app-service: underlay namespace labels modified

fix(controlhub/studio): update dialog and fix studio deploy app

apps/desktop/config/user/helm-charts/desktop/templates/desktop_deploy.yaml

@@ -66,7 +66,7 @@ spec:
 
       containers:
       - name: edge-desktop
-        image: beclab/desktop:v0.2.56
+        image: beclab/desktop:v0.2.57
         imagePullPolicy: IfNotPresent
         securityContext:
           runAsNonRoot: false
@@ -78,7 +78,7 @@ spec:
             value: http://bfl.{{ .Release.Namespace }}:8080
 
       - name: desktop-server
-        image: beclab/desktop-server:v0.2.56
+        image: beclab/desktop-server:v0.2.57
         imagePullPolicy: IfNotPresent
         securityContext:
           allowPrivilegeEscalation: false
@@ -450,6 +450,7 @@ data:
                               - prefix: x-unauth-
                               - exact: x-authorization
                               - exact: x-bfl-user
+                              - exact: x-real-ip
                               - exact: terminus-nonce
                           headers_to_add:
                             - key: X-Forwarded-Method
@@ -626,6 +627,7 @@ data:
                               - prefix: x-unauth-
                               - exact: x-authorization
                               - exact: x-bfl-user
+                              - exact: x-real-ip
                               - exact: terminus-nonce
                           headers_to_add:
                             - key: X-Forwarded-Method

apps/files/config/cluster/deploy/files_deploy.yaml

@@ -84,7 +84,7 @@ spec:
             - containerPort: 8080
           env:
             - name: FILES_SERVER_TAG
-              value: 'beclab/files-server:v0.2.65'
+              value: 'beclab/files-server:v0.2.67'
             - name: NAMESPACE
               valueFrom:
                 fieldRef:
@@ -120,7 +120,7 @@ spec:
 {{ end }}
 
         - name: files
-          image: beclab/files-server:v0.2.65
+          image: beclab/files-server:v0.2.67
           imagePullPolicy: IfNotPresent
           securityContext:
             allowPrivilegeEscalation: true
@@ -412,7 +412,7 @@ spec:
           name: check-nats
       containers:
         - name: files
-          image: beclab/files-server:v0.2.65
+          image: beclab/files-server:v0.2.67
           imagePullPolicy: IfNotPresent
           securityContext:
             allowPrivilegeEscalation: true

apps/files/config/user/helm-charts/files/templates/files_fe_deploy.yaml

@@ -302,7 +302,7 @@ spec:
 #        - /filebrowser
 #        - --noauth
       - name: files-frontend
-        image: beclab/files-frontend:v1.3.44
+        image: beclab/files-frontend:v1.3.46
         imagePullPolicy: IfNotPresent
         securityContext:
           runAsNonRoot: false
@@ -324,7 +324,7 @@ spec:
         - name: userspace-dir
           mountPath: /data
       - name: drive-server
-        image: beclab/drive:v0.0.70
+        image: beclab/drive:v0.0.72
         imagePullPolicy: IfNotPresent
         env:
         - name: OS_SYSTEM_SERVER
@@ -347,7 +347,7 @@ spec:
         - name: data-dir
           mountPath: /data
       - name: task-executor
-        image: beclab/driveexecutor:v0.0.70
+        image: beclab/driveexecutor:v0.0.72
         imagePullPolicy: IfNotPresent
         env:
         - name: OS_SYSTEM_SERVER
@@ -792,6 +792,7 @@ data:
                                   - prefix: x-unauth-
                                   - exact: x-authorization
                                   - exact: x-bfl-user
+                                  - exact: x-real-ip
                                   - exact: terminus-nonce
                               headers_to_add:
                                 - key: X-Forwarded-Method

apps/knowledge/config/user/helm-charts/knowledge/templates/knowledge_deployment.yaml

@@ -168,7 +168,7 @@ spec:
             value: user_space_{{ .Values.bfl.username }}_knowledge
       containers:
       - name: knowledge
-        image: "beclab/knowledge-base-api:v0.1.67"
+        image: "beclab/knowledge-base-api:v0.1.68"
         imagePullPolicy: IfNotPresent
         securityContext:
           allowPrivilegeEscalation: false
@@ -238,7 +238,7 @@ spec:
             memory: 1Gi
 
       - name: backend-server
-        image: "beclab/recommend-backend:v0.0.29"
+        image: "beclab/recommend-backend:v0.0.30"
         imagePullPolicy: IfNotPresent
         securityContext:
           allowPrivilegeEscalation: false

apps/market/config/user/helm-charts/market/templates/market_deploy.yaml

@@ -44,6 +44,7 @@ spec:
         app: appstore
         io.bytetrade.app: "true"
     spec:
+      priorityClassName: "system-cluster-critical"
       initContainers:
         - args:
           - -it
@@ -85,12 +86,12 @@ spec:
                 fieldPath: status.podIP
       containers:
       - name: appstore
-        image: beclab/market-frontend:v0.3.6
+        image: beclab/market-frontend:v0.3.9
         imagePullPolicy: IfNotPresent
         ports:
         - containerPort: 80
       - name: appstore-backend
-        image: beclab/market-backend:v0.3.6
+        image: beclab/market-backend:v0.3.9
         imagePullPolicy: IfNotPresent
         ports:
           - containerPort: 81

apps/notifications/config/cluster/deploy/notification_deploy.yaml

@@ -0,0 +1,211 @@
+
+
+{{- $namespace := printf "%s%s" "os-system" -}}
+{{- $notifications_secret := (lookup "v1" "Secret" $namespace "notifications-secrets") -}}
+
+{{- $pg_password := "" -}}
+{{ if $notifications_secret -}}
+{{ $pg_password = (index $notifications_secret "data" "pg_password") }}
+{{ else -}}
+{{ $pg_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
+{{- $nats_password := "" -}}
+{{ if $notifications_secret -}}
+{{ $nats_password = (index $notifications_secret "data" "nats_password") }}
+{{ else -}}
+{{ $nats_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: notifications-secrets
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+  pg_password: {{ $pg_password }}
+  nats_password: {{ $nats_password }}
+
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: notifications-pg
+  namespace: {{ .Release.Namespace }}
+spec:
+  app: notifications
+  appNamespace: {{ .Release.Namespace }}
+  middleware: postgres
+  postgreSQL:
+    user: notifications_os_system
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: pg_password
+          name: notifications-secrets
+    databases:
+    - name: notifications   
+
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: notifications-nats
+  namespace: {{ .Release.Namespace }}
+spec:
+  app: notifications
+  appNamespace: {{ .Release.Namespace }}
+  middleware: nats
+  nats:
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: nats_password
+          name: notifications-secrets
+    refs: []   # TODO: refs to notifications-proxy's subject
+    subjects:
+      - export:
+          - appName: notifications-proxy
+            pub: allow
+            sub: allow
+          - appName: lldap
+            pub: allow
+            sub: allow
+          - appName: ks-component
+            pub: allow
+            sub: allow
+          - appName: authelia
+            pub: allow
+            sub: allow
+        name: system.notification
+        permission:
+          pub: allow
+          sub: allow
+    user: os-system-notifications
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: notifications-server
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: notifications-server
+    applications.app.bytetrade.io/author: bytetrade.io
+  annotations:
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: notifications-server
+  template:
+    metadata:
+      labels:
+        app: notifications-server
+    spec:
+      initContainers:
+      - name: init-container
+        image: 'postgres:16.0-alpine3.18'
+        command:
+          - sh
+          - '-c'
+          - >-
+            echo -e "Checking for the availability of PostgreSQL Server deployment"; until psql -h $PGHOST -p $PGPORT -U $PGUSER -d $PGDB -c "SELECT 1"; do sleep 1; printf "-"; done; sleep 5; echo -e " >> PostgreSQL DB Server has started";
+        env:
+          - name: PGHOST
+            value: citus-headless.os-system
+          - name: PGPORT
+            value: "5432"
+          - name: PGUSER
+            value: notifications_os_system
+          - name: PGPASSWORD
+            valueFrom:
+              secretKeyRef:
+                key: pg_password
+                name: notifications-secrets
+          - name: PGDB
+            value: os_system_notifications
+      containers:
+      - name: notifications-api
+        image: beclab/notifications-api:v1.12.2
+        imagePullPolicy: IfNotPresent
+        ports:
+        - containerPort: 3010
+          protocol: TCP
+        env:
+        - name: DATABASE_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: pg_password
+              name: notifications-secrets
+
+        - name: PRISMA_ENGINES_CHECKSUM_IGNORE_MISSING
+          value: '1'
+        - name: DATABASE_URL
+          value: postgres://notifications_os_system:$(DATABASE_PASSWORD)@citus-headless.os-system/os_system_notifications?sslmode=disable
+        - name: NATS_HOST
+          value: nats
+        - name: NATS_PORT
+          value: "4222"
+        - name: NATS_USERNAME
+          value: os-system-notifications
+        - name: NATS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: nats_password
+              name: notifications-secrets
+        - name: NATS_SUBJECT
+          value: "terminus.{{ .Release.Namespace }}.system.notification"
+
+        livenessProbe:
+          tcpSocket:
+            port: 3010
+          initialDelaySeconds: 25
+          timeoutSeconds: 15
+          periodSeconds: 10
+          successThreshold: 1
+          failureThreshold: 8
+        readinessProbe:
+          tcpSocket:
+            port: 3010
+          initialDelaySeconds: 25
+          periodSeconds: 10
+
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: notifications-service
+  namespace: {{ .Release.Namespace }}
+spec:
+  type: ClusterIP
+  selector:
+    app: notifications-server
+  ports:
+  - name: "notifications-server"
+    protocol: TCP
+    port: 80
+    targetPort: 3010
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: notifications-server
+  namespace: {{ .Release.Namespace }}
+spec:
+  type: ClusterIP
+  selector:
+    app: notifications-server
+  ports:
+  - name: "server"
+    protocol: TCP
+    port: 80
+    targetPort: 3010
+

apps/notifications/config/user/helm-charts/notification/templates/notification_deploy.yaml

@@ -1,234 +1 @@
-
+# TODO: deploy a notification proxy
-
-{{- $namespace := printf "%s%s" "user-system-" .Values.bfl.username -}}
-{{- $notifications_secret := (lookup "v1" "Secret" $namespace "notifications-secrets") -}}
-{{- $password := "" -}}
-{{ if $notifications_secret -}}
-{{ $password = (index $notifications_secret "data" "pg_password") }}
-{{ else -}}
-{{ $password = randAlphaNum 16 | b64enc }}
-{{- end -}}
-
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: notifications-secrets
-  namespace: user-system-{{ .Values.bfl.username }}
-type: Opaque
-data:
-  pg_password: {{ $password }}
----
-apiVersion: apr.bytetrade.io/v1alpha1
-kind: MiddlewareRequest
-metadata:
-  name: notifications-pg
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  app: notifications
-  appNamespace: {{ .Release.Namespace }}
-  middleware: postgres
-  postgreSQL:
-    user: notifications_{{ .Values.bfl.username }}
-    password:
-      valueFrom:
-        secretKeyRef:
-          key: pg_password
-          name: notifications-secrets
-    databases:
-    - name: notifications   
-
-
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: notifications-server
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app: notifications-server
-    applications.app.bytetrade.io/author: bytetrade.io
-  annotations:
-spec:
-  replicas: 1
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app: notifications-server
-  template:
-    metadata:
-      labels:
-        app: notifications-server
-    spec:
-      initContainers:
-      - name: init-container
-        image: 'postgres:16.0-alpine3.18'
-        command:
-          - sh
-          - '-c'
-          - >-
-            echo -e "Checking for the availability of PostgreSQL Server deployment"; until psql -h $PGHOST -p $PGPORT -U $PGUSER -d $PGDB -c "SELECT 1"; do sleep 1; printf "-"; done; sleep 5; echo -e " >> PostgreSQL DB Server has started";
-        env:
-          - name: PGHOST
-            value: citus-master-svc.user-system-{{ .Values.bfl.username }}
-          - name: PGPORT
-            value: "5432"
-          - name: PGUSER
-            value: notifications_{{ .Values.bfl.username }}
-          - name: PGPASSWORD
-            value: {{ $password | b64dec }}
-          - name: PGDB
-            value: user_space_{{ .Values.bfl.username }}_notifications
-      containers:
-      - name: notifications-api
-        image: beclab/notifications-api:v0.1.25
-        imagePullPolicy: IfNotPresent
-        ports:
-        - containerPort: 3010
-          protocol: TCP
-        env:
-        - name: OS_SYSTEM_SERVER
-          value: system-server.user-system-{{ .Values.bfl.username }}
-        - name: OS_APP_SECRET
-          value: '{{ .Values.os.notification.appSecret }}'
-        - name: OS_APP_KEY
-          value: {{ .Values.os.notification.appKey }}
-        - name: DATABASE_PASSWORD
-          value: {{ $password | b64dec }}
-        - name: PRISMA_ENGINES_CHECKSUM_IGNORE_MISSING
-          value: '1'
-        - name: DATABASE_URL
-          value: postgres://notifications_{{ .Values.bfl.username }}:$(DATABASE_PASSWORD)@citus-master-svc.user-system-{{ .Values.bfl.username }}/user_space_{{ .Values.bfl.username }}_notifications?sslmode=disable
-        livenessProbe:
-          tcpSocket:
-            port: 3010
-          initialDelaySeconds: 25
-          timeoutSeconds: 15
-          periodSeconds: 10
-          successThreshold: 1
-          failureThreshold: 8
-        readinessProbe:
-          tcpSocket:
-            port: 3010
-          initialDelaySeconds: 25
-          periodSeconds: 10
-
-
-
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: notifications-service
-  namespace: {{ .Release.Namespace }}
-spec:
-  type: ClusterIP
-  selector:
-    app: notifications-server
-  ports:
-  - name: "notifications-server"
-    protocol: TCP
-    port: 80
-    targetPort: 3010
-
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: notifications-server
-  namespace: {{ .Release.Namespace }}
-spec:
-  type: ClusterIP
-  selector:
-    app: notifications-server
-  ports:
-  - name: "server"
-    protocol: TCP
-    port: 80
-    targetPort: 3010
-
----
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ProviderRegistry
-metadata:
-  name: notifications-token-provider
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  dataType: token
-  deployment: notifications-server
-  description: notifications provider
-  endpoint: notifications-server.{{ .Release.Namespace }}
-  group: service.notification
-  kind: provider
-  namespace: {{ .Release.Namespace }}
-  opApis:
-  - name: Create
-    uri: /termipass/create_token
-  version: v1
-status:
-  state: active
- 
----
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ProviderRegistry
-metadata:
-  name: notifications-message-provider
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  dataType: message
-  deployment: notifications-server
-  description: notifications provider
-  endpoint: notifications-server.{{ .Release.Namespace }}
-  group: service.notification
-  kind: provider
-  namespace: {{ .Release.Namespace }}
-  opApis:
-  - name: SendMassage
-    uri: /notification/create_job
-  - name: SystemMessage
-    uri: /notification/system/push
-  version: v1
-status:
-  state: active
-
----
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ApplicationPermission
-metadata:
-  name: notification-call-vault
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  app: notifications
-  appid: notifications
-  key: {{ .Values.os.notification.appKey }}
-  secret: {{ .Values.os.notification.appSecret }}
-  permissions:
-  - dataType: notification
-    group: service.vault
-    ops:
-    - Create
-    - Query
-    version: v1
-  - dataType: notification
-    group: service.desktop
-    ops:
-    - Create
-    - Query
-    version: v1
-  - dataType: secret
-    group: secret.infisical
-    ops:
-    - RetrieveSecret?workspace=notification
-    - CreateSecret?workspace=notification
-    - DeleteSecret?workspace=notification
-    - UpdateSecret?workspace=notification
-    - ListSecret?workspace=notification
-    version: v1
-  - dataType: app
-    group: service.bfl
-    ops:
-    - UserApps
-    version: v1
-status:
-  state: active

