fix: market backend auth

fix: app-service entrance url api
Merge branch 'main' into refactor/rbac-proxy
2025-08-27 22:01:26 +08:00 · 2025-08-27 16:30:35 +08:00 · 2025-08-27 15:38:09 +08:00 · 2025-08-27 15:16:32 +08:00 · 2025-08-27 15:14:54 +08:00 · 2025-08-27 14:30:48 +08:00
30 changed files with 1254 additions and 659 deletions
--- a/apps/.olares/config/user/helm-charts/system-apps/templates/app-service-provider.yaml
+++ b/apps/.olares/config/user/helm-charts/system-apps/templates/app-service-provider.yaml
@@ -0,0 +1,39 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.bfl.username }}:app-service-frontend-svc
+  annotations:
+    provider-registry-ref: user-system-{{ .Values.bfl.username }}/app-service
+    provider-service-ref: app-service.os-framework:6755
+rules:
+- nonResourceURLs: ["*"]
+  verbs: ["*"]
+
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.bfl.username }}:app-service-provider-svc
+  annotations:
+    provider-registry-ref: user-system-{{ .Values.bfl.username }}/app-service
+    provider-service-ref: app-service.os-framework:6755
+rules:
+- nonResourceURLs: 
+  - "/app-service/*"
+  verbs: ["*"]
+
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: user:{{ .Values.bfl.username }}:app-service-frontend-svc
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.bfl.username }}:app-service-frontend-svc
+subjects:
+- kind: User
+  name: '{{ .Values.bfl.username }}'
+
--- a/apps/.olares/config/user/helm-charts/system-apps/templates/backup-provider.yaml
+++ b/apps/.olares/config/user/helm-charts/system-apps/templates/backup-provider.yaml
@@ -0,0 +1,64 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.bfl.username }}:backup-frontend-svc
+  annotations:
+    provider-registry-ref: user-space-{{ .Values.bfl.username }}/backup
+    provider-service-ref: backup-server.os-framework:8082
+rules:
+- nonResourceURLs: ["/apis/backup*"]
+  verbs: ["*"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.bfl.username }}:backup-frontend-domain
+  annotations:
+    provider-registry-ref: {{ .Values.bfl.username }}/settings
+    provider-service-ref: backup-server.os-framework:8082
+rules:
+- nonResourceURLs: ["/apis/backup*"]
+  verbs: ["*"]
+
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: user:{{ .Values.bfl.username }}:backup-frontend-svc
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.bfl.username }}:backup-frontend-svc
+subjects:
+- kind: User
+  name: '{{ .Values.bfl.username }}'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: user:{{ .Values.bfl.username }}:backup-frontend-domain
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.bfl.username }}:backup-frontend-domain
+subjects:
+- kind: User
+  name: '{{ .Values.bfl.username }}'
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: backup
+  namespace: user-space-{{ .Values.bfl.username }}
+spec:
+  type: ExternalName
+  externalName: system-server.user-system-{{ .Values.bfl.username }}.svc.cluster.local
+  ports:
+    - protocol: TCP
+      port: 28080
+      targetPort: 28080
--- a/apps/.olares/config/user/helm-charts/system-apps/templates/bfl-permission.yaml
+++ b/apps/.olares/config/user/helm-charts/system-apps/templates/bfl-permission.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: backend:{{ .Values.bfl.username }}:system-frontend:bfl-svc
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.bfl.username }}:bfl-svc
+subjects:
+- kind: ServiceAccount
+  name: system-frontend
+  namespace: {{ .Release.Namespace }}
+
--- a/apps/.olares/config/user/helm-charts/system-apps/templates/files-permission.yaml
+++ b/apps/.olares/config/user/helm-charts/system-apps/templates/files-permission.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: backend:{{ .Values.bfl.username }}:system-frontend:files-provider-svc
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.bfl.username }}:files-provider-svc
+subjects:
+- kind: ServiceAccount
+  name: system-frontend
+  namespace: {{ .Release.Namespace }}
--- a/apps/.olares/config/user/helm-charts/system-apps/templates/files-provider.yaml
+++ b/apps/.olares/config/user/helm-charts/system-apps/templates/files-provider.yaml
@@ -0,0 +1,136 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.bfl.username }}:files-frontend-svc
+  annotations:
+    provider-registry-ref: user-space-{{ .Values.bfl.username }}/files
+    provider-service-ref: files-service.os-framework:80
+rules:
+- nonResourceURLs: ["*"]
+  verbs: ["*"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.bfl.username }}:files-frontend-domain
+  annotations:
+    provider-registry-ref: {{ .Values.bfl.username }}/files
+    provider-service-ref: files-service.os-framework:80
+rules:
+- nonResourceURLs: ["*"]
+  verbs: ["*"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.bfl.username }}:files-frontend-domain-settings
+  annotations:
+    provider-registry-ref: {{ .Values.bfl.username }}/settings
+    provider-service-ref: files-service.os-framework:80
+rules:
+- nonResourceURLs: 
+  - "/api/resources/*"
+  - "/api/nodes/*"
+  verbs: ["*"]
+
+# ---
+# apiVersion: sys.bytetrade.io/v1alpha1
+# kind: ProviderRegistry
+# metadata:
+#   name: files-provider
+#   namespace: user-system-{{ .Values.bfl.username }}
+# spec:
+#   dataType: files
+#   deployment: files
+#   description: files provider
+#   endpoint: files-service.{{ .Release.Namespace }}
+#   group: service.files
+#   kind: provider
+#   namespace: {{ .Release.Namespace }}
+#   opApis:
+#     - name: Query
+#       uri: /provider/query_file
+#     - name: GetSearchFolderStatus
+#       uri: /provider/get_search_folder_status
+#     - name: UpdateSearchFolderPaths
+#       uri: /provider/update_search_folder_paths
+#     - name: GetDatasetFolderStatus
+#       uri: /provider/get_dataset_folder_status
+#     - name: UpdateDatasetFolderPaths
+#       uri: /provider/update_dataset_folder_paths
+#   version: v1
+# status:
+#   state: active
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.bfl.username }}:files-provider-svc
+  annotations:
+    provider-registry-ref: user-system-{{ .Values.bfl.username }}/files
+    provider-service-ref: files-service.os-framework:80
+rules:
+- nonResourceURLs: 
+  - "/provider/query_file"
+  - "/provider/get_search_folder_status"
+  - "/provider/update_search_folder_paths"
+  - "/provider/get_dataset_folder_status"
+  - "/provider/update_dataset_folder_paths"
+  verbs: ["*"]
+
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: user:{{ .Values.bfl.username }}:files-frontend-svc
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.bfl.username }}:files-frontend-svc
+subjects:
+- kind: User
+  name: '{{ .Values.bfl.username }}'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: user:{{ .Values.bfl.username }}:files-frontend-domain
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.bfl.username }}:files-frontend-domain
+subjects:
+- kind: User
+  name: '{{ .Values.bfl.username }}'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: user:{{ .Values.bfl.username }}:files-frontend-domain-settings
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.bfl.username }}:files-frontend-domain-settings
+subjects:
+- kind: User
+  name: '{{ .Values.bfl.username }}'
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: files
+  namespace: user-space-{{ .Values.bfl.username }}
+spec:
+  type: ExternalName
+  externalName: system-server.user-system-{{ .Values.bfl.username }}.svc.cluster.local
+  ports:
+    - protocol: TCP
+      port: 28080
+      targetPort: 28080
--- a/apps/.olares/config/user/helm-charts/system-apps/templates/infisical-provider.yaml
+++ b/apps/.olares/config/user/helm-charts/system-apps/templates/infisical-provider.yaml
@@ -0,0 +1,64 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.bfl.username }}:infisical-frontend-svc
+  annotations:
+    provider-registry-ref: user-space-{{ .Values.bfl.username }}/infisical
+    provider-service-ref: infisical-service.os-framework:8080
+rules:
+- nonResourceURLs: ["/admin/*"]
+  verbs: ["*"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.bfl.username }}:infisical-frontend-domain
+  annotations:
+    provider-registry-ref: {{ .Values.bfl.username }}/settings
+    provider-service-ref: infisical-service.os-framework:8080
+rules:
+- nonResourceURLs: ["/admin/*"]
+  verbs: ["*"]
+
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: user:{{ .Values.bfl.username }}:infisical-frontend-svc
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.bfl.username }}:infisical-frontend-svc
+subjects:
+- kind: User
+  name: '{{ .Values.bfl.username }}'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: user:{{ .Values.bfl.username }}:infisical-frontend-domain
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.bfl.username }}:infisical-frontend-domain
+subjects:
+- kind: User
+  name: '{{ .Values.bfl.username }}'
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: infisical
+  namespace: user-space-{{ .Values.bfl.username }}
+spec:
+  type: ExternalName
+  externalName: system-server.user-system-{{ .Values.bfl.username }}.svc.cluster.local
+  ports:
+    - protocol: TCP
+      port: 28080
+      targetPort: 28080
--- a/apps/.olares/config/user/helm-charts/system-apps/templates/market-provider.yaml
+++ b/apps/.olares/config/user/helm-charts/system-apps/templates/market-provider.yaml
@@ -0,0 +1,76 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.bfl.username }}:market-frontend-svc
+  annotations:
