From fee742d756797bff680a1c85ed4df5de772bae7f Mon Sep 17 00:00:00 2001 From: eball Date: Thu, 4 Dec 2025 00:19:28 +0800 Subject: [PATCH] systemserver: combine system providers into one provider pod (#2149) * feat: combine system provider configurations into a single deployment file * feat: add auth-provider-nginx-config to system provider deployment * feat: add auth-provider-nginx-config to system provider deployment --- .../cluster/deploy/auth_backend_provider.yaml | 82 +++++++ .../cluster/deploy/download_provider.yaml | 132 +++------- .../cluster/deploy/search3_provider.yaml | 88 +++---- .../cluster/deploy/system_provider.yaml | 225 ++++++++++++++++++ 4 files changed, 371 insertions(+), 156 deletions(-) create mode 100644 framework/authelia/.olares/config/cluster/deploy/auth_backend_provider.yaml create mode 100644 framework/system-server/.olares/config/cluster/deploy/system_provider.yaml diff --git a/framework/authelia/.olares/config/cluster/deploy/auth_backend_provider.yaml b/framework/authelia/.olares/config/cluster/deploy/auth_backend_provider.yaml new file mode 100644 index 000000000..1669400fa --- /dev/null +++ b/framework/authelia/.olares/config/cluster/deploy/auth_backend_provider.yaml 
@@ -0,0 +1,82 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: auth-provider-svc + namespace: {{ .Release.Namespace }} +spec: + type: ClusterIP + selector: + app: system-provider + ports: + - name: server + protocol: TCP + port: 28080 + targetPort: 28080 + +--- +# provider role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: backend:auth-provider + annotations: + provider-registry-ref: {{ .Release.Namespace }}/auth-provider-svc + provider-service-ref: auth-provider-svc.{{ .Release.Namespace }}:28080 +rules: + - nonResourceURLs: + - "/api/reset/*" + verbs: ["*"] + +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: auth-provider-nginx-config + namespace: {{ .Release.Namespace }} + annotations: + kubesphere.io/creator: bytetrade.io +data: + auth.conf: |- + server { + listen 8080; + server_name auth-provider-svc.{{ .Release.Namespace }}; + # Gzip Settings + gzip on; + gzip_disable "msie6"; + gzip_min_length 1k; + gzip_buffers 16 64k; + gzip_http_version 1.1; + gzip_comp_level 6; + gzip_types *; + index index.html; + location / { + proxy_pass http://authelia-backend.{{ .Release.Namespace }}:9091; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection '$connection_upgrade'; + } + } + + +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: olares-cli-sa + namespace: {{ .Release.Namespace }} + + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: backend:{{ .Release.Namespace }}:olares-cli-sa:provider +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: backend:auth-provider +subjects: + - kind: ServiceAccount + name: olares-cli-sa + namespace: {{ .Release.Namespace }} diff --git a/framework/download-server/.olares/config/cluster/deploy/download_provider.yaml b/framework/download-server/.olares/config/cluster/deploy/download_provider.yaml index 288e4b7ba..7d4fe17eb 100644 
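Review bot: The auth.conf server block uses `listen 8080;` on all interfaces, so nginx answers on the system-provider pod IP directly and any in-cluster client that reaches pod-IP:8080 skips whatever checks provider-proxy applies on 28080; since provider-proxy's upstream in this patch is 127.0.0.1:8080 inside the same pod, `listen 127.0.0.1:8080;` is sufficient and closes that path. The download.conf and search3.conf server blocks added in this patch use the same `listen 8080;` and want the same change. Separately, `location /` forwards every path to authelia-backend:9091 while the ClusterRole names only `/api/reset/*`; if path restriction is meant to be enforced by nginx rather than by provider-proxy, narrow it to `location /api/reset/ { ... }`, and if provider-proxy enforces it, a one-line comment above the location saying so would spare the next reader the same question.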
--- a/framework/download-server/.olares/config/cluster/deploy/download_provider.yaml +++ b/framework/download-server/.olares/config/cluster/deploy/download_provider.yaml @@ -1,57 +1,3 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: download-provider - applications.app.bytetrade.io/author: bytetrade.io - name: download-provider - namespace: {{ .Release.Namespace }} -spec: - progressDeadlineSeconds: 600 - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app: download-provider - strategy: - type: Recreate - template: - metadata: - creationTimestamp: null - labels: - app: download-provider - io.bytetrade.app: "true" - provider: "true" - spec: - containers: - - name: provider-proxy - image: beclab/provider-proxy:0.1.0 - imagePullPolicy: IfNotPresent - args: - - --logtostderr - - --insecure-listen-address=:28080 - - --upstream=http://download-svc:8090/ - ports: - - containerPort: 28080 - resources: - requests: - cpu: 10m - memory: 200Mi - limits: - cpu: "500m" - memory: 350Mi - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - dnsPolicy: ClusterFirst - priorityClassName: system-cluster-critical - restartPolicy: Always - schedulerName: default-scheduler - securityContext: {} - serviceAccount: provider-sa - serviceAccountName: provider-sa - terminationGracePeriodSeconds: 30 --- apiVersion: v1 
@@ -62,58 +8,13 @@ metadata: spec: type: ClusterIP selector: - app: download-provider + app: system-provider ports: - name: server protocol: TCP port: 28080 targetPort: 28080 ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: provider-sa - namespace: {{ .Release.Namespace }} - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: backend:{{ .Release.Namespace }}:provider -rules: - - apiGroups: - - "*" - resources: - - clusterrolebindings - - clusterroles - - namespaces - verbs: - - get - - list - - watch - - apiGroups: - - "*" - resources: - - tokenreviews - - subjectaccessreviews - verbs: - - create - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: backend:{{ .Release.Namespace }}:provider -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: backend:{{ .Release.Namespace }}:provider -subjects: - - kind: ServiceAccount - name: provider-sa - namespace: {{ .Release.Namespace }} - --- # provider role apiVersion: rbac.authorization.k8s.io/v1 @@ -126,3 +27,34 @@ metadata: rules: - nonResourceURLs: ["/api/download/*"] verbs: ["*"] + +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: download-provider-nginx-config + namespace: {{ .Release.Namespace }} + annotations: + kubesphere.io/creator: bytetrade.io +data: + download.conf: |- + server { + listen 8080; + server_name download-provider-svc.{{ .Release.Namespace }}; + # Gzip Settings + gzip on; + gzip_disable "msie6"; + gzip_min_length 1k; + gzip_buffers 16 64k; + gzip_http_version 1.1; + gzip_comp_level 6; + gzip_types *; + index index.html; + location / { + proxy_pass http://download-svc.{{ .Release.Namespace }}:8080; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection '$connection_upgrade'; + } + } + 
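Review bot: The Service selector `app: system-provider` now matches pods that are defined in a different chart (framework/system-server's system_provider.yaml), so download-provider-svc has no endpoints unless both charts render into the same `.Release.Namespace`; nothing in this file records that requirement, and a reader of download_provider.yaml alone cannot find the pod. A comment above the selector would make the coupling explicit, e.g. `# pods come from framework/system-server (system_provider.yaml); both charts must deploy into the same namespace`. The search3_provider.yaml selector change in this patch has the same coupling and wants the same comment.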
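Review bot: The new `proxy_pass http://download-svc.{{ .Release.Namespace }}:8080;` targets port 8080, whereas the provider-proxy Deployment removed earlier in this file pointed at `--upstream=http://download-svc:8090/`; unless download-svc was changed in the same release, requests will reach a port the Service does not expose. Please confirm against the download-svc Service definition and either restore `:8090` or add a comment stating why the port changed. The search3 config in this patch keeps its previous port (80), so this one is the outlier.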
diff --git a/framework/search3/.olares/config/cluster/deploy/search3_provider.yaml b/framework/search3/.olares/config/cluster/deploy/search3_provider.yaml index 91e4b26cf..b51624853 100644 --- a/framework/search3/.olares/config/cluster/deploy/search3_provider.yaml +++ b/framework/search3/.olares/config/cluster/deploy/search3_provider.yaml @@ -1,58 +1,3 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: search3-provider - applications.app.bytetrade.io/author: bytetrade.io - name: search3-provider - namespace: {{ .Release.Namespace }} -spec: - progressDeadlineSeconds: 600 - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app: search3-provider - strategy: - type: Recreate - template: - metadata: - creationTimestamp: null - labels: - app: search3-provider - io.bytetrade.app: "true" - provider: "true" - spec: - containers: - - name: provider-proxy - image: beclab/provider-proxy:0.1.0 - imagePullPolicy: IfNotPresent - args: - - --logtostderr - - --insecure-listen-address=:28080 - - --upstream=http://search3:80/ - ports: - - containerPort: 28080 - resources: - requests: - cpu: 10m - memory: 200Mi - limits: - cpu: "500m" - memory: 350Mi - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - dnsPolicy: ClusterFirst - priorityClassName: system-cluster-critical - restartPolicy: Always - schedulerName: default-scheduler - securityContext: {} - serviceAccount: provider-sa - serviceAccountName: provider-sa - terminationGracePeriodSeconds: 30 - --- apiVersion: v1 kind: Service @@ -62,7 +7,7 @@ metadata: spec: type: ClusterIP selector: - app: search3-provider + app: system-provider ports: - name: server protocol: TCP 
@@ -85,3 +30,34 @@ rules: - "/document/delete/*" - "/document/update/*" verbs: ["*"] + +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: search3-provider-nginx-config + namespace: {{ .Release.Namespace }} + annotations: + kubesphere.io/creator: bytetrade.io +data: + search3.conf: |- + server { + listen 8080; + server_name search3-provider-svc.{{ .Release.Namespace }}; + # Gzip Settings + gzip on; + gzip_disable "msie6"; + gzip_min_length 1k; + gzip_buffers 16 64k; + gzip_http_version 1.1; + gzip_comp_level 6; + gzip_types *; + index index.html; + location / { + proxy_pass http://search3.{{ .Release.Namespace }}:80; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection '$connection_upgrade'; + } + } + diff --git a/framework/system-server/.olares/config/cluster/deploy/system_provider.yaml b/framework/system-server/.olares/config/cluster/deploy/system_provider.yaml new file mode 100644 index 000000000..47cee5f56 --- /dev/null +++ b/framework/system-server/.olares/config/cluster/deploy/system_provider.yaml 
@@ -0,0 +1,225 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: system-provider + applications.app.bytetrade.io/author: bytetrade.io + name: system-provider + namespace: {{ .Release.Namespace }} +spec: + progressDeadlineSeconds: 600 + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + app: system-provider + strategy: + type: Recreate + template: + metadata: + creationTimestamp: null + labels: + app: system-provider + io.bytetrade.app: "true" + provider: "true" + spec: + containers: + - name: provider-proxy + image: beclab/provider-proxy:0.1.0 + imagePullPolicy: IfNotPresent + args: + - --logtostderr + - --insecure-listen-address=:28080 + - --upstream=http://127.0.0.1:8080/ + ports: + - containerPort: 28080 + resources: + requests: + cpu: 10m + memory: 200Mi + limits: + cpu: "500m" + memory: 350Mi + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + - name: system-apps + image: beclab/docker-nginx-headers-more:ubuntu-v0.1.0 + imagePullPolicy: IfNotPresent + ports: + - containerPort: 8080 + command: + - /bin/sh + - -c + - | + rm /etc/nginx/conf.d/default.conf + nginx -g 'daemon off;' + volumeMounts: + - name: system-app-nginx-config + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + - name: download-provider-nginx-config + mountPath: /etc/nginx/conf.d/download.conf + subPath: download.conf + - name: search3-provider-nginx-config + mountPath: /etc/nginx/conf.d/search3.conf + subPath: search3.conf + - name: auth-provider-nginx-config + mountPath: /etc/nginx/conf.d/auth.conf + subPath: auth.conf + volumes: + - name: system-app-nginx-config + configMap: + name: system-app-nginx-config + items: + - key: nginx.conf + path: nginx.conf + - name: download-provider-nginx-config + configMap: + name: download-provider-nginx-config + items: + - key: download.conf + path: download.conf + - name: search3-provider-nginx-config + configMap: + name: search3-provider-nginx-config + items: + 
- key: search3.conf + path: search3.conf + - name: auth-provider-nginx-config + configMap: + name: auth-provider-nginx-config + items: + - key: auth.conf + path: auth.conf + + dnsPolicy: ClusterFirst + priorityClassName: system-cluster-critical + restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + serviceAccount: provider-sa + serviceAccountName: provider-sa + terminationGracePeriodSeconds: 30 + +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: provider-sa + namespace: {{ .Release.Namespace }} + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: backend:{{ .Release.Namespace }}:provider +rules: + - apiGroups: + - "*" + resources: + - clusterrolebindings + - clusterroles + - namespaces + verbs: + - get + - list + - watch + - apiGroups: + - "*" + resources: + - tokenreviews + - subjectaccessreviews + verbs: + - create + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: backend:{{ .Release.Namespace }}:provider +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: backend:{{ .Release.Namespace }}:provider +subjects: + - kind: ServiceAccount + name: provider-sa + namespace: {{ .Release.Namespace }} + +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: system-app-nginx-config + namespace: {{ .Release.Namespace }} + annotations: + kubesphere.io/creator: bytetrade.io +data: + nginx.conf: |- + user nginx; + worker_processes 2; + worker_rlimit_nofile 65535; + worker_shutdown_timeout 240s; + + error_log /var/log/nginx/error.log notice; + pid /var/run/nginx.pid; + + events { + multi_accept on; + worker_connections 16384; + use epoll; + } + + http { + aio threads; + aio_write on; + tcp_nopush on; + tcp_nodelay on; + log_subrequest on; + reset_timedout_connection on; + keepalive_timeout 75s; + keepalive_requests 100; + client_body_temp_path /tmp/client-body; + fastcgi_temp_path /tmp/fastcgi-temp; + proxy_temp_path /tmp/proxy-temp; + 
client_max_body_size 1g; + client_header_buffer_size 1k; + client_header_timeout 60s; + large_client_header_buffers 4 8k; + client_body_buffer_size 8k; + client_body_timeout 60s; + types_hash_max_size 2048; + server_names_hash_max_size 4096; + server_names_hash_bucket_size 1024; + map_hash_bucket_size 64; + proxy_headers_hash_max_size 512; + proxy_headers_hash_bucket_size 64; + variables_hash_bucket_size 256; + variables_hash_max_size 2048; + underscores_in_headers off; + ignore_invalid_headers on; + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + proxy_ssl_session_reuse on; + + sendfile on; + resolver_timeout 30s; + send_timeout 60s; + + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + + include /etc/nginx/conf.d/*.conf; + } + +
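Review bot: The provider-proxy container spec carries `resources:` twice — once with requests/limits and again as `resources: {}` — and most YAML loaders keep the last value for a duplicate key, so the requests and limits are most likely discarded; drop the trailing `resources: {}` (the system-apps container has no resources stanza at all and should get one). Routing between the three server blocks rests entirely on the Host header that provider-proxy forwards to 127.0.0.1:8080: if it rewrites Host to the upstream address, every request lands on nginx's default server, which is the first conf.d file in alphabetical order (auth.conf) and therefore authelia-backend. An explicit catch-all in nginx.conf such as `server { listen 8080 default_server; return 444; }` makes a Host mismatch fail loudly instead of silently reaching the auth backend. The pod also cannot start until download-provider-nginx-config, search3-provider-nginx-config and auth-provider-nginx-config exist, and those are created by three other charts; a comment on the volumes block naming that ordering requirement would help whoever installs or upgrades the charts separately.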