gpu: fix gpu scheduler bugs

fix: fix resources conflict for search3monitor (#1406 )
Co-authored-by: Ubuntu <ubuntu@localhost.localdomain>
2025-06-05 23:02:43 +08:00 · 2025-06-05 22:59:00 +08:00 · 2025-06-05 14:32:54 +08:00 · 2025-06-05 14:32:20 +08:00 · 2025-06-05 14:31:50 +08:00 · 2025-06-05 11:54:37 +08:00
60 changed files with 789 additions and 760 deletions
--- a/.github/workflows/check.yaml
+++ b/.github/workflows/check.yaml
@@ -64,6 +64,7 @@ jobs:
    secrets: inherit
    with:
      version: ${{ needs.test-version.outputs.version }}
+      ref: ${{ github.event.pull_request.head.ref }}

  upload-daemon:
    needs: test-version
@@ -71,6 +72,7 @@ jobs:
    secrets: inherit
    with:
      version: ${{ needs.test-version.outputs.version }}
+      ref: ${{ github.event.pull_request.head.ref }}

  push-image:
    runs-on: ubuntu-latest
--- a/.github/workflows/release-cli.yaml
+++ b/.github/workflows/release-cli.yaml
@@ -6,6 +6,8 @@ on:
      version:
        type: string
        required: true
+      ref:
+        type: string
  workflow_dispatch:
 jobs:
  goreleaser:
@@ -15,6 +17,7 @@ jobs:
        uses: actions/checkout@v3
        with:
          fetch-depth: 1
+          ref: ${{ inputs.ref }}

      - name: Add Local Git Tag For GoReleaser
        run: git tag ${{ inputs.version }}
--- a/.github/workflows/release-daemon.yaml
+++ b/.github/workflows/release-daemon.yaml
@@ -6,6 +6,8 @@ on:
      version:
        type: string
        required: true
+      ref:
+        type: string
  workflow_dispatch:

 jobs:
@@ -16,6 +18,7 @@ jobs:
        uses: actions/checkout@v3
        with:
          fetch-depth: 1
+          ref: ${{ inputs.ref }}

      - name: Add Local Git Tag For GoReleaser
        run: git tag ${{ inputs.version }}
--- a/.github/workflows/release-daily.yaml
+++ b/.github/workflows/release-daily.yaml
@@ -28,10 +28,11 @@ jobs:
      version: ${{ needs.daily-version.outputs.version }}

  release-daemon:
+    needs: daily-version
    uses: ./.github/workflows/release-daemon.yaml
    secrets: inherit
    with:
-      version: ${{ github.event.inputs.tags }}
+      version: ${{ needs.daily-version.outputs.version }}

  push-images:
    runs-on: ubuntu-22.04
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -15,12 +15,14 @@ jobs:
    secrets: inherit
    with:
      version: ${{ github.event.inputs.tags }}
+      ref: ${{ github.event.inputs.tags }}

  release-daemon:
    uses: ./.github/workflows/release-daemon.yaml
    secrets: inherit
    with:
      version: ${{ github.event.inputs.tags }}
+      ref: ${{ github.event.inputs.tags }}

  push:
    runs-on: ubuntu-22.04
--- a/apps/.olares/config/user/helm-charts/market/templates/market_deploy.yaml
+++ b/apps/.olares/config/user/helm-charts/market/templates/market_deploy.yaml
@@ -7,6 +7,24 @@
 {{ $redis_password = randAlphaNum 16 | b64enc }}
 {{- end -}}

+{{- $market_backend_nats_secret := (lookup "v1" "Secret" .Release.Namespace "market-backend-nats-secret") -}}
+{{- $nats_password := "" -}}
+{{ if $market_backend_nats_secret -}}
+{{ $nats_password = (index $market_backend_nats_secret "data" "nats_password") }}
+{{ else -}}
+{{ $nats_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: market-backend-nats-secret
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+  nats_password: {{ $nats_password }}
+---
 apiVersion: v1
 kind: Secret
 metadata:
@@ -118,7 +136,19 @@ spec:
            valueFrom:
              fieldRef:
                fieldPath: status.podIP
-
+          - name: NATS_HOST
+            value: nats.user-system-{{ .Values.bfl.username }}
+          - name: NATS_PORT
+            value: '4222'
+          - name: NATS_USERNAME
+            value: market-backend-{{ .Values.bfl.username}}
+          - name: NATS_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: market-backend-nats-secret
+                key: nats_password
+          - name: NATS_SUBJECT_USER_APPLICATION
+            value: terminus.user.application.{{ .Values.bfl.username}}
        volumeMounts:
          - name: opt-data
            mountPath: /opt/app/data
@@ -289,3 +319,35 @@ spec:
      protocol: TCP
      port: 40010
      targetPort: 40010
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: market-backend-nats
+  namespace: {{ .Release.Namespace }}
+spec:
+  app: market-backend
+  appNamespace: user
+  middleware: nats
+  nats:
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: nats_password
+          name: market-backend-nats-secret
+    refs:
+      - appName: user-service
+        appNamespace: user
+        subjects:
+          - name: "application.*"
+            perm:
+              - pub
+              - sub
+      - appName: user-service
+        appNamespace: user
+        subjects:
+          - name: "market.*"
+            perm:
+              - pub
+              - sub
+    user: market-backend-{{ .Values.bfl.username}}
--- a/apps/.olares/config/user/helm-charts/system-apps/.helmignore
+++ b/apps/.olares/config/user/helm-charts/system-apps/.helmignore
--- a/apps/.olares/config/user/helm-charts/system-apps/Chart.yaml
+++ b/apps/.olares/config/user/helm-charts/system-apps/Chart.yaml
--- a/apps/.olares/config/user/helm-charts/system-apps/templates/NOTES.txt
+++ b/apps/.olares/config/user/helm-charts/system-apps/templates/NOTES.txt
--- a/apps/.olares/config/user/helm-charts/system-apps/templates/_helpers.tpl
+++ b/apps/.olares/config/user/helm-charts/system-apps/templates/_helpers.tpl
--- a/apps/.olares/config/user/helm-charts/system-apps/templates/system-frontend.yaml
+++ b/apps/.olares/config/user/helm-charts/system-apps/templates/system-frontend.yaml
@@ -42,6 +42,25 @@
 {{ $user_service_pg_password = randAlphaNum 16 | b64enc }}
 {{- end -}}

+{{- $user_service_nats_secret := (lookup "v1" "Secret" $namespace "user-service-nats-secret") -}}
+{{- $nats_password := "" -}}
+{{ if $user_service_nats_secret -}}
+{{ $nats_password = (index $user_service_nats_secret "data" "nats_password") }}
+{{ else -}}
+{{ $nats_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: user-service-nats-secret
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+  nats_password: {{ $nats_password }}
+
 ---
 apiVersion: v1
 kind: Service
@@ -357,7 +376,7 @@ spec:
            - mountPath: /www
              name: www-dir
        - name: settings-init
-          image: beclab/settings:v1.3.64
+          image: beclab/settings:v1.3.69
          imagePullPolicy: IfNotPresent
          command:
            - /bin/sh
@@ -416,7 +435,7 @@ spec:
            - name: PGDB
              value: user_space_{{ .Values.bfl.username }}_cloud_drive_integration
        - name: files-frontend-init
-          image: beclab/files-frontend:v1.3.66
+          image: beclab/files-frontend:v1.3.68
          imagePullPolicy: IfNotPresent
          command:
            - /bin/sh
@@ -440,7 +459,7 @@ spec:
            - mountPath: /www
              name: www-dir
        - name: market-frontend-init
-          image: beclab/market-frontend:v1.3.67
+          image: beclab/market-frontend:v1.3.69
          imagePullPolicy: IfNotPresent
          command:
            - /bin/sh
@@ -584,6 +603,15 @@ spec:
              value: terminus.os-system.files-notify
            - name: apiServerURL
              value: http://bfl.{{ .Release.Namespace }}:8080
+            - name: NATS_USERNAME_USERSERVICE
+              value: user-service-{{ .Values.bfl.username }}
+            - name: NATS_PASSWORD_USERSESRVICE
+              valueFrom:
+                secretKeyRef:
+                  key: nats_password
+                  name: user-service-nats-secret
+            - name: NATS_SUBJECT_USER_APPS
+              value: terminus.user.*.{{ .Values.bfl.username}}
        - name: terminus-ws-sidecar
          image: 'beclab/ws-gateway:v1.0.5'
          imagePullPolicy: IfNotPresent
@@ -598,7 +626,7 @@ spec:
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
        - name: user-service
-          image: beclab/user-service:v0.0.5
+          image: beclab/user-service:v0.0.8
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 3000
@@ -695,7 +723,7 @@ spec:
            path: '{{ .Values.userspace.userData }}'
        - name: terminus-sidecar-config
          configMap:
-            name: sidecar-configs
+            name: sidecar-ws-configs
            items:
              - key: envoy.yaml
                path: envoy.yaml
@@ -2076,6 +2104,7 @@ data:

      location /hami/ {
        proxy_pass http://HamiServer/;
+        rewrite ^/hami(.*)$ $1 break;
      }