+    provider-registry-ref: user-space-{{ .Values.bfl.username }}/market
+    provider-service-ref: appstore-svc.os-framework:81
+rules:
+- nonResourceURLs: ["*"]
+  verbs: ["*"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.bfl.username }}:market-frontend-domain
+  annotations:
+    provider-registry-ref: {{ .Values.bfl.username }}/market
+    provider-service-ref: appstore-svc.os-framework:81
+rules:
+- nonResourceURLs: ["*"]
+  verbs: ["*"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.bfl.username }}:market-provider-svc
+  annotations:
+    provider-registry-ref: user-system-{{ .Values.bfl.username }}/market
+    provider-service-ref: appstore-svc.os-framework:81
+rules:
+- nonResourceURLs: ["/app-store/*"]
+  verbs: ["*"]
+
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: user:{{ .Values.bfl.username }}:market-frontend-svc
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.bfl.username }}:market-frontend-svc
+subjects:
+- kind: User
+  name: '{{ .Values.bfl.username }}'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: user:{{ .Values.bfl.username }}:market-frontend-domain
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.bfl.username }}:market-frontend-domain
+subjects:
+- kind: User
+  name: '{{ .Values.bfl.username }}'
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: market
+  namespace: user-space-{{ .Values.bfl.username }}
+spec:
+  type: ExternalName
+  externalName: system-server.user-system-{{ .Values.bfl.username }}.svc.cluster.local
+  ports:
+    - protocol: TCP
+      port: 28080
+      targetPort: 28080
--- a/apps/.olares/config/user/helm-charts/system-apps/templates/middleware-provider.yaml
+++ b/apps/.olares/config/user/helm-charts/system-apps/templates/middleware-provider.yaml
@@ -0,0 +1,64 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.bfl.username }}:middleware-frontend-svc
+  annotations:
+    provider-registry-ref: user-space-{{ .Values.bfl.username }}/middleware
+    provider-service-ref: middleware-service.os-platform:80
+rules:
+- nonResourceURLs: ["*"]
+  verbs: ["*"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.bfl.username }}:middleware-frontend-domain-controlhub
+  annotations:
+    provider-registry-ref: {{ .Values.bfl.username }}/control-hub
+    provider-service-ref: middleware-service.os-platform:80
+rules:
+- nonResourceURLs: ["/middleware/*"]
+  verbs: ["*"]
+
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: user:{{ .Values.bfl.username }}:middleware-frontend-svc
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.bfl.username }}:middleware-frontend-svc
+subjects:
+- kind: User
+  name: '{{ .Values.bfl.username }}'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: user:{{ .Values.bfl.username }}:middleware-frontend-domain-controlhub
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.bfl.username }}:middleware-frontend-domain-controlhub
+subjects:
+- kind: User
+  name: '{{ .Values.bfl.username }}'
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: middleware
+  namespace: user-space-{{ .Values.bfl.username }}
+spec:
+  type: ExternalName
+  externalName: system-server.user-system-{{ .Values.bfl.username }}.svc.cluster.local
+  ports:
+    - protocol: TCP
+      port: 28080
+      targetPort: 28080
--- a/apps/.olares/config/user/helm-charts/system-apps/templates/monitoring-provider.yaml
+++ b/apps/.olares/config/user/helm-charts/system-apps/templates/monitoring-provider.yaml
@@ -0,0 +1,94 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.bfl.username }}:monitoring-frontend-svc
+  annotations:
+    provider-registry-ref: user-space-{{ .Values.bfl.username }}/monitoring
+    provider-service-ref: monitoring-server.os-framework:80
+rules:
+- nonResourceURLs: ["*"]
+  verbs: ["*"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.bfl.username }}:monitoring-frontend-domain-controlhub
+  annotations:
+    provider-registry-ref: {{ .Values.bfl.username }}/control-hub
+    provider-service-ref: monitoring-server.os-framework:80
+rules:
+- nonResourceURLs: 
+  - "/kapis/*"
+  - "/api/*"
+  - "/capi/*"
+  - "/apis/apps/*"
+  verbs: ["*"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.bfl.username }}:monitoring-frontend-domain-dashboard
+  annotations:
+    provider-registry-ref: {{ .Values.bfl.username }}/dashboard
+    provider-service-ref: monitoring-server.os-framework:80
+rules:
+- nonResourceURLs: ["*"]
+  verbs: ["*"]  
+
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: user:{{ .Values.bfl.username }}:monitoring-frontend-svc
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.bfl.username }}:monitoring-frontend-svc
+subjects:
+- kind: User
+  name: '{{ .Values.bfl.username }}'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: user:{{ .Values.bfl.username }}:monitoring-frontend-domain-controlhub
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.bfl.username }}:monitoring-frontend-domain-controlhub
+subjects:
+- kind: User
+  name: '{{ .Values.bfl.username }}'
+
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: user:{{ .Values.bfl.username }}:monitoring-frontend-domain-dashboard
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.bfl.username }}:monitoring-frontend-domain-dashboard
+subjects:
+- kind: User
+  name: '{{ .Values.bfl.username }}'
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: monitoring
+  namespace: user-space-{{ .Values.bfl.username }}
+spec:
+  type: ExternalName
+  externalName: system-server.user-system-{{ .Values.bfl.username }}.svc.cluster.local
+  ports:
+    - protocol: TCP
+      port: 28080
+      targetPort: 28080
--- a/apps/.olares/config/user/helm-charts/system-apps/templates/olares-app.yaml
+++ b/apps/.olares/config/user/helm-charts/system-apps/templates/olares-app.yaml
@@ -153,19 +153,6 @@ spec:
 ---
 apiVersion: v1
 kind: Service
-metadata:
-  name: vault-admin-server
-  namespace: {{ .Release.Namespace }}
-spec:
-  type: ExternalName
-  externalName: vault-server.os-framework.svc.cluster.local
-  ports:
-    - protocol: TCP
-      port: 3010
-      targetPort: 3010
---
-apiVersion: v1
-kind: Service
 metadata:
  name: files-fe-service
  namespace: user-space-{{ .Values.bfl.username }}
@@ -258,6 +245,7 @@ spec:
 {{ end }}        
    spec:
      priorityClassName: "system-cluster-critical"
+      serviceAccountName: system-frontend
      initContainers:
        - args:
            - -it
@@ -333,7 +321,7 @@ spec:
            - name: PGDB
              value: user_space_{{ .Values.bfl.username }}_cloud_drive_integration
        - name: olares-app-init
-          image: beclab/system-frontend:v1.4.13
+          image: beclab/system-frontend:v1.4.15
          imagePullPolicy: IfNotPresent
          command:
            - /bin/sh
@@ -455,7 +443,7 @@ spec:
            - name: NATS_SUBJECT_VAULT
              value: os.vault.{{ .Values.bfl.username}}
        - name: user-service
-          image: beclab/user-service:v0.0.45
+          image: beclab/user-service:v0.0.46
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 3000
@@ -466,12 +454,8 @@ spec:
        {{- end }}
            - name: DEV_MODE
              value: ''
-            - name: OS_SYSTEM_SERVER
-              value: system-server.user-system-{{ .Values.bfl.username }}
-            - name: OS_APP_SECRET
-              value: '{{ .Values.os.settings.appSecret }}'
-            - name: OS_APP_KEY
-              value: {{ .Values.os.settings.appKey }}
+            - name: MY_NAME
+              value: '{{ .Values.bfl.username }}'
            - name: NODE_IP
              valueFrom:
                fieldRef:
@@ -682,34 +666,7 @@ data:
  appData: "{{ .Values.userspace.appData }}"
  appCache: "{{ .Values.userspace.appCache }}"
  username: "{{ .Values.bfl.username }}"
---
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ProviderRegistry
-metadata:
-  name: files-provider
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  dataType: files
-  deployment: files
-  description: files provider
-  endpoint: files-service.{{ .Release.Namespace }}
-  group: service.files
-  kind: provider
-  namespace: {{ .Release.Namespace }}
-  opApis:
-    - name: Query
-      uri: /provider/query_file
-    - name: GetSearchFolderStatus
-      uri: /provider/get_search_folder_status
-    - name: UpdateSearchFolderPaths
-      uri: /provider/update_search_folder_paths
-    - name: GetDatasetFolderStatus
-      uri: /provider/get_dataset_folder_status
-    - name: UpdateDatasetFolderPaths
-      uri: /provider/update_dataset_folder_paths
-  version: v1
-status:
-  state: active
+
 ---
 apiVersion: v1
 kind: Secret
@@ -847,6 +804,7 @@ data:
                                  - exact: x-bfl-user
                                  - exact: x-real-ip
                                  - exact: terminus-nonce
+                                  - exact: x-provider-proxy
                              headers_to_add:
                                - key: X-Forwarded-Method
                                  value: '%REQ(:METHOD)%'
@@ -965,256 +923,7 @@ kind: ConfigMap
 metadata:
  name: sidecar-upload-configs
  namespace: {{ .Release.Namespace }}
---
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ApplicationPermission
-metadata:
-  name: dashboard-vault
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  app: dashboard
-  appid: dashboard
-  key: {{ .Values.os.dashboard.appKey }}
-  secret: {{ .Values.os.dashboard.appSecret }}
-  permissions:
-    - dataType: secret
-      group: secret.infisical
-      ops:
-        - RetrieveSecret?workspace=dashboard
-        - CreateSecret?workspace=dashboard
-        - DeleteSecret?workspace=dashboard
-        - UpdateSecret?workspace=dashboard
-        - ListSecret?workspace=dashboard
-      version: v1
-status:
-  state: active
---
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ApplicationPermission
-metadata:
-  name: profile
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  app: profile
-  appid: profile
-  key: {{ .Values.os.profile.appKey }}
-  secret: {{ .Values.os.profile.appSecret }}
-  permissions:
-    - dataType: datastore
-      group: service.bfl
-      ops:
-        - GetKey
-        - GetKeyPrefix
-        - SetKey
-        - DeleteKey
-      version: v1
-    - dataType: nft
-      group: service.settings
-      ops:
-        - getNFTAddress
-      version: v1
-status:
-  state: active
---
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ApplicationPermission
-metadata:
-  name: settings
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  app: settings
-  appid: settings
-  key: {{ .Values.os.settings.appKey }}
-  secret: {{ .Values.os.settings.appSecret }}
-  permissions:
-    - dataType: config
-      group: service.desktop
-      ops:
-        - Update
-      version: v1
-    - dataType: secret
-      group: secret.infisical
-      ops:
-        - RetrieveSecret?workspace=settings
-        - CreateSecret?workspace=settings
-        - DeleteSecret?workspace=settings
-        - UpdateSecret?workspace=settings
-        - ListSecret?workspace=settings
-      version: v1
-    - dataType: headscale
-      group: service.headscale
-      ops:
-        - GetMachine
-        - RenameMachine
-        - DeleteMachine
-        - GetRoute
-        - EnableRoute
-        - DisableRoute
-        - SetTags
-      version: v1
-    - dataType: files
-      group: service.files
-      ops:
-        - Query
-        - GetSearchFolderStatus
-        - UpdateSearchFolderPaths
-        - GetDatasetFolderStatus
-        - UpdateDatasetFolderPaths
-      version: v1
-    - dataType: datastore
-      group: service.bfl
-      ops:
-        - GetKey
-        - GetKeyPrefix
-        - SetKey
-        - DeleteKey
-      version: v1
-    - dataType: app
-      group: service.bfl
-      ops:
-        - UserApps
-      version: v1
-status:
-  state: active
-
---
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ProviderRegistry
-metadata:
-  name: settings-nft
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  dataType: nft
-  deployment: settings
-  description: Get Cloud Bind NFT List
-  endpoint: settings-service.{{ .Release.Namespace }}
-  group: service.settings
-  kind: provider
-  namespace: {{ .Release.Namespace }}
-  opApis:
-    - name: getNFTAddress
-      uri: /api/cloud/getNFTAddress
-  version: v1
-status:
-  state: active
-
---
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ProviderRegistry
-metadata:
-  name: settings-account
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  dataType: account
-  deployment: settings
-  description: Get Acccount saved in Settings
-  endpoint: settings-service.{{ .Release.Namespace }}
-  group: service.settings
-  kind: provider
-  namespace: {{ .Release.Namespace }}
-  opApis:
-    - name: getAccount
-      uri: /api/account
-  version: v1
-status:
-  state: active
-
---
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ProviderRegistry
-metadata:
-  name: settings-backup-password
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  dataType: backupPassword
-  deployment: settings
-  description: Get Backup Plan's Password
-  endpoint: settings-service.{{ .Release.Namespace }}
-  group: service.settings
-  kind: provider
-  namespace: {{ .Release.Namespace }}
-  opApis:
-    - name: getAccount
-      uri: /api/backup/password
-  version: v1
-status:
-  state: active
-
---
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ProviderRegistry
-metadata:
-  name: settings-event-watcher
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  callbacks:
-    - filters:
-        type:
-          - backup-state-event
-      op: Create
-      uri: /api/event/backup_state_event
-    - filters:
-        type:
-          - restore-state-event
-      op: Create
-      uri: /api/event/restore_state_event
-    - filters:
-        type:
-          - app-installation-event
-      op: Create
-      uri: /api/event/app_installation_event
-    - filters:
-        type:
-          - settings-event
-      op: Create
-      uri: /api/event/app_installation_event
-    - filters:
-        type:
-          - entrance-state-event
-      op: Create
-      uri: /api/event/entrance_state_event
-    - filters:
-        type:
-          - system-upgrade-event
-      op: Create
-      uri: /api/event/system_upgrade_event
-  dataType: event
-  deployment: settings
-  description: desktop event watcher
-  endpoint: settings-service.{{ .Release.Namespace }}
-  group: message-disptahcer.system-server
-  kind: watcher
-  namespace: {{ .Release.Namespace }}
-  version: v1
-status:
-  state: active
-
---
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ProviderRegistry
-metadata:
-  name: settings-account-retrieve
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  dataType: legacy_api
-  deployment: settings
-  description: settings account retrieve legacy api
-  endpoint: settings-service.{{ .Release.Namespace }}
-  group: service.settings
-  kind: provider
-  namespace: {{ .Release.Namespace }}
-  version: v1
-  opApis:
-    - name: POST
-      uri: /api/account/retrieve
-    - name: GET
-      uri: /api/account/all
-    - name: POST
-      uri: /api/cookie/retrieve
-    - name: POST
-      uri: /api/cookie
-status:
-  state: active
+  
 ---
 apiVersion: v1
 kind: Secret
@@ -1284,166 +993,6 @@ spec:
    - protocol: TCP
      port: 3000
      targetPort: 3000
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  namespace: {{ .Release.Namespace }}
-  name: internal-kubectl
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: {{ .Release.Namespace }}:edge-desktop-rb
-subjects:
-  - kind: ServiceAccount
-    namespace: {{ .Release.Namespace }}
-    name: internal-kubectl
-roleRef:
-  # kind: Role
-  kind: ClusterRole
-  name: cluster-admin
-  apiGroup: rbac.authorization.k8s.io
---
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ProviderRegistry
-metadata:
-  name: app-event-watcher
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  callbacks:
-  - filters:
-      type:
-      - app-installation-event
-    op: Create
-    uri: /server/app_installation_event
-  - filters:
-      type:
-        - entrance-state-event
-    op: Create
-    uri: /server/entrance_state_event
-  - filters:
-      type:
-      - settings-event
-    op: Create
-    uri: /server/app_installation_event
-  - filters:
-      type:
-      - system-upgrade-event
-    op: Create
-    uri: /server/system_upgrade_event
-  dataType: event
-  deployment: edge-desktop
-  description: desktop event watcher
-  endpoint: edge-desktop.{{ .Release.Namespace }}
-  group: message-disptahcer.system-server
-  kind: watcher
-  namespace: {{ .Release.Namespace }}
-  version: v1
-status:
-  state: active
-
---
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ProviderRegistry
-metadata:
-  name: intent-api
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  dataType: legacy_api
-  deployment: edge-desktop
-  description: edge-desktop legacy api
-  endpoint: edge-desktop.{{ .Release.Namespace }}
-  group: api.intent
-  kind: provider
-  namespace: {{ .Release.Namespace }}
-  version: v1
-  opApis:
-  - name: POST
-    uri: /server/intent/send
-status:
-  state: active
-
---
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ProviderRegistry
-metadata:
-  name: intent-api-v2
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  dataType: legacy_api
-  deployment: edge-desktop
-  description: edge-desktop legacy api
-  endpoint: edge-desktop.{{ .Release.Namespace }}
-  group: api.intent
-  kind: provider
-  namespace: {{ .Release.Namespace }}
-  version: v2
-  opApis:
-    - name: POST
-      uri: /server/intent/send
-status:
-  state: active
-
---
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ProviderRegistry
-metadata:
-  name: destktop-ai-provider
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  dataType: ai_message
-  deployment: edge-desktop
-  description: search ai callback
-  endpoint: edge-desktop.{{ .Release.Namespace }}
-  group: service.desktop
-  kind: provider
-  namespace: {{ .Release.Namespace }}
-  opApis:
-  - name: AIMessage
-    uri: /server/ai_message
-  version: v1
-status:
-  state: active
-
---
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ApplicationPermission
-metadata:
-  name: desktop
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  app: desktop
-  appid: desktop
-  key: {{ .Values.os.desktop.appKey }}
-  secret: {{ .Values.os.desktop.appSecret }}
-  permissions:
-  - dataType: files
-    group: service.files
-    ops:
-    - Query
-    version: v1
-  - dataType: datastore
-    group: service.bfl
-    ops:
-    - GetKey
-    - GetKeyPrefix
-    - SetKey
-    - DeleteKey
-    version: v1
-  - dataType: app
-    group: service.bfl
-    ops:
-    - UserApps
-    version: v1
-  - dataType: app
-    group: service.appstore
-    ops:
-    - UninstallDevApp
-    version: v1
-status:
-  state: active

