From cffa3bb1cc07acb610c0dc770820e2d289c3fa66 Mon Sep 17 00:00:00 2001 From: 0x7fffff92 <40755502+0x7fffff92@users.noreply.github.com> Date: Sat, 7 Jun 2025 00:48:09 +0800 Subject: [PATCH] feat: all tailscale use tun interface (#1391) * feat: all tailscale use tun interface * remove host subnet route * adjust tun naming rules * feat: files-server batch_delete (#1409) * feat: files-server batch_delete * feat: files-server delete all for search3 * tapr: bump postgresql and citus version & optimize middleware api (#1410) * fix: fix movedto event error (#1411) Co-authored-by: Ubuntu * feat: add user index and inject * feat(desktop & login): update desktop refresh token feat(user-service): update ws config --------- Co-authored-by: 0x7fffff92 <0x7fffff92@example.com> Co-authored-by: eball Co-authored-by: lovehunter9 <39935488+lovehunter9@users.noreply.github.com> Co-authored-by: salt Co-authored-by: Ubuntu Co-authored-by: hys Co-authored-by: qq815776412 <815776412@qq.com> --- .../templates/system-frontend.yaml | 231 ++++++++++++++++-- .../build/ks-core/templates/ks-apiserver.yml | 2 +- .../templates/ks-controller-manager.yaml | 2 +- .../cluster/deploy/appservice_deploy.yaml | 2 +- .../auth/templates/auth_deploy.yaml | 2 +- .../headscale/templates/headscale_deploy.yaml | 29 ++- .../cluster/deploy/lldap-deployment.yaml | 2 +- .../cluster/deploy/middleware_deploy.yaml | 2 +- infrastructure/kubesphere/.olares/Olares.yaml | 4 +- 9 files changed, 233 insertions(+), 43 deletions(-) diff --git a/apps/.olares/config/user/helm-charts/system-apps/templates/system-frontend.yaml b/apps/.olares/config/user/helm-charts/system-apps/templates/system-frontend.yaml index 2fa146783..4fd872076 100644 --- a/apps/.olares/config/user/helm-charts/system-apps/templates/system-frontend.yaml +++ b/apps/.olares/config/user/helm-charts/system-apps/templates/system-frontend.yaml 
@@ -471,7 +471,7 @@ spec: - mountPath: /www name: www-dir - name: edge-desktop-init - image: beclab/desktop:v1.3.70 + image: beclab/desktop:v1.3.72 imagePullPolicy: IfNotPresent command: - /bin/sh @@ -611,22 +611,9 @@ spec: key: nats_password name: user-service-nats-secret - name: NATS_SUBJECT_USER_APPS - value: terminus.user.*.{{ .Values.bfl.username}} - - name: terminus-ws-sidecar - image: 'beclab/ws-gateway:v1.0.5' - imagePullPolicy: IfNotPresent - command: - - /ws-gateway - env: - - name: WS_PORT - value: '3010' - - name: WS_URL - value: /websocket/message - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File + value: terminus.user.vault.{{ .Values.bfl.username}} - name: user-service - image: beclab/user-service:v0.0.10 + image: beclab/user-service:v0.0.11 imagePullPolicy: IfNotPresent ports: - containerPort: 3000 @@ -736,7 +723,7 @@ spec: path: '{{ .Values.userspace.userData }}' - name: terminus-sidecar-config configMap: - name: sidecar-ws-configs + name: user-service-sidecar-ws-configs items: - key: envoy.yaml path: envoy.yaml @@ -939,10 +926,10 @@ spec: perm: - pub - sub - - appName: user-files - appNamespace: "user.{{ .Values.bfl.username }}" + - appName: user-service + appNamespace: user subjects: - - name: files + - name: "files.*" perm: - pub - sub 
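Review bot: The terminus-ws-sidecar container (ws-gateway, WS_PORT 3010) is dropped in the -611 hunk, but nothing in the hunk shows what now listens on 127.0.0.1:3100, which the new Envoy `ws_original_dst` cluster and the five nginx `location /ws` hunks later in this file (-2094, -2569, -2780, -3212, -3381, all `proxy_pass http://127.0.0.1:3100`) now target; the only visible user-service port is `containerPort: 3000`. If user-service:v0.0.11 serves the websocket endpoint itself, add `- containerPort: 3100` next to the existing port (or a comment naming the listener) so the dependency is visible in the manifest. The narrowing of `NATS_SUBJECT_USER_APPS` from `terminus.user.*.{{ .Values.bfl.username}}` to `terminus.user.vault.{{ .Values.bfl.username}}` is a behaviour change that deserves a line in the commit description. The enclosing container spec starts and ends outside the hunk.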
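Review bot: In the -939 hunk the NATS grant moves from a per-user entry (`appNamespace: "user.{{ .Values.bfl.username }}"`, subject `files`) to `appName: user-service` / `appNamespace: user` with `"files.*"` pub and sub; the bare `user` namespace is no longer templated per user, so if this chart is rendered once per user every instance now declares the same principal. Confirm that is intended and, if `user` is a literal namespace rather than a placeholder, quote it like the other string values in this list. A comment such as `# user-service publishes and consumes every files.* subject for this user` above the entry would record why the single subject became a wildcard. The subjects list begins above the hunk.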
@@ -1986,6 +1973,195 @@ metadata: name: sidecar-ws-configs namespace: {{ .Release.Namespace }} --- +apiVersion: v1 +data: + envoy.yaml: | + admin: + access_log_path: "/dev/stdout" + address: + socket_address: + address: 0.0.0.0 + port_value: 15000 + static_resources: + listeners: + - name: listener_0 + address: + socket_address: + address: 0.0.0.0 + port_value: 15003 + listener_filters: + - name: envoy.filters.listener.original_dst + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.listener.original_dst.v3.OriginalDst + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: desktop_http + upgrade_configs: + - upgrade_type: websocket + - upgrade_type: tailscale-control-protocol + skip_xff_append: false + max_request_headers_kb: 500 + codec_type: AUTO + route_config: + name: local_route + virtual_hosts: + - name: service + domains: ["*"] + routes: + - match: + prefix: "/ws" + route: + cluster: ws_original_dst + - match: + prefix: "/" + route: + cluster: original_dst + timeout: 180s + http_protocol_options: + accept_http_10: true + http_filters: + - name: envoy.filters.http.ext_authz + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz + http_service: + path_prefix: '/api/verify/' + server_uri: + uri: authelia-backend.os-system:9091 + cluster: authelia + timeout: 2s + authorization_request: + allowed_headers: + patterns: + - exact: accept + - exact: cookie + - exact: proxy-authorization + - prefix: x-unauth- + - exact: x-authorization + - exact: x-bfl-user + - exact: x-real-ip + - exact: terminus-nonce + headers_to_add: + - key: X-Forwarded-Method + value: '%REQ(:METHOD)%' + - key: X-Forwarded-Proto + value: '%REQ(:SCHEME)%' + - key: X-Forwarded-Host + value: '%REQ(:AUTHORITY)%' + - key: X-Forwarded-Uri + value: '%REQ(:PATH)%' + - 
key: X-Forwarded-For + value: '%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%' + authorization_response: + allowed_upstream_headers: + patterns: + - exact: authorization + - exact: proxy-authorization + - prefix: remote- + - prefix: authelia- + allowed_client_headers: + patterns: + - exact: set-cookie + allowed_client_headers_on_success: + patterns: + - exact: set-cookie + failure_mode_allow: false + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + + - name: listener_image + address: + socket_address: + address: 127.0.0.1 + port_value: 15080 + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: tapr_http + http_protocol_options: + accept_http_10: true + upgrade_configs: + - upgrade_type: websocket + skip_xff_append: false + codec_type: AUTO + route_config: + name: local_route + virtual_hosts: + - name: service + domains: ["*"] + routes: + - match: + prefix: "/images/upload" + route: + cluster: images + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + + + clusters: + - name: original_dst + connect_timeout: 5000s + type: ORIGINAL_DST + lb_policy: CLUSTER_PROVIDED + common_http_protocol_options: + idle_timeout: 10s + - name: ws_original_dst + connect_timeout: 5000s + type: LOGICAL_DNS + dns_lookup_family: V4_ONLY + dns_refresh_rate: 600s + lb_policy: ROUND_ROBIN + load_assignment: + cluster_name: ws_original_dst + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: localhost + port_value: 3100 + - name: authelia + connect_timeout: 2s + type: LOGICAL_DNS + dns_lookup_family: V4_ONLY + dns_refresh_rate: 600s + lb_policy: ROUND_ROBIN + load_assignment: + cluster_name: authelia + endpoints: + - 
lb_endpoints: + - endpoint: + address: + socket_address: + address: authelia-backend.os-system + port_value: 9091 + - name: images + connect_timeout: 5s + type: LOGICAL_DNS + dns_lookup_family: V4_ONLY + dns_refresh_rate: 600s + lb_policy: ROUND_ROBIN + load_assignment: + cluster_name: images + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: tapr-images-svc.user-system-{{ .Values.bfl.username }} + port_value: 8080 +kind: ConfigMap +metadata: + name: user-service-sidecar-ws-configs + namespace: {{ .Release.Namespace }} +--- kind: ConfigMap apiVersion: v1 metadata: @@ -2094,7 +2270,7 @@ data: } location /ws { - proxy_pass http://127.0.0.1:40010; + proxy_pass http://127.0.0.1:3100; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; @@ -2569,7 +2745,7 @@ data: } location /ws { - proxy_pass http://127.0.0.1:40010; + proxy_pass http://127.0.0.1:3100; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; @@ -2780,7 +2956,7 @@ data: } location /ws { - proxy_pass http://127.0.0.1:40010; + proxy_pass http://127.0.0.1:3100; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; @@ -3212,7 +3388,7 @@ data: add_header X-Frame-Options SAMEORIGIN; } location /ws { - proxy_pass http://127.0.0.1:40010; + proxy_pass http://127.0.0.1:3100; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; @@ -3381,7 +3557,7 @@ data: proxy_send_timeout 60s; } location /ws { - proxy_pass http://127.0.0.1:40010; + proxy_pass http://127.0.0.1:3100; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; @@ -3414,7 +3590,10 @@ spec: - appName: files-server sub: allow pub: allow - name: "*." + - appName: files-frontend + sub: allow + pub: allow + name: "files.*" permission: pub: allow sub: allow 
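Review bot: In the new `user-service-sidecar-ws-configs` ConfigMap, `listener_image` (127.0.0.1:15080) forwards `/images/upload` to the `images` cluster with only the router filter, whereas `listener_0` runs `ext_authz` against authelia with `failure_mode_allow: false`; the upload path is therefore unauthenticated at this sidecar and relies solely on the loopback bind. If that is deliberate, add `# no ext_authz: loopback-only, caller was already authorized on listener_0` above the listener so a later copy of the filter chain does not silently change the trust boundary. If this data block was derived from the existing `sidecar-ws-configs` ConfigMap (named just above the hunk, content not shown), a comment naming what differs — the `ws_original_dst` endpoint on port 3100 is the obvious candidate — would help keep the two in step. `connect_timeout: 5000s` on `original_dst` and `ws_original_dst` reads like a placeholder; either state why a connect timeout of over an hour is wanted or align it with the `5s` used for the `images` cluster.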
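Review bot: In the -3414 hunk the removed `name: "*."` line appears, from the collapsed hunk, to belong to the `files-server` entry; if so that entry now carries `sub`/`pub` but no subject name, and only the new `files-frontend` entry names `"files.*"`. Confirm whether files-server still needs an explicit subject, and note that granting `pub: allow` on `files.*` to a frontend is broader than a consumer normally needs — either drop `pub` if the frontend only subscribes, or add a comment stating what it publishes. The enclosing list starts above the hunk.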
diff --git a/cli/pkg/kubesphere/plugins/files/build/ks-core/templates/ks-apiserver.yml b/cli/pkg/kubesphere/plugins/files/build/ks-core/templates/ks-apiserver.yml index 1c98e151d..faa96d140 100644 --- a/cli/pkg/kubesphere/plugins/files/build/ks-core/templates/ks-apiserver.yml +++ b/cli/pkg/kubesphere/plugins/files/build/ks-core/templates/ks-apiserver.yml @@ -32,7 +32,7 @@ spec: - command: - ks-apiserver - --logtostderr=true - image: beclab/ks-apiserver:0.0.15 + image: beclab/ks-apiserver:0.0.16 imagePullPolicy: {{ .Values.image.pullPolicy }} name: ks-apiserver ports: diff --git a/cli/pkg/kubesphere/plugins/files/build/ks-core/templates/ks-controller-manager.yaml b/cli/pkg/kubesphere/plugins/files/build/ks-core/templates/ks-controller-manager.yaml index 89751cd81..d511dcc8b 100644 --- a/cli/pkg/kubesphere/plugins/files/build/ks-core/templates/ks-controller-manager.yaml +++ b/cli/pkg/kubesphere/plugins/files/build/ks-core/templates/ks-controller-manager.yaml @@ -35,7 +35,7 @@ spec: - controller-manager - --logtostderr=true - --leader-elect=false - image: beclab/ks-controller-manager:0.0.15 + image: beclab/ks-controller-manager:0.0.16 imagePullPolicy: {{ .Values.image.pullPolicy }} name: ks-controller-manager ports: diff --git a/framework/app-service/.olares/config/cluster/deploy/appservice_deploy.yaml b/framework/app-service/.olares/config/cluster/deploy/appservice_deploy.yaml index 5d471a56d..92c3ed130 100644 --- a/framework/app-service/.olares/config/cluster/deploy/appservice_deploy.yaml +++ b/framework/app-service/.olares/config/cluster/deploy/appservice_deploy.yaml @@ -162,7 +162,7 @@ spec: priorityClassName: "system-cluster-critical" containers: - name: app-service - image: beclab/app-service:0.3.38 + image: beclab/app-service:0.3.40 imagePullPolicy: IfNotPresent securityContext: runAsUser: 0 
diff --git a/framework/authelia/.olares/config/user/helm-charts/auth/templates/auth_deploy.yaml b/framework/authelia/.olares/config/user/helm-charts/auth/templates/auth_deploy.yaml index 8c26771a4..2e027b41c 100644 --- a/framework/authelia/.olares/config/user/helm-charts/auth/templates/auth_deploy.yaml +++ b/framework/authelia/.olares/config/user/helm-charts/auth/templates/auth_deploy.yaml @@ -28,7 +28,7 @@ spec: name: check-auth containers: - name: auth-front - image: beclab/login:v1.3.64 + image: beclab/login:v1.3.72 imagePullPolicy: IfNotPresent ports: - containerPort: 80 diff --git a/framework/headscale/.olares/config/user/helm-charts/headscale/templates/headscale_deploy.yaml b/framework/headscale/.olares/config/user/helm-charts/headscale/templates/headscale_deploy.yaml index 6ccbe6b58..ef3be3f04 100644 --- a/framework/headscale/.olares/config/user/helm-charts/headscale/templates/headscale_deploy.yaml +++ b/framework/headscale/.olares/config/user/helm-charts/headscale/templates/headscale_deploy.yaml @@ -110,7 +110,7 @@ spec: - | chown -R 1000:1000 /headscale - name: init - image: beclab/headscale-init:v0.1.10 + image: beclab/headscale-init:v0.1.11 imagePullPolicy: IfNotPresent securityContext: privileged: true @@ -131,6 +131,8 @@ spec: value: "{{ $pg_password | b64dec }}" - name: PG_DB value: user_space_{{ .Values.bfl.username }}_headscale + - name: USER_SUBNET + value: {{ .Values.tailscaleUserSubnet | default "100.64.0.0/20" }} volumeMounts: - name: config mountPath: /etc/headscale 
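Review bot: The new `USER_SUBNET` env in the -131 hunk is rendered unquoted (`value: {{ .Values.tailscaleUserSubnet | default "100.64.0.0/20" }}`), while the `USER_INDEX` env added in the -281 hunk of this same file uses `| quote`; an empty override would render a bare `value:` (null) and fail validation of the env entry. Use `value: {{ .Values.tailscaleUserSubnet | default "100.64.0.0/20" | quote }}` for consistency. A comment naming what headscale-init does with the subnet (presumably the per-user tailnet address range, given the commit title) would also help, since the consumer is not visible here.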
@@ -175,7 +177,7 @@ spec: command: - "sh" - "-xc" - - "(date; for i in `seq 1 600`; do if ! test -S /var/run/headscale.sock; then echo wait-headscale.sock-1s; sleep 1; else break; fi; done; headscale apikeys create -e 3650d > /etc/headscale/apikey; headscale users create default; headscale preauthkeys create -e 3650d -u default > /etc/headscale/preauthkey; if ! test -s /etc/headscale/apikey; then echo apikey-empty; exit 1; fi; if ! test -s /etc/headscale/preauthkey; then echo preauthkey-empty; exit 1; fi) >> /tmp/headscale.log 2>&1" + - "(date; for i in `seq 1 600`; do if ! test -S /var/run/headscale.sock; then echo wait-headscale.sock-1s; sleep 1; else break; fi; done; headscale apikeys create -e 3650d > /etc/headscale/apikey; headscale users create default; headscale preauthkeys create -e 3650d --reusable -u default > /etc/headscale/preauthkey; if ! test -s /etc/headscale/apikey; then echo apikey-empty; exit 1; fi; if ! test -s /etc/headscale/preauthkey; then echo preauthkey-empty; exit 1; fi) >> /tmp/headscale.log 2>&1" volumeMounts: - name: config mountPath: /etc/headscale 
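Review bot: Adding `--reusable` turns the pre-auth key written to /etc/headscale/preauthkey into a credential that can enrol any number of nodes for its full `-e 3650d` lifetime, so that file is now far more sensitive than the single-use key it replaces. The hunk keeps the ten-year expiry and leaves the written file's mode to the shell's default; at minimum add a comment stating why reuse is required (the per-user tailscale nodes introduced by this PR, presumably) and consider a shorter expiry if the key can be regenerated by this init path. The script also mints the key unconditionally on every run and only checks `test -s` afterwards, so if this container ever restarts each run leaves another long-lived reusable key registered on the server while the file holds only the latest; a `test -s /etc/headscale/preauthkey` guard before creation, or a note that this runs exactly once, would make that explicit.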
@@ -279,22 +281,29 @@ spec: valueFrom: fieldRef: fieldPath: status.hostIP + {{- if eq $role "platform-admin" }} + - name: TS_DEBUG_FIREWALL_MODE + value: nftables + {{- end }} - name: TS_SOCKET value: "/var/run/tailscale/tailscaled.sock" - name: TS_STATE_DIR value: "/var/lib/tailscale/" - name: TS_TAILSCALED_EXTRA_ARGS - value: "--no-logs-no-support --verbose=1" + value: >- + --no-logs-no-support + --verbose=1 + --tun=tailscale0{{ if ne $role "platform-admin" }}$(USER_INDEX){{ end }} - name: TS_ROUTES - value: $(NODE_IP)/32 + value: $(COREDNS_SVC)/32 - name: TS_EXTRA_ARGS - value: "--login-server http://headscale-server-svc:8080" - {{- if eq $role "platform-admin" }} + value: >- + --login-server http://headscale-server-svc:8080 + --netfilter-mode {{ if eq $role "platform-admin" }}on{{ else }}off{{ end }} - name: TS_USERSPACE value: "false" - - name: TS_DEBUG_FIREWALL_MODE - value: nftables - {{- end }} + - name: USER_INDEX + value: {{ .Values.tailscaleUserIndex | default "0" | quote }} - name: TS_KUBE_SECRET volumes: - name: config @@ -383,7 +392,9 @@ data: acl.json: | { "acls":[ + { "action": "accept", "src": ["*"], "proto": "tcp", "dst": ["*:80"] }, { "action": "accept", "src": ["*"], "proto": "tcp", "dst": ["*:443"] }, + { "action": "accept", "src": ["*"], "proto": "tcp", "dst": ["*:18088"] }, { "action": "accept", "src": ["*"], "proto": "udp", "dst": ["*:53"] } ], "autoApprovers": { diff --git a/framework/tapr/.olares/config/cluster/deploy/lldap-deployment.yaml b/framework/tapr/.olares/config/cluster/deploy/lldap-deployment.yaml index e73c75449..d38544c83 100644 --- a/framework/tapr/.olares/config/cluster/deploy/lldap-deployment.yaml +++ b/framework/tapr/.olares/config/cluster/deploy/lldap-deployment.yaml @@ -174,7 +174,7 @@ spec: - name: NATS_SUBJECT_SYSTEM_GROUPS value: "terminus.{{ .Release.Namespace }}.system.groups" - image: beclab/lldap:0.0.2 + image: beclab/lldap:0.0.3 imagePullPolicy: IfNotPresent name: lldap ports: 
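Review bot: `TS_TAILSCALED_EXTRA_ARGS` expands `$(USER_INDEX)` in `--tun=tailscale0{{ if ne $role "platform-admin" }}$(USER_INDEX){{ end }}`, but the `USER_INDEX` entry is declared later in the same env list (after `TS_USERSPACE`); Kubernetes resolves `$(VAR)` only against variables defined earlier in the list and leaves unresolved references literal, so non-platform-admin pods would start tailscaled with the invalid interface name `tailscale0$(USER_INDEX)`. Move the `- name: USER_INDEX` / `value: {{ .Values.tailscaleUserIndex | default "0" | quote }}` pair above `TS_TAILSCALED_EXTRA_ARGS`. The same ordering check applies to `TS_ROUTES: $(COREDNS_SVC)/32` — `COREDNS_SVC` is not visible in this hunk, so confirm it is defined before this line (the previous `$(NODE_IP)` was backed by the `status.hostIP` fieldRef just above). The `>-` folded scalars are a good fit here; a short comment that the result is a single space-joined argument string would help the next editor keep it that way.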
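Review bot: The -383 hunk opens TCP from every node (`"src": ["*"]`) to `*:80` and `*:18088` on top of the existing 443 and UDP 53 rules, but nothing in the hunk says what listens on 18088 or why plaintext 80 must be reachable from all peers rather than only at an edge that redirects to 443. Add a YAML comment above `acl.json: |` naming each port's service, e.g. `# 80/443: user gateway; 18088: <service — TODO name it>; 53: coredns`, and consider narrowing `src` to the users or tags that actually need these ports once the per-user nodes from this PR exist. The acls array and the rest of the policy continue outside the hunk.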
diff --git a/framework/tapr/.olares/config/cluster/deploy/middleware_deploy.yaml b/framework/tapr/.olares/config/cluster/deploy/middleware_deploy.yaml
index 1cede51db..8e4627429 100644
--- a/framework/tapr/.olares/config/cluster/deploy/middleware_deploy.yaml
+++ b/framework/tapr/.olares/config/cluster/deploy/middleware_deploy.yaml
@@ -99,7 +99,7 @@ spec:
 - name: DISABLE_TELEMETRY
 value: "false"
 - name: operator-api 
- image: beclab/middleware-operator:0.2.7 
+ image: beclab/middleware-operator:0.2.8
 imagePullPolicy: IfNotPresent
 ports:
 - containerPort: 9080
diff --git a/infrastructure/kubesphere/.olares/Olares.yaml b/infrastructure/kubesphere/.olares/Olares.yaml
index 761c04cbd..a2131e81b 100644
--- a/infrastructure/kubesphere/.olares/Olares.yaml
+++ b/infrastructure/kubesphere/.olares/Olares.yaml
@@ -3,9 +3,9 @@ target: prebuilt output: containers: - - name: beclab/ks-apiserver:0.0.15 + name: beclab/ks-apiserver:0.0.16 - - name: beclab/ks-controller-manager:0.0.15 + name: beclab/ks-controller-manager:0.0.16 - name: kubesphere/kubectl:v1.22.0