    
@@ -3169,6 +3198,13 @@ data:

            add_header X-Frame-Options SAMEORIGIN;
        }
+        location /ws {
+            proxy_pass http://127.0.0.1:40010;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+            proxy_set_header Host $host;
+        }
        location ~.*\.(js|css|png|jpg|svg|woff|woff2|wasm)$
        {
            add_header Cache-Control "public, max-age=2678400";
@@ -3347,124 +3383,86 @@ data:
 apiVersion: apr.bytetrade.io/v1alpha1
 kind: MiddlewareRequest
 metadata:
-  name: user-files-nats
-  namespace: user-system-{{ .Values.bfl.username }}
+  name: user-service-nats
+  namespace: user-space-{{ .Values.bfl.username }}
 spec:
-  app: user-files
-  appNamespace: "user.{{ .Values.bfl.username }}"
+  app: user-service
+  appNamespace: user
  middleware: nats
  nats:
    password:
      valueFrom:
        secretKeyRef:
-          key: vault_nats_password
-          name: vault-nats-secrets
+          key: nats_password
+          name: user-service-nats-secret
    refs: []
    subjects:
      - export:
-          - appName: files-frontend
+          - appName: files-server
            sub: allow
            pub: allow
-        name: files
+        name: "files.*"
        permission:
          pub: allow
          sub: allow
-    user: user-{{ .Values.bfl.username }}-files
-
---
-apiVersion: apr.bytetrade.io/v1alpha1
-kind: MiddlewareRequest
-metadata:
-  name: user-notification-nats
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  app: user-notifications
-  appNamespace: "user.{{ .Values.bfl.username }}"
-  middleware: nats
-  nats:
-    password:
-      valueFrom:
-        secretKeyRef:
-          key: vault_nats_password
-          name: vault-nats-secrets
-    refs: []
-    subjects:
-      - name: notification
-        permission:
-          pub: allow
-          sub: allow
-    user: user-{{ .Values.bfl.username }}-notification
---
-apiVersion: apr.bytetrade.io/v1alpha1
-kind: MiddlewareRequest
-metadata:
-  name: user-search-nats
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  app: user-search
-  appNamespace: "user.{{ .Values.bfl.username }}"
-  middleware: nats
-  nats:
-    password:
-      valueFrom:
-        secretKeyRef:
-          key: vault_nats_password
-          name: vault-nats-secrets
-    refs: []
-    subjects:
-      - name: search
-        permission:
-          pub: allow
-          sub: allow
-    user: user-{{ .Values.bfl.username }}-search
---
-apiVersion: apr.bytetrade.io/v1alpha1
-kind: MiddlewareRequest
-metadata:
-  name: user-seafile-nats
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  app: user-seafile
-  appNamespace: "user.{{ .Values.bfl.username }}"
-  middleware: nats
-  nats:
-    password:
-      valueFrom:
-        secretKeyRef:
-          key: vault_nats_password
-          name: vault-nats-secrets
-    refs: []
-    subjects:
-      - name: seafile
-        permission:
-          pub: allow
-          sub: allow
-    user: user-{{ .Values.bfl.username }}-seafile
-
---
-apiVersion: apr.bytetrade.io/v1alpha1
-kind: MiddlewareRequest
-metadata:
-  name: user-vault-nats
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  app: user-vault
-  appNamespace: "user.{{ .Values.bfl.username }}"
-  middleware: nats
-  nats:
-    password:
-      valueFrom:
-        secretKeyRef:
-          key: vault_nats_password
-          name: vault-nats-secrets
-    refs: []
-    subjects:
      - export:
-          - appName: vault
+          - appName: notifications
            sub: allow
            pub: allow
-        name: vault
+        name: "notification.*"
        permission:
          pub: allow
          sub: allow
-    user: user-{{ .Values.bfl.username }}-vault
+      - export:
+          - appName: search-server
+            sub: allow
+            pub: allow
+        name: "search.*"
+        permission:
+          pub: allow
+          sub: allow
+      - export:
+          - appName: seahub-server
+            sub: allow
+            pub: allow
+        name: "seahub.*"
+        permission:
+          sub: allow
+          pub: allow
+      - export:
+          - appName: vault-server
+            sub: allow
+            pub: allow
+        name: "vault.*"
+        permission:
+          sub: allow
+          pub: allow
+      - export:
+          - appName: market-backend
+            sub: allow
+            pub: allow
+          - appName: app-service
+            sub: allow
+            pub: allow
+        name: "application.*"
+        permission:
+          sub: allow
+          pub: allow
+      - export:
+          - appName: knowledge
+            sub: allow
+            pub: allow
+        name: "knowledge.*"
+        permission:
+          sub: allow
+          pub: allow
+      - export:
+          - appName: market-backend
+            sub: allow
+            pub: allow
+        name: "market.*"
+        permission:
+          sub: allow
+          pub: allow
+
+    user: user-service-{{ .Values.bfl.username }}
--- a/apps/.olares/config/user/helm-charts/system-apps/values.yaml
+++ b/apps/.olares/config/user/helm-charts/system-apps/values.yaml
--- a/build/base-package/deploy/nvshare-system-quotas.yaml
+++ b/build/base-package/deploy/nvshare-system-quotas.yaml
@@ -1,42 +0,0 @@
-# Copyright (c) 2023 Georgios Alexopoulos
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# We must create the `ResourceQuota` object for the namespace in order for the
-# K8s API server to allow creation of resources with the `system-node-critical`
-# and `system-cluster-critical` PriorityClasses in this namespace.
-
-apiVersion: v1
-kind: ResourceQuota
-metadata:
-  name: pods-system-cluster-critical
-  namespace: nvshare-system
-spec:
-  scopeSelector:
-    matchExpressions:
-      - operator : In
-        scopeName: PriorityClass
-        values: ["system-cluster-critical"]
---
-apiVersion: v1
-kind: ResourceQuota
-metadata:
-  name: pods-system-node-critical
-  namespace: nvshare-system
-spec:
-  scopeSelector:
-    matchExpressions:
-      - operator : In
-        scopeName: PriorityClass
-        values: ["system-node-critical"]
-
--- a/build/base-package/deploy/nvshare-system.yaml
+++ b/build/base-package/deploy/nvshare-system.yaml
@@ -1,19 +0,0 @@
-# Copyright (c) 2023 Georgios Alexopoulos
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: nvshare-system
-
--- a/build/base-package/deploy/scheduler.yaml
+++ b/build/base-package/deploy/scheduler.yaml
@@ -1,66 +0,0 @@
-# Copyright (c) 2023 Georgios Alexopoulos
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  name: nvshare-scheduler
-  namespace: nvshare-system
-spec:
-  selector:
-    matchLabels:
-      name: nvshare-scheduler
-  template:
-    metadata:
-      labels:
-        name: nvshare-scheduler
-    spec:
-      priorityClassName: system-node-critical
-      nodeSelector:
-        gpu.bytetrade.io/cuda-supported: 'true'
-      initContainers:
-      - name: init-dir
-        image: busybox:1.28
-        volumeMounts:
-        - name: nvshare-socket-directory
-          mountPath: /var/run/nvshare
-        command:
-        - sh
-        - -c
-        - "[ -d /var/run/nvshare/scheduler.sock ] && rm -rf /var/run/nvshare/scheduler.sock || true"
-      containers:
-      - name: nvshare-scheduler
-        image: bytetrade/nvshare:nvshare-scheduler
-        imagePullPolicy: IfNotPresent
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop: ["ALL"]
-        command:
-        - sh
-        - -c
-        - "test -f /var/run/nvshare/scheduler.sock && rm -rf /var/run/nvshare/scheduler.sock; pid1 nvshare-scheduler"
-        volumeMounts:
-          - name: nvshare-socket-directory
-            mountPath: /var/run/nvshare
-      volumes:
-        - name: nvshare-socket-directory
-          hostPath:
-            path: /var/run/nvshare
-            type: DirectoryOrCreate
-      tolerations:
-      - key: nvidia.com/gpu
-        operator: Exists
-        effect: NoSchedule
-
--- a/cli/pkg/common/common.go
+++ b/cli/pkg/common/common.go
@@ -291,30 +291,29 @@ const (
 	ENV_STORAGE                      = "STORAGE"
 	ENV_S3_BUCKET                    = "S3_BUCKET"
 	ENV_LOCAL_GPU_ENABLE             = "LOCAL_GPU_ENABLE"
-	// ENV_LOCAL_GPU_SHARE             = "LOCAL_GPU_SHARE"
-	ENV_CLOUDFLARE_ENABLE           = "CLOUDFLARE_ENABLE"
-	ENV_FRP_ENABLE                  = "FRP_ENABLE"
-	ENV_FRP_SERVER                  = "FRP_SERVER"
-	ENV_FRP_PORT                    = "FRP_PORT"
-	ENV_FRP_AUTH_METHOD             = "FRP_AUTH_METHOD"
-	ENV_FRP_AUTH_TOKEN              = "FRP_AUTH_TOKEN"
-	ENV_AWS_ACCESS_KEY_ID_SETUP     = "AWS_ACCESS_KEY_ID_SETUP"
-	ENV_AWS_SECRET_ACCESS_KEY_SETUP = "AWS_SECRET_ACCESS_KEY_SETUP"
-	ENV_AWS_SESSION_TOKEN_SETUP     = "AWS_SESSION_TOKEN_SETUP"
-	ENV_BACKUP_KEY_PREFIX           = "BACKUP_KEY_PREFIX"
-	ENV_BACKUP_SECRET               = "BACKUP_SECRET"
-	ENV_CLUSTER_ID                  = "CLUSTER_ID"
-	ENV_BACKUP_CLUSTER_BUCKET       = "BACKUP_CLUSTER_BUCKET"
-	ENV_TOKEN_MAX_AGE               = "TOKEN_MAX_AGE"
-	ENV_MARKET_PROVIDER             = "MARKET_PROVIDER"
-	ENV_TERMINUS_CERT_SERVICE_API   = "TERMINUS_CERT_SERVICE_API"
-	ENV_TERMINUS_DNS_SERVICE_API    = "TERMINUS_DNS_SERVICE_API"
-	ENV_HOST_IP                     = "HOST_IP"
-	ENV_PREINSTALL                  = "PREINSTALL"
-	ENV_DISABLE_HOST_IP_PROMPT      = "DISABLE_HOST_IP_PROMPT"
-	ENV_AUTO_ADD_FIREWALL_RULES     = "AUTO_ADD_FIREWALL_RULES"
-	ENV_TERMINUS_OS_DOMAINNAME      = "TERMINUS_OS_DOMAINNAME"
-	ENV_DEFAULT_WSL_DISTRO_LOCATION = "DEFAULT_WSL_DISTRO_LOCATION" // If set to 1, the default WSL distro storage will be used.
+	ENV_CLOUDFLARE_ENABLE            = "CLOUDFLARE_ENABLE"
+	ENV_FRP_ENABLE                   = "FRP_ENABLE"
+	ENV_FRP_SERVER                   = "FRP_SERVER"
+	ENV_FRP_PORT                     = "FRP_PORT"
+	ENV_FRP_AUTH_METHOD              = "FRP_AUTH_METHOD"
+	ENV_FRP_AUTH_TOKEN               = "FRP_AUTH_TOKEN"
+	ENV_AWS_ACCESS_KEY_ID_SETUP      = "AWS_ACCESS_KEY_ID_SETUP"
+	ENV_AWS_SECRET_ACCESS_KEY_SETUP  = "AWS_SECRET_ACCESS_KEY_SETUP"
+	ENV_AWS_SESSION_TOKEN_SETUP      = "AWS_SESSION_TOKEN_SETUP"
+	ENV_BACKUP_KEY_PREFIX            = "BACKUP_KEY_PREFIX"
+	ENV_BACKUP_SECRET                = "BACKUP_SECRET"
+	ENV_CLUSTER_ID                   = "CLUSTER_ID"
+	ENV_BACKUP_CLUSTER_BUCKET        = "BACKUP_CLUSTER_BUCKET"
+	ENV_TOKEN_MAX_AGE                = "TOKEN_MAX_AGE"
+	ENV_MARKET_PROVIDER              = "MARKET_PROVIDER"
+	ENV_TERMINUS_CERT_SERVICE_API    = "TERMINUS_CERT_SERVICE_API"
+	ENV_TERMINUS_DNS_SERVICE_API     = "TERMINUS_DNS_SERVICE_API"
+	ENV_HOST_IP                      = "HOST_IP"
+	ENV_PREINSTALL                   = "PREINSTALL"
+	ENV_DISABLE_HOST_IP_PROMPT       = "DISABLE_HOST_IP_PROMPT"
+	ENV_AUTO_ADD_FIREWALL_RULES      = "AUTO_ADD_FIREWALL_RULES"
+	ENV_TERMINUS_OS_DOMAINNAME       = "TERMINUS_OS_DOMAINNAME"
+	ENV_DEFAULT_WSL_DISTRO_LOCATION  = "DEFAULT_WSL_DISTRO_LOCATION" // If set to 1, the default WSL distro storage will be used.