 ---
 apiVersion: v1
@@ -1512,6 +1061,7 @@ data:
                              - exact: x-bfl-user
                              - exact: x-real-ip
                              - exact: terminus-nonce
+                              - exact: x-provider-proxy
                          headers_to_add:
                            - key: X-Forwarded-Method
                              value: '%REQ(:METHOD)%'
@@ -1687,6 +1237,7 @@ data:
                              - exact: x-bfl-user
                              - exact: x-real-ip
                              - exact: terminus-nonce
+                              - exact: x-provider-proxy
                          headers_to_add:
                            - key: X-Forwarded-Method
                              value: '%REQ(:METHOD)%'
@@ -1876,6 +1427,7 @@ data:
                              - exact: x-bfl-user
                              - exact: x-real-ip
                              - exact: terminus-nonce
+                              - exact: x-provider-proxy
                          headers_to_add:
                            - key: X-Forwarded-Method
                              value: '%REQ(:METHOD)%'
@@ -2154,3 +1706,11 @@ spec:
          pub: allow

    user: user-service-{{ .Values.bfl.username }}
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: system-frontend
+
--- a/apps/.olares/config/user/helm-charts/system-apps/templates/secret-permission.yaml
+++ b/apps/.olares/config/user/helm-charts/system-apps/templates/secret-permission.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: backend:{{ .Values.bfl.username }}:secret-settings-provider-svc
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.bfl.username }}:secret-settings-provider-svc
+subjects:
+- kind: ServiceAccount
+  name: system-frontend
+  namespace: {{ .Release.Namespace }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: backend:{{ .Values.bfl.username }}:system-frontend:secret-dashboard-provider-svc
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.bfl.username }}:secret-dashboard-provider-svc
+subjects:
+- kind: ServiceAccount
+  name: system-frontend
+  namespace: {{ .Release.Namespace }}
+
--- a/apps/.olares/config/user/helm-charts/system-apps/templates/user-service-provider.yaml
+++ b/apps/.olares/config/user/helm-charts/system-apps/templates/user-service-provider.yaml
@@ -0,0 +1,185 @@
+# ---
+# apiVersion: sys.bytetrade.io/v1alpha1
+# kind: ProviderRegistry
+# metadata:
+#   name: settings-nft
+#   namespace: user-system-{{ .Values.bfl.username }}
+# spec:
+#   dataType: nft
+#   deployment: settings
+#   description: Get Cloud Bind NFT List
+#   endpoint: settings-service.{{ .Release.Namespace }}
+#   group: service.settings
+#   kind: provider
+#   namespace: {{ .Release.Namespace }}
+#   opApis:
+#     - name: getNFTAddress
+#       uri: /api/cloud/getNFTAddress
+#   version: v1
+# status:
+#   state: active
+
+# ---
+# apiVersion: sys.bytetrade.io/v1alpha1
+# kind: ProviderRegistry
+# metadata:
+#   name: settings-account
+#   namespace: user-system-{{ .Values.bfl.username }}
+# spec:
+#   dataType: account
+#   deployment: settings
+#   description: Get Acccount saved in Settings
+#   endpoint: settings-service.{{ .Release.Namespace }}
+#   group: service.settings
+#   kind: provider
+#   namespace: {{ .Release.Namespace }}
+#   opApis:
+#     - name: getAccount
+#       uri: /api/account
+#   version: v1
+# status:
+#   state: active
+
+# ---
+# apiVersion: sys.bytetrade.io/v1alpha1
+# kind: ProviderRegistry
+# metadata:
+#   name: settings-backup-password
+#   namespace: user-system-{{ .Values.bfl.username }}
+# spec:
+#   dataType: backupPassword
+#   deployment: settings
+#   description: Get Backup Plan's Password
+#   endpoint: settings-service.{{ .Release.Namespace }}
+#   group: service.settings
+#   kind: provider
+#   namespace: {{ .Release.Namespace }}
+#   opApis:
+#     - name: getAccount
+#       uri: /api/backup/password
+#   version: v1
+# status:
+#   state: active
+
+# ---
+# apiVersion: sys.bytetrade.io/v1alpha1
+# kind: ProviderRegistry
+# metadata:
+#   name: settings-account-retrieve
+#   namespace: user-system-{{ .Values.bfl.username }}
+# spec:
+#   dataType: legacy_api
+#   deployment: settings
+#   description: settings account retrieve legacy api
+#   endpoint: settings-service.{{ .Release.Namespace }}
+#   group: service.settings
+#   kind: provider
+#   namespace: {{ .Release.Namespace }}
+#   version: v1
+#   opApis:
+#     - name: POST
+#       uri: /api/account/retrieve
+#     - name: GET
+#       uri: /api/account/all
+#     - name: POST
+#       uri: /api/cookie/retrieve
+#     - name: POST
+#       uri: /api/cookie
+# status:
+#   state: active
+
+# ---
+# apiVersion: sys.bytetrade.io/v1alpha1
+# kind: ProviderRegistry
+# metadata:
+#   name: intent-api
+#   namespace: user-system-{{ .Values.bfl.username }}
+# spec:
+#   dataType: legacy_api
+#   deployment: edge-desktop
+#   description: edge-desktop legacy api
+#   endpoint: edge-desktop.{{ .Release.Namespace }}
+#   group: api.intent
+#   kind: provider
+#   namespace: {{ .Release.Namespace }}
+#   version: v1
+#   opApis:
+#   - name: POST
+#     uri: /server/intent/send
+# status:
+#   state: active
+
+# ---
+# apiVersion: sys.bytetrade.io/v1alpha1
+# kind: ProviderRegistry
+# metadata:
+#   name: intent-api-v2
+#   namespace: user-system-{{ .Values.bfl.username }}
+# spec:
+#   dataType: legacy_api
+#   deployment: edge-desktop
+#   description: edge-desktop legacy api
+#   endpoint: edge-desktop.{{ .Release.Namespace }}
+#   group: api.intent
+#   kind: provider
+#   namespace: {{ .Release.Namespace }}
+#   version: v2
+#   opApis:
+#     - name: POST
+#       uri: /server/intent/send
+# status:
+#   state: active
+
+# ---
+# apiVersion: sys.bytetrade.io/v1alpha1
+# kind: ProviderRegistry
+# metadata:
+#   name: destktop-ai-provider
+#   namespace: user-system-{{ .Values.bfl.username }}
+# spec:
+#   dataType: ai_message
+#   deployment: edge-desktop
+#   description: search ai callback
+#   endpoint: edge-desktop.{{ .Release.Namespace }}
+#   group: service.desktop
+#   kind: provider
+#   namespace: {{ .Release.Namespace }}
+#   opApis:
+#   - name: AIMessage
+#     uri: /server/ai_message
+#   version: v1
+# status:
+#   state: active
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.bfl.username }}:settings-provider-svc
+  annotations:
+    provider-registry-ref: user-system-{{ .Values.bfl.username }}/settings
+    provider-service-ref: settings-service.{{ .Release.Namespace }}
+rules:
+- nonResourceURLs: 
+  - "/api/cloud/getNFTAddress"
+  - "/api/account/"
+  - "/api/backup/password"
+  - "/api/account/retrieve"
+  - "/api/account/all"
+  - "/api/cookie/retrieve"
+  - "/api/cookie/"
+  verbs: ["*"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.bfl.username }}:edge-desktop-provider-svc
+  annotations:
+    provider-registry-ref: user-system-{{ .Values.bfl.username }}/edge-desktop
+    provider-service-ref: edge-desktop.{{ .Release.Namespace }}
+rules:
+- nonResourceURLs: 
+  - "/server/intent/send"
+  - "/server/ai_message"
+  verbs: ["*"]  
--- a/apps/.olares/config/user/helm-charts/system-apps/templates/vault-provider.yaml
+++ b/apps/.olares/config/user/helm-charts/system-apps/templates/vault-provider.yaml
@@ -0,0 +1,88 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.bfl.username }}:vault-frontend-svc
+  annotations:
+    provider-registry-ref: user-space-{{ .Values.bfl.username }}/vault
+    provider-service-ref: vault-server.os-framework:3010
+rules:
+- nonResourceURLs: ["/vault*"]
+  verbs: ["*"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.bfl.username }}:vault-frontend-domain-settings
+  annotations:
+    provider-registry-ref: {{ .Values.bfl.username }}/settings
+    provider-service-ref: vault-server.os-framework:3010
+rules:
+- nonResourceURLs: ["/vault*"]
+  verbs: ["*"]
+
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.bfl.username }}:vault-frontend-domain
+  annotations:
+    provider-registry-ref: {{ .Values.bfl.username }}/vault
+    provider-service-ref: vault-server.os-framework:3010
+rules:
+- nonResourceURLs: ["/server*"]
+  verbs: ["*"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: user:{{ .Values.bfl.username }}:vault-frontend-svc
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.bfl.username }}:vault-frontend-svc
+subjects:
+- kind: User
+  name: '{{ .Values.bfl.username }}'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: user:{{ .Values.bfl.username }}:vault-frontend-domain-settings
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.bfl.username }}:vault-frontend-domain-settings
+subjects:
+- kind: User
+  name: '{{ .Values.bfl.username }}'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: user:{{ .Values.bfl.username }}:vault-frontend-domain
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.bfl.username }}:vault-frontend-domain
+subjects:
+- kind: User
+  name: '{{ .Values.bfl.username }}'
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: vault
+  namespace: user-space-{{ .Values.bfl.username }}
+spec:
+  type: ExternalName
+  externalName: system-server.user-system-{{ .Values.bfl.username }}.svc.cluster.local
+  ports:
+    - protocol: TCP
+      port: 28080
+      targetPort: 28080
--- a/build/base-package/wizard/config/settings/templates/system-serviceaccount.yaml
+++ b/build/base-package/wizard/config/settings/templates/system-serviceaccount.yaml
@@ -100,6 +100,19 @@ rules:
  - patch
  - update
  - watch
+- apiGroups:
+  - '*'
+  resources:
+  - 'clusterroles'
+  - 'clusterrolebindings'
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
  - '*'
  resources:
@@ -107,11 +120,28 @@ rules:
  - users
  - configmaps
  - secrets
+  - nodes
+  - namespaces
  verbs:
  - get
  - list
  - watch

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: rbac-proxy
+rules:
+- apiGroups: ["authentication.k8s.io"]
+  resources:
+  - tokenreviews
+  verbs: ["create"]
+- apiGroups: ["authorization.k8s.io"]
+  resources:
+  - subjectaccessreviews
+  verbs: ["create"]
+
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
--- a/daemon/internel/apiserver/handlers/handler_did.go
+++ b/daemon/internel/apiserver/handlers/handler_did.go
@@ -10,19 +10,15 @@ func (h *Handlers) ResolveOlaresName(c *fiber.Ctx) error {
 	olaresName := c.Params("olaresName")
 	if olaresName == "" {
 		klog.Error("olaresName parameter is missing")
-		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{
-			"error": "olaresName parameter is required",
-		})
+		return h.ErrJSON(c, fiber.StatusBadRequest, "olaresName parameter is required")
 	}
 	klog.Infof("Received olaresName: %s", olaresName)
 	result, err := jws.ResolveOlaresName(olaresName)
 	if err != nil {
 		klog.Errorf("Failed to resolve DID for %s: %v", olaresName, err)
-		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{
-			"error": "Failed to resolve DID",
-		})
+		return h.ErrJSON(c, fiber.StatusInternalServerError, "Failed to resolve DID")
 	}
-	return c.Status(fiber.StatusOK).JSON(result)
+	return h.OkJSON(c, "success", result)
 }