apps/studio/README.md

@@ -0,0 +1,4 @@
+# devbox
+Terminus App development management tools
+
+https://github.com/beclab/devbox

apps/studio/config/user/helm-charts/studio/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

apps/studio/config/user/helm-charts/studio/Chart.yaml

@@ -0,0 +1,26 @@
+apiVersion: v2
+name: studio
+description: A Terminus app development tool
+maintainers:
+- name: bytetrade
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.3
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "4.9.1"

apps/studio/config/user/helm-charts/studio/templates/deployment.yaml

@@ -0,0 +1,549 @@
+{{- $namespace := printf "%s%s" "user-system-" .Values.bfl.username -}}
+{{- $studio_secret := (lookup "v1" "Secret" $namespace "studio-secrets") -}}
+
+{{- $pg_password := "" -}}
+{{ if $studio_secret -}}
+{{ $pg_password = (index $studio_secret "data" "pg_password") }}
+{{ else -}}
+{{ $pg_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: studio-secrets
+  namespace: user-system-{{ .Values.bfl.username }}
+type: Opaque
+data:
+  pg_password: {{ $pg_password }}
+
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: studio-pg
+  namespace: user-system-{{ .Values.bfl.username }}
+spec:
+  app: studio
+  appNamespace: {{ .Release.Namespace }}
+  middleware: postgres
+  postgreSQL:
+    user: studio_{{ .Values.bfl.username }}
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: pg_password
+          name: studio-secrets
+    databases:
+      - name: studio
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: studio-server
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    app: studio-server
+  ports:
+    - protocol: TCP
+      port: 8080
+      targetPort: 8088
+      name: http
+    - protocol: TCP
+      port: 8083
+      targetPort: 8083
+      name: https
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: chartmuseum-studio
+  namespace: {{ .Release.Namespace }}
+spec:
+  ports:
+    - name: http
+      protocol: TCP
+      port: 8080
+      targetPort: 8888
+  selector:
+    app: studio-server
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: studio-san-cnf
+  namespace: {{ .Release.Namespace }}
+data:
+  san.cnf: |
+    [req]
+    distinguished_name = req_distinguished_name
+    req_extensions = v3_req
+    prompt = no
+
+    [req_distinguished_name]
+    countryName = CN
+    stateOrProvinceName = Beijing
+    localityName = Beijing
+    0.organizationName = bytetrade
+    commonName = studio-server.{{ .Release.Namespace }}.svc
+
+    [v3_req]
+    basicConstraints = CA:FALSE
+    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+    subjectAltName = @bytetrade
+
+    [bytetrade]
+    DNS.1 = studio-server.{{ .Release.Namespace }}.svc
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: studio-server
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: studio-server
+    applications.app.bytetrade.io/author: bytetrade.io
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: studio-server
+  template:
+    metadata:
+      labels:
+        app: studio-server
+    spec:
+      serviceAccountName: bytetrade-controller
+      volumes:
+        - name: chart
+          hostPath:
+            type: DirectoryOrCreate
+            path: {{ .Values.userspace.appData}}/studio/Chart
+        - name: data
+          hostPath:
+            type: DirectoryOrCreate
+            path: {{ .Values.userspace.appData }}/studio/Data
+        - name: storage-volume
+          hostPath:
+            path: {{ .Values.userspace.appData }}/studio/helm-repo-dev
+            type: DirectoryOrCreate
+        - name: config-san
+          configMap:
+            name: studio-san-cnf
+            items:
+              - key: san.cnf
+                path: san.cnf
+        - name: sidecar-configs-studio
+          configMap:
+            name: sidecar-configs-studio
+            items:
+              - key: envoy.yaml
+                path: envoy.yaml
+        - name: certs
+          emptyDir: {}
+      initContainers:
+        - name: init-chmod-data
+          image: busybox:1.28
+          imagePullPolicy: IfNotPresent
+          command:
+            - sh
+            - '-c'
+            - |
+              chown -R 1000:1000 /home/coder
+              chown -R 65532:65532 /charts
+              chown -R 65532:65532 /data
+          securityContext:
+            runAsUser: 0
+          resources: { }
+          volumeMounts:
+            - name: storage-volume
+              mountPath: /home/coder
+            - name: chart
+              mountPath: /charts
+            - name: data
+              mountPath: /data
+        - name: terminus-sidecar-init
+          image: aboveos/openservicemesh-init:v1.2.3
+          imagePullPolicy: IfNotPresent
+          command:
+            - /bin/sh
+            - -c
+            - |
+              iptables-restore --noflush <<EOF
+              # sidecar interception rules
+              *nat
+              :PROXY_IN_REDIRECT - [0:0]
+              :PROXY_INBOUND - [0:0]
+              :PROXY_OUTBOUND - [0:0]
+              :PROXY_OUT_REDIRECT - [0:0]
+
+              -A PREROUTING -p tcp -j PROXY_INBOUND
+              -A OUTPUT -p tcp -j PROXY_OUTBOUND
+              -A PROXY_INBOUND -p tcp --dport 15000 -j RETURN
+              -A PROXY_INBOUND -p tcp --dport 8083 -j RETURN
+              -A PROXY_INBOUND -p tcp -j PROXY_IN_REDIRECT
+              -A PROXY_IN_REDIRECT -p tcp -j REDIRECT --to-port 15003
+
+
+              -A PROXY_OUTBOUND -p tcp --dport 5432 -j RETURN
+              -A PROXY_OUTBOUND -p tcp --dport 6379 -j RETURN
+              -A PROXY_OUTBOUND -p tcp --dport 27017 -j RETURN
+              -A PROXY_OUTBOUND -p tcp --dport 443 -j RETURN
+
+
+              -A PROXY_OUTBOUND -d ${POD_IP}/32 -j RETURN
+
+              -A PROXY_OUTBOUND -o lo ! -d 127.0.0.1/32 -m owner --uid-owner 1555 -j PROXY_IN_REDIRECT
+              -A PROXY_OUTBOUND -o lo -m owner ! --uid-owner 1555 -j RETURN
+              -A PROXY_OUTBOUND -m owner --uid-owner 1555 -j RETURN
+              -A PROXY_OUTBOUND -d 127.0.0.1/32 -j RETURN
+
+              -A PROXY_OUTBOUND -j PROXY_OUT_REDIRECT
+              -A PROXY_OUT_REDIRECT -p tcp -j REDIRECT --to-port 15001
+
+              COMMIT
+              EOF
+          env:
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: status.podIP
+          securityContext:
+            privileged: true
+            capabilities:
+              add:
+                - NET_ADMIN
+            runAsNonRoot: false
+            runAsUser: 0
+
+        - name: generate-certs
+          image: beclab/openssl:v3
+          imagePullPolicy: IfNotPresent
+          command: [ "/bin/sh", "-c" ]
+          args:
+            - |
+              openssl genrsa -out /etc/certs/ca.key 2048
+              openssl req -new -x509 -days 3650 -key /etc/certs/ca.key -out /etc/certs/ca.crt \
+                -subj "/CN=bytetrade CA/O=bytetrade/C=CN"
+              openssl req -new -newkey rsa:2048 -nodes \
+                -keyout /etc/certs/server.key -out /etc/certs/server.csr \
+                -config /etc/san/san.cnf
+              openssl x509 -req -days 3650 -in /etc/certs/server.csr \
+                -CA /etc/certs/ca.crt -CAkey /etc/certs/ca.key \
+                -CAcreateserial -out /etc/certs/server.crt \
+                -extensions v3_req -extfile /etc/san/san.cnf
+              chown -R 65532 /etc/certs/*
+          volumeMounts:
+            - name: config-san
+              mountPath: /etc/san
+            - name: certs
+              mountPath: /etc/certs
+
+      containers:
+        - name: studio
+          image: beclab/studio-server:v0.1.48
+          imagePullPolicy: IfNotPresent
+          args:
+            - server
+          ports:
+            - name: port
+              containerPort: 8088
+              protocol: TCP
+            - name: ssl-port
+              containerPort: 8083
+              protocol: TCP
+          volumeMounts:
+            - name: chart
+              mountPath: /charts
+            - name: data
+              mountPath: /data
+            - mountPath: /etc/certs
+              name: certs
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - "/studio"
+                  - "clean"
+          env:
+            - name: BASE_DIR
+              value: /charts
+            - name: OS_API_KEY
+              value: {{ .Values.os.studio.appKey }}
+            - name: OS_API_SECRET
+              value: {{ .Values.os.studio.appSecret }}
+            - name: OS_SYSTEM_SERVER
+              value: system-server.user-system-{{ .Values.bfl.username }}
+            - name: NAME_SPACE
+              value: {{ .Release.Namespace }}
+            - name: OWNER
+              value: '{{ .Values.bfl.username }}'
+            - name: DB_HOST
+              value: citus-master-svc.user-system-{{ .Values.bfl.username }}
+            - name: DB_USERNAME
+              value: studio_{{ .Values.bfl.username }}
+            - name: DB_PASSWORD
+              value: "{{ $pg_password | b64dec }}"
+            - name: DB_NAME
+              value: user_space_{{ .Values.bfl.username }}_studio
+            - name: DB_PORT
+              value: "5432"
+          resources:
+            requests:
+              cpu: "50m"
+              memory: 100Mi
+            limits:
+              cpu: "0.5"
+              memory: 1000Mi
+        - name: terminus-envoy-sidecar
+          image: bytetrade/envoy:v1.25.11.1
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsUser: 1555
+          ports:
+            - name: proxy-admin
+              containerPort: 15000
+            - name: proxy-inbound
+              containerPort: 15003
+            - name: proxy-outbound
+              containerPort: 15001
+          resources:
+            requests:
+              cpu: "50m"
+              memory: 100Mi
+            limits:
+              cpu: "0.5"
+              memory: 200Mi
+          volumeMounts:
+            - name: sidecar-configs-studio
+              readOnly: true
+              mountPath: /etc/envoy/envoy.yaml
+              subPath: envoy.yaml
+          command:
+            - /usr/local/bin/envoy
+            - --log-level
+            - debug
+            - -c
+            - /etc/envoy/envoy.yaml
+          env:
+            - name: POD_UID
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.uid
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+            - name: APP_KEY
+              value: {{ .Values.os.appKey }}
+            - name: APP_SECRET
+              value: {{ .Values.os.appSecret }}
+        - name: chartmuseum
+          image: aboveos/helm-chartmuseum:v0.15.0
+          args:
+            - '--port=8888'
+            - '--storage-local-rootdir=/storage'
+          ports:
+            - name: http
+              containerPort: 8888
+              protocol: TCP
+          env:
+            - name: CHART_POST_FORM_FIELD_NAME
+              value: chart
+            - name: DISABLE_API
+              value: 'false'
+            - name: LOG_JSON
+              value: 'true'
+            - name: PROV_POST_FORM_FIELD_NAME
+              value: prov
+            - name: STORAGE
+              value: local
+          resources:
+            requests:
+              cpu: "50m"
+              memory: 100Mi
+            limits:
+              cpu: "0.5"
+              memory: 256Mi
+          volumeMounts:
+            - name: storage-volume
+              mountPath: /storage
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: http
+              scheme: HTTP
+            initialDelaySeconds: 5
+            timeoutSeconds: 1
+            periodSeconds: 10
+            successThreshold: 1
+            failureThreshold: 3
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: http
+              scheme: HTTP
+            initialDelaySeconds: 5
+            timeoutSeconds: 1
+            periodSeconds: 10
+            successThreshold: 1
+            failureThreshold: 3
+
+---
+apiVersion: v1
+data:
+  envoy.yaml: |
+    admin:
+      access_log_path: "/dev/stdout"
+      address:
+        socket_address:
+          address: 0.0.0.0
+          port_value: 15000
+    static_resources:
+      listeners:
+        - name: listener_0
+          address:
+            socket_address:
+              address: 0.0.0.0
+              port_value: 15003
+          listener_filters:
+            - name: envoy.filters.listener.original_dst
+              typed_config:
+                "@type": type.googleapis.com/envoy.extensions.filters.listener.original_dst.v3.OriginalDst
+          filter_chains:
+            - filters:
+                - name: envoy.filters.network.http_connection_manager
+                  typed_config:
+                    "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+                    stat_prefix: desktop_http
+                    upgrade_configs:
+                      - upgrade_type: websocket
+                      - upgrade_type: tailscale-control-protocol
+                    skip_xff_append: false
+                    codec_type: AUTO
+                    route_config:
+                      name: local_route
+                      virtual_hosts:
+                        - name: service
+                          domains: ["*"]
+                          routes:
+                            - match:
+                                prefix: "/"
+                              route:
+                                cluster: original_dst
+                                timeout: 180s
+                    http_protocol_options:
+                      accept_http_10: true
+                    http_filters:
+                      - name: envoy.filters.http.router
+                        typed_config:
+                          "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+        - name: listener_1
+          address:
+            socket_address:
+              address: 0.0.0.0
+              port_value: 15001
+          listener_filters:
+            - name: envoy.filters.listener.original_dst
+              typed_config:
+                "@type": type.googleapis.com/envoy.extensions.filters.listener.original_dst.v3.OriginalDst
+          filter_chains:
+            - filters:
+                - name: envoy.filters.network.http_connection_manager
+                  typed_config:
+                    "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+                    stat_prefix: studio_out_http
+                    skip_xff_append: false
+                    codec_type: AUTO
+                    route_config:
+                      name: local_route
+                      virtual_hosts:
+                        - name: service
+                          domains: ["*"]
+                          routes:
+                            - match:
+                                prefix: "/server/intent/send"
+                              request_headers_to_add:
+                                - header:
+                                    key: X-App-Key
+                                    value: {{ .Values.os.appKey }}
+                              route:
+                                cluster: system-server
+                                prefix_rewrite: /system-server/v2/legacy_api/api.intent/v2/server/intent/send
+                            - match:
+                                prefix: "/"
+                              route:
+                                cluster: original_dst
+                                timeout: 180s
+                              typed_per_filter_config:
+                                envoy.filters.http.lua:
+                                  "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.LuaPerRoute
+                                  disabled: true
+
+                    http_protocol_options:
+                      accept_http_10: true
+                    http_filters:
+                      - name: envoy.filters.http.lua
+                        typed_config:
+                          "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
+                          inline_code:
+                            local sha = require("lib.sha2")
+                            function envoy_on_request(request_handle)
+                            local app_key = os.getenv("APP_KEY")
+                            local app_secret = os.getenv("APP_SECRET")
+                            local current_time = os.time()
+                            local minute_level_time = current_time - (current_time % 60)
+                            local time_string = tostring(minute_level_time)
+                            local s = app_key .. app_secret .. time_string
+                            request_handle:logInfo("originstring:" .. s)
+                            local hash = sha.sha256(s)
+                            request_handle:logInfo("Hello World.")
+                            request_handle:logInfo(hash)
+                            request_handle:headers():add("X-Auth-Signature",hash)
+                            end
+                      - name: envoy.filters.http.router
+                        typed_config:
+                          "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+
+
+      clusters:
+        - name: original_dst
+          connect_timeout: 5000s
+          type: ORIGINAL_DST
+          lb_policy: CLUSTER_PROVIDED
+        - name: system-server
+          connect_timeout: 2s
+          type: LOGICAL_DNS
+          dns_lookup_family: V4_ONLY
+          dns_refresh_rate: 600s
+          lb_policy: ROUND_ROBIN
+          load_assignment:
+            cluster_name: system-server
+            endpoints:
+              - lb_endpoints:
+                  - endpoint:
+                      address:
+                        socket_address:
+                          address: system-server.user-system-{{ .Values.bfl.username }}
+                          port_value: 80
+kind: ConfigMap
+metadata:
+  name: sidecar-configs-studio
+  namespace: {{ .Release.Namespace }}

apps/studio/config/user/helm-charts/studio/values.yaml

@@ -0,0 +1,44 @@
+
+bfl:
+  nodeport: 30883
+  nodeport_ingress_http: 30083
+  nodeport_ingress_https: 30082
+  username: 'test'
+  url: 'test'
+  nodeName: test
+pvc:
+  userspace: test
+userspace:
+  userData: test/Home
+  appData: test/Data
+  appCache: test
+  dbdata: test
+docs:
+  nodeport: 30881
+desktop:
+  nodeport: 30180
+os:
+  portfolio:
+    appKey: '${ks[0]}'
+    appSecret: test
+  vault:
+    appKey: '${ks[0]}'
+    appSecret: test
+  desktop:
+    appKey: '${ks[0]}'
+    appSecret: test
+  message:
+    appKey: '${ks[0]}'
+    appSecret: test
+  rss:
+    appKey: '${ks[0]}'
+    appSecret: test
+  search:
+    appKey: '${ks[0]}'
+    appSecret: test
+  search2:
+    appKey: '${ks[0]}'
+    appSecret: test
+kubesphere:
+  redis_password: ""
+

apps/system-apps/config/user/helm-charts/monitoring/templates/system-frontend.yaml

@@ -109,6 +109,19 @@ spec:
       port: 3010
       targetPort: 3010
 ---
+apiVersion: v1
+kind: Service
+metadata:
+  name: studio-svc
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    app: system-frontend
+  ports:
+    - protocol: TCP
+      port: 8080
+      targetPort: 87
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -121,11 +134,11 @@ metadata:
     applications.app.bytetrade.io/group: 'true'
     applications.app.bytetrade.io/author: bytetrade.io
   annotations:
-    applications.app.bytetrade.io/icon: '{"dashboard":"https://file.bttcdn.com/appstore/dashboard/icon.png","control-hub":"https://file.bttcdn.com/appstore/control-hub/icon.png","profile":"https://file.bttcdn.com/appstore/profile/icon.png","wise":"https://file.bttcdn.com/appstore/rss/icon.png","headscale": "https://file.bttcdn.com/appstore/headscale/icon.png","settings": "https://file.bttcdn.com/appstore/settings/icon.png"}'
+    applications.app.bytetrade.io/icon: '{"dashboard":"https://file.bttcdn.com/appstore/dashboard/icon.png","control-hub":"https://file.bttcdn.com/appstore/control-hub/icon.png","profile":"https://file.bttcdn.com/appstore/profile/icon.png","wise":"https://file.bttcdn.com/appstore/rss/icon.png","headscale": "https://file.bttcdn.com/appstore/headscale/icon.png","settings": "https://file.bttcdn.com/appstore/settings/icon.png","studio":"https://file.bttcdn.com/appstore/devbox/icon.png"}'
-    applications.app.bytetrade.io/title: '{"dashboard": "Dashboard","control-hub":"Control Hub","profile":"Profile","wise":"Wise","headscale":"Headscale","settings":"Settings"}'
+    applications.app.bytetrade.io/title: '{"dashboard": "Dashboard","control-hub":"Control Hub","profile":"Profile","wise":"Wise","headscale":"Headscale","settings":"Settings","studio":"Studio"}'
-    applications.app.bytetrade.io/version: '{"dashboard": "0.0.1","control-hub":"0.0.1","profile":"0.0.1","wise":"0.0.1","headscale":"0.0.1","settings":"0.0.1"}'
+    applications.app.bytetrade.io/version: '{"dashboard": "0.0.1","control-hub":"0.0.1","profile":"0.0.1","wise":"0.0.1","headscale":"0.0.1","settings":"0.0.1","studio":"0.0.1"}'
     applications.app.bytetrade.io/policies: '{"dashboard":{"policies":[{"entranceName":"dashboard","uriRegex":"/js/script.js", "level":"public"},{"entranceName":"dashboard","uriRegex":"/js/api/send", "level":"public"}]}}'
-    applications.app.bytetrade.io/entrances: '{"dashboard":[{"name":"dashboard","host":"dashboard-service","port":80,"title":"Dashboard","windowPushState":true}],"control-hub":[{"name":"control-hub","host":"control-hub-service","port":80,"title":"Control Hub","windowPushState":true}],"profile":[{"name":"profile", "host":"profile-service", "port":80,"title":"Profile","windowPushState":true}],"wise":[{"name":"wise", "host":"wise-svc", "port":80,"title":"Wise","windowPushState":true}],"headscale":[{"name":"headscale", "host":"headscale-svc", "port":80,"title":"Headscale","invisible": true}],"settings":[{"name":"settings", "host":"settings-service", "port":80,"title":"Settings"}]}'
+    applications.app.bytetrade.io/entrances: '{"dashboard":[{"name":"dashboard","host":"dashboard-service","port":80,"title":"Dashboard","windowPushState":true}],"control-hub":[{"name":"control-hub","host":"control-hub-service","port":80,"title":"Control Hub","windowPushState":true}],"profile":[{"name":"profile", "host":"profile-service", "port":80,"title":"Profile","windowPushState":true}],"wise":[{"name":"wise", "host":"wise-svc", "port":80,"title":"Wise","windowPushState":true}],"headscale":[{"name":"headscale", "host":"headscale-svc", "port":80,"title":"Headscale","invisible": true}],"settings":[{"name":"settings", "host":"settings-service", "port":80,"title":"Settings"}],"studio":[{"name":"studio","host":"studio-svc","port":8080,"title":"Studio","openMethod":"window"}]}'
 spec:
   replicas: 1
   selector:
@@ -136,7 +149,7 @@ spec:
       labels:
         app: system-frontend
         io.bytetrade.app: "true"
-      annotations:
+      # annotations:
         # instrumentation.opentelemetry.io/inject-nodejs: "olares-instrumentation"
         # instrumentation.opentelemetry.io/nodejs-container-names: "settings-server"    
         # instrumentation.opentelemetry.io/inject-nginx: "olares-instrumentation"
@@ -195,7 +208,7 @@ spec:
             - mountPath: /www
               name: www-dir
         - name: control-hub-init
-          image: beclab/admin-console-frontend-v1:v0.5.2
+          image: beclab/admin-console-frontend-v1:v0.5.5
           imagePullPolicy: IfNotPresent
           command:
             - /bin/sh
@@ -231,7 +244,7 @@ spec:
             - mountPath: /www
               name: www-dir
         - name: wise-init
-          image: beclab/wise:v1.3.44
+          image: beclab/wise:v1.3.47
           imagePullPolicy: IfNotPresent
           command:
             - /bin/sh
@@ -243,7 +256,7 @@ spec:
             - mountPath: /www
               name: www-dir
         - name: settings-init
-          image: beclab/settings:v0.2.15
+          image: beclab/settings:v0.2.17
           imagePullPolicy: IfNotPresent
           command:
             - /bin/sh
@@ -254,6 +267,18 @@ spec:
           volumeMounts:
             - mountPath: /www
               name: www-dir
+        - name: studio-init
+          image: beclab/studio:v0.2.9
+          imagePullPolicy: IfNotPresent
+          command:
+            - /bin/sh
+            - -c
+            - |
+              mkdir -p /www/studio
+              cp -r /app/* /www/studio
+          volumeMounts:
+            - mountPath: /www
+              name: www-dir
       containers:
         - name: terminus-envoy-sidecar
           image: bytetrade/envoy:v1.25.11
@@ -326,6 +351,9 @@ spec:
             - name: system-frontend-nginx-config
               mountPath: /etc/nginx/conf.d/settings.conf
               subPath: settings.conf
+            - name: system-frontend-nginx-config
+              mountPath: /etc/nginx/conf.d/studio.conf
+              subPath: studio.conf
           env:
             - name: POD_UID
               valueFrom:
@@ -357,7 +385,7 @@ spec:
           terminationMessagePath: /dev/termination-log
           terminationMessagePolicy: File
         - name: settings-server
-          image: beclab/settings-server:v0.2.15
+          image: beclab/settings-server:v0.2.17
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 3000
@@ -428,6 +456,8 @@ spec:
                 path: headscale.conf
               - key: settings.conf
                 path: settings.conf
+              - key: studio.conf
+                path: studio.conf
 
 
 ---
@@ -483,6 +513,31 @@ status:
 ---
 apiVersion: sys.bytetrade.io/v1alpha1
 kind: ApplicationPermission
+metadata:
+  name: studio
+  namespace: user-system-{{ .Values.bfl.username }}
+spec:
+  app: studio
+  appid: studio
+  key: {{ .Values.os.studio.appKey }}
+  secret: {{ .Values.os.studio.appSecret }}
+  permissions:
+    - dataType: app
+      group: service.appstore
+      ops:
+        - InstallDevApp
+        - UninstallDevApp
+      version: v1
+    - dataType: legacy_api
+      group: api.intent
+      ops:
+        - POST
+      version: v2
+status:
+  state: active
+---
+apiVersion: sys.bytetrade.io/v1alpha1
+kind: ApplicationPermission
 metadata:
   name: settings
   namespace: user-system-{{ .Values.bfl.username }}
@@ -759,6 +814,10 @@ data:
         server anayltic2-server.os-system:3010;
     }
 
+    upstream HamiServer {
+        server hami-webui.kube-system:3000;
+    }
+
     server {
       listen 81;
       gzip off;
@@ -798,6 +857,11 @@ data:
       location /kapis {
         proxy_pass http://SettingsServer;
       }
+
+      location /hami/ {
+        proxy_pass http://HamiServer/;
+      }
+
     
       location /api/profile/init {
         proxy_pass http://127.0.0.1:3010;
@@ -1219,10 +1283,6 @@ data:
         server infisical-service:8080;
     }
 
-    upstream NotificationServer {
-        server notifications-server;
-    }
-
     server {
         listen 86;
 
@@ -1318,11 +1378,193 @@ data:
             proxy_set_header X-Forwarded-Host $host;
         }
 
-        location /notification {
-            proxy_pass http://NotificationServer;
-        }
-
         location ~.*\.(js|css|png|jpg|svg|woff|woff2)$ {
             add_header Cache-Control "public, max-age=2678400";
         }
     }
+  studio.conf: |-
+    upstream SettingsServerStudio {
+        server monitoring-server.os-system;
+    }
+
+    upstream MiddlewareStudio {
+        server middleware-service.os-system;
+    }
+
+    upstream AnalyticsStudio {
+      server anayltic2-server.os-system:3010;
+    }
+
+    server {
+        listen 87;
+        # Gzip Settings
+        gzip off;
+        gzip_disable "msie6";
+        gzip_min_length 1k;
+        gzip_buffers 16 64k;
+        gzip_http_version 1.1;
+        gzip_comp_level 6;
+        gzip_types *;
+        root /www/studio;
+
+        location / {
+          try_files $uri $uri/index.html /index.html;
+          add_header Cache-Control "private,no-cache";
+          add_header Last-Modified "Oct, 03 Jan 2022 13:46:41 GMT";
+          expires 0;
+        }
+
+       location /api/command {
+          proxy_pass http://studio-server:8080;
+          proxy_set_header            Host $http_host;
+          proxy_set_header            X-real-ip $remote_addr;
+          proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection $http_connection;
+          proxy_set_header Accept-Encoding gzip;
+          proxy_read_timeout 180;
+      }
+      location /api/apps {
+          proxy_pass http://studio-server:8080;
+          proxy_set_header            Host $http_host;
+          proxy_set_header            X-real-ip $remote_addr;
+          proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection $http_connection;
+          proxy_set_header Accept-Encoding gzip;
+          proxy_read_timeout 180;
+      }
+      location /api/app-cfg {
+        proxy_pass http://studio-server:8080;
+        proxy_set_header            Host $http_host;
+        proxy_set_header            X-real-ip $remote_addr;
+        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $http_connection;
+        proxy_set_header Accept-Encoding gzip;
+        proxy_read_timeout 180;
+      }
+      location /api/app-state {
+        proxy_pass http://studio-server:8080;
+        proxy_set_header            Host $http_host;
+        proxy_set_header            X-real-ip $remote_addr;
+        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $http_connection;
+        proxy_set_header Accept-Encoding gzip;
+        proxy_read_timeout 180;
+      }
+      location /api/app-status {
+        proxy_pass http://studio-server:8080;
+        proxy_set_header            Host $http_host;
+        proxy_set_header            X-real-ip $remote_addr;
+        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $http_connection;
+        proxy_set_header Accept-Encoding gzip;
+        proxy_read_timeout 180;
+      }
+      location /api/list-my-containers {
+        proxy_pass http://studio-server:8080;
+        proxy_set_header            Host $http_host;
+        proxy_set_header            X-real-ip $remote_addr;
+        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $http_connection;
+        proxy_set_header Accept-Encoding gzip;
+        proxy_read_timeout 180;
+      }
+      location /api/files {
+        proxy_pass http://studio-server:8080;
+        proxy_set_header            Host $http_host;
+        proxy_set_header            X-real-ip $remote_addr;
+        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $http_connection;
+        proxy_set_header Accept-Encoding gzip;
+        proxy_read_timeout 180;
+      }
+
+      location /ws {
+        proxy_pass http://127.0.0.1:40010;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+      }
+
+      location /bfl {
+        add_header 'Access-Control-Allow-Headers' 'x-api-nonce,x-api-ts,x-api-ver,x-api-source';
+        proxy_pass http://bfl;
+        proxy_set_header            Host $host;
+        proxy_set_header            X-real-ip $remote_addr;
+        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
+
+        add_header X-Frame-Options SAMEORIGIN;
+      }
+
+      location /kapis {
+        proxy_pass http://SettingsServerStudio;
+      }
+
+      location /api/profile/init {
+        proxy_pass http://127.0.0.1:3010;
+        proxy_set_header            Host $host;
+        proxy_set_header            X-real-ip $remote_addr;
+        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
+      }
+
+      location /api {
+        proxy_pass http://SettingsServerStudio;
+      }
+
+      location /capi {
+        proxy_pass http://SettingsServerStudio;
+        proxy_set_header            Host $host;
+        proxy_set_header            X-real-ip $remote_addr;
+        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
+      }
+
+      location = /js/api/send {
+        proxy_pass http://AnalyticsStudio;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        rewrite ^/js(.*)$ $1 break;
+      }
+
+      location /analytics_service {
+        proxy_pass http://AnalyticsStudio;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        proxy_set_header Host $host;
+        rewrite ^/analytics_service(.*)$ $1 break;
+      }
+
+      location ~ /(kapis/terminal|api/v1/watch|apis/apps/v1/watch) {
+        proxy_pass http://SettingsServerStudio;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        proxy_set_header Host $host;
+      }
+
+
+      location = /js/script.js {
+        add_header Access-Control-Allow-Origin "*";
+      }
+
+      location ~.*\.(js|css|png|jpg|svg|woff|woff2)$ {
+        add_header Cache-Control "public, max-age=2678400";
+      }
+    }

apps/vault/config/cluster/deploy/vault_server_deploy.yaml

@@ -83,7 +83,7 @@ spec:
             value: os_system_vault
       containers:
       - name: vault-server
-        image: beclab/vault-server:v1.3.44
+        image: beclab/vault-server:v1.3.46
         imagePullPolicy: IfNotPresent
         ports:
         - containerPort: 3000
@@ -114,7 +114,7 @@ spec:
         - name: vault-attach
           mountPath: /padloc/packages/server/attachments
       - name: vault-admin
-        image: beclab/vault-admin:v1.3.44
+        image: beclab/vault-admin:v1.3.46
         imagePullPolicy: IfNotPresent
         ports:
         - containerPort: 3010

apps/vault/config/user/helm-charts/vault/templates/vault_deploy.yaml

@@ -88,13 +88,13 @@ spec:
 
       containers:
       - name: vault-frontend
-        image: beclab/vault-frontend:v1.3.44
+        image: beclab/vault-frontend:v1.3.46
         imagePullPolicy: IfNotPresent
         ports:
         - containerPort: 80
       
       - name: notification-server
-        image: beclab/vault-notification:v1.3.44
+        image: beclab/vault-notification:v1.3.46
         imagePullPolicy: IfNotPresent
         ports:
         - containerPort: 3010

build/installer/install.ps1

@@ -48,7 +48,7 @@ if (-Not (Test-Path $CLI_PROGRAM_PATH)) {
   New-Item -Path $CLI_PROGRAM_PATH -ItemType Directory
 }
 
-$CLI_VERSION = "0.2.21"
+$CLI_VERSION = "0.2.27"
 $CLI_FILE = "olares-cli-v{0}_windows_{1}.tar.gz" -f $CLI_VERSION, $arch
 $CLI_URL = "{0}/{1}" -f $downloadUrl, $CLI_FILE
 $CLI_PATH = "{0}{1}" -f $CLI_PROGRAM_PATH, $CLI_FILE

build/installer/install.sh

@@ -74,7 +74,7 @@ if [ -z ${cdn_url} ]; then
     cdn_url="https://dc3p1870nn3cj.cloudfront.net"
 fi
 
-CLI_VERSION="0.2.21"
+CLI_VERSION="0.2.27"
 CLI_FILE="olares-cli-v${CLI_VERSION}_linux_${ARCH}.tar.gz"
 if [[ x"$os_type" == x"Darwin" ]]; then
     CLI_FILE="olares-cli-v${CLI_VERSION}_darwin_${ARCH}.tar.gz"

build/installer/joincluster.sh

@@ -157,7 +157,7 @@ fi
 
 set_master_host_ssh_options
 
-CLI_VERSION="0.2.21"
+CLI_VERSION="0.2.27"
 CLI_FILE="olares-cli-v${CLI_VERSION}_linux_${ARCH}.tar.gz"
 
 if command_exists olares-cli && [[ "$(olares-cli -v | awk '{print $3}')" == "$CLI_VERSION" ]]; then

build/installer/upgrade_cmd.sh

@@ -146,7 +146,7 @@ function get_app_key_secret(){
 
 function get_app_settings(){
     local username=$1
-    local apps=("vault" "desktop" "message" "wise" "search" "appstore" "notification" "dashboard" "settings" "devbox" "profile" "agent" "files")
+    local apps=("vault" "desktop" "message" "wise" "search" "appstore" "notification" "dashboard" "settings" "studio" "profile" "agent" "files")
     for a in ${apps[@]};do
         ks=($(get_app_key_secret "$username" "$a"))
         echo '

build/manifest/images

@@ -1,5 +1,5 @@
-beclab/ks-apiserver:0.0.5
+beclab/ks-apiserver:0.0.8
-beclab/ks-controller-manager:0.0.5
+beclab/ks-controller-manager:0.0.8
 beclab/kube-state-metrics:v2.3.0-ext.1
 calico/cni:v3.29.2
 calico/kube-controllers:v3.29.2
@@ -26,16 +26,19 @@ quay.io/argoproj/workflow-controller:v3.5.0
 redis:5.0.14-alpine
 beclab/velero:v1.11.3
 beclab/velero-plugin-for-terminus:v1.0.2
-beclab/l4-bfl-proxy:v0.2.8
+beclab/l4-bfl-proxy:v0.3.0
 gcr.io/k8s-minikube/storage-provisioner:v5
 owncloudci/wait-for:latest
 beclab/recommend-argotask:v0.0.12
 bytetrade/nvshare:nvshare-scheduler
 beclab/nats-server-config-reloader:v1
-beclab/reverse-proxy:v0.1.7
+beclab/reverse-proxy:v0.1.8
 beclab/upgrade-job:0.1.7
 bytetrade/envoy:v1.25.11.1
 liangjw/kube-webhook-certgen:v1.1.1
 beclab/hami:v2.5.1
 alpine:3.14
 mirrorgooglecontainers/defaultbackend-amd64:1.4
+projecthami/hami-webui-fe-oss:v1.0.5
+projecthami/hami-webui-be-oss:v1.0.5
+nvidia/dcgm-exporter:4.1.1-4.0.4-ubuntu22.04

frameworks/GPU/config/gpu/hami/templates/_helpers.tpl

@@ -106,3 +106,167 @@ imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 2 }}
 {{- define "strippedKubeVersion" -}}
 {{ regexReplaceAll "^(v[0-9]+\\.[0-9]+\\.[0-9]+)(.*)$" .Capabilities.KubeVersion.Version "$1" }}
 {{- end -}}
+
+
+{{- define "dcgm-exporter.name" -}}
+{{- .Values.dcgmExporter.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "dcgm-exporter.fullname" -}}
+{{- if .Values.dcgmExporter.fullnameOverride -}}
+{{- .Values.dcgmExporter.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := .Values.dcgmExporter.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "hami-%s" $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts
+*/}}
+{{- define "dcgm-exporter.namespace" -}}
+  {{- if .Values.dcgmExporter.namespaceOverride -}}
+    {{- .Values.dcgmExporter.namespaceOverride -}}
+  {{- else -}}
+    {{- .Release.Namespace -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "dcgm-exporter.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "dcgm-exporter.labels" -}}
+helm.sh/chart: {{ include "dcgm-exporter.chart" . }}
+{{ include "dcgm-exporter.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "dcgm-exporter.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "dcgm-exporter.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "dcgm-exporter.serviceAccountName" -}}
+{{- if .Values.dcgmExporter.serviceAccount.create -}}
+    {{ default (include "dcgm-exporter.fullname" .) .Values.dcgmExporter.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.dcgmExporter.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+
+{{/*
+Create the name of the tls secret to use
+*/}}
+{{- define "dcgm-exporter.tlsCertsSecretName" -}}
+{{- if .Values.dcgmExporter.tlsServerConfig.existingSecret -}}
+    {{- printf "%s" (tpl .Values.dcgmExporter.tlsServerConfig.existingSecret $) -}}
+{{- else -}}
+    {{ printf "%s-tls" (include "dcgm-exporter.fullname" .) }}
+{{- end -}}
+{{- end -}}
+
+
+{{/*
+Create the name of the web-config configmap name to use
+*/}}
+{{- define "dcgm-exporter.webConfigConfigMap" -}}
+  {{ printf "%s-web-config.yml" (include "dcgm-exporter.fullname" .) }}
+{{- end -}}
+
+{{- define "hami-webui.name" -}}
+{{- .Values.webui.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "hami-webui.fullname" -}}
+{{- if .Values.webui.fullnameOverride }}
+{{- .Values.webui.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := .Values.webui.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "hami-%s" $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts
+*/}}
+{{- define "hami-webui.namespace" -}}
+  {{- if .Values.webui.namespaceOverride -}}
+    {{- .Values.webui.namespaceOverride -}}
+  {{- else -}}
+    {{- .Release.Namespace -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "hami-webui.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "hami-webui.labels" -}}
+helm.sh/chart: {{ include "hami-webui.chart" . }}
+{{ include "hami-webui.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "hami-webui.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "hami-webui.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "hami-webui.serviceAccountName" -}}
+{{- if .Values.webui.serviceAccount.create }}
+{{- default (include "hami-webui.fullname" .) .Values.webui.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.webui.serviceAccount.name }}
+{{- end }}
+{{- end }}

frameworks/GPU/config/gpu/hami/templates/dcgm-exporter/daemonset.yaml

@@ -0,0 +1,168 @@
+# Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ include "dcgm-exporter.fullname" . }}
+  namespace: {{ include "dcgm-exporter.namespace" . }}
+  labels:
+    {{- include "dcgm-exporter.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "dcgm-exporter"
+spec:
+  updateStrategy:
+    type: RollingUpdate
+    {{- with .Values.dcgmExporter.rollingUpdate }}
+    rollingUpdate:
+      maxUnavailable: {{ .maxUnavailable }}
+      maxSurge: {{ .maxSurge }}
+    {{- end }}
+  selector:
+    matchLabels:
+      {{- include "dcgm-exporter.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: "dcgm-exporter"
+  template:
+    metadata:
+      labels:
+        {{- include "dcgm-exporter.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/component: "dcgm-exporter"
+      {{- if .Values.dcgmExporter.podLabels }}
+        {{- toYaml .Values.podLabels | nindent 8 }}
+      {{- end }}
+      {{- if .Values.dcgmExporter.podAnnotations }}
+      annotations:
+        {{- toYaml .Values.dcgmExporter.podAnnotations | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- if .Values.dcgmExporter.runtimeClassName }}
+      runtimeClassName: {{ .Values.dcgmExporter.runtimeClassName }}
+      {{- end }}
+      priorityClassName: {{ .Values.dcgmExporter.priorityClassName | default "system-node-critical" }}
+      serviceAccountName: {{ include "dcgm-exporter.serviceAccountName" . }}
+      {{- if .Values.dcgmExporter.podSecurityContext }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      {{- end }}
+      {{- if .Values.dcgmExporter.affinity }}
+      affinity:
+        {{- toYaml .Values.dcgmExporter.affinity | nindent 8 }}
+      {{- end }}
+      {{- if .Values.dcgmExporter.nodeSelector }}
+      nodeSelector:
+        {{- toYaml .Values.dcgmExporter.nodeSelector | nindent 8 }}
+      {{- end }}
+      {{- with .Values.dcgmExporter.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+      volumes:
+      - name: "pod-gpu-resources"
+        hostPath:
+          path: {{ .Values.dcgmExporter.kubeletPath }}
+      {{- if and .Values.dcgmExporter.tlsServerConfig.enabled }}
+      - name: "tls"
+        secret:
+          secretName: {{ include "dcgm-exporter.tlsCertsSecretName" . }}
+          defaultMode: 0664
+      {{- end }}
+      {{- if or .Values.dcgmExporter.tlsServerConfig.enabled $.Values.dcgmExporter.basicAuth.users}}
+      - name: "web-config-yaml"
+        configMap:
+          name: {{ include "dcgm-exporter.webConfigConfigMap" . }}
+          defaultMode: 0664
+      {{- end }}
+      {{- range .Values.dcgmExporter.extraHostVolumes }}
+      - name: {{ .name | quote }}
+        hostPath:
+          path: {{ .hostPath | quote }}
+      {{- end }}
+      {{- with .Values.dcgmExporter.extraConfigMapVolumes }}
+      {{- toYaml . | nindent 6 }}
+      {{- end }}
+      containers:
+      - name: exporter
+        securityContext:
+          {{- toYaml .Values.dcgmExporter.securityContext | nindent 10 }}
+        {{- if .Values.dcgmExporter.image.tag }}
+        image: "{{ .Values.dcgmExporter.image.repository }}:{{ .Values.dcgmExporter.image.tag }}"
+        {{- else }}
+        image: "{{ .Values.dcgmExporter.image.repository }}:{{ .Chart.AppVersion }}"
+        {{- end }}
+        imagePullPolicy: "{{ .Values.dcgmExporter.image.pullPolicy }}"
+        args:
+        {{- range $.Values.dcgmExporter.arguments }}
+        - {{ . }}
+        {{- end }}
+        env:
+        - name: "DCGM_EXPORTER_KUBERNETES"
+          value: "true"
+        - name: "DCGM_EXPORTER_LISTEN"
+          value: "{{ .Values.dcgmExporter.service.address }}"
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        {{- if or .Values.dcgmExporter.tlsServerConfig.enabled $.Values.dcgmExporter.basicAuth.users}}
+        - name: "DCGM_EXPORTER_WEB_CONFIG_FILE"
+          value: /etc/dcgm-exporter/web-config.yaml
+        {{- end }}
+        {{- if .Values.dcgmExporter.extraEnv }}
+        {{- toYaml .Values.dcgmExporter.extraEnv | nindent 8 }}
+        {{- end }}
+        ports:
+        - name: "metrics"
+          containerPort: {{ .Values.dcgmExporter.service.port }}
+        volumeMounts:
+        - name: "pod-gpu-resources"
+          readOnly: true
+          mountPath: "/var/lib/kubelet/pod-resources"
+        {{- if and .Values.dcgmExporter.tlsServerConfig.enabled }}
+        - name: "tls"
+          mountPath: /etc/dcgm-exporter/tls
+        {{- end }}
+        {{- if or .Values.dcgmExporter.tlsServerConfig.enabled $.Values.dcgmExporter.basicAuth.users}}
+        - name: "web-config-yaml"
+          mountPath: /etc/dcgm-exporter/web-config.yaml
+          subPath: web-config.yaml
+        {{- end }}
+        {{- if .Values.dcgmExporter.extraVolumeMounts }}
+        {{- toYaml .Values.dcgmExporter.extraVolumeMounts | nindent 8 }}
+        {{- end }}
+        livenessProbe:
+          {{- if not $.Values.dcgmExporter.basicAuth.users }}
+          httpGet:
+            path: /health
+            port: {{ .Values.dcgmExporter.service.port }}
+            scheme: {{ ternary "HTTPS" "HTTP" $.Values.dcgmExporter.tlsServerConfig.enabled }}
+          {{- else }}
+          tcpSocket:
+              port: {{ .Values.dcgmExporter.service.port }}
+          {{- end }}
+          initialDelaySeconds: 45
+          periodSeconds: 5
+        readinessProbe:
+          {{- if not $.Values.dcgmExporter.basicAuth.users }}
+          httpGet:
+            path: /health
+            port: {{ .Values.dcgmExporter.service.port }}
+            scheme: {{ ternary "HTTPS" "HTTP" $.Values.dcgmExporter.tlsServerConfig.enabled }}
+          {{- else }}
+          tcpSocket:
+              port: {{ .Values.dcgmExporter.service.port }}
+          {{- end }}
+          initialDelaySeconds: 45
+        {{- if .Values.dcgmExporter.resources }}
+        resources:
+          {{- toYaml .Values.dcgmExporter.resources | nindent 10 }}
+        {{- end }}

frameworks/GPU/config/gpu/hami/templates/dcgm-exporter/metrics-configmap.yaml

@@ -0,0 +1,96 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: exporter-metrics-config-map
+  namespace: {{ include "dcgm-exporter.namespace" . }}
+data:
+{{- if .Values.dcgmExporter.customMetrics }}
+  metrics: |
+{{- .Values.dcgmExporter.customMetrics | nindent 4 }}
+{{- else }}
+  metrics: |
+      # Format
+      # If line starts with a '#' it is considered a comment
+      # DCGM FIELD, Prometheus metric type, help message
+      
+      DCGM_FI_DRIVER_VERSION, label, Driver Version.
+
+      DCGM_FI_DEV_BRAND,  label, Device Brand.
+      
+      DCGM_FI_DEV_SERIAL, label, Device Serial Number.
+
+      # Clocks
+      DCGM_FI_DEV_SM_CLOCK,  gauge, SM clock frequency (in MHz).
+      DCGM_FI_DEV_MEM_CLOCK, gauge, Memory clock frequency (in MHz).
+      
+      # Temperature
+      DCGM_FI_DEV_MEMORY_TEMP, gauge, Memory temperature (in C).
+      DCGM_FI_DEV_GPU_TEMP,    gauge, GPU temperature (in C).
+      
+      # Power
+      DCGM_FI_DEV_POWER_USAGE,              gauge, Power draw (in W).
+      DCGM_FI_DEV_TOTAL_ENERGY_CONSUMPTION, counter, Total energy consumption since boot (in mJ).
+      
+      # PCIE
+      # DCGM_FI_PROF_PCIE_TX_BYTES,  counter, Total number of bytes transmitted through PCIe TX via NVML.
+      # DCGM_FI_PROF_PCIE_RX_BYTES,  counter, Total number of bytes received through PCIe RX via NVML.
+      DCGM_FI_DEV_PCIE_REPLAY_COUNTER, counter, Total number of PCIe retries.
+      
+      # Utilization (the sample period varies depending on the product)
+      DCGM_FI_DEV_GPU_UTIL,      gauge, GPU utilization (in %).
+      DCGM_FI_DEV_MEM_COPY_UTIL, gauge, Memory utilization (in %).
+      DCGM_FI_DEV_ENC_UTIL,      gauge, Encoder utilization (in %).
+      DCGM_FI_DEV_DEC_UTIL ,     gauge, Decoder utilization (in %).
+      
+      # Errors and violations
+      DCGM_FI_DEV_XID_ERRORS,            gauge,   Value of the last XID error encountered.
+      # DCGM_FI_DEV_POWER_VIOLATION,       counter, Throttling duration due to power constraints (in us).
+      # DCGM_FI_DEV_THERMAL_VIOLATION,     counter, Throttling duration due to thermal constraints (in us).
+      # DCGM_FI_DEV_SYNC_BOOST_VIOLATION,  counter, Throttling duration due to sync-boost constraints (in us).
+      # DCGM_FI_DEV_BOARD_LIMIT_VIOLATION, counter, Throttling duration due to board limit constraints (in us).
+      # DCGM_FI_DEV_LOW_UTIL_VIOLATION,    counter, Throttling duration due to low utilization (in us).
+      # DCGM_FI_DEV_RELIABILITY_VIOLATION, counter, Throttling duration due to reliability constraints (in us).
+      
+      # Memory usage
+      DCGM_FI_DEV_FB_FREE, gauge, Framebuffer memory free (in MiB).
+      DCGM_FI_DEV_FB_USED, gauge, Framebuffer memory used (in MiB).
+      
+      # ECC
+      # DCGM_FI_DEV_ECC_SBE_VOL_TOTAL, counter, Total number of single-bit volatile ECC errors.
+      # DCGM_FI_DEV_ECC_DBE_VOL_TOTAL, counter, Total number of double-bit volatile ECC errors.
+      # DCGM_FI_DEV_ECC_SBE_AGG_TOTAL, counter, Total number of single-bit persistent ECC errors.
+      # DCGM_FI_DEV_ECC_DBE_AGG_TOTAL, counter, Total number of double-bit persistent ECC errors.
+      
+      # Retired pages
+      # DCGM_FI_DEV_RETIRED_SBE,     counter, Total number of retired pages due to single-bit errors.
+      # DCGM_FI_DEV_RETIRED_DBE,     counter, Total number of retired pages due to double-bit errors.
+      # DCGM_FI_DEV_RETIRED_PENDING, counter, Total number of pages pending retirement.
+      
+      # NVLink
+      # DCGM_FI_DEV_NVLINK_CRC_FLIT_ERROR_COUNT_TOTAL, counter, Total number of NVLink flow-control CRC errors.
+      # DCGM_FI_DEV_NVLINK_CRC_DATA_ERROR_COUNT_TOTAL, counter, Total number of NVLink data CRC errors.
+      # DCGM_FI_DEV_NVLINK_REPLAY_ERROR_COUNT_TOTAL,   counter, Total number of NVLink retries.
+      # DCGM_FI_DEV_NVLINK_RECOVERY_ERROR_COUNT_TOTAL, counter, Total number of NVLink recovery errors.
+      DCGM_FI_DEV_NVLINK_BANDWIDTH_TOTAL,            counter, Total number of NVLink bandwidth counters for all lanes.
+      # DCGM_FI_DEV_NVLINK_BANDWIDTH_L0,               counter, The number of bytes of active NVLink rx or tx data including both header and payload.
+      
+      # VGPU License status
+      DCGM_FI_DEV_VGPU_LICENSE_STATUS, gauge, vGPU License status
+      
+      # Remapped rows
+      DCGM_FI_DEV_UNCORRECTABLE_REMAPPED_ROWS, counter, Number of remapped rows for uncorrectable errors
+      DCGM_FI_DEV_CORRECTABLE_REMAPPED_ROWS,   counter, Number of remapped rows for correctable errors
+      DCGM_FI_DEV_ROW_REMAP_FAILURE,           gauge,   Whether remapping of rows has failed
+      
+      # DCP metrics
+      DCGM_FI_PROF_GR_ENGINE_ACTIVE,   gauge, Ratio of time the graphics engine is active.
+      # DCGM_FI_PROF_SM_ACTIVE,          gauge, The ratio of cycles an SM has at least 1 warp assigned.
+      # DCGM_FI_PROF_SM_OCCUPANCY,       gauge, The ratio of number of warps resident on an SM.
+      DCGM_FI_PROF_PIPE_TENSOR_ACTIVE, gauge, Ratio of cycles the tensor (HMMA) pipe is active.
+      DCGM_FI_PROF_DRAM_ACTIVE,        gauge, Ratio of cycles the device memory interface is active sending or receiving data.
+      # DCGM_FI_PROF_PIPE_FP64_ACTIVE,   gauge, Ratio of cycles the fp64 pipes are active.
+      # DCGM_FI_PROF_PIPE_FP32_ACTIVE,   gauge, Ratio of cycles the fp32 pipes are active.
+      # DCGM_FI_PROF_PIPE_FP16_ACTIVE,   gauge, Ratio of cycles the fp16 pipes are active.
+      DCGM_FI_PROF_PCIE_TX_BYTES,      counter, The number of bytes of active pcie tx data including both header and payload.
+      DCGM_FI_PROF_PCIE_RX_BYTES,      counter, The number of bytes of active pcie rx data including both header and payload.
+{{- end }}

frameworks/GPU/config/gpu/hami/templates/dcgm-exporter/role.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: dcgm-exporter-read-cm
+  namespace: {{ include "dcgm-exporter.namespace" . }}
+  labels:
+    {{- include "dcgm-exporter.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "dcgm-exporter"
+rules:
+- apiGroups: [""]
+  resources: ["configmaps"]
+  resourceNames: ["exporter-metrics-config-map"]
+  verbs: ["get"]

frameworks/GPU/config/gpu/hami/templates/dcgm-exporter/rolebinding.yaml

@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "dcgm-exporter.fullname" . }}
+  namespace: {{ include "dcgm-exporter.namespace" . }}
+  labels:
+    {{- include "dcgm-exporter.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "dcgm-exporter"
+subjects:
+- kind: ServiceAccount
+  name: {{ include "dcgm-exporter.serviceAccountName" . }}
+  namespace: {{ include "dcgm-exporter.namespace" . }}
+roleRef:
+  kind: Role 
+  name: dcgm-exporter-read-cm
+  apiGroup: rbac.authorization.k8s.io

frameworks/GPU/config/gpu/hami/templates/dcgm-exporter/service-monitor.yaml

@@ -0,0 +1,42 @@
+{{- if .Values.dcgmExporter.serviceMonitor.enabled }}
+# Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: {{ .Values.dcgmExporter.serviceMonitor.apiVersion }}
+kind: ServiceMonitor
+metadata:
+  name: {{ include "dcgm-exporter.fullname" . }}
+  namespace: kubesphere-monitoring-system
+  labels:
+    {{- include "dcgm-exporter.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "dcgm-exporter"
+    {{- if .Values.dcgmExporter.serviceMonitor.additionalLabels }}
+    {{- toYaml .Values.dcgmExporter.serviceMonitor.additionalLabels | nindent 4 }}
+    {{- end }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "dcgm-exporter.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: "dcgm-exporter"
+  namespaceSelector:
+    matchNames:
+    - "{{ include "dcgm-exporter.namespace" . }}"
+  endpoints:
+  - port: "metrics"
+    path: "/metrics"
+    interval: "{{ .Values.dcgmExporter.serviceMonitor.interval }}"
+    honorLabels: {{ .Values.dcgmExporter.serviceMonitor.honorLabels }}
+    relabelings:
+      {{ toYaml .Values.dcgmExporter.serviceMonitor.relabelings | nindent 6 }}
+{{- end -}}

frameworks/GPU/config/gpu/hami/templates/dcgm-exporter/service.yaml

@@ -0,0 +1,40 @@
+{{- if .Values.dcgmExporter.service.enable }}
+# Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "dcgm-exporter.fullname" . }}
+  namespace: {{ include "dcgm-exporter.namespace" . }}
+  labels:
+    {{- include "dcgm-exporter.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "dcgm-exporter"
+  {{- with .Values.dcgmExporter.service.annotations }}
+  annotations:
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  type: {{ .Values.dcgmExporter.service.type }}
+  {{- if .Values.dcgmExporter.service.clusterIP }}
+  clusterIP: {{ .Values.dcgmExporter.service.clusterIP | quote }}
+  {{- end }}
+  ports:
+  - name: "metrics"
+    port: {{ .Values.dcgmExporter.service.port }}
+    targetPort: {{ .Values.dcgmExporter.service.port }}
+    protocol: TCP
+  selector:
+    {{- include "dcgm-exporter.selectorLabels" . | nindent 4 }}
+{{- end }}

frameworks/GPU/config/gpu/hami/templates/dcgm-exporter/serviceaccount.yaml

@@ -0,0 +1,28 @@
+{{- if .Values.dcgmExporter.serviceAccount.create -}}
+# Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "dcgm-exporter.serviceAccountName" . }}
+  namespace: {{ include "dcgm-exporter.namespace" . }}
+  labels:
+    {{- include "dcgm-exporter.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "dcgm-exporter"
+  {{- with .Values.dcgmExporter.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end -}}

frameworks/GPU/config/gpu/hami/templates/dcgm-exporter/tls-secret.yaml

@@ -0,0 +1,43 @@
+# Copyright (c) 2024, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+{{- if and .Values.dcgmExporter.tlsServerConfig.enabled (not .Values.dcgmExporter.tlsServerConfig.existingSecret) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ (include "dcgm-exporter.tlsCertsSecretName" .) }}
+  namespace: {{ include "dcgm-exporter.namespace" . }}
+  labels:
+    app.kubernetes.io/component: "dcgm-exporter"
+    {{- include "dcgm-exporter.labels" . | nindent 4 }}
+type: Opaque
+data:
+  {{- if .Values.dcgmExporter.tlsServerConfig.autoGenerated }}
+  {{- $ca := genCA "dcgm-exporter-ca" 3650 }}
+  {{- $hostname := printf "%s" (include "dcgm-exporter.fullname" .) }}
+  {{- $cert := genSignedCert $hostname nil (list $hostname) 3650 $ca }}
+  {{ .Values.dcgmExporter.tlsServerConfig.certFilename }}: {{ $cert.Cert | b64enc | quote }}
+  {{ .Values.dcgmExporter.tlsServerConfig.keyFilename }}: {{ $cert.Key | b64enc | quote }}
+  {{- if .Values.dcgmExporter.tlsServerConfig.clientAuthType }}
+  {{ .Values.dcgmExporter.tlsServerConfig.caFilename }}: {{ $ca.Cert | b64enc | quote }}
+  {{- end }}
+  {{- else }}
+  {{ .Values.dcgmExporter.tlsServerConfig.certFilename }}: {{ required "'tlsServerConfig.cert' is required when 'tlsServerConfig.enabled=true'" .Values.dcgmExporter.tlsServerConfig.cert | b64enc | quote }}
+  {{ .Values.dcgmExporter.tlsServerConfig.keyFilename }}: {{ required "'tlsServerConfig.key' is required when 'tlsServerConfig.enabled=true'" .Values.dcgmExporter.tlsServerConfig.key | b64enc | quote }}
+  {{- if .Values.dcgmExporter.tlsServerConfig.clientAuthType }}
+  {{ .Values.dcgmExporter.tlsServerConfig.caFilename }}: {{ required "'tlsServerConfig.ca' is required when 'tlsServerConfig.clientAuthType' is provided" .Values.dcgmExporter.tlsServerConfig.ca | b64enc | quote }}
+  {{- end }}
+  {{- end }}
+{{- end }}

frameworks/GPU/config/gpu/hami/templates/dcgm-exporter/web-config-configmap.yaml

@@ -0,0 +1,40 @@
+# Copyright (c) 2024, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if or .Values.dcgmExporter.tlsServerConfig.enabled .Values.dcgmExporter.basicAuth.users }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "dcgm-exporter.webConfigConfigMap" . }}
+  namespace: {{ include "dcgm-exporter.namespace" . }}
+  labels:
+    app.kubernetes.io/component: "dcgm-exporter"
+    {{- include "dcgm-exporter.labels" . | nindent 4 }}
+data:
+  web-config.yaml: |
+{{- if .Values.dcgmExporter.tlsServerConfig.enabled }}
+    tls_server_config:
+       cert_file: {{ required "'tlsServerConfig.certFilename' is required when 'tlsServerConfig.enabled=true'" .Values.dcgmExporter.tlsServerConfig.certFilename | printf "/etc/dcgm-exporter/tls/%s" | quote }}
+       key_file: {{ required "'tlsServerConfig.keyFilename' is required when 'tlsServerConfig.enabled=true'" .Values.dcgmExporter.tlsServerConfig.keyFilename | printf "/etc/dcgm-exporter/tls/%s" | quote }}
+       {{- if .Values.dcgmExporter.tlsServerConfig.clientAuthType }}
+       client_auth_type: {{ .Values.dcgmExporter.tlsServerConfig.clientAuthType }}
+       client_ca_file: {{ required "'tlsServerConfig.caFilename' is required when 'tlsServerConfig.clientAuthType' is provided" .Values.dcgmExporter.tlsServerConfig.caFilename | printf "/etc/dcgm-exporter/tls/%s" | quote }}
+       {{- end }}
+{{- end }}
+{{- if .Values.dcgmExporter.basicAuth.users }}
+    basic_auth_users:
+      {{- range $user, $password := .Values.dcgmExporter.basicAuth.users }}
+      {{ $user }}: {{ (split ":" (htpasswd $user $password))._1 }}
+      {{- end }}
+{{- end }}
+{{- end }}

frameworks/GPU/config/gpu/hami/templates/webui/configmap.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "hami-webui.fullname" . }}-config
+  namespace: {{ include "hami-webui.namespace" . }}
+data:
+  config.yaml: |
+    server:
+      http:
+        addr: 0.0.0.0:8000
+        timeout: 1s
+      grpc:
+        addr: 0.0.0.0:9000
+        timeout: 1s
+    prometheus:
+      address: {{ ternary .Values.webui.externalPrometheus.address (printf "http://%s-kube-prometh-prometheus.%s.svc.cluster.local:9090" (include "hami-webui.fullname" .) (include "hami-webui.namespace" .)) .Values.webui.externalPrometheus.enabled }}
+      timeout: 1m
+    node_selectors:
+    {{- range $key, $value := .Values.webui.vendorNodeSelectors }}
+      {{ $key }}: {{ $value }}
+    {{- end }}

frameworks/GPU/config/gpu/hami/templates/webui/deployment.yaml

@@ -0,0 +1,82 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "hami-webui.fullname" . }}
+  namespace: {{ include "hami-webui.namespace" . }}
+  labels:
+    {{- include "hami-webui.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "hami-webui"
+spec:
+  replicas: {{ .Values.webui.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "hami-webui.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: "hami-webui"
+  template:
+    metadata:
+      {{- with .Values.webui.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "hami-webui.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/component: "hami-webui"
+    spec:
+      serviceAccountName: {{ include "hami-webui.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.webui.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Release.Name }}-fe-oss
+          securityContext:
+            {{- toYaml .Values.webui.securityContext | nindent 12 }}
+          image: "{{ .Values.webui.image.frontend.repository }}:{{ .Values.webui.image.frontend.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.webui.image.frontend.pullPolicy }}
+          env:
+            {{- toYaml .Values.webui.env.frontend | nindent 12 }}
+          ports:
+            - name: http
+              containerPort: 3000
+              protocol: TCP
+          command:
+            - "node"
+          args:
+            - "/apps/dist/main"
+          resources:
+            {{- toYaml .Values.webui.resources.frontend | nindent 12 }}
+        - name: {{ .Release.Name }}-be-oss
+          securityContext:
+                  {{- toYaml .Values.webui.securityContext | nindent 12 }}
+          image: "{{ .Values.webui.image.backend.repository }}:{{ .Values.webui.image.backend.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.webui.image.backend.pullPolicy }}
+          env:
+            {{- toYaml .Values.webui.env.backend | nindent 12 }}
+          ports:
+            - name: metrics
+              containerPort: 8000
+              protocol: TCP
+          command:
+            - "/apps/server"
+          args:
+            - "--conf"
+            - "/apps/config/config.yaml"
+          resources:
+            {{- toYaml .Values.webui.resources.backend | nindent 12 }}
+          volumeMounts:
+            - name: config
+              mountPath: /apps/config/
+      {{- with .Values.webui.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.webui.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      volumes:
+        - name: config
+          configMap:
+            name: {{ include "hami-webui.fullname" . }}-config

frameworks/GPU/config/gpu/hami/templates/webui/hamiservicemonitor.yaml

@@ -0,0 +1,27 @@
+{{- if .Values.webui.hamiServiceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "hami-webui.fullname" . }}-hami-svc-monitor
+  namespace: kubesphere-monitoring-system
+  labels:
+    {{- include "hami-webui.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "hami-webui"
+    {{- if .Values.webui.hamiServiceMonitor.additionalLabels }}
+    {{- toYaml .Values.webui.hamiServiceMonitor.additionalLabels | nindent 4 }}
+    {{- end }}
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: hami-device-plugin
+  namespaceSelector:
+    matchNames:
+      - "{{ .Values.webui.hamiServiceMonitor.svcNamespace }}"
+  endpoints:
+  - path: /metrics
+    port: monitorport
+    interval: "{{ .Values.webui.hamiServiceMonitor.interval }}"
+    honorLabels: {{ .Values.webui.hamiServiceMonitor.honorLabels }}
+    relabelings:
+      {{ toYaml .Values.webui.hamiServiceMonitor.relabelings | nindent 6 }}
+{{- end -}}

frameworks/GPU/config/gpu/hami/templates/webui/role.yaml

@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: hami-webui-reader
+  namespace: {{ include "hami-webui.namespace" . }}
+  labels:
+    {{- include "hami-webui.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "hami-webui"
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "nodes" ]
+    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [ "" ]
+    resources: [ "pods" ]
+    verbs: [ "get", "list", "watch" ]

frameworks/GPU/config/gpu/hami/templates/webui/rolebinding.yaml

@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "hami-webui.fullname" . }}
+  namespace: {{ include "hami-webui.namespace" . }}
+  labels:
+    {{- include "hami-webui.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "hami-webui"
+subjects:
+- kind: ServiceAccount
+  name: {{ include "hami-webui.serviceAccountName" . }}
+  namespace: {{ include "hami-webui.namespace" . }}
+roleRef:
+  kind: ClusterRole
+  name: hami-webui-reader
+  apiGroup: rbac.authorization.k8s.io

frameworks/GPU/config/gpu/hami/templates/webui/service.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "hami-webui.fullname" . }}
+  namespace: {{ include "hami-webui.namespace" . }}
+  labels:
+    {{- include "hami-webui.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "hami-webui"
+spec:
+  type: {{ .Values.webui.service.type }}
+  ports:
+    - port: {{ .Values.webui.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+    - port: 8000
+      targetPort: metrics
+      protocol: TCP
+      name: metrics
+  selector:
+    {{- include "hami-webui.selectorLabels" . | nindent 4 }}
+    app.kubernetes.io/component: "hami-webui"

frameworks/GPU/config/gpu/hami/templates/webui/serviceaccount.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.webui.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "hami-webui.serviceAccountName" . }}
+  namespace: {{ include "hami-webui.namespace" . }}
+  labels:
+    {{- include "hami-webui.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "hami-webui"
+  {{- with .Values.webui.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

frameworks/GPU/config/gpu/hami/templates/webui/servicemonitor.yaml

@@ -0,0 +1,42 @@
+{{- if .Values.webui.serviceMonitor.enabled }}
+# Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "hami-webui.fullname" . }}-svc-monitor
+  namespace: kubesphere-monitoring-system
+  labels:
+    {{- include "hami-webui.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "hami-webui"
+    {{- if .Values.webui.serviceMonitor.additionalLabels }}
+    {{- toYaml .Values.webui.serviceMonitor.additionalLabels | nindent 4 }}
+    {{- end }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "hami-webui.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: "hami-webui"
+  namespaceSelector:
+    matchNames:
+    - "{{ include "hami-webui.namespace" . }}"
+  endpoints:
+  - port: "metrics"
+    path: "/metrics"
+    interval: "{{ .Values.webui.serviceMonitor.interval }}"
+    honorLabels: {{ .Values.webui.serviceMonitor.honorLabels }}
+    relabelings:
+      {{ toYaml .Values.webui.serviceMonitor.relabelings | nindent 6 }}
+{{- end -}}

frameworks/GPU/config/gpu/hami/values.yaml

@@ -126,7 +126,7 @@ scheduler:
     tolerations: []
     runAsUser: 2000
   service:
-    type: NodePort  # Default type is NodePort, can be changed to ClusterIP
+    type: ClusterIP  # Default type is NodePort, can be changed to ClusterIP
     httpPort: 443   # HTTP port
     schedulerPort: 31998  # NodePort for HTTP
     monitorPort: 31993    # Monitoring port
@@ -149,7 +149,7 @@ devicePlugin:
     - -v=4
   
   service:
-    type: NodePort  # Default type is NodePort, can be changed to ClusterIP
+    type: ClusterIP  # Default type is NodePort, can be changed to ClusterIP
     httpPort: 31992
     labels: {}
     annotations: {}
@@ -217,3 +217,314 @@ devices:
       - huawei.com/Ascend910B4-memory
       - huawei.com/Ascend310P
       - huawei.com/Ascend310P-memory
+
+dcgmExporter:
+  image:
+    repository: nvidia/dcgm-exporter
+    pullPolicy: IfNotPresent
+    tag: 4.1.1-4.0.4-ubuntu22.04
+
+  # Change the following reference to "/etc/dcgm-exporter/default-counters.csv"
+  # to stop profiling metrics from DCGM
+  arguments: ["-f", "/etc/dcgm-exporter/default-counters.csv"]
+  # NOTE: in general, add any command line arguments to arguments above
+  # and they will be passed through.
+  # Use "-r", "<HOST>:<PORT>" to connect to an already running hostengine
+  # Example arguments: ["-r", "host123:5555"]
+  # Use "-n" to remove the hostname tag from the output.
+  # Example arguments: ["-n"]
+  # Use "-d" to specify the devices to monitor. -d must be followed by a string
+  # in the following format: [f] or [g[:numeric_range][+]][i[:numeric_range]]
+  # Where a numeric range is something like 0-4 or 0,2,4, etc.
+  # Example arguments: ["-d", "g+i"] to monitor all GPUs and GPU instances or
+  # ["-d", "g:0-3"] to monitor GPUs 0-3.
+  # Use "-m" to specify the namespace and name of a configmap containing
+  # the watched exporter fields.
+  # Example arguments: ["-m", "default:exporter-metrics-config-map"]
+
+  # Overrides the chart's name
+  nameOverride: "nvidia-dcgm-exporter"
+
+  # Overrides the chart's computed fullname
+  fullnameOverride: ""
+
+  # Overrides the deployment namespace
+  namespaceOverride: ""
+
+  # Defines the runtime class that will be used by the pod
+  runtimeClassName: ""
+  # Defines serviceAccount names for components.
+  serviceAccount:
+    # Specifies whether a service account should be created
+    create: true
+    # Annotations to add to the service account
+    annotations: {}
+    # The name of the service account to use.
+    # If not set and create is true, a name is generated using the fullname template
+    name:
+
+  rollingUpdate:
+    # Specifies maximum number of DaemonSet pods that can be unavailable during the update
+    maxUnavailable: 1
+    # Specifies maximum number of nodes with an existing available DaemonSet pod that can have an updated DaemonSet pod during during an update
+    maxSurge: 0
+
+  # Labels to be added to dcgm-exporter pods
+  podLabels: {}
+
+  # Annotations to be added to dcgm-exporter pods
+  podAnnotations: {}
+  # Using this annotation which is required for prometheus scraping
+    # prometheus.io/scrape: "true"
+    # prometheus.io/port: "9400"
+
+  # The SecurityContext for the dcgm-exporter pods
+  podSecurityContext: {}
+    # fsGroup: 2000
+
+  # The SecurityContext for the dcgm-exporter containers
+  securityContext:
+    runAsNonRoot: false
+    runAsUser: 0
+    capabilities:
+      add: ["SYS_ADMIN"]
+    # readOnlyRootFilesystem: true
+
+  # Defines the dcgm-exporter service
+  service:
+    # When enabled, the helm chart will create service
+    enable: true
+    type: ClusterIP
+    clusterIP: ""
+    port: 9400
+    address: ":9400"
+    # Annotations to add to the service
+    annotations: {}
+
+  # Allows to control pod resources
+  resources: {}
+    # limits:
+    #   cpu: 100m
+    #   memory: 128Mi
+    # requests:
+    #   cpu: 100m
+    #   memory: 128Mi
+  serviceMonitor:
+    apiVersion: "monitoring.coreos.com/v1"
+    enabled: true
+    interval: 15s
+    honorLabels: false
+    additionalLabels: {}
+      #monitoring: prometheus
+    relabelings: []
+      # - sourceLabels: [__meta_kubernetes_pod_node_name]
+      #   separator: ;
+      #   regex: ^(.*)$
+      #   targetLabel: nodename
+      #   replacement: $1
+      #   action: replace
+
+  nodeSelector: {}
+    #node: gpu
+
+  tolerations: []
+  #- operator: Exists
+
+  affinity: {}
+    #nodeAffinity:
+    #  requiredDuringSchedulingIgnoredDuringExecution:
+    #    nodeSelectorTerms:
+    #    - matchExpressions:
+    #      - key: nvidia-gpu
+    #        operator: Exists
+
+  extraHostVolumes: []
+  #- name: host-binaries
+  #  hostPath: /opt/bin
+
+  extraConfigMapVolumes:
+    - name: exporter-metrics-volume
+      configMap:
+        name: exporter-metrics-config-map
+        items:
+        - key: metrics
+          path: default-counters.csv
+
+  extraVolumeMounts:
+    - name: exporter-metrics-volume
+      mountPath: /etc/dcgm-exporter/default-counters.csv
+      subPath: default-counters.csv
+
+  extraEnv: []
+  #- name: EXTRA_VAR
+  #  value: "TheStringValue"
+
+  # Path to the kubelet socket for /pod-resources
+  kubeletPath: "/var/lib/kubelet/pod-resources"
+
+  # HTTPS configuration
+  tlsServerConfig:
+    # Enable or disable HTTPS configuration
+    enabled: false
+    # Use autogenerated self-signed TLS certificates. Not recommended for production environments.
+    autoGenerated: true
+    # Existing secret containing your own server key and certificate
+    existingSecret: ""
+    # Certificate file name
+    certFilename: "tls.crt"
+    # Key file name
+    keyFilename: "tls.key"
+    # CA certificate file name
+    caFilename: "ca.crt"
+    # Server policy for client authentication. Maps to ClientAuth Policies.
+    # For more detail on clientAuth options:
+    # https://golang.org/pkg/crypto/tls/#ClientAuthType
+    #
+    # NOTE: If you want to enable client authentication, you need to use
+    # RequireAndVerifyClientCert. Other values are insecure.
+    clientAuthType: ""
+    # TLS Key for HTTPS - ignored if existingSecret is provided
+    key: ""
+    # TLS Certificate for HTTPS - ignored if existingSecret is provided
+    cert: ""
+    # CA Certificate for HTTPS - ignored if existingSecret is provided
+    ca: ""
+
+  basicAuth:
+    #Object containing <user>:<passwords> key-value pairs for each user that will have access via basic authentication
+    users: {}
+
+  # Customized list of metrics to emit. Expected to be in the same format (CSV) as the default list.
+  # Must be the complete list and is not additive. If unset, the default list will take effect.
+  # customMetrics: |
+    # Format
+    # If line starts with a '#' it is considered a comment
+    # DCGM FIELD, Prometheus metric type, help message
+
+webui:
+  replicaCount: 1
+
+  vendorNodeSelectors:
+    NVIDIA: gpu.bytetrade.io/cuda-supported=true
+    Ascend: ascend=on
+    DCU: dcu=on
+    MLU: mlu=on
+
+  image:
+    frontend:
+      repository: projecthami/hami-webui-fe-oss
+      pullPolicy: IfNotPresent
+      # Overrides the image tag whose default is the chart appVersion.
+      tag: "v1.0.5"
+    backend:
+      repository: projecthami/hami-webui-be-oss
+      pullPolicy: IfNotPresent
+      tag: "v1.0.5"
+
+  imagePullSecrets: []
+  nameOverride: "webui"
+  fullnameOverride: ""
+  namespaceOverride: ""
+
+  serviceAccount:
+    # Specifies whether a service account should be created
+    create: true
+    # Annotations to add to the service account
+    annotations: {}
+    # The name of the service account to use.
+    # If not set and create is true, a name is generated using the fullname template
+    name: ""
+
+  podAnnotations: {}
+
+  podSecurityContext: {}
+  # fsGroup: 2000
+
+  securityContext: {}
+    # capabilities:
+    #   drop:
+    #   - ALL
+    # readOnlyRootFilesystem: true
+    # runAsNonRoot: true
+  # runAsUser: 1000
+
+  service:
+    type: ClusterIP
+    port: 3000
+
+  ingress:
+    enabled: false
+    className: ""
+    annotations: {}
+      # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+    hosts:
+      - host: chart-example.local
+        paths:
+          - path: /
+            pathType: ImplementationSpecific
+    tls: []
+    #  - secretName: chart-example-tls
+    #    hosts:
+    #      - chart-example.local
+
+  resources:
+    frontend:
+      limits:
+        cpu: 200m
+        memory: 500Mi
+      requests:
+        cpu: 200m
+        memory: 500Mi
+    backend:
+      limits:
+        cpu: 50m
+        memory: 250Mi
+      requests:
+        cpu: 50m
+        memory: 250Mi
+      # We usually recommend not to specify default resources and to leave this as a conscious
+      # choice for the user. This also increases chances charts run on environments with little
+      # resources, such as Minikube. If you do want to specify resources, uncomment the following
+      # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+      # limits:
+      #   cpu: 100m
+      #   memory: 128Mi
+      # requests:
+      #   cpu: 100m
+      #   memory: 128Mi
+
+  env:
+    frontend:
+      - name: TZ
+        value: "Asia/Shanghai"
+    backend:
+      - name: TZ
+        value: "Asia/Shanghai"
+
+  serviceMonitor:
+    enabled: true
+    interval: 15s
+    honorLabels: false
+    additionalLabels:
+      jobRelease: hami-webui-prometheus
+    relabelings: []
+
+  hamiServiceMonitor:
+    enabled: true
+    interval: 15s
+    honorLabels: false
+    additionalLabels:
+      jobRelease: hami-webui-prometheus
+    svcNamespace: kube-system
+    relabelings: []
+
+  nodeSelector: {}
+
+  tolerations: []
+
+  affinity: {}
+
+  externalPrometheus:
+    address: "http://prometheus-k8s.kubesphere-monitoring-system:9090"
+    enabled: true

frameworks/app-service/config/cluster/deploy/appservice_deploy.yaml

@@ -149,7 +149,7 @@ spec:
       priorityClassName: "system-cluster-critical"
       containers:
       - name: app-service
-        image: beclab/app-service:0.3.12
+        image: beclab/app-service:0.3.23
         imagePullPolicy: IfNotPresent
         securityContext:
           runAsUser: 0
@@ -163,9 +163,9 @@ spec:
         - name: KS_APISERVER_SERVICE_PORT
           value: '80'
         - name: REQUIRE_PERMISSION_APPS
-          value: "vault,desktop,message,wise,search,appstore,notification,dashboard,settings,devbox,profile"
+          value: "vault,desktop,message,wise,search,appstore,notification,dashboard,settings,studio,profile"
         - name: SYS_APPS
-          value: "analytics,market,auth,citus,desktop,did,docs,files,fsnotify,headscale,infisical,intentprovider,ksserver,message,mongo,monitoring,notifications,profile,redis,wise,recommend,seafile,search,search-admin,settings,systemserver,tapr,vault,video,zinc,accounts,control-hub,dashboard,nitro,system-frontend"
+          value: "analytics,market,auth,citus,desktop,did,docs,files,fsnotify,headscale,infisical,intentprovider,ksserver,message,mongo,monitoring,notifications,profile,redis,wise,recommend,seafile,search,search-admin,settings,systemserver,tapr,vault,video,zinc,accounts,control-hub,dashboard,nitro,system-frontend,studio"
         - name: GENERATED_APPS
           value: "citus,mongo-cluster-cfg,mongo-cluster-mongos,mongo-cluster-rs0,frp-agent,l4-bfl-proxy,drc-redis-cluster,appdata-backend,argoworkflows,argoworkflow-workflow-controller,velero,kvrocks"
         - name: WS_CONTAINER_IMAGE
@@ -367,7 +367,7 @@ spec:
       hostNetwork: true
       containers:
         - name: image-service
-          image: beclab/image-service:0.2.66
+          image: beclab/image-service:0.3.21
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsUser: 0

frameworks/backup-server/config/cluster/crds/sys.bytetrade.io_backupconfigs.yaml

@@ -1,139 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.9.2
-  creationTimestamp: null
-  name: backupconfigs.sys.bytetrade.io
-spec:
-  group: sys.bytetrade.io
-  names:
-    categories:
-    - all
-    kind: BackupConfig
-    listKind: BackupConfigList
-    plural: backupconfigs
-    shortNames:
-    - bc
-    singular: backupconfig
-  scope: Namespaced
-  versions:
-  - additionalPrinterColumns:
-    - jsonPath: .spec.provider
-      name: provider
-      type: string
-    - jsonPath: .spec.region
-      name: region
-      type: string
-    - jsonPath: .spec.bucket
-      name: bucket
-      type: string
-    - jsonPath: .spec.prefix
-      name: prefix
-      type: string
-    - jsonPath: .spec.owner
-      name: owner
-      type: string
-    - jsonPath: .spec.location
-      name: location
-      type: string
-    - jsonPath: .spec.storageLocation
-      name: storageLocation
-      type: string
-    - jsonPath: .metadata.creationTimestamp
-      name: age
-      type: date
-    - jsonPath: .status.updateTime
-      name: updateTime
-      type: date
-    name: v1
-    schema:
-      openAPIV3Schema:
-        description: BackupConfig is the Schema for the backupconfigs API
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: BackupConfigSpec defines the desired state of BackupConfig
-            properties:
-              accessKey:
-                type: string
-              backupPolicy:
-                properties:
-                  enabled:
-                    type: boolean
-                  name:
-                    type: string
-                  snapshotFrequency:
-                    type: string
-                  timesOfDay:
-                    type: string
-                  dayOfWeek:
-                    format: int64
-                    type: integer
-                required:
-                - enabled
-                - name
-                - snapshotFrequency
-                - timesOfDay
-                type: object
-              bucket:
-                type: string
-              extra:
-                additionalProperties:
-                  type: string
-                type: object
-              location:
-                type: string
-              owner:
-                type: string
-              plugins:
-                items:
-                  type: string
-                type: array
-              prefix:
-                type: string
-              provider:
-                type: string
-              region:
-                type: string
-              repositoryPassword:
-                type: string
-              s3Url:
-                type: string
-              secretKey:
-                type: string
-              storageLocation:
-                type: string
-            required:
-            - bucket
-            - location
-            - plugins
-            - provider
-            - region
-            - storageLocation
-            type: object
-          status:
-            description: BackupConfigStatus defines the observed state of BackupConfig
-            properties:
-              state:
-                description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file'
-                type: string
-              updateTime:
-                format: date-time
-                type: string
-            required:
-            - state
-            - updateTime
-            type: object
-        type: object
-    served: true
-    storage: true
-    subresources:
-      status: {}

frameworks/backup-server/config/cluster/crds/sys.bytetrade.io_backups.yaml

@@ -3,83 +3,125 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.9.2
+    controller-gen.kubebuilder.io/version: v0.11.3
   creationTimestamp: null
   name: backups.sys.bytetrade.io
 spec:
   group: sys.bytetrade.io
   names:
     categories:
-    - all
+      - all
     kind: Backup
     listKind: BackupList
     plural: backups
+    shortNames:
+      - bc
     singular: backup
   scope: Namespaced
   versions:
-  - additionalPrinterColumns:
+    - additionalPrinterColumns:
-    - jsonPath: .spec.owner
+        - jsonPath: .spec.name
-      name: owner
+          name: name
-      type: string
+          type: string
-    - jsonPath: .spec.phase
+        - jsonPath: .spec.owner
-      name: phase
+          name: owner
-      type: string
+          type: string
-    - jsonPath: .metadata.creationTimestamp
+        - jsonPath: .spec.deleted
-      name: creation
+          name: deleted
-      type: date
+          type: boolean
-    name: v1
+        - jsonPath: .metadata.creationTimestamp
-    schema:
+          name: creation
-      openAPIV3Schema:
+          type: date
-        description: Backup is the Schema for the backups API
+      name: v1
-        properties:
+      schema:
-          apiVersion:
+        openAPIV3Schema:
-            description: 'APIVersion defines the versioned schema of this representation
+          description: Backup is the Schema for the backups API.
-              of an object. Servers should convert recognized schemas to the latest
+          properties:
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            apiVersion:
-            type: string
+              description:
-          kind:
+                "APIVersion defines the versioned schema of this representation
-            description: 'Kind is a string value representing the REST resource this
+                of an object. Servers should convert recognized schemas to the latest
-              object represents. Servers may infer this from the endpoint the client
+                internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources"
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              type: string
-            type: string
+            kind:
-          metadata:
+              description:
-            type: object
+                "Kind is a string value representing the REST resource this
-          spec:
+                object represents. Servers may infer this from the endpoint the client
-            description: BackupSpec defines the desired state of Backup
+                submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
-            properties:
+              type: string
-              extra:
+            metadata:
-                additionalProperties:
+              type: object
+            spec:
+              description: BackupSpec defines the desired state of Backup.
+              properties:
+                backupPolicy:
+                  properties:
+                    dateOfMonth:
+                      type: integer
+                    dayOfWeek:
+                      type: integer
+                    enabled:
+                      type: boolean
+                    snapshotFrequency:
+                      type: string
+                    timesOfDay:
+                      type: string
+                  required:
+                    - dateOfMonth
+                    - dayOfWeek
+                    - enabled
+                    - snapshotFrequency
+                    - timesOfDay
+                  type: object
+                backupType:
+                  additionalProperties:
+                    type: string
+                  type: object
+                deleted:
+                  type: boolean
+                extra:
+                  additionalProperties:
+                    type: string
+                  type: object
+                location:
+                  additionalProperties:
+                    type: string
+                  type: object
+                name:
                   type: string
-                type: object
+                notified:
-              failedMessage:
+                  type: boolean
-                type: string
+                owner:
-              middleWareFailedMessage:
+                  type: string
-                type: string
+                size:
-              middleWarePhase:
+                  format: int64
-                type: string
+                  type: integer
-              owner:
+              required:
-                type: string
+                - backupType
-              phase:
+                - deleted
-                type: string
+                - location
-              resticPhase:
+                - name
-                type: string
+                - notified
-              resticFailedMessage:
+                - owner
-                type: string
+              type: object
-              size:
+            status:
-                format: int64
+              description: BackupStatus defines the observed state of Backup.
-                type: integer
+              properties:
-              terminusVersion:
+                state:
-                type: string
+                  description:
-            required:
+                    'INSERT ADDITIONAL STATUS FIELD - define observed state
-            - owner
+                    of cluster Important: Run "make" to regenerate code after modifying
-            - phase
+                    this file'
-            - terminusVersion
+                  type: string
-            type: object
+                updateTime:
-          status:
+                  format: date-time
-            description: BackupStatus defines the observed state of Backup
+                  type: string
-            type: object
+              required:
-        type: object
+                - state
-    served: true
+                - updateTime
-    storage: true
+              type: object
-    subresources:
+          type: object
-      status: {}
+      served: true
+      storage: true
+      subresources:
+        status: {}

frameworks/backup-server/config/cluster/crds/sys.bytetrade.io_restores.yaml

@@ -0,0 +1,95 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.11.3
+  creationTimestamp: null
+  name: restores.sys.bytetrade.io
+spec:
+  group: sys.bytetrade.io
+  names:
+    categories:
+      - all
+    kind: Restore
+    listKind: RestoreList
+    plural: restores
+    singular: restore
+  scope: Namespaced
+  versions:
+    - additionalPrinterColumns:
+        - jsonPath: .spec.phase
+          name: phase
+          type: string
+        - jsonPath: .metadata.creationTimestamp
+          name: creation
+          type: date
+      name: v1
+      schema:
+        openAPIV3Schema:
+          description: Restore is the Schema for the restores API
+          properties:
+            apiVersion:
+              description:
+                "APIVersion defines the versioned schema of this representation
+                of an object. Servers should convert recognized schemas to the latest
+                internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources"
+              type: string
+            kind:
+              description:
+                "Kind is a string value representing the REST resource this
+                object represents. Servers may infer this from the endpoint the client
+                submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: RestoreSpec defines the desired state of Restore
+              properties:
+                createAt:
+                  format: date-time
+                  type: string
+                endAt:
+                  format: date-time
+                  type: string
+                extra:
+                  additionalProperties:
+                    type: string
+                  type: object
+                message:
+                  type: string
+                owner:
+                  type: string
+                phase:
+                  type: string
+                progress:
+                  type: integer
+                resticMessage:
+                  type: string
+                resticPhase:
+                  type: string
+                restoreType:
+                  additionalProperties:
+                    type: string
+                  type: object
+                size:
+                  format: int64
+                  type: integer
+                startAt:
+                  format: date-time
+                  type: string
+              required:
+                - createAt
+                - owner
+                - phase
+                - restoreType
+                - startAt
+              type: object
+            status:
+              description: RestoreStatus defines the observed state of Restore
+              type: object
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}

frameworks/backup-server/config/cluster/crds/sys.bytetrade.io_snapshots.yaml

@@ -0,0 +1,104 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.11.3
+  creationTimestamp: null
+  name: snapshots.sys.bytetrade.io
+spec:
+  group: sys.bytetrade.io
+  names:
+    categories:
+      - all
+    kind: Snapshot
+    listKind: SnapshotList
+    plural: snapshots
+    singular: snapshot
+  scope: Namespaced
+  versions:
+    - additionalPrinterColumns:
+        - jsonPath: .spec.location
+          name: location
+          type: string
+        - jsonPath: .spec.snapshotType
+          name: snapshotType
+          type: string
+        - jsonPath: .spec.phase
+          name: phase
+          type: string
+        - jsonPath: .metadata.creationTimestamp
+          name: creation
+          type: date
+      name: v1
+      schema:
+        openAPIV3Schema:
+          description: Snapshot is the Schema for the snapshots API.
+          properties:
+            apiVersion:
+              description:
+                "APIVersion defines the versioned schema of this representation
+                of an object. Servers should convert recognized schemas to the latest
+                internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources"
+              type: string
+            kind:
+              description:
+                "Kind is a string value representing the REST resource this
+                object represents. Servers may infer this from the endpoint the client
+                submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: SnapshotSpec defines the desired state of Snapshot.
+              properties:
+                backupId:
+                  type: string
+                createAt:
+                  format: date-time
+                  type: string
+                endAt:
+                  format: date-time
+                  type: string
+                extra:
+                  additionalProperties:
+                    type: string
+                  type: object
+                location:
+                  type: string
+                message:
+                  type: string
+                phase:
+                  type: string
+                progress:
+                  type: integer
+                resticMessage:
+                  type: string
+                resticPhase:
+                  type: string
+                size:
+                  format: int64
+                  type: integer
+                snapshotId:
+                  type: string
+                snapshotType:
+                  type: integer
+                startAt:
+                  format: date-time
+                  type: string
+              required:
+                - backupId
+                - createAt
+                - location
+                - phase
+                - snapshotType
+                - startAt
+              type: object
+            status:
+              description: SnapshotStatus defines the observed state of Snapshot.
+              type: object
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}

frameworks/backup-server/config/cluster/deploy/backup_server.yaml

@@ -1,6 +1,6 @@
 
 
-{{ $backupVersion := "0.3.8" }}
+{{ $backupVersion := "0.3.13" }}
 {{ $backup_server_rootpath := printf "%s%s" .Values.rootPath "/rootfs/backup-server" }}
 
 ---
@@ -43,16 +43,6 @@ spec:
         command:
         - /backup-server
         - apiserver
-        - --velero-namespace
-        - os-system
-        - --velero-service-account
-        - os-internal
-        {{ if and .Values.backup.bucket .Values.backup.key_prefix }}
-        - --backup-bucket
-        - {{ .Values.backup.bucket }}
-        - --backup-key-prefix
-        - {{ .Values.backup.key_prefix }}
-        {{ end }}
         resources:
           requests:
             cpu: 20m
@@ -83,18 +73,6 @@ spec:
         command:
         - /backup-server
         - controller
-        - --velero-namespace
-        - os-system
-        - --velero-service-account
-        - os-internal
-        {{ if and .Values.backup.bucket .Values.backup.key_prefix }}
-        - --backup-bucket
-        - {{ .Values.backup.bucket }}
-        - --backup-key-prefix
-        - {{ .Values.backup.key_prefix }}
-        {{ end }}
-        - --backup-retain-days
-        - "30"
         resources:
           requests:
             cpu: 20m
@@ -116,54 +94,6 @@ spec:
         volumeMounts:
         - mountPath: /rootfs
           name: rootfs
-      - name: vcontroller
-        image: beclab/backup-server:v{{ $backupVersion }}
-        imagePullPolicy: IfNotPresent
-        securityContext:
-          runAsUser: 0
-        env:
-        {{- range $key, $val := .Values.terminusGlobalEnvs }}
-        - name: {{ $key }}
-          value: {{ $val | quote }}
-        {{- end }}
-        command:
-        - /backup-server
-        - vcontroller
-        - --velero-namespace
-        - os-system
-        - --velero-service-account
-        - os-internal
-        resources:
-          requests:
-            cpu: 20m
-            memory: 50Mi
-          limits:
-            cpu: 2
-            memory: 1500Mi
-        volumeMounts:
-        - mountPath: /rootfs
-          name: rootfs
-      - name: sidecar-backup-sync
-        image: beclab/sidecar-backup-sync:v0.0.12
-        imagePullPolicy: IfNotPresent
-        command:
-        - /backup_sync
-        - --log-level
-        - debug
-        - --sync-interval
-        - "10"
-        volumeMounts:
-        - mountPath: /data
-          name: dbdata
-        env:
-        {{- range $key, $val := .Values.terminusGlobalEnvs }}
-        - name: {{ $key }}
-          value: {{ $val | quote }}
-        {{- end }}
-        - name: BACKUP_SERVER
-          value: http://127.0.0.1:8082
-        - name: BACKUP_SECRET
-          value: {{ .Values.backup.sync_secret | quote }}
 
 ---
 apiVersion: v1

frameworks/bfl/config/launcher/templates/bfl_deploy.yaml

@@ -249,7 +249,7 @@ spec:
 
       containers:
       - name: api
-        image: beclab/bfl:v0.4.2
+        image: beclab/bfl:v0.4.3
         imagePullPolicy: IfNotPresent
         securityContext:
           runAsUser: 1000
@@ -293,16 +293,20 @@ spec:
         - name: BACKUP_SERVER
           value: backup-server.os-system:8082
         - name: L4_PROXY_IMAGE_VERSION
-          value: v0.2.8
+          value: v0.3.0
         - name: REVERSE_PROXY_AGENT_IMAGE_VERSION
-          value: v0.1.7
+          value: v0.1.8
         - name: TERMINUS_CERT_SERVICE_API
           value: {{ .Values.bfl.terminus_cert_service_api }}
         - name: TERMINUS_DNS_SERVICE_API
           value: {{ .Values.bfl.terminus_dns_service_api }}
-
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: spec.nodeName
       - name: ingress
-        image: beclab/bfl-ingress:v0.3.1
+        image: beclab/bfl-ingress:v0.3.2
         imagePullPolicy: IfNotPresent
         volumeMounts:
         - name: ngxlog

frameworks/tapr/config/cluster/deploy/ks-component.yaml

@@ -0,0 +1,46 @@
+
+{{- $ks_component_secret := (lookup "v1" "Secret" .Release.Namespace "ks-component-secrets") -}}
+
+{{- $nats_password := "" -}}
+{{ if $ks_component_secret -}}
+{{ $nats_password = (index $ks_component_secret "data" "nats_password") }}
+{{ else -}}
+{{ $nats_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ks-component-secrets
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+  nats_password: {{ $nats_password }}
+
+
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: ks-component-nats
+  namespace: {{ .Release.Namespace }}
+spec:
+  app: ks-component
+  appNamespace: {{ .Release.Namespace }}
+  middleware: nats
+  nats:
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: nats_password
+          name: ks-component-secrets
+    refs:
+    - appName: notifications
+      appNamespace: {{ .Release.Namespace }}
+      subjects:
+      - name: system.notification
+        perm:
+        - pub
+        - sub
+    user: os_system_ks_component

frameworks/tapr/config/cluster/deploy/lldap-deployment.yaml

@@ -12,6 +12,7 @@
 {{ $lldap_ldap_user_pass = randAlpha 64 | b64enc }}
 {{ $lldap_key_seed = randAlpha 64 | b64enc }}
 {{- end -}}
+
 {{- $lldap_pg_secret := (lookup "v1" "Secret" $namespace "lldap-pg-secrets") -}}
 {{- $pg_password := "" -}}
 {{ if $lldap_pg_secret -}}
@@ -20,6 +21,13 @@
 {{ $pg_password = randAlphaNum 16 | b64enc }}
 {{- end -}}
 
+{{- $nats_password := "" -}}
+{{ if $lldap_pg_secret -}}
+{{ $nats_password = (index $lldap_pg_secret "data" "nats_password") }}
+{{ else -}}
+{{ $nats_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
 ---
 apiVersion: v1
 kind: Secret
@@ -29,6 +37,8 @@ metadata:
 type: Opaque
 data:
   pg_password: {{ $pg_password }}
+  nats_password: {{ $nats_password }}
+
 ---
 apiVersion: apr.bytetrade.io/v1alpha1
 kind: MiddlewareRequest
@@ -48,6 +58,33 @@ spec:
           name: lldap-pg-secrets
     databases:
       - name: lldap
+
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: lldap-nats
+  namespace: {{ .Release.Namespace }}
+spec:
+  app: lldap
+  appNamespace: {{ .Release.Namespace }}
+  middleware: nats
+  nats:
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: nats_password
+          name: lldap-pg-secrets
+    refs:
+    - appName: notifications
+      appNamespace: {{ .Release.Namespace }}
+      subjects:
+      - name: system.notification
+        perm:
+        - pub
+        - sub
+    user: os-system-lldap
+
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -114,6 +151,20 @@ spec:
               value: "full"
             - name: LLDAP_DATABASE_URL
               value: "postgres://lldap_os_system:{{ $pg_password | b64dec }}@citus-0.citus-headless.os-system:5432/os_system_lldap?sslmode=allow"
+            - name: NATS_HOST
+              value: nats
+            - name: NATS_PORT
+              value: "4222"
+            - name: NATS_USERNAME
+              value: os-system-lldap
+            - name: NATS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key: nats_password
+                  name: lldap-pg-secrets
+            - name: NATS_SUBJECT
+              value: "terminus.{{ .Release.Namespace }}.system.notification"
+
           image: beclab/lldap:0.0.1
           imagePullPolicy: IfNotPresent
           name: lldap

frameworks/tapr/config/cluster/deploy/middleware_deploy.yaml

@@ -99,7 +99,7 @@ spec:
         - name: DISABLE_TELEMETRY
           value: "false"
       - name: operator-api
-        image: beclab/middleware-operator:0.2.3
+        image: beclab/middleware-operator:0.2.4
         imagePullPolicy: IfNotPresent
         ports:
         - containerPort: 9080

frameworks/tapr/config/cluster/deploy/sys_event_deploy.yaml

@@ -26,6 +26,12 @@ rules:
   - backups
   verbs:
   - '*'
+- apiGroups:
+  - '*'
+  resources:
+  - configmaps
+  verbs:
+  - '*'
 
 ---
 apiVersion: v1
@@ -70,7 +76,7 @@ spec:
         runAsUser: 0
       containers:
       - name: tapr-sysevent
-        image: beclab/sys-event:0.1.15
+        image: beclab/sys-event:0.2.3
         imagePullPolicy: IfNotPresent
         env:
         - name: APP_RANDOM_KEY

third-party/authelia/config/cluster/deploy/auth_backend_deploy.yaml

@@ -8,6 +8,7 @@
 {{- $encryption_key := "" -}}
 {{- $redis_password := "" -}}
 {{- $pg_password := "" -}}
+{{- $nats_password := "" -}}
 {{ if $auth_secret -}}
 {{- $jwt_secret = (index $auth_secret "data" "jwt_secret") -}}
 {{- $session_secret = (index $auth_secret "data" "session_secret") -}}
@@ -15,6 +16,8 @@
 {{- $encryption_key = (index $auth_secret "data" "encryption_key") -}}
 {{- $redis_password = (index $auth_secret "data" "redis_password") -}}
 {{- $pg_password = (index $auth_secret "data" "pg_password") -}}
+{{- $nats_password = (index $auth_secret "data" "nats_password") -}}
+
 {{ else -}}
 {{ $jwt_secret = randAlphaNum 16 | b64enc }}
 {{ $session_secret = randAlphaNum 16 | b64enc }}
@@ -22,6 +25,7 @@
 {{ $encryption_key = randAlphaNum 32 | b64enc }}
 {{ $redis_password = randAlphaNum 16 | b64enc }}
 {{ $pg_password = randAlphaNum 16 | b64enc }}
+{{ $nats_password = randAlphaNum 16 | b64enc }}
 {{- end -}}
 
 ---
@@ -38,6 +42,7 @@ data:
   encryption_key: {{ $encryption_key }}
   redis_password: {{ $redis_password }}
   pg_password: {{ $pg_password }}
+  nats_password: {{ $nats_password }}
 
 ---
 apiVersion: apr.bytetrade.io/v1alpha1
@@ -59,6 +64,33 @@ spec:
     databases:
       - name: authelia
 
+
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: authelia-nats
+  namespace: {{ .Release.Namespace }}
+spec:
+  app: authelia
+  appNamespace: {{ .Release.Namespace }}
+  middleware: nats
+  nats:
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: nats_password
+          name: authelia-secrets
+    refs:
+    - appName: notifications
+      appNamespace: {{ .Release.Namespace }}
+      subjects:
+      - name: system.notification
+        perm:
+        - pub
+        - sub
+    user: os-system-authelia
+
 ---
 apiVersion: v1
 data:
@@ -360,7 +392,7 @@ spec:
 
       containers:      
       - name: authelia
-        image: beclab/auth:0.2.0
+        image: beclab/auth:0.2.4
         imagePullPolicy: IfNotPresent
         ports:
         - containerPort: 9091
@@ -372,6 +404,20 @@ spec:
             secretKeyRef:
               name: app-key
               key: random-key
+        - name: NATS_HOST
+          value: nats
+        - name: NATS_PORT
+          value: "4222"
+        - name: NATS_USERNAME
+          value: os-system-authelia
+        - name: NATS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: nats_password
+              name: authelia-secrets
+        - name: NATS_SUBJECT
+          value: "terminus.{{ .Release.Namespace }}.system.notification"
+
         volumeMounts:
         - name: config
           mountPath: /app/configuration.yml

third-party/headscale/config/user/helm-charts/headscale/templates/headscale_deploy.yaml

@@ -104,7 +104,7 @@ spec:
         - |
           chown -R 1000:1000 /headscale 
       - name: init
-        image: beclab/headscale-init:v0.1.9
+        image: beclab/headscale-init:v0.1.10
         imagePullPolicy: IfNotPresent
         securityContext:
           privileged: true
@@ -263,6 +263,10 @@ spec:
         - name: tailscale-data
           mountPath: /var/lib/tailscale
         env:
+        {{- range $key, $val := .Values.terminusGlobalEnvs }}
+        - name: {{ $key }}
+          value: {{ $val | quote }}
+        {{- end }}
         - name: TS_DISABLE_TAILDROP
           value: "true"
         - name: NODE_IP
@@ -367,7 +371,8 @@ data:
   acl.json: |
     {
       "acls":[
-        { "action": "accept", "src": ["*"], "proto": "tcp", "dst": ["*:443"] }
+        { "action": "accept", "src": ["*"], "proto": "tcp", "dst": ["*:443"] },
+        { "action": "accept", "src": ["*"], "proto": "udp", "dst": ["*:53"] }
       ],
       "autoApprovers": {
         "routes": {