 	ENV_CONTAINER      = "container"
 	ENV_CONTAINER_MODE = "CONTAINER_MODE" // running in docker container
--- a/cli/pkg/common/kube_runtime.go
+++ b/cli/pkg/common/kube_runtime.go
@@ -241,7 +241,6 @@ type Storage struct {

 type GPU struct {
 	Enable bool `json:"gpu_enable"`
-	Share  bool `json:"gpu_share"`
 }

 type Cloudflare struct {
@@ -269,7 +268,6 @@ func NewArgument() *Argument {
 		},
 		GPU: &GPU{
 			Enable: !strings.EqualFold(os.Getenv(ENV_LOCAL_GPU_ENABLE), "0"), // default enable GPU, not set or 1 means enable
-			Share:  !strings.EqualFold(os.Getenv(ENV_LOCAL_GPU_ENABLE), "0"), // default share GPU
 		},
 		Cloudflare:             &Cloudflare{},
 		Frp:                    &Frp{},
@@ -374,12 +372,11 @@ func (a *Argument) SetTokenMaxAge() {
 	a.TokenMaxAge = age
 }

-func (a *Argument) SetGPU(enable bool, share bool) {
+func (a *Argument) SetGPU(enable bool) {
 	if a.GPU == nil {
 		a.GPU = new(GPU)
 	}
 	a.GPU.Enable = enable
-	a.GPU.Share = share
 }

 func (a *Argument) SetOlaresVersion(version string) {
--- a/cli/pkg/daemon/task.go
+++ b/cli/pkg/daemon/task.go
@@ -74,7 +74,6 @@ func (g *GenerateTerminusdServiceEnv) Execute(runtime connector.Runtime) error {
 			"RegistryMirrors":        g.KubeConf.Arg.RegistryMirrors,
 			"BaseDir":                baseDir,
 			"GpuEnable":              utils.FormatBoolToInt(g.KubeConf.Arg.GPU.Enable),
-			"GpuShare":               utils.FormatBoolToInt(g.KubeConf.Arg.GPU.Share),
 			"PubliclyAccessible":     g.KubeConf.Arg.PublicNetworkInfo.PubliclyAccessible,
 			"CloudflareEnable":       g.KubeConf.Arg.Cloudflare.Enable,
 			"FrpEnable":              g.KubeConf.Arg.Frp.Enable,
--- a/cli/pkg/daemon/templates/terminusd_env.go
+++ b/cli/pkg/daemon/templates/terminusd_env.go
@@ -14,7 +14,6 @@ KUBE_TYPE={{ .KubeType }}
 REGISTRY_MIRRORS={{ .RegistryMirrors }}
 BASE_DIR={{ .BaseDir }}
 LOCAL_GPU_ENABLE={{ .GpuEnable }}
-LOCAL_GPU_SHARE={{ .GpuShare }}
 PUBLICLY_ACCESSIBLE={{ .PubliclyAccessible }}
 CLOUDFLARE_ENABLE={{ .CloudflareEnable }}
 FRP_ENABLE={{ .FrpEnable }}
--- a/cli/pkg/gpu/module.go
+++ b/cli/pkg/gpu/module.go
@@ -232,23 +232,10 @@ func (m *InstallPluginModule) Init() {
 		Delay:    10 * time.Second,
 	}

