diff --git a/src/main/ks-core/Chart.yaml b/src/main/ks-core/Chart.yaml index 76961973..ddfdcd06 100644 --- a/src/main/ks-core/Chart.yaml +++ b/src/main/ks-core/Chart.yaml @@ -7,12 +7,12 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.1.1 +version: 1.1.2 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. -appVersion: "v4.1.1" +appVersion: "v4.1.2" dependencies: - name: redis-ha diff --git a/src/main/ks-core/charts/ks-crds/crds/application.kubesphere.io_applicationreleases.yaml b/src/main/ks-core/charts/ks-crds/crds/application.kubesphere.io_applicationreleases.yaml index 9d27b83d..a13550b4 100644 --- a/src/main/ks-core/charts/ks-crds/crds/application.kubesphere.io_applicationreleases.yaml +++ b/src/main/ks-core/charts/ks-crds/crds/application.kubesphere.io_applicationreleases.yaml @@ -73,6 +73,8 @@ spec: type: string appVersionID: type: string + icon: + type: string values: format: byte type: string diff --git a/src/main/ks-core/charts/ks-crds/crds/kubesphere.io_repositories.yaml b/src/main/ks-core/charts/ks-crds/crds/kubesphere.io_repositories.yaml index 7cea525d..ddbff7cf 100644 --- a/src/main/ks-core/charts/ks-crds/crds/kubesphere.io_repositories.yaml +++ b/src/main/ks-core/charts/ks-crds/crds/kubesphere.io_repositories.yaml 
@@ -50,12 +50,18 @@ spec: type: string type: object caBundle: - description: if the caBundle is empty, use --insecure-skip-tls-verify. + description: The caBundle (base64 string) is used in helmExecutor + to verify the helm server. type: string description: type: string image: + description: 'DEPRECATED: the field will remove in future versions, + please use url.' type: string + insecure: + description: --insecure-skip-tls-verify. default false + type: boolean updateStrategy: properties: registryPoll: diff --git a/src/main/ks-core/charts/ks-crds/scripts/post-delete.sh b/src/main/ks-core/charts/ks-crds/scripts/post-delete.sh new file mode 100755 index 00000000..bf07838f --- /dev/null +++ b/src/main/ks-core/charts/ks-crds/scripts/post-delete.sh 
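Review bot: The new `insecure` description in this hunk, `--insecure-skip-tls-verify. default false`, names a helm flag without saying what the field does, and the rewritten `caBundle` text no longer says what happens when it is empty. The removed sentence tied an empty caBundle to skipping verification, so the schema should now state the new behaviour, e.g. `description: Skip TLS certificate verification of the repository server. Defaults to false; when false and caBundle is empty, <behaviour to confirm against the controller>.` The schema declares no `default: false`, so the documented default appears to rest on the controller's zero value. If this CRD is generated, the wording belongs in the Go type comments, together with the grammar of `the field will remove in future versions`.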
@@ -0,0 +1,48 @@ +#!/usr/bin/env bash + +# set -x + +CRD_NAMES=$1 +MAPPING_CONFIG=$2 + +for extension in `kubectl get installplan -o json | jq -r '.items[] | select(.status.state == "Installed") | .metadata.name'` +do + namespace=$(kubectl get installplan $extension -o=jsonpath='{.status.targetNamespace}') + version=$(kubectl get extension $extension -o=jsonpath='{.status.installedVersion}') + extensionversion=$extension-$version + echo "Found extension $extensionversion installed" + helm status $extension --namespace $namespace + if [ $? -eq 0 ]; then + helm mapkubeapis $extension --namespace $namespace --mapfile $MAPPING_CONFIG + fi + helm status $extension-agent --namespace $namespace + if [ $? -eq 0 ]; then + helm mapkubeapis $extension-agent --namespace $namespace --mapfile $MAPPING_CONFIG + fi +done + + +# remove namespace's finalizers && ownerReferences +kubectl patch workspaces.tenant.kubesphere.io system-workspace -p '{"metadata":{"finalizers":[]}}' --type=merge +kubectl patch workspacetemplates.tenant.kubesphere.io system-workspace -p '{"metadata":{"finalizers":[]}}' --type=merge +for ns in $(kubectl get ns -o jsonpath='{.items[*].metadata.name}' -l 'kubesphere.io/managed=true') +do + kubectl label ns $ns kubesphere.io/workspace- && \ + kubectl patch ns $ns -p '{"metadata":{"ownerReferences":[]}}' --type=merge && \ + echo "{\"kind\":\"Namespace\",\"apiVersion\":\"v1\",\"metadata\":{\"name\":\"$ns\",\"finalizers\":null}}" | kubectl replace --raw "/api/v1/namespaces/$ns/finalize" -f - +done + + +# delete crds +for crd in `kubectl get crds -o jsonpath="{.items[*].metadata.name}"` +do + if [[ ${CRD_NAMES[@]/${crd}/} != ${CRD_NAMES[@]} ]]; then + scop=$(eval echo $(kubectl get crd ${crd} -o jsonpath="{.spec.scope}")) + if [[ $scop =~ "Namespaced" ]] ; then + kubectl get $crd -A --no-headers | awk '{print $1" "$2" ""'$crd'"}' | xargs -n 3 sh -c 'kubectl patch $2 -n $0 $1 -p "{\"metadata\":{\"finalizers\":null}}" --type=merge 2>/dev/null && kubectl delete $2 -n 
$0 $1 2>/dev/null' + else + kubectl get $crd -A --no-headers | awk '{print $1" ""'$crd'"}' | xargs -n 2 sh -c 'kubectl patch $1 $0 -p "{\"metadata\":{\"finalizers\":null}}" --type=merge 2>/dev/null && kubectl delete $1 $0 2>/dev/null' + fi + kubectl delete crd $crd 2>/dev/null; + fi +done diff --git a/src/main/ks-core/charts/ks-crds/templates/_images.tpl b/src/main/ks-core/charts/ks-crds/templates/_images.tpl new file mode 100644 index 00000000..d27be2fd --- /dev/null +++ b/src/main/ks-core/charts/ks-crds/templates/_images.tpl @@ -0,0 +1,21 @@ +{{- define "kubectl.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.kubectl.image "global" (default .Values.global (dict "imageRegistry" "docker.io"))) }} +{{- end -}} + +{{- define "common.images.image" -}} +{{- $registryName := .global.imageRegistry -}} +{{- $repositoryName := .imageRoot.repository -}} +{{- $separator := ":" -}} +{{- $termination := .global.tag | toString -}} +{{- if .imageRoot.registry }} + {{- $registryName = .imageRoot.registry -}} +{{- end -}} +{{- if .imageRoot.tag }} + {{- $termination = .imageRoot.tag | toString -}} +{{- end -}} +{{- if .imageRoot.digest }} + {{- $separator = "@" -}} + {{- $termination = .imageRoot.digest | toString -}} +{{- end -}} +{{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}} +{{- end -}} diff --git a/src/main/ks-core/charts/ks-crds/templates/post-delete-crd-job.yaml b/src/main/ks-core/charts/ks-crds/templates/post-delete-crd-job.yaml new file mode 100644 index 00000000..82827d43 --- /dev/null +++ b/src/main/ks-core/charts/ks-crds/templates/post-delete-crd-job.yaml 
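Review bot: The CRD filter `[[ ${CRD_NAMES[@]/${crd}/} != ${CRD_NAMES[@]} ]]` is a substring match against the space-joined list passed in `$1`, not an exact one. Any cluster CRD whose name occurs inside one of the chart's CRD names is treated as owned, so its objects lose their finalizers and the CRD is deleted. In a job that runs under cluster-admin I would make the match exact with `if [[ " $CRD_NAMES " == *" $crd "* ]]; then`. The `eval echo $(kubectl get crd ...)` on the following line evaluates API output as shell for no benefit; `scop=$(kubectl get crd "$crd" -o jsonpath='{.spec.scope}')` yields the same value. Expansions are unquoted throughout and failures go to `2>/dev/null`, so a partial cleanup is silent.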
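Review bot: In `kubectl.image` the arguments to `default` are reversed: sprig's `default` returns its second argument whenever that is non-empty, and the `dict "imageRegistry" "docker.io"` literal always is, so `.Values.global` is never used. The hook image therefore ignores a configured `global.imageRegistry` (a private mirror or an air-gapped registry) and resolves to docker.io unless `kubectl.image.registry` is set. I would write `"global" (default (dict "imageRegistry" "docker.io") .Values.global)`. A short comment above `common.images.image` stating the precedence (imageRoot.registry over global.imageRegistry, digest over tag) would also help, since this copy now lives apart from the one in ks-core.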
@@ -0,0 +1,89 @@ +{{- $kubeVersion := .Capabilities.KubeVersion }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ .Release.Name }}-post-delete-crd-scripts" + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-weight": "-3" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed +data: + map.yaml: | + mappings: + {{- range $path, $_ := .Files.Glob "crds/**" }} + {{- $crd := $.Files.Get $path | fromYaml }} + {{- range $_, $version := $crd.spec.versions }} + - deprecatedAPI: "apiVersion: {{ $crd.spec.group }}/{{ $version.name }}\nkind: {{ $crd.spec.names.kind }}\n" + removedInVersion: "{{ $kubeVersion }}" + {{- end }} + {{- end }} +{{ (.Files.Glob "scripts/post-delete.sh").AsConfig | indent 2 }} + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: "{{ .Release.Name }}-post-delete-crd" + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-weight": "-3" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: "{{ .Release.Name }}-post-delete-crd" + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-weight": "-3" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: + - kind: ServiceAccount + name: "{{ .Release.Name }}-post-delete-crd" + namespace: {{ .Release.Namespace }} + +--- + +{{- $crdNameList := list }} +{{- range $path, $_ := .Files.Glob "crds/**" }} +{{- $crd := $.Files.Get $path | fromYaml }} +{{- $crdNameList = append $crdNameList $crd.metadata.name }} +{{- end }} + +apiVersion: batch/v1 +kind: Job +metadata: + name: "{{ .Release.Name }}-post-delete-crd" + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-weight": "-2" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +spec: + template: + spec: + restartPolicy: Never + serviceAccountName: "{{ 
.Release.Name }}-post-delete-crd" + containers: + - name: post-delete-job + image: {{ template "kubectl.image" . }} + command: + - /bin/bash + - /scripts/post-delete.sh + - '{{ join " " $crdNameList }}' + - /scripts/map.yaml + volumeMounts: + - mountPath: /scripts + name: scripts + resources: {{- toYaml .Values.kubectl.resources | nindent 12 }} + volumes: + - name: scripts + configMap: + name: "{{ .Release.Name }}-post-delete-crd-scripts" + defaultMode: 420 diff --git a/src/main/ks-core/charts/ks-crds/templates/pre-upgrade-job.yaml b/src/main/ks-core/charts/ks-crds/templates/pre-upgrade-crd-job.yaml similarity index 53% rename from src/main/ks-core/charts/ks-crds/templates/pre-upgrade-job.yaml rename to src/main/ks-core/charts/ks-crds/templates/pre-upgrade-crd-job.yaml index 29872d06..a3e342a2 100644 --- a/src/main/ks-core/charts/ks-crds/templates/pre-upgrade-job.yaml +++ b/src/main/ks-core/charts/ks-crds/templates/pre-upgrade-crd-job.yaml @@ -10,6 +10,36 @@ data: {{ (.Files.Glob "scripts/install.sh").AsConfig | indent 2 }} {{ (.Files.Glob "crds/*").AsConfig | indent 2 }} +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: "{{ .Release.Name }}-pre-upgrade-crd" + annotations: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-weight": "-1" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: "{{ .Release.Name }}-pre-upgrade-crd" + annotations: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-weight": "-1" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: + - kind: ServiceAccount + name: "{{ .Release.Name }}-pre-upgrade-crd" + namespace: {{ .Release.Namespace }} + --- apiVersion: batch/v1 kind: Job 
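Review bot: The ServiceAccount added in this template is bound to `cluster-admin` through a ClusterRoleBinding, and both objects carry only `before-hook-creation,hook-succeeded` as delete policy while the ConfigMap also lists `hook-failed`. Whether a failed Job leaves that cluster-admin-bound ServiceAccount behind after the release is gone depends on the Helm version's hook cleanup, so this should be confirmed against the version you ship; the pre-upgrade-crd-job.yaml hunk that follows adds the same pair. A dedicated ClusterRole covering only what post-delete.sh touches would bound the exposure, and at minimum I would put a comment above `roleRef` such as `# cluster-admin: the script strips finalizers and deletes CRDs cluster-wide; removed by the hook delete policy`. The Job sets no `backoffLimit` or `activeDeadlineSeconds`, so retries and runtime of this privileged pod are left to defaults.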
@@ -23,10 +53,10 @@ spec: template: spec: restartPolicy: Never - serviceAccountName: {{ include "ks-core.serviceAccountName" . }} + serviceAccountName: "{{ .Release.Name }}-pre-upgrade-crd" containers: - name: crd-install - image: {{ template "preUpgrade.image" . }} + image: {{ template "kubectl.image" . }} command: - /bin/bash - /scripts/install.sh @@ -34,7 +64,7 @@ spec: volumeMounts: - mountPath: /scripts name: scripts - resources: {{- toYaml .Values.preUpgrade.resources | nindent 12 }} + resources: {{- toYaml .Values.kubectl.resources | nindent 12 }} volumes: - name: scripts configMap: diff --git a/src/main/ks-core/charts/ks-crds/values.yaml b/src/main/ks-core/charts/ks-crds/values.yaml index f5790d2d..5816ade1 100644 --- a/src/main/ks-core/charts/ks-crds/values.yaml +++ b/src/main/ks-core/charts/ks-crds/values.yaml @@ -1,12 +1,11 @@ # Default values for ks-crds. # This is a YAML-formatted file. # Declare variables to be passed into your templates. - -preUpgrade: +kubectl: image: registry: "" - repository: kubesphereio/kubectl - tag: "v1.27.12" + repository: kubesphere/kubectl + tag: "v1.27.16" pullPolicy: IfNotPresent resources: limits: @@ -14,4 +13,4 @@ preUpgrade: memory: 1024Mi requests: cpu: 20m - memory: 100Mi \ No newline at end of file + memory: 100Mi diff --git a/src/main/ks-core/scripts/post-delete.sh b/src/main/ks-core/scripts/post-delete.sh index e97f9a8b..44e8c8db 100755 --- a/src/main/ks-core/scripts/post-delete.sh +++ b/src/main/ks-core/scripts/post-delete.sh 
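Review bot: The hook image in the ks-crds values.yaml hunk is selected by a mutable tag (`kubesphere/kubectl` at `v1.27.16`), while the jobs that use it run under a cluster-admin binding. `common.images.image` in this chart already honours `.imageRoot.digest`, so I would expose it next to `tag`, e.g. `digest: ""` with the comment `# optional sha256 digest; overrides tag when set`. The repository path also moves from `kubesphereio/kubectl` to `kubesphere/kubectl`, so registry mirrors and image allow-lists used for offline installs need the new path.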
@@ -2,55 +2,9 @@ # set -x -CRD_NAMES=$1 -MAPPING_CONFIG=$2 - -for extension in `kubectl get installplan -o json | jq -r '.items[] | select(.status.state == "Installed") | .metadata.name'` -do - namespace=$(kubectl get installplan $extension -o=jsonpath='{.status.targetNamespace}') - version=$(kubectl get extension $extension -o=jsonpath='{.status.installedVersion}') - extensionversion=$extension-$version - echo "Found extension $extensionversion installed" - helm status $extension --namespace $namespace - if [ $? -eq 0 ]; then - helm mapkubeapis $extension --namespace $namespace --mapfile $MAPPING_CONFIG - fi - helm status $extension-agent --namespace $namespace - if [ $? -eq 0 ]; then - helm mapkubeapis $extension-agent --namespace $namespace --mapfile $MAPPING_CONFIG - fi -done - - -# remove namespace's finalizers && ownerReferences -kubectl patch workspaces.tenant.kubesphere.io system-workspace -p '{"metadata":{"finalizers":[]}}' --type=merge -kubectl patch workspacetemplates.tenant.kubesphere.io system-workspace -p '{"metadata":{"finalizers":[]}}' --type=merge -for ns in $(kubectl get ns -o jsonpath='{.items[*].metadata.name}' -l 'kubesphere.io/managed=true') -do - kubectl label ns $ns kubesphere.io/workspace- && \ - kubectl patch ns $ns -p '{"metadata":{"ownerReferences":[]}}' --type=merge && \ - echo "{\"kind\":\"Namespace\",\"apiVersion\":\"v1\",\"metadata\":{\"name\":\"$ns\",\"finalizers\":null}}" | kubectl replace --raw "/api/v1/namespaces/$ns/finalize" -f - -done - - -# delete crds -for crd in `kubectl get crds -o jsonpath="{.items[*].metadata.name}"` -do - if [[ ${CRD_NAMES[@]/${crd}/} != ${CRD_NAMES[@]} ]]; then - scop=$(eval echo $(kubectl get crd ${crd} -o jsonpath="{.spec.scope}")) - if [[ $scop =~ "Namespaced" ]] ; then - kubectl get $crd -A --no-headers | awk '{print $1" "$2" ""'$crd'"}' | xargs -n 3 sh -c 'kubectl patch $2 -n $0 $1 -p "{\"metadata\":{\"finalizers\":null}}" --type=merge 2>/dev/null && kubectl delete $2 -n $0 $1 2>/dev/null' - else 
- kubectl get $crd -A --no-headers | awk '{print $1" ""'$crd'"}' | xargs -n 2 sh -c 'kubectl patch $1 $0 -p "{\"metadata\":{\"finalizers\":null}}" --type=merge 2>/dev/null && kubectl delete $1 $0 2>/dev/null' - fi - kubectl delete crd $crd 2>/dev/null; - fi -done - - EXTENSION_RELATED_RESOURCES='jobs.batch roles.rbac.authorization.k8s.io rolebindings.rbac.authorization.k8s.io clusterroles.rbac.authorization.k8s.io clusterrolebindings.rbac.authorization.k8s.io' for resource in $EXTENSION_RELATED_RESOURCES;do echo "kubectl delete $resource -l kubesphere.io/extension-ref --all-namespaces" kubectl delete $resource -l kubesphere.io/managed=true --all-namespaces -done \ No newline at end of file +done diff --git a/src/main/ks-core/templates/_images.tpl b/src/main/ks-core/templates/_images.tpl index f77da091..cb9fd0d5 100644 --- a/src/main/ks-core/templates/_images.tpl +++ b/src/main/ks-core/templates/_images.tpl @@ -33,10 +33,6 @@ Return the proper image name {{ include "common.images.image" (dict "imageRoot" .Values.redis.image "global" .Values.global) }} {{- end -}} -{{- define "preUpgrade.image" -}} -{{ include "common.images.image" (dict "imageRoot" .Values.preUpgrade.image "global" .Values.global) }} -{{- end -}} - {{- define "extensions_museum.image" -}} {{ include "common.images.image" (dict "imageRoot" .Values.ksExtensionRepository.image "global" .Values.global) }} {{- end -}} diff --git a/src/main/ks-core/templates/extension-museum.yaml b/src/main/ks-core/templates/extension-museum.yaml index ae9ca355..48c4805b 100644 --- a/src/main/ks-core/templates/extension-museum.yaml +++ b/src/main/ks-core/templates/extension-museum.yaml 
@@ -1,4 +1,11 @@ {{- if .Values.ksExtensionRepository.enabled }} + +{{- $ca := genCA "self-signed-ca" 3650 }} +{{- $cn := printf "%s-extensions-museum" .Release.Name }} +{{- $altName1 := printf "extensions-museum.%s" .Release.Namespace }} +{{- $altName2 := printf "extensions-museum.%s.svc" .Release.Namespace }} +{{- $cert := genSignedCert $cn nil (list $altName1 $altName2) 3650 $ca }} + apiVersion: apps/v1 kind: Deployment metadata: @@ -15,6 +22,9 @@ spec: metadata: labels: app: extensions-museum + annotations: + # force restart ks-apiserver after the upgrade is complete if kubesphere-config changes + checksum/cert: {{ sha256sum $cert.Cert }} spec: {{- include "extensions_museum.imagePullSecrets" . | nindent 6 }} containers: @@ -26,8 +36,32 @@ spec: - "/charts" - "--storage" - "local" + - "--tls-cert" + - "/etc/certs/tls.crt" + - "--tls-key" + - "/etc/certs/tls.key" ports: - containerPort: 8080 + volumeMounts: + - name: certs + mountPath: /etc/certs/ + volumes: + - name: certs + secret: + secretName: extensions-museum-certs + +--- +apiVersion: v1 +kind: Secret +metadata: + name: extensions-museum-certs + namespace: {{ .Release.Namespace }} +type: kubernetes.io/tls +data: + ca.crt: {{ b64enc $ca.Cert }} + tls.crt: {{ b64enc $cert.Cert }} + tls.key: {{ b64enc $cert.Key }} + --- apiVersion: v1 kind: Service @@ -39,7 +73,7 @@ spec: app: extensions-museum ports: - protocol: TCP - port: 80 + port: 443 targetPort: 8080 --- @@ -48,10 +82,11 @@ kind: Repository metadata: name: extensions-museum spec: - url: http://extensions-museum.{{ .Release.Namespace }}.svc + url: https://extensions-museum.{{ .Release.Namespace }}.svc + caBundle: {{ b64enc $ca.Cert }} --- -apiVersion: batch/v1 +apiVersion: {{ if semverCompare ">=1.20.0" .Capabilities.KubeVersion.Version }}batch/v1{{ else }}batch/v1beta1{{end}} kind: CronJob metadata: name: restart-extensions-museum 
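Review bot: `genCA` and `genSignedCert` at the top of this template run on every render, so each `helm upgrade` produces a new CA, a new server key and a new `caBundle`, and a rendered diff is never stable. During the rollout a museum pod still serving the old certificate is checked against a Repository that already carries the new CA, so verification can fail until everything has restarted. I would reuse the existing `extensions-museum-certs` Secret when it is present and generate only when it is missing, as sketched below. The Secret `data`, `caBundle` and `checksum/cert` lines in the later hunks would then use these already-encoded values directly. The 3650-day lifetime with no rotation path deserves a comment as well.

```yaml
{{- /* reuse the certificate already stored in the cluster; generate only when it is missing */ -}}
{{- $existing := lookup "v1" "Secret" .Release.Namespace "extensions-museum-certs" }}
{{- $caCrt := "" }}
{{- $tlsCrt := "" }}
{{- $tlsKey := "" }}
{{- if and $existing $existing.data }}
{{- $caCrt = index $existing.data "ca.crt" }}
{{- $tlsCrt = index $existing.data "tls.crt" }}
{{- $tlsKey = index $existing.data "tls.key" }}
{{- else }}
{{- $ca := genCA "self-signed-ca" 3650 }}
{{- /* … unchanged: $cn, $altName1, $altName2, genSignedCert … */ -}}
{{- $caCrt = b64enc $ca.Cert }}
{{- $tlsCrt = b64enc $cert.Cert }}
{{- $tlsKey = b64enc $cert.Key }}
{{- end }}
```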
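Review bot: The comment added above `checksum/cert`, `# force restart ks-apiserver after the upgrade is complete if kubesphere-config changes`, describes a different workload and a different trigger. This annotation sits on the extensions-museum pod template and hashes `$cert.Cert`, so I would replace the comment with `# restart extensions-museum when the serving certificate changes`.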
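Review bot: The CronJob apiVersion switch in the last hunk uses `semverCompare ">=1.20.0"`, but `batch/v1` CronJob is only served from Kubernetes 1.21, so a 1.20 cluster would be sent `batch/v1` and reject the manifest. The constraint also does not match cluster versions carrying a pre-release suffix unless it ends in `-0`. I would use `{{ if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version }}batch/v1{{ else }}batch/v1beta1{{ end }}`, or test `.Capabilities.APIVersions.Has "batch/v1/CronJob"` instead of the version. The CronJob body continues outside the hunk.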
diff --git a/src/main/ks-core/templates/post-delete-job.yaml b/src/main/ks-core/templates/post-delete-job.yaml index 22c99bd0..cacb32d3 100644 --- a/src/main/ks-core/templates/post-delete-job.yaml +++ b/src/main/ks-core/templates/post-delete-job.yaml @@ -1,4 +1,3 @@ -{{- $kubeVersion := .Capabilities.KubeVersion }} apiVersion: v1 kind: ConfigMap metadata: @@ -8,15 +7,6 @@ metadata: "helm.sh/hook-weight": "-1" "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed data: - map.yaml: | - mappings: - {{- range $path, $_ := .Files.Glob "charts/ks-crds/crds/**" }} - {{- $crd := $.Files.Get $path | fromYaml }} - {{- range $_, $version := $crd.spec.versions }} - - deprecatedAPI: "apiVersion: {{ $crd.spec.group }}/{{ $version.name }}\nkind: {{ $crd.spec.names.kind }}\n" - removedInVersion: "{{ $kubeVersion }}" - {{- end }} - {{- end }} {{ (.Files.Glob "scripts/post-delete.sh").AsConfig | indent 2 }} --- @@ -51,12 +41,6 @@ subjects: --- -{{- $crdNameList := list }} -{{- range $path, $_ := .Files.Glob "charts/ks-crds/crds/**" }} -{{- $crd := $.Files.Get $path | fromYaml }} -{{- $crdNameList = append $crdNameList $crd.metadata.name }} -{{- end }} - apiVersion: batch/v1 kind: Job metadata: @@ -76,8 +60,6 @@ spec: command: - /bin/bash - /scripts/post-delete.sh - - '{{ join " " $crdNameList }}' - - /scripts/map.yaml volumeMounts: - mountPath: /scripts name: scripts diff --git a/src/main/ks-core/values.yaml b/src/main/ks-core/values.yaml index b865ad70..b23e935b 100644 --- a/src/main/ks-core/values.yaml +++ b/src/main/ks-core/values.yaml @@ -2,7 +2,7 @@ ## @param global.tag Global Docker image tag global: imageRegistry: docker.io - tag: v4.1.1 + tag: v4.1.2 imagePullSecrets: [] ## @param nameOverride String to partially override common.names.fullname @@ -421,7 +421,7 @@ redisHA: - "" ksCRDs: - preUpgrade: + kubectl: image: registry: "" repository: kubesphere/kubectl