: app-service
-        image: beclab/app-service:0.3.38
+        image: beclab/app-service:0.3.40
        imagePullPolicy: IfNotPresent
        securityContext:
          runAsUser: 0
--- a/framework/authelia/.olares/config/user/helm-charts/auth/templates/auth_deploy.yaml
+++ b/framework/authelia/.olares/config/user/helm-charts/auth/templates/auth_deploy.yaml
@ -28,7 +28,7 @@ spec:
        name: check-auth
      containers:
      - name: auth-front
-        image: beclab/login:v1.3.64
+        image: beclab/login:v1.3.72
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
--- a/framework/headscale/.olares/config/user/helm-charts/headscale/templates/headscale_deploy.yaml
+++ b/framework/headscale/.olares/config/user/helm-charts/headscale/templates/headscale_deploy.yaml
@ -110,7 +110,7 @@ spec:
        - |
          chown -R 1000:1000 /headscale 
      - name: init
-        image: beclab/headscale-init:v0.1.10
+        image: beclab/headscale-init:v0.1.11
        imagePullPolicy: IfNotPresent
        securityContext:
          privileged: true
@ -131,6 +131,8 @@ spec:
          value: "{{ $pg_password | b64dec }}"
        - name: PG_DB
          value: user_space_{{ .Values.bfl.username }}_headscale
+        - name: USER_SUBNET
+          value: {{ .Values.tailscaleUserSubnet | default "100.64.0.0/20" }}
        volumeMounts:
        - name: config
          mountPath: /etc/headscale
@ -175,7 +177,7 @@ spec:
              command:
                - "sh"
                - "-xc"
-                - "(date; for i in `seq 1 600`; do if ! test -S /var/run/headscale.sock; then echo wait-headscale.sock-1s; sleep 1; else break; fi; done; headscale apikeys create -e 3650d > /etc/headscale/apikey; headscale users create default; headscale preauthkeys create -e 3650d -u default > /etc/headscale/preauthkey; if ! test -s /etc/headscale/apikey; then echo apikey-empty; exit 1; fi; if ! test -s /etc/headscale/preauthkey; then echo preauthkey-empty; exit 1; fi) >> /tmp/headscale.log 2>&1"
+                - "(date; for i in `seq 1 600`; do if ! test -S /var/run/headscale.sock; then echo wait-headscale.sock-1s; sleep 1; else break; fi; done; headscale apikeys create -e 3650d > /etc/headscale/apikey; headscale users create default; headscale preauthkeys create -e 3650d --reusable -u default > /etc/headscale/preauthkey; if ! test -s /etc/headscale/apikey; then echo apikey-empty; exit 1; fi; if ! test -s /etc/headscale/preauthkey; then echo preauthkey-empty; exit 1; fi) >> /tmp/headscale.log 2>&1"
        volumeMounts:
        - name: config
          mountPath: /etc/headscale
@ -279,22 +281,29 @@ spec:
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP
+        {{- if eq $role "platform-admin" }}
+        - name: TS_DEBUG_FIREWALL_MODE
+          value: nftables
+        {{- end }}
        - name: TS_SOCKET
          value: "/var/run/tailscale/tailscaled.sock"
        - name: TS_STATE_DIR
          value: "/var/lib/tailscale/"
        - name: TS_TAILSCALED_EXTRA_ARGS
-          value: "--no-logs-no-support  --verbose=1"
+          value: >-
+            --no-logs-no-support
+            --verbose=1
+            --tun=tailscale0{{ if ne $role "platform-admin" }}$(USER_INDEX){{ end }}
        - name: TS_ROUTES
-          value: $(NODE_IP)/32
+          value: $(COREDNS_SVC)/32
        - name: TS_EXTRA_ARGS
-          value: "--login-server http://headscale-server-svc:8080"
-        {{- if eq $role "platform-admin" }}
+          value: >-
+            --login-server http://headscale-server-svc:8080
+            --netfilter-mode {{ if eq $role "platform-admin" }}on{{ else }}off{{ end }}
        - name: TS_USERSPACE
          value: "false"
-        - name: TS_DEBUG_FIREWALL_MODE
-          value: nftables
-        {{- end }}
+        - name: USER_INDEX
+          value: {{ .Values.tailscaleUserIndex | default "0" | quote }}
        - name: TS_KUBE_SECRET
      volumes:
      - name: config
@ -383,7 +392,9 @@ data:
  acl.json: |
    {
      "acls":[
+        { "action": "accept", "src": ["*"], "proto": "tcp", "dst": ["*:80"] },
        { "action": "accept", "src": ["*"], "proto": "tcp", "dst": ["*:443"] },
+        { "action": "accept", "src": ["*"], "proto": "tcp", "dst": ["*:18088"] },
        { "action": "accept", "src": ["*"], "proto": "udp", "dst": ["*:53"] }
      ],
      "autoApprovers": {
--- a/framework/tapr/.olares/config/cluster/deploy/lldap-deployment.yaml
+++ b/framework/tapr/.olares/config/cluster/deploy/lldap-deployment.yaml
@ -174,7 +174,7 @@ spec:
            - name: NATS_SUBJECT_SYSTEM_GROUPS
              value: "terminus.{{ .Release.Namespace }}.system.groups"

-          image: beclab/lldap:0.0.2
+          image: beclab/lldap:0.0.3
          imagePullPolicy: IfNotPresent
          name: lldap
          ports:
--- a/framework/tapr/.olares/config/cluster/deploy/middleware_deploy.yaml
+++ b/framework/tapr/.olares/config/cluster/deploy/middleware_deploy.yaml
@ -99,7 +99,7 @@ spec:
        - name: DISABLE_TELEMETRY
          value: "false"
      - name: operator-api
-        image: beclab/middleware-operator:0.2.7
+        image: beclab/middleware-operator:0.2.8
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 9080
--- a/infrastructure/kubesphere/.olares/Olares.yaml
+++ b/infrastructure/kubesphere/.olares/Olares.yaml
@ -3,9 +3,9 @@ target: prebuilt
 output:
  containers:
    - 
-      name: beclab/ks-apiserver:0.0.15
+      name: beclab/ks-apiserver:0.0.16
    - 
-      name: beclab/ks-controller-manager:0.0.15
+      name: beclab/ks-controller-manager:0.0.16
    -
      name: kubesphere/kubectl:v1.22.0