-	installGPUShared := &task.RemoteTask{
-		Name:  "InstallGPUShared",
-		Hosts: m.Runtime.GetHostsByRole(common.Master),
-		Prepare: &prepare.PrepareCollection{
-			new(common.OnlyFirstMaster),
-			new(GPUSharePrepare),
-		},
-		Action:   new(InstallGPUShared),
-		Parallel: false,
-		Retry:    1,
-	}
-
 	m.Tasks = []task.Interface{
 		updateNode,
 		installPlugin,
 		checkGpuState,
-		installGPUShared,
 	}
 }

--- a/cli/pkg/gpu/prepares.go
+++ b/cli/pkg/gpu/prepares.go
@@ -30,14 +30,6 @@ func (p *GPUEnablePrepare) PreCheck(runtime connector.Runtime) (bool, error) {
 	return p.KubeConf.Arg.GPU.Enable, nil
 }

-type GPUSharePrepare struct {
-	common.KubePrepare
-}
-
-func (p *GPUSharePrepare) PreCheck(runtime connector.Runtime) (bool, error) {
-	return p.KubeConf.Arg.GPU.Share || runtime.GetSystemInfo().IsWsl(), nil
-}
-
 type CudaInstalled struct {
 	common.KubePrepare
 	precheck.CudaCheckTask
--- a/cli/pkg/gpu/tasks.go
+++ b/cli/pkg/gpu/tasks.go
@@ -62,7 +62,7 @@ func (t *CheckWslGPU) Execute(runtime *common.KubeRuntime) {
 		return
 	}

-	runtime.Arg.SetGPU(true, true)
+	runtime.Arg.SetGPU(true)
 }

 type InstallCudaDeps struct {
@@ -355,35 +355,6 @@ func (t *CheckGpuStatus) Execute(runtime connector.Runtime) error {
 	return fmt.Errorf("GPU Container State is Pending")
 }

-type InstallGPUShared struct {
-	common.KubeAction
-}
-
-func (t *InstallGPUShared) Execute(runtime connector.Runtime) error {
-	kubectlpath, err := util.GetCommand(common.CommandKubectl)
-	if err != nil {
-		return fmt.Errorf("kubectl not found")
-	}
-
-	var pluginPath = runtime.GetInstallerDir()
-	var fileName = path.Join(pluginPath, "deploy", "nvshare-system.yaml")
-	if _, err := runtime.GetRunner().SudoCmd(fmt.Sprintf("%s apply -f %s", kubectlpath, fileName), false, true); err != nil {
-		return errors.Wrap(errors.WithStack(err), "Failed to apply nvshare-system.yaml")
-	}
-
-	fileName = path.Join(pluginPath, "deploy", "nvshare-system-quotas.yaml")
-	if _, err := runtime.GetRunner().SudoCmd(fmt.Sprintf("%s apply -f %s", kubectlpath, fileName), false, true); err != nil {
-		return errors.Wrap(errors.WithStack(err), "Failed to apply nvshare-system-quotas.yaml")
-	}
-
-	fileName = path.Join(pluginPath, "deploy", "scheduler.yaml")
-	if _, err := runtime.GetRunner().SudoCmd(fmt.Sprintf("%s apply -f %s", kubectlpath, fileName), false, true); err != nil {
-		return errors.Wrap(errors.WithStack(err), "Failed to apply scheduler.yaml")
-	}
-
-	return nil
-}
-
 type GetCudaVersion struct {
 	common.KubeAction
 }
@@ -677,16 +648,16 @@ func (t *PrintPluginsStatus) Execute(runtime connector.Runtime) error {
 		}
 	}

-	nvshareScheduler, err := client.Kubernetes().CoreV1().Pods("nvshare-system").List(context.Background(), metav1.ListOptions{LabelSelector: "name=nvshare-scheduler"})
+	gpuScheduler, err := client.Kubernetes().CoreV1().Pods("kube-system").List(context.Background(), metav1.ListOptions{LabelSelector: "name=gpu-scheduler"})
 	if err != nil {
-		logger.Error("get nvshare scheduler status error, ", err)
+		logger.Error("get gpu-scheduler status error, ", err)
 	}

-	if len(nvshareScheduler.Items) == 0 {
-		logger.Info("nvshare-scheduler not exists")
+	if len(gpuScheduler.Items) == 0 {
+		logger.Info("gpu-scheduler not exists")
 	} else {
-		for _, scheduler := range nvshareScheduler.Items {
-			logger.Infof("nvshare-scheduler status: %s", scheduler.Status.Phase)
+		for _, scheduler := range gpuScheduler.Items {
+			logger.Infof("gpu-scheduler status: %s", scheduler.Status.Phase)
 			break
 		}
 	}
@@ -704,8 +675,8 @@ func (t *RestartPlugin) Execute(runtime connector.Runtime) error {
 		return fmt.Errorf("kubectl not found")
 	}

-	if _, err := runtime.GetRunner().SudoCmd(fmt.Sprintf("%s rollout restart ds nvshare-scheduler -n nvshare-system", kubectlpath), false, true); err != nil {
-		return errors.Wrap(errors.WithStack(err), "Failed to restart nvshare-scheduler")
+	if _, err := runtime.GetRunner().SudoCmd(fmt.Sprintf("%s rollout restart ds gpu-scheduler -n kube-system", kubectlpath), false, true); err != nil {
+		return errors.Wrap(errors.WithStack(err), "Failed to restart gpu-scheduler")
 	}

 	if _, err := runtime.GetRunner().SudoCmd(fmt.Sprintf("%s rollout restart ds hami-device-plugin -n kube-system", kubectlpath), false, true); err != nil {
--- a/cli/pkg/kubesphere/plugins/assets_vfsdata.go
+++ b/cli/pkg/kubesphere/plugins/assets_vfsdata.go
--- a/cli/pkg/kubesphere/plugins/files/build/ks-core/templates/ks-apiserver.yml
+++ b/cli/pkg/kubesphere/plugins/files/build/ks-core/templates/ks-apiserver.yml
@@ -32,7 +32,7 @@ spec:
      - command:
        - ks-apiserver
        - --logtostderr=true
-        image: beclab/ks-apiserver:0.0.14
+        image: beclab/ks-apiserver:0.0.15
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        name: ks-apiserver
        ports:
--- a/cli/pkg/kubesphere/plugins/files/build/ks-core/templates/ks-controller-manager.yaml
+++ b/cli/pkg/kubesphere/plugins/files/build/ks-core/templates/ks-controller-manager.yaml
@@ -35,7 +35,7 @@ spec:
        - controller-manager
        - --logtostderr=true
        - --leader-elect=false
-        image: beclab/ks-controller-manager:0.0.14
+        image: beclab/ks-controller-manager:0.0.15
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        name: ks-controller-manager
        ports:
--- a/cli/pkg/terminus/apps.go
+++ b/cli/pkg/terminus/apps.go
@@ -96,7 +96,7 @@ func (u *PrepareAppValues) Execute(runtime connector.Runtime) error {
 		return err
 	}
 	fsType := getRootFSType()
-	gpuType := getGpuType(u.KubeConf.Arg.GPU.Enable, u.KubeConf.Arg.GPU.Share)
+	gpuType := getGpuType(u.KubeConf.Arg.GPU.Enable)
 	appValues := getAppSecrets(getAppPatches())

 	var values = map[string]interface{}{
--- a/cli/pkg/terminus/ossystem.go
+++ b/cli/pkg/terminus/ossystem.go
@@ -69,7 +69,7 @@ func (t *InstallOsSystem) Execute(runtime connector.Runtime) error {
 			"is_cloud_version": cloudValue(t.KubeConf.Arg.IsCloudInstance),
 			"sync_secret":      t.KubeConf.Arg.Storage.StorageSyncSecret,
 		},
-		"gpu":                                  getGpuType(t.KubeConf.Arg.GPU.Enable, t.KubeConf.Arg.GPU.Share),
+		"gpu":                                  getGpuType(t.KubeConf.Arg.GPU.Enable),
 		"s3_bucket":                            t.KubeConf.Arg.Storage.StorageBucket,
 		"fs_type":                              getRootFSType(),
 		common.HelmValuesKeyTerminusGlobalEnvs: common.TerminusGlobalEnvs,
@@ -268,17 +268,11 @@ func (m *InstallOsSystemModule) Init() {
 	}
 }

-func getGpuType(gpuEnable, gpuShare bool) (gpuType string) {
-	gpuType = "none"
+func getGpuType(gpuEnable bool) (gpuType string) {
 	if gpuEnable {
-		if gpuShare {
-			gpuType = "nvshare"
-		} else {
-			gpuType = "nvidia"
-		}
+		return "nvidia"
 	}
-
-	return gpuType
+	return "none"
 }

 func cloudValue(cloudInstance bool) string {
--- a/daemon/deploy/olaresd.env
+++ b/daemon/deploy/olaresd.env
@@ -2,4 +2,3 @@ INSTALLED_VERSION= # version
 KUBE_TYPE=k3s
 BASE_DIR=/home/ubuntu/.olares
 LOCA_GPU_ENABLE=
-LOCA_GPU_SHARE=
--- a/daemon/pkg/cluster/state/current.go
+++ b/daemon/pkg/cluster/state/current.go
@@ -349,6 +349,7 @@ func CheckCurrentStatus(ctx context.Context) error {

 	// not upgrading, reset upgrading status
 	CurrentState.UpgradingState = ""
+	CurrentState.UpgradingTarget = ""
 	CurrentState.UpgradingRetryNum = 0
 	CurrentState.UpgradingStep = ""
 	CurrentState.UpgradingProgressNum = 0
--- a/daemon/pkg/commands/install/cmd.go
+++ b/daemon/pkg/commands/install/cmd.go
@@ -181,7 +181,6 @@ var (
 		// {"installing k8s and kubesphere", "3%", 3},
 		// {"Generating \"ca\" certificate and key", "3%", 3},
 		// {"PatchKsCoreStatus success", "6%", 6},
-		{"InstallGPUShared", "9%", 9},
 		{"k8s and kubesphere installation is complete", "10%", 10},
 		{"Installing account ...", "15%", 15},
 		{"Installing settings ...", "20%", 20},
--- a/framework/app-service/.olares/config/cluster/deploy/appservice_deploy.yaml
+++ b/framework/app-service/.olares/config/cluster/deploy/appservice_deploy.yaml
@@ -9,6 +9,25 @@
 {{ $usertmpl_sc := "juicefs-localpath-usertmpl" }}
 {{ $usertmpl_storage := "100Mi" }}

+{{- $namespace := printf "%s" "os-system" -}}
+{{- $app_service_nats_secret := (lookup "v1" "Secret" $namespace "app-service-nats-secret") -}}
+{{- $nats_password := "" -}}
+{{ if $app_service_nats_secret -}}
+{{ $nats_password = (index $app_service_nats_secret "data" "nats_password") }}
+{{ else -}}
+{{ $nats_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: app-service-nats-secret
+  namespace: os-system
+type: Opaque
+data:
+  nats_password: {{ $nats_password }}
+

 ---
 apiVersion: v1
@@ -143,7 +162,7 @@ spec:
      priorityClassName: "system-cluster-critical"
      containers:
      - name: app-service
-        image: beclab/app-service:0.3.35
+        image: beclab/app-service:0.3.37
        imagePullPolicy: IfNotPresent
        securityContext:
          runAsUser: 0
@@ -178,6 +197,21 @@ spec:
          value: "90"
        - name: USER_MEMORY_THRESHOLD
          value: "90"
+        - name: NATS_HOST
+          value: nats
+        - name: NATS_PORT
+          value: "4222"
+        - name: NATS_USERNAME
+          value: os-system-app-service
+        - name: NATS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: nats_password
+              name: app-service-nats-secret
+        - name: NATS_SUBJECT_SYSTEM_USERS
+          value: terminus.os-system.system.users
+        - name: NATS_SUBJECT_SYSTEM_GROUPS
+          value: terminus.os-system.system.groups
        - name: APP_RANDOM_KEY
          valueFrom:
            secretKeyRef:
@@ -361,7 +395,7 @@ spec:
      hostNetwork: true
      containers:
        - name: image-service
-          image: beclab/image-service:0.3.34
+          image: beclab/image-service:0.3.36
          imagePullPolicy: IfNotPresent
          securityContext:
            runAsUser: 0
@@ -387,3 +421,41 @@ spec:
          hostPath:
            path: /var/run/containerd
            type: Directory
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: app-service-nats
+  namespace: {{ .Release.Namespace }}
+spec:
+  app: app-service
+  appNamespace: {{ .Release.Namespace }}
+  middleware: nats
+  nats:
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: nats_password
+          name: app-service-nats-secret
+    refs:
+      - appName: user-service
+        appNamespace: user
+        subjects:
+          - name: "application.*"
+            perm:
+              - pub
+              - sub
+    subjects:
+      - name: system.application
+        permission:
+          pub: allow
+          sub: allow
+      - name: system.users
+        permission:
+          pub: allow
+          sub: deny
+      - name: system.groups
+        permission:
+          pub: allow
+          sub: deny
+    user: os-system-app-service
--- a/framework/backup-server/.olares/config/cluster/deploy/backup_server.yaml
+++ b/framework/backup-server/.olares/config/cluster/deploy/backup_server.yaml
@@ -1,6 +1,6 @@


-{{ $backupVersion := "0.3.34" }}
+{{ $backupVersion := "0.3.35" }}
 {{ $backup_server_rootpath := printf "%s%s" .Values.rootPath "/rootfs/backup-server" }}

 ---
@@ -93,6 +93,10 @@ spec:
            cpu: 2
            memory: 1500Mi
        env:
+        {{- range $key, $val := .Values.terminusGlobalEnvs }}
+        - name: {{ $key }}
+          value: {{ $val | quote }}
+        {{- end }}
        - name: APP_RANDOM_KEY
          valueFrom:
            secretKeyRef:
--- a/framework/bfl/.olares/config/launcher/templates/bfl_deploy.yaml
+++ b/framework/bfl/.olares/config/launcher/templates/bfl_deploy.yaml
@@ -261,7 +261,7 @@ spec:

      containers:
      - name: api
-        image: beclab/bfl:v0.4.7
+        image: beclab/bfl:v0.4.9
        imagePullPolicy: IfNotPresent
        securityContext:
          runAsUser: 1000
--- a/framework/files/.olares/config/cluster/deploy/files_deploy.yaml
+++ b/framework/files/.olares/config/cluster/deploy/files_deploy.yaml
@@ -97,7 +97,7 @@ spec:

      containers:
        - name: gateway
-          image: beclab/appdata-gateway:0.1.19
+          image: beclab/appdata-gateway:0.1.20
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
@@ -106,7 +106,7 @@ spec:
            - containerPort: 8080
          env:
            - name: FILES_SERVER_TAG
-              value: 'beclab/files-server:v0.2.70'
+              value: 'beclab/files-server:v0.2.71'
            - name: NAMESPACE
              valueFrom:
                fieldRef:
@@ -142,7 +142,7 @@ spec:
 {{ end }}

        - name: files
-          image: beclab/files-server:v0.2.70
+          image: beclab/files-server:v0.2.71
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: true
@@ -237,14 +237,20 @@ spec:
            - name: NATS_PORT
              value: '4222'
            - name: NATS_USERNAME
-              value: admin
+              value: os-system-files-server
            - name: NATS_PASSWORD
              valueFrom:
                secretKeyRef:
-                  name: nats-secrets
-                  key: nats_password
+                  name: files-nats-secrets
+                  key: files_nats_password
            - name: NATS_SUBJECT
              value: terminus.os-system.files-notify
+            - name: NATS_SUBJECT_SYSTEM_FILES
+              value: terminus.os-system.system.files
+            - name: NATS_SUBJECT_SYSTEM_USERS
+              value: terminus.os-system.system.users
+            - name: NATS_SUBJECT_SYSTEM_GROUPS
+              value: terminus.os-system.system.groups
            - name: RESERVED_SPACE
              value: '1000'
            - name: OLARES_VERSION
@@ -437,7 +443,7 @@ spec:
          name: check-nats
      containers:
        - name: files
-          image: beclab/files-server:v0.2.70
+          image: beclab/files-server:v0.2.71
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: true
@@ -570,7 +576,14 @@ spec:
        secretKeyRef:
          key: files_nats_password
          name: files-nats-secrets
-    refs: []
+    refs:
+      - appName: user-service
+        appNamespace: user
+        subjects:
+          - name: "files.*"
+            perm:
+              - pub
+              - sub
    subjects:
      - export:
          - appName: files-frontend
@@ -583,6 +596,18 @@ spec:
        permission:
          pub: allow
          sub: allow
+      - name: system.files
+        permission:
+          pub: allow
+          sub: allow
+      - name: system.users
+        permission:
+          pub: deny
+          sub: allow
+      - name: system.groups
+        permission:
+          pub: deny
+          sub: allow
    user: os-system-files-server