 func (h *Handlers) CheckJWS(c *fiber.Ctx) error {
@@ -35,16 +31,12 @@ func (h *Handlers) CheckJWS(c *fiber.Ctx) error {

 	if err := c.BodyParser(&body); err != nil {
 		klog.Errorf("Failed to parse request body: %v", err)
-		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{
-			"error": "Invalid request body format",
-		})
+		return h.ErrJSON(c, fiber.StatusBadRequest, "Invalid request body format")
 	}

 	if body.JWS == "" {
 		klog.Error("JWS is missing in request body")
-		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{
-			"error": "JWS is required in request body",
-		})
+		return h.ErrJSON(c, fiber.StatusBadRequest, "JWS is required in request body")
 	}

 	if body.Duration == 0 {
@@ -54,10 +46,8 @@ func (h *Handlers) CheckJWS(c *fiber.Ctx) error {
 	result, err := jws.CheckJWS(body.JWS, body.Duration)
 	if err != nil {
 		klog.Errorf("Failed to check JWS: %v", err)
-		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{
-			"error": "Invalid JWS",
-		})
+		return h.ErrJSON(c, fiber.StatusBadRequest, "Invalid JWS")
 	}

-	return c.Status(fiber.StatusOK).JSON(result)
+	return h.OkJSON(c, "success", result)
 }
--- a/framework/app-service/.olares/config/cluster/deploy/appservice_deploy.yaml
+++ b/framework/app-service/.olares/config/cluster/deploy/appservice_deploy.yaml
@@ -170,7 +170,7 @@ spec:
      priorityClassName: "system-cluster-critical"
      containers:
      - name: app-service
-        image: beclab/app-service:0.3.79
+        image: beclab/app-service:0.3.82
        imagePullPolicy: IfNotPresent
        securityContext:
          runAsUser: 0
--- a/framework/authelia/.olares/config/user/helm-charts/auth/templates/provider.yaml
+++ b/framework/authelia/.olares/config/user/helm-charts/auth/templates/provider.yaml
@@ -0,0 +1,48 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.bfl.username }}:authelia-frontend-svc
+  annotations:
+    provider-registry-ref: user-system-{{ .Values.bfl.username }}/authelia-backend-provider
+    provider-service-ref: authelia-backend.os-framework:9091
+rules:
+- nonResourceURLs: ["*"]
+  verbs: ["*"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.bfl.username }}:authelia-frontend-domain
+  annotations:
+    provider-registry-ref: {{ .Values.bfl.username }}/auth
+    provider-service-ref: authelia-backend.os-framework:9091
+rules:
+- nonResourceURLs: ["*"]
+  verbs: ["*"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: user:{{ .Values.bfl.username }}:authelia-frontend-svc
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.bfl.username }}:authelia-frontend-svc
+subjects:
+- kind: User
+  name: '{{ .Values.bfl.username }}'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: user:{{ .Values.bfl.username }}:authelia-frontend-domain
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.bfl.username }}:authelia-frontend-domain
+subjects:
+- kind: User
+  name: '{{ .Values.bfl.username }}'
--- a/framework/bfl/.olares/config/launcher/templates/bfl_deploy.yaml
+++ b/framework/bfl/.olares/config/launcher/templates/bfl_deploy.yaml
@@ -266,7 +266,7 @@ spec:

      containers:
      - name: api
-        image: beclab/bfl:v0.4.23
+        image: beclab/bfl:v0.4.24
        imagePullPolicy: IfNotPresent
        securityContext:
          runAsUser: 1000
@@ -290,9 +290,9 @@ spec:
            port: 8080
        env:
        - name: APP_SERVICE_SERVICE_HOST
-          value: app-service.os-framework
+          value: app-service.user-system-{{ .Values.bfl.username }}
        - name: APP_SERVICE_SERVICE_PORT
-          value: '6755'
+          value: '28080'
        - name: USER_DEFAULT_MEMORY_LIMIT
          value: '3G'
        - name: USER_DEFAULT_CPU_LIMIT
@@ -301,12 +301,6 @@ spec:
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
-        - name: OS_SYSTEM_SERVER
-          value: system-server.user-system-{{ .Values.bfl.username }}
-        - name: OS_APP_SECRET
-          value: {{ .Values.bfl.appSecret }}
-        - name: OS_APP_KEY
-          value: {{ .Values.bfl.appKey }}
        - name: BACKUP_SERVER
          value: backup-server.os-framework:8082
        - name: L4_PROXY_IMAGE_VERSION
@@ -327,7 +321,7 @@ spec:
              apiVersion: v1
              fieldPath: spec.nodeName
      - name: ingress
-        image: beclab/bfl-ingress:v0.3.16
+        image: beclab/bfl-ingress:v0.3.17
        imagePullPolicy: IfNotPresent
        volumeMounts:
        - name: ngxlog
@@ -395,94 +389,4 @@ spec:
  selector:
    tier: bfl

---
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ApplicationPermission
-metadata:
-  name: bfl
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  app: bfl
-  appid: bfl
-  key: {{ .Values.bfl.appKey }}
-  secret: {{ .Values.bfl.appSecret }}
-  permissions:
-  - dataType: event
-    group: message-disptahcer.system-server
-    ops:
-    - Create
-    version: v1
-status:
-  state: active

---
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ProviderRegistry
-metadata:
-  name: bfl-app-provider
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  dataType: app
-  deployment: bfl
-  description: app store provider
-  endpoint: bfl.{{ .Release.Namespace }}
-  group: service.bfl
-  kind: provider
-  namespace: {{ .Release.Namespace }}
-  opApis:
-  - name: InstallDevApp
-    uri: /bfl/app_store/v1alpha1/applications/installdev
-  - name: UserApps
-    uri: /bfl/backend/v1/myapps
-  version: v1
-status:
-  state: active
-
---
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ProviderRegistry
-metadata:
-  name: bfl-datastore-provider
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  dataType: datastore
-  deployment: bfl
-  description: data store provider
-  endpoint: bfl.{{ .Release.Namespace }}
-  group: service.bfl
-  kind: provider
-  namespace: {{ .Release.Namespace }}
-  opApis:
-  - name: GetKey
-    uri: /bfl/datastore/v1alpha1/get
-  - name: GetKeyPrefix
-    uri: /bfl/datastore/v1alpha1/get/prefix
-  - name: SetKey
-    uri: /bfl/datastore/v1alpha1/put
-  - name: DeleteKey
-    uri: /bfl/datastore/v1alpha1/delete
-  version: v1
-status:
-  state: active
-
---
-apiVersion: apr.bytetrade.io/v1alpha1
-kind: SysEventRegistry
-metadata:
-  name: bfl-backup-new-cb
-  namespace: {{ .Release.Namespace }}
-spec:
-  type: subscriber
-  event: backup.new
-  callback: http://bfl.{{ .Release.Namespace }}/bfl/callback/v1alpha1/backup/new
-
---
-apiVersion: apr.bytetrade.io/v1alpha1
-kind: SysEventRegistry
-metadata:
-  name: bfl-backup-finish-cb
-  namespace: {{ .Release.Namespace }}
-spec:
-  type: subscriber
-  event: backup.finish
-  callback: http://bfl.{{ .Release.Namespace }}/bfl/callback/v1alpha1/backup/finish
--- a/framework/bfl/.olares/config/launcher/templates/permission.yaml
+++ b/framework/bfl/.olares/config/launcher/templates/permission.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: backend:{{ .Values.bfl.username }}:bytetrade-controller:app-service-svc
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.bfl.username }}:app-service-provider-svc
+subjects:
+- kind: ServiceAccount
+  name: bytetrade-controller
+  namespace: {{ .Release.Namespace }}
--- a/framework/bfl/.olares/config/launcher/templates/provider.yaml
+++ b/framework/bfl/.olares/config/launcher/templates/provider.yaml
@@ -0,0 +1,36 @@
+# ---
+# apiVersion: sys.bytetrade.io/v1alpha1
+# kind: ProviderRegistry
+# metadata:
+#   name: bfl-app-provider
+#   namespace: user-system-{{ .Values.bfl.username }}
+# spec:
+#   dataType: app
+#   deployment: bfl
+#   description: app store provider
+#   endpoint: bfl.{{ .Release.Namespace }}
+#   group: service.bfl
+#   kind: provider
+#   namespace: {{ .Release.Namespace }}
+#   opApis:
+#   - name: InstallDevApp
+#     uri: /bfl/app_store/v1alpha1/applications/installdev
+#   - name: UserApps
+#     uri: /bfl/backend/v1/myapps
+#   version: v1
+# status:
+#   state: active
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.bfl.username }}:bfl-svc
+  annotations:
+    provider-registry-ref: user-system-{{ .Values.bfl.username }}/bfl
+    provider-service-ref: bfl.{{ .Release.Namespace }}
+rules:
+- nonResourceURLs: 
+  - "/bfl/app_store/v1alpha1/applications/installdev"
+  - "/bfl/backend/v1/myapps"
+  verbs: ["*"]
--- a/framework/chart-repo/.olares/config/cluster/deploy/chart_repo_deploy.yaml
+++ b/framework/chart-repo/.olares/config/cluster/deploy/chart_repo_deploy.yaml
@@ -119,7 +119,7 @@ spec:
          name: check-appservice
      containers:
      - name: chartrepo
-        image: beclab/dynamic-chart-repository:v0.1.9
+        image: beclab/dynamic-chart-repository:v0.1.10
        imagePullPolicy: IfNotPresent
        ports:
          - containerPort: 81
--- a/framework/headscale/.olares/config/user/helm-charts/headscale/templates/headscale_deploy.yaml
+++ b/framework/headscale/.olares/config/user/helm-charts/headscale/templates/headscale_deploy.yaml
@@ -370,39 +370,6 @@ spec:
      port: 9000
      targetPort: 9000

---
-
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ProviderRegistry
-metadata:
-  name: headscale-provider
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  dataType: headscale
-  deployment: headscale
-  description: headscale provider
-  endpoint: headscale-server-svc.{{ .Release.Namespace }}:8000
-  group: service.headscale
-  kind: provider
-  namespace: {{ .Release.Namespace }}
-  opApis:
-  - name: GetMachine
-    uri: /headscale/machine
-  - name: RenameMachine
-    uri: /headscale/machine/rename
-  - name: DeleteMachine
-    uri: /headscale/machine
-  - name: GetRoute
-    uri: /headscale/machine/routes
-  - name: EnableRoute
-    uri: /headscale/routes/enable
-  - name: DisableRoute
-    uri: /headscale/routes/disable
-  - name: SetTags
-    uri: /headscale/machine/tags
-  version: v1
-status:
-  state: active

 ---

--- a/framework/headscale/.olares/config/user/helm-charts/headscale/templates/provider.yaml
+++ b/framework/headscale/.olares/config/user/helm-charts/headscale/templates/provider.yaml
@@ -0,0 +1,51 @@
+# ---
+# apiVersion: sys.bytetrade.io/v1alpha1
+# kind: ProviderRegistry
+# metadata:
+#   name: headscale-provider
+#   namespace: user-system-{{ .Values.bfl.username }}
+# spec:
+#   dataType: headscale
+#   deployment: headscale
+#   description: headscale provider
+#   endpoint: headscale-server-svc.{{ .Release.Namespace }}:8000
+#   group: service.headscale
+#   kind: provider
+#   namespace: {{ .Release.Namespace }}
+#   opApis:
+#   - name: GetMachine
+#     uri: /headscale/machine
+#   - name: RenameMachine
+#     uri: /headscale/machine/rename
+#   - name: DeleteMachine
+#     uri: /headscale/machine
+#   - name: GetRoute
+#     uri: /headscale/machine/routes
+#   - name: EnableRoute
+#     uri: /headscale/routes/enable
+#   - name: DisableRoute
+#     uri: /headscale/routes/disable
+#   - name: SetTags
+#     uri: /headscale/machine/tags
+#   version: v1
+# status:
+#   state: active
+
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.bfl.username }}:headscale-svc
+  annotations:
+    provider-registry-ref: user-system-{{ .Values.bfl.username }}/headscale
+    provider-service-ref: headscale-server-svc.{{ .Release.Namespace }}:8000
+rules:
+- nonResourceURLs: 
+  - "/headscale/machine"
+  - "/headscale/machine/rename"
+  - "/headscale/machine/routes"
+  - "/headscale/routes/enable"
+  - "/headscale/routes/disable"
+  - "/headscale/machine/tags"
+  verbs: ["*"]
--- a/framework/infisical/.olares/config/cluster/deploy/infisical_deploy.yaml
+++ b/framework/infisical/.olares/config/cluster/deploy/infisical_deploy.yaml
@@ -231,7 +231,7 @@ spec:
          subPath: nginx.conf

      - name: tapr-sidecar
-        image: beclab/secret-vault:0.1.12
+        image: beclab/secret-vault:0.1.13
        imagePullPolicy: IfNotPresent
        ports:
        - name: proxy
--- a/framework/infisical/.olares/config/user/helm-charts/infisical/templates/infisical_deploy.yaml
+++ b/framework/infisical/.olares/config/user/helm-charts/infisical/templates/infisical_deploy.yaml
@@ -13,31 +13,3 @@ spec:
      protocol: TCP
      targetPort: 8080

---
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ProviderRegistry
-metadata:
-  name: secret-provider
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  dataType: secret
-  deployment: infisical
-  description: infisical secret provider
-  endpoint: infisical-service.{{ .Release.Namespace }}:8080
-  group: secret.infisical
-  kind: provider
-  namespace: {{ .Release.Namespace }}
-  opApis:
-  - name: CreateSecret
-    uri: /secret/create
-  - name: RetrieveSecret
-    uri: /secret/retrieve
-  - name: ListSecret
-    uri: /secret/list
-  - name: DeleteSecret
-    uri: /secret/delete
-  - name: UpdateSecret
-    uri: /secret/update
-  version: v1
-status:
-  state: active
--- a/framework/infisical/.olares/config/user/helm-charts/infisical/templates/provider.yaml
+++ b/framework/infisical/.olares/config/user/helm-charts/infisical/templates/provider.yaml
@@ -0,0 +1,64 @@
+# ---
+# apiVersion: sys.bytetrade.io/v1alpha1
+# kind: ProviderRegistry
+# metadata:
+#   name: secret-provider
+#   namespace: user-system-{{ .Values.bfl.username }}
+# spec:
+#   dataType: secret
+#   deployment: infisical
+#   description: infisical secret provider
+#   endpoint: infisical-service.{{ .Release.Namespace }}:8080
+#   group: secret.infisical
+#   kind: provider
+#   namespace: {{ .Release.Namespace }}
+#   opApis:
+#   - name: CreateSecret
+#     uri: /secret/create
+#   - name: RetrieveSecret
+#     uri: /secret/retrieve
+#   - name: ListSecret
+#     uri: /secret/list
+#   - name: DeleteSecret
+#     uri: /secret/delete
+#   - name: UpdateSecret
+#     uri: /secret/update
+#   version: v1
+# status:
+#   state: active
+
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.bfl.username }}:secret-settings-provider-svc
+  annotations:
+    provider-registry-ref: user-system-{{ .Values.bfl.username }}/secret
+    provider-service-ref: infisical-service.{{ .Release.Namespace }}:8080
+rules:
+- nonResourceURLs: 
+  - /RetrieveSecret?workspace=settings
+  - /CreateSecret?workspace=settings
+  - /DeleteSecret?workspace=settings
+  - /UpdateSecret?workspace=settings
+  - /ListSecret?workspace=settings
+  verbs: ["*"]
+
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.bfl.username }}:secret-dashboard-provider-svc
+  annotations:
+    provider-registry-ref: user-system-{{ .Values.bfl.username }}/secret
+    provider-service-ref: infisical-service.{{ .Release.Namespace }}:8080
+rules:
+- nonResourceURLs: 
+  - /RetrieveSecret?workspace=dashboard
+  - /CreateSecret?workspace=dashboard
+  - /DeleteSecret?workspace=dashboard
+  - /UpdateSecret?workspace=dashboard
+  - /ListSecret?workspace=dashboard
+  verbs: ["*"]
--- a/framework/market/.olares/config/cluster/deploy/market_deploy.yaml
+++ b/framework/market/.olares/config/cluster/deploy/market_deploy.yaml
@@ -99,7 +99,7 @@ spec:
          name: check-chart-repo
      containers:
      - name: appstore-backend
-        image: beclab/market-backend:v0.4.21
+        image: beclab/market-backend:v0.4.23
        imagePullPolicy: IfNotPresent
        ports:
          - containerPort: 81
--- a/framework/system-server/.olares/config/user/helm-charts/systemserver/templates/proxy.yaml
+++ b/framework/system-server/.olares/config/user/helm-charts/systemserver/templates/proxy.yaml
@@ -0,0 +1,96 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: system-server
+  namespace: user-system-{{ .Values.bfl.username }}
+spec:
+  type: ClusterIP
+  selector:
+    app: systemserver
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 80
+      name: api
+    - protocol: TCP
+      port: 28080
+      targetPort: 28080
+      name: proxy
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: secret
+  namespace: user-system-{{ .Values.bfl.username }}
+spec:
+  type: ClusterIP
+  selector:
+    app: systemserver
+  ports:
+    - protocol: TCP
+      port: 28080
+      targetPort: 28080
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: bfl
+  namespace: user-system-{{ .Values.bfl.username }}
+spec:
+  type: ClusterIP
+  selector:
+    app: systemserver
+  ports:
+    - protocol: TCP
+      port: 28080
+      targetPort: 28080
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: app-service
+  namespace: user-system-{{ .Values.bfl.username }}
+spec:
+  type: ClusterIP
+  selector:
+    app: systemserver
+  ports:
+    - protocol: TCP
+      port: 28080
+      targetPort: 28080
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: authelia-backend-provider
+  namespace: user-system-{{ .Values.bfl.username }}
+spec:
+  type: ClusterIP
+  selector:
+    app: systemserver
+  ports:
+    - protocol: TCP
+      port: 28080
+      targetPort: 28080
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: headscale
+  namespace: user-system-{{ .Values.bfl.username }}
+spec:
+  type: ClusterIP
+  selector:
+    app: systemserver
+  ports:
+    - protocol: TCP
+      port: 28080
+      targetPort: 28080
+
--- a/framework/system-server/.olares/config/user/helm-charts/systemserver/templates/systemserver_deploy.yaml
+++ b/framework/system-server/.olares/config/user/helm-charts/systemserver/templates/systemserver_deploy.yaml
@@ -21,6 +21,20 @@ subjects:
  namespace: user-system-{{ .Values.bfl.username }}


+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: user-system-{{ .Values.bfl.username }}:bytetrade-sys-ops:rbac
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: rbac-proxy
+subjects:
+- kind: ServiceAccount
+  name: bytetrade-sys-ops
+  namespace: user-system-{{ .Values.bfl.username }}
+
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -53,14 +67,14 @@ spec:
      priorityClassName: "system-cluster-critical"
      containers:
      - name: system-server
-        image: beclab/system-server:0.1.25
+        image: beclab/system-server:0.1.26
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
        command:
        - /system-server
        - -v
-        - "4"
+        - "6"
        env:
        - name: MY_NAMESPACE
          valueFrom:
@@ -123,21 +137,6 @@ spec:
          - key: envoy.yaml
            path: envoy.yaml

---
-apiVersion: v1
-kind: Service
-metadata:
-  name: system-server
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  type: ClusterIP
-  selector:
-    app: systemserver
-  ports:
-    - protocol: TCP
-      port: 80
-      targetPort: 80
-
 ---
 apiVersion: v1
 data:
--- a/platform/tapr/.olares/config/cluster/deploy/middleware_deploy.yaml
+++ b/platform/tapr/.olares/config/cluster/deploy/middleware_deploy.yaml
@@ -99,7 +99,7 @@ spec:
        - name: DISABLE_TELEMETRY
          value: "false"
      - name: operator-api
-        image: beclab/middleware-operator:0.2.13
+        image: beclab/middleware-operator:0.2.14
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 9080
Author	SHA1	Message	Date
eball	20513370bc	fix: market backend auth	2025-08-27 22:01:26 +08:00
eball	829762b872	fix: app-service entrance url api	2025-08-27 16:30:35 +08:00
eball	f3b3eab49e	Merge branch 'main' into refactor/rbac-proxy * main: feat(daemon): Added an interface for querying the olaresName document and verifying the validity of the JWS. (#1756)	2025-08-27 15:38:09 +08:00
eball	4314bad303	revert: authelia-backend-svc	2025-08-27 15:16:32 +08:00
eball	a2b3ce0f83	Merge branch 'main' into refactor/rbac-proxy * main: cli: Rename resolveDID to ResolveOlaresName (#1757) fix: restrict user-service nats permission (#1755) feat: notification support application status change and system pressure change (#1753) fix(cli): explicitly set locale in etcd backup service (#1752)	2025-08-27 15:14:54 +08:00
eball	12c22d2502	refactor: change system frontend upstream to RBAC proxy	2025-08-27 14:30:48 +08:00
eball	c3f949f576	Merge branch 'main' into refactor/rbac-proxy * main: authelia: support default subdomains of system frontend (#1749) fix(system-frontend): update system-frontend (#1748) fix: files parse form bug & remove seahub & replace nginx for seafile (#1747) feat: support basic iGPU functions (#1746) system frontend: update version to v1.4.12 (#1742) feat: files hertz-thrift recons: all apis replaced (#1741) app-service,bfl,auth: merge multiple applications into one (#1740) ci(files): upload files to cloud (#1738) system frontend: update system-frontend, chart repo and market backend version (#1737) olaresd: add node pressure status (#1735) refactor(upgrade): remove path cmd & add spec/viable cmd for upgrade (#1734)	2025-08-26 16:56:18 +08:00
eball	e4114d831b	refactor: backend service provider and permission	2025-08-26 16:55:43 +08:00
eball	8bd8cdb6a7	feat: provider and permission define	2025-08-25 22:37:39 +08:00
eball	754f64c96e	fix: numeric user name	2025-08-22 11:42:48 +08:00
eball	15bdba0de3	refactor: add files provider	2025-08-21 21:10:42 +08:00
eball	739cfef419	system-server: refactor service provider based on RBAC	2025-08-21 20:28:42 +08:00