 ---
--- a/framework/files/README.md
+++ b/framework/files/README.md
@@ -0,0 +1 @@
+# Files Backend
--- a/framework/gpu/.olares/config/gpu/hami/templates/gpu-scheduler/daemonset.yaml
+++ b/framework/gpu/.olares/config/gpu/hami/templates/gpu-scheduler/daemonset.yaml
@@ -2,7 +2,7 @@ apiVersion: apps/v1
 kind: DaemonSet
 metadata:
  name: gpu-scheduler
-  namespace: {{ .Release.Namespace }}
+  namespace: gpu-system
 spec:
  selector:
    matchLabels:
@@ -17,7 +17,7 @@ spec:
        gpu.bytetrade.io/cuda-supported: 'true'
      containers:
      - name: gpu-scheduler
-        image: beclab/gpu-scheduler:v0.1.0
+        image: beclab/gpu-scheduler:v0.1.1
        imagePullPolicy: IfNotPresent
        ports:
          - name: ws
--- a/framework/gpu/.olares/config/gpu/hami/templates/gpu-scheduler/namespace.yaml
+++ b/framework/gpu/.olares/config/gpu/hami/templates/gpu-scheduler/namespace.yaml
@@ -0,0 +1,4 @@
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: gpu-system
--- a/framework/gpu/.olares/config/gpu/hami/templates/gpu-scheduler/service.yaml
+++ b/framework/gpu/.olares/config/gpu/hami/templates/gpu-scheduler/service.yaml
@@ -2,7 +2,7 @@ kind: Service
 apiVersion: v1
 metadata:
  name: gpu-scheduler
-  namespace: {{ .Release.Namespace }}
+  namespace: gpu-system
 spec:
  ports:
    - name: ws
--- a/framework/gpu/.olares/config/gpu/hami/values.yaml
+++ b/framework/gpu/.olares/config/gpu/hami/values.yaml
@@ -4,7 +4,7 @@ nameOverride: ""
 fullnameOverride: ""
 namespaceOverride: ""
 imagePullSecrets: []
-version: "v2.5.2-share-01"
+version: "v2.5.2-share-06"

 # Nvidia GPU Parameters
 resourceName: "nvidia.com/gpu"
--- a/framework/knowledge/.olares/config/cluster/deploy/knowledge_deployment.yaml
+++ b/framework/knowledge/.olares/config/cluster/deploy/knowledge_deployment.yaml
@@ -112,6 +112,18 @@ spec:
        perm:
        - pub
        - sub
+    - appName: user-service
+      appNamespace: user
+      subjects:
+        - name: "knowledge.*"
+          perm:
+            - pub
+            - sub
+    subjects:
+      - name: system.knowledge
+        permission:
+          pub: allow
+          sub: allow
    user: os-system-knowledge
 ---

--- a/framework/monitor/.olares/config/cluster/deploy/ks_server_deploy.yaml
+++ b/framework/monitor/.olares/config/cluster/deploy/ks_server_deploy.yaml
--- a/framework/monitor/README.md
+++ b/framework/monitor/README.md
@@ -0,0 +1 @@
+# Monitor Backend
--- a/framework/notifications/.olares/config/cluster/deploy/notification_deploy.yaml
+++ b/framework/notifications/.olares/config/cluster/deploy/notification_deploy.yaml
@@ -98,9 +98,17 @@ spec:
            sub: allow
        name: system.users
        permission:
-          pub: allow
+          pub: deny
          sub: allow
-    user: os-system-notifications
+      - name: system.groups
+        permission:
+          pub: deny
+          sub: allow
+      - name: system.application
+        permission:
+          pub: deny
+          sub: allow
+    user: os-system-notification-server

 ---
 apiVersion: apps/v1
@@ -169,16 +177,18 @@ spec:
        - name: NATS_PORT
          value: "4222"
        - name: NATS_USERNAME
-          value: admin
+          value: os-system-notification-server
        - name: NATS_PASSWORD
          valueFrom:
            secretKeyRef:
              key: nats_password
-              name: nats-secrets
+              name: notifications-secrets
        - name: NATS_SUBJECT
          value: "terminus.{{ .Release.Namespace }}.system.notification"
        - name: NATS_SUBJECT_SYSTEM_USERS
          value: "terminus.{{ .Release.Namespace }}.system.users"
+        - name: NATS_SUBJECT_SYSTEM_GROUPS
+          value: "terminus.{{ .Release.Namespace }}.system.groups"
        - name: NATS_SUBJECT_SYSTEM_APPLICATION
          value: "terminus.{{ .Release.Namespace }}.system.application"
        - name: NATS_SUBJECT_SYSTEM_VAULT
--- a/framework/notifications/.olares/config/user/helm-charts/notification/.helmignore
+++ b/framework/notifications/.olares/config/user/helm-charts/notification/.helmignore
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
--- a/framework/notifications/.olares/config/user/helm-charts/notification/Chart.yaml
+++ b/framework/notifications/.olares/config/user/helm-charts/notification/Chart.yaml
@@ -1,26 +0,0 @@
-apiVersion: v2
-name: notification
-description: A Helm chart for Kubernetes
-maintainers:
- name: bytetrade
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.1
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "1.16.0"
--- a/framework/notifications/.olares/config/user/helm-charts/notification/templates/NOTES.txt
+++ b/framework/notifications/.olares/config/user/helm-charts/notification/templates/NOTES.txt
--- a/framework/notifications/.olares/config/user/helm-charts/notification/templates/_helpers.tpl
+++ b/framework/notifications/.olares/config/user/helm-charts/notification/templates/_helpers.tpl
@@ -1,62 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "notification.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "notification.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "notification.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "notification.labels" -}}
-helm.sh/chart: {{ include "notification.chart" . }}
-{{ include "notification.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "notification.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "notification.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "notification.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "notification.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}
--- a/framework/notifications/.olares/config/user/helm-charts/notification/templates/notification_deploy.yaml
+++ b/framework/notifications/.olares/config/user/helm-charts/notification/templates/notification_deploy.yaml
@@ -1 +0,0 @@
-# TODO: deploy a notification proxy
--- a/framework/notifications/.olares/config/user/helm-charts/notification/values.yaml
+++ b/framework/notifications/.olares/config/user/helm-charts/notification/values.yaml
@@ -1,42 +0,0 @@
-bfl:
-  nodeport: 30883
-  nodeport_ingress_http: 30083
-  nodeport_ingress_https: 30082
-  username: 'test'
-  url: 'test'
-  nodeName: test
-pvc:
-  userspace: test
-userspace:
-  userData: test/Home
-  appData: test/Data
-  appCache: test
-  dbdata: test
-docs:
-  nodeport: 30881
-desktop:
-  nodeport: 30180
-os:
-  portfolio:
-    appKey: '${ks[0]}'
-    appSecret: test
-  vault:
-    appKey: '${ks[0]}'
-    appSecret: test
-  desktop:
-    appKey: '${ks[0]}'
-    appSecret: test
-  message:
-    appKey: '${ks[0]}'
-    appSecret: test
-  rss:
-    appKey: '${ks[0]}'
-    appSecret: test
-  search:
-    appKey: '${ks[0]}'
-    appSecret: test
-  search2:
-    appKey: '${ks[0]}'
-    appSecret: test
-kubesphere:
-  redis_password: ""
--- a/framework/seahub/.olares/config/cluster/deploy/seafile_deploy.yaml
+++ b/framework/seahub/.olares/config/cluster/deploy/seafile_deploy.yaml
@@ -1,40 +1,4 @@

-
-# ---
-# apiVersion: v1
-# kind: ServiceAccount
-# metadata:
-#   name: bytetrade-controller
-#   namespace: {{ .Release.Namespace }}
-
-# ---
-# apiVersion: rbac.authorization.k8s.io/v1
-# kind: ClusterRoleBinding
-# metadata:
-#   name: {{ .Release.Namespace }}:bytetrade-controller
-# roleRef:
-#   apiGroup: rbac.authorization.k8s.io
-#   kind: ClusterRole
-#   name: cluster-admin
-# subjects:
-# - kind: ServiceAccount
-#   name: bytetrade-controller
-#   namespace: {{ .Release.Namespace }}
-
-# ---
-# apiVersion: v1
-# data:
-#   seafdav.conf: |
-#     [WEBDAV]
-#     enabled = true
-#     port = 8080
-#     share_name = /seafdav
-#     workers = 2
-#     timeout = 1200
-# kind: ConfigMap
-# metadata:
-#   name: sync-config
-#   namespace: {{ .Release.Namespace }}
 {{ $seafile_application_rootpath := printf "%s%s" .Values.rootPath "/rootfs/Application/seafile" }}
 {{ $seafile_appcache_rootpath := printf "%s%s" .Values.rootPath "/userdata/Cache/seafile" }}

@@ -47,6 +11,13 @@
 {{ $pg_password = randAlphaNum 16 | b64enc }}
 {{- end -}}

+{{- $seahub_nats_secret := (lookup "v1" "Secret" $namespace "seahub-nats-secrets") -}}
+{{- $nats_password := "" -}}
+{{ if $seahub_nats_secret -}}
+{{ $nats_password = (index $seahub_nats_secret "data" "nats_password") }}
+{{ else -}}
+{{ $nats_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
 ---
 apiVersion: v1
 kind: Secret
@@ -56,7 +27,16 @@ metadata:
 type: Opaque
 data:
  pg_password: {{ $pg_password }}
-
+  nats_password: {{ $pg_password }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: seahub-nats-secrets
+  namespace: os-system
+type: Opaque
+data:
+  nats_password: {{ $nats_password }}
 ---
 apiVersion: apr.bytetrade.io/v1alpha1
 kind: MiddlewareRequest
@@ -131,38 +111,6 @@ data:
        include proxy.conf;
      }    
    }
-#  login.lua: |-
-#    local headers = ngx.req.get_headers();
-#    local username = "";
-#
-#    for key, value in pairs(headers) do
-#      ngx.log(ngx.STDERR, key .. ": " .. value);
-#      if key == "x-bfl-user" then
-#        username = value;
-#      end
-#    end
-#
-#    local cookie = ngx.var.cookie_sfsessionid;
-#    ngx.log(ngx.STDERR, cookie);
-#    if username ~= "" and (cookie == nil or cookie == '') then
-#        local orig_ct = ngx.req.get_headers()["Content-Type"];
-#        ngx.req.set_header("Content-Type", "application/x-www-form-urlencoded");
-#        local res = ngx.location.capture("/accounts/login/?next=/", {
-#            method = ngx.HTTP_POST,
-#            body = "login=" .. username .. "@seafile.com&password=abcd123456&next=/"
-#        });
-#        ngx.req.set_header("Content-Type", orig_ct);
-#        if res.status == ngx.HTTP_OK or res.status == ngx.HTTP_MOVED_TEMPORARILY then
-#            ngx.log(ngx.STDERR, "login success " .. res.status);
-#
-#            local new_cookie = res.header["Set-Cookie"];
-#            ngx.log(ngx.STDERR, new_cookie);
-#            ngx.req.set_header("Cookie", string.match(new_cookie, "[^;]+"));
-#            ngx.header["Set-Cookie"] = new_cookie;
-#        else
-#            ngx.header["X-Redirected"] = "/";
-#        end
-#    end
  nginx.conf: |-
    user  nginx;
    worker_processes  4;
@@ -341,143 +289,172 @@ spec:
              value: os_system_seahub

      containers:
-#      - name: sync-mysql
-#        image: lovehunter9/seahub_database_test:v0.0.3
-#        imagePullPolicy: IfNotPresent
-#        ports:
-#        - containerPort: 3306
-#          protocol: TCP
-#        resources:
-#          limits:
-#            cpu: 1
-#            memory: 1024Mi
-#          requests:
-#            cpu: 20m
-#            memory: 100Mi
-#        args:
-#        - --max_connections=1000
-#        - --character-set-server=utf8mb4
-#        - --collation-server=utf8mb4_general_ci
-#        - --default-authentication-plugin=mysql_native_password
-#        volumeMounts:
-#        - name: db-data
-#          mountPath: /var/lib/mysql
-#        livenessProbe:
-#          initialDelaySeconds: 3
-#          tcpSocket:
-#            port: 3306
-#        env:
-#        - name: MYSQL_LOG_CONSOLE
-#          value: "true"
-#        - name: MYSQL_ROOT_PASSWORD
-#          value: "123456"
-#        - name: TZ
-#          value: Asia/Shanghai
-#        lifecycle:
-#          postStart:
-#            exec:
-#              command:
-#              - /bin/bash
-#              - -c
-#              - |
-#                while [ ! -f /var/run/mysqld/mysqld.pid ]; do
-#                  sleep 1
-#                done
+      - name: seahub
+        image: beclab/pg_seahub:v0.0.13
+        imagePullPolicy: IfNotPresent
+        ports:
+          - containerPort: 8000
+            protocol: TCP
+        env:
+          - name: DB_HOST
+            value: citus-headless.os-system
+          - name: DB_PORT
+            value: '5432'
+          - name: DB_NAME1
+            value: os_system_ccnet
+          - name: DB_NAME2
+            value: os_system_seafile
+          - name: DB_NAME3
+            value: os_system_seahub
+          - name: DB_USER
+            value: seafile_os_system
+          - name: DB_PASSWORD
+            value: {{ $pg_password | b64dec }}
+          - name: CCNET_CONF_DIR
+            value: /root/dev/conf
+          - name: SEAFILE_CONF_DIR
+            value: /root/dev/seafile-data
+          - name: SEAFILE_CENTRAL_CONF_DIR
+            value: /root/dev/conf
+          - name: PYTHONPATH
+            value: >-
+              /usr/local/lib/python3.8/site-packages/:/root/dev/source-code/seahub/thirdpart
+          - name: SEAFILE_ADMIN_EMAIL
+            value: admin@bytetrade.io
+          - name: SEAFILE_ADMIN_PASSWORD
+            value: admin
+        volumeMounts:
+          - name: sync-data
+            mountPath: /shared
+          - name: seafile-data
+            mountPath: /root/dev/seafile-data
+          - name: seafile-nginx-conf
+            mountPath: /root/dev/seafile-data/seafile.conf
+            subPath: seafile.conf
+          - name: seafile-nginx-conf
+            mountPath: /root/dev/conf/seahub_settings.py
+            subPath: seahub_settings.py

-      # - name: sync-memcached
-      #   image: memcached:1.6
-      #   imagePullPolicy: IfNotPresent
-      #   ports:
-      #   - containerPort: 11211
-      #     protocol: TCP
-      #   command:
-      #   - "memcached"
-      #   - "-m"
-      #   - "128"
-      #   livenessProbe:
-      #     initialDelaySeconds: 3
-      #     tcpSocket:
-      #       port: 11211
-      
-#      - name: sync-server
-#        image: lovehunter9/seafile_server_test:test_ci
+      - name: seafile-server
+        image: beclab/pg_seafile_server:v0.0.13
+        imagePullPolicy: IfNotPresent
+        ports:
+          - containerPort: 8082
+            protocol: TCP
+        env:
+          - name: DB_HOST
+            value: citus-headless.os-system
+          - name: DB_PORT
+            value: '5432'
+          - name: DB_NAME1
+            value: os_system_ccnet
+          - name: DB_NAME2
+            value: os_system_seafile
+          - name: DB_NAME3
+            value: os_system_seahub
+          - name: DB_USER
+            value: seafile_os_system
+          - name: DB_PASSWORD
+            value: {{ $pg_password | b64dec }}
+          - name: CCNET_CONF_DIR
+            value: /root/dev/conf
+          - name: SEAFILE_CONF_DIR
+            value: /root/dev/seafile-data
+          - name: SEAFILE_CENTRAL_CONF_DIR
+            value: /root/dev/conf
+          - name: SEAFILE_SERVER_LETSENCRYPT
+            value: 'false'
+          - name: NATS_HOST
+            value: nats
+          - name: NATS_PORT
+            value: "4222"
+          - name: NATS_USERNAME
+            value: os-system-seahub-server
+          - name: NATS_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                key: nats_password
+                name: seahub-nats-secrets
+          - name: NATS_SUBJECT_SYSTEM_SEAHUB
+            value: terminus.os-system.system.seahub
+          - name: NATS_SUBJECT_SYSTEM_USERS
+            value: terminus.os-system.system.users
+          - name: NATS_SUBJECT_SYSTEM_GROUPS
+            value: terminus.os-system.system.groups
+        volumeMounts:
+          - name: sync-data
+            mountPath: /shared
+          - name: seafile-data
+            mountPath: /root/dev/seafile-data
+          - name: seafile-nginx-conf
+            mountPath: /root/dev/seafile-data/seafile.conf
+            subPath: seafile.conf
+          - name: seafile-nginx-conf
+            mountPath: /root/dev/conf/ccnet.conf
+            subPath: ccnet.conf
+
+#      - name: sync-backend
+#        image: beclab/seahub_pgserver:v0.0.12
 #        imagePullPolicy: IfNotPresent
 #        volumeMounts:
 #        - name: sync-data
 #          mountPath: /shared
+#        - name: seafile-data
+#          mountPath: /root/dev/seafile-data
+#        - name: seafile-nginx-conf
+#          mountPath: /root/dev/seafile-data/seafile.conf
+#          subPath: seafile.conf
+#        - name: seafile-nginx-conf
+#          mountPath: /root/dev/conf/ccnet.conf
+#          subPath: ccnet.conf
+#        - name: seafile-nginx-conf
+#          mountPath: /root/dev/conf/seahub_settings.py
+#          subPath: seahub_settings.py
 #        ports:
+#        - containerPort: 8000
+#          protocol: TCP
 #        - containerPort: 8082
 #          protocol: TCP
-#
-#      - name: sync-frontend
-#        image: lovehunter9/seahub_frontend_test:test_ci
-#        imagePullPolicy: IfNotPresent
-#        ports:
-#        - containerPort: 3000
-#          protocol: TCP
-
-      - name: sync-backend
-        image: beclab/seahub_pgserver:v0.0.12
-        imagePullPolicy: IfNotPresent
-        volumeMounts:
-        - name: sync-data
-          mountPath: /shared
-        - name: seafile-data
-          mountPath: /root/dev/seafile-data
-        - name: seafile-nginx-conf
-          mountPath: /root/dev/seafile-data/seafile.conf
-          subPath: seafile.conf
-        - name: seafile-nginx-conf
-          mountPath: /root/dev/conf/ccnet.conf
-          subPath: ccnet.conf
-        - name: seafile-nginx-conf
-          mountPath: /root/dev/conf/seahub_settings.py
-          subPath: seahub_settings.py
-        ports:
-        - containerPort: 8000
-          protocol: TCP
-        - containerPort: 8082
-          protocol: TCP
-        env:
-        - name: DB_HOST
-          value: citus-headless.os-system
-        - name: DB_PORT
-          value: '5432'
-        - name: DB_NAME1
-          value: os_system_ccnet
-        - name: DB_NAME2
-          value: os_system_seafile
-        - name: DB_NAME3
-          value: os_system_seahub
-        - name: DB_USER
-          value: seafile_os_system
-        - name: DB_PASSWORD
-          value: {{ $pg_password | b64dec }}
-        - name: PYTHONPATH
-          value: /usr/local/lib/python3.8/site-packages/:/root/dev/source-code/seahub/thirdpart
-        - name: CCNET_CONF_DIR
-          value: /root/dev/conf
-        - name: SEAFILE_CONF_DIR
-          value: /root/dev/seafile-data
-        - name: SEAFILE_CENTRAL_CONF_DIR
-          value: /root/dev/conf
-        - name: SEAFILE_ADMIN_EMAIL
-          value: admin@bytetrade.io 
-        - name: SEAFILE_ADMIN_PASSWORD
-          value: admin
-        - name: SEAFILE_SERVER_LETSENCRYPT
-          value: "false"
-        - name: NATS_HOST
-          value: nats
-        - name: NATS_PORT
-          value: "4222"
-        - name: NATS_USERNAME
-          value: admin
-        - name: NATS_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              key: nats_password
-              name: nats-secrets
+#        env:
+#        - name: DB_HOST
+#          value: citus-headless.os-system
+#        - name: DB_PORT
+#          value: '5432'
+#        - name: DB_NAME1
+#          value: os_system_ccnet
+#        - name: DB_NAME2
+#          value: os_system_seafile
+#        - name: DB_NAME3
+#          value: os_system_seahub
+#        - name: DB_USER
+#          value: seafile_os_system
+#        - name: DB_PASSWORD
+#          value: {{ $pg_password | b64dec }}
+#        - name: PYTHONPATH
+#          value: /usr/local/lib/python3.8/site-packages/:/root/dev/source-code/seahub/thirdpart
+#        - name: CCNET_CONF_DIR
+#          value: /root/dev/conf
+#        - name: SEAFILE_CONF_DIR
+#          value: /root/dev/seafile-data
+#        - name: SEAFILE_CENTRAL_CONF_DIR
+#          value: /root/dev/conf
+#        - name: SEAFILE_ADMIN_EMAIL
+#          value: admin@bytetrade.io
+#        - name: SEAFILE_ADMIN_PASSWORD
+#          value: admin
+#        - name: SEAFILE_SERVER_LETSENCRYPT
+#          value: "false"
+#        - name: NATS_HOST
+#          value: nats
+#        - name: NATS_PORT
+#          value: "4222"
+#        - name: NATS_USERNAME
+#          value: admin
+#        - name: NATS_PASSWORD
+#          valueFrom:
+#            secretKeyRef:
+#              key: nats_password
+#              name: nats-secrets

      - name: nginx
        image: 'beclab/nginx-lua:n0.0.4'
@@ -495,9 +472,6 @@ spec:
          - name: seafile-nginx-conf
            mountPath: /etc/nginx/conf.d/default.conf
            subPath: default.conf
-#          - name: seafile-nginx-conf
-#            mountPath: /etc/nginx/login.lua
-#            subPath: login.lua
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        imagePullPolicy: IfNotPresent
@@ -525,8 +499,6 @@ spec:
              path: proxy.conf
            - key: default.conf
              path: default.conf
-#            - key: login.lua
-#              path: login.lua
            - key: seafile.conf
              path: seafile.conf
            - key: ccnet.conf
@@ -534,13 +506,6 @@ spec:
            - key: seahub_settings.py
              path: seahub_settings.py
          defaultMode: 420
-      # - name: sync-config
-      #   configMap:
-      #     defaultMode: 420
-      #     name: sync-config
-      #     items:
-      #     - key: seafdav.conf
-      #       path: seafdav.conf

 ---
 apiVersion: apr.bytetrade.io/v1alpha1
@@ -563,3 +528,41 @@ spec:
  type: subscriber
  event: user.delete
  callback: http://seafile.{{ .Release.Namespace }}:8000/callback/delete
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: seahub-server-nats
+  namespace: {{ .Release.Namespace }}
+spec:
+  app: seahub-server
+  appNamespace: {{ .Release.Namespace }}
+  middleware: nats
+  nats:
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: nats_password
+          name: seahub-nats-secrets
+    refs:
+      - appName: user-service
+        appNamespace: user
+        subjects:
+          - name: "seahub.*"
+            perm:
+              - pub
+              - sub
+    subjects:
+      - name: system.seahub
+        permission:
+          pub: allow
+          sub: allow
+      - name: system.users
+        permission:
+          pub: allow
+          sub: deny
+      - name: system.groups
+        permission:
+          pub: allow
+          sub: deny
+    user: os-system-seahub-server
--- a/framework/search3/.olares/config/cluster/deploy/search3_server_deploy.yaml
+++ b/framework/search3/.olares/config/cluster/deploy/search3_server_deploy.yaml
@@ -8,6 +8,24 @@
 {{ $pg_password = randAlphaNum 16 | b64enc }}
 {{- end -}}

+{{- $search_server_nats_secret := (lookup "v1" "Secret" $namespace "search-server-nats-secret") -}}
+{{- $nats_password := "" -}}
+{{ if $search_server_nats_secret -}}
+{{ $nats_password = (index $search_server_nats_secret "data" "nats_password") }}
+{{ else -}}
+{{ $nats_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: search-server-nats-secret
+  namespace: os-system
+type: Opaque
+data:
+  nats_password: {{ $nats_password }}
+
 ---
 apiVersion: v1
 kind: Secret
@@ -178,6 +196,27 @@ spec:
      labels:
        app: search3
    spec:
+      volumes:
+        - name: userspace-dir
+          hostPath:
+            path: /olares/rootfs/userspace
+            type: Directory
+        - name: fb-data
+          hostPath:
+            path: /olares/userdata/Cache/files
+            type: DirectoryOrCreate
+        - name: upload-appdata
+          hostPath:
+            path: /olares/userdata/Cache
+            type: DirectoryOrCreate
+        - name: user-appdata-dir
+          hostPath:
+            path: /olares/userdata/Cache
+            type: Directory
+        - name: shared-lib
+          hostPath:
+            path: /olares/share
+            type: Directory
      initContainers:
      - name: init-container
        image: 'postgres:16.0-alpine3.18'
@@ -199,7 +238,7 @@ spec:
            value: os_system_search3
      containers:
      - name: search3
-        image: beclab/search3:v0.0.30
+        image: beclab/search3:v0.0.34
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 8080
@@ -211,13 +250,38 @@ spec:
        - name: NATS_PORT
          value: "4222"
        - name: NATS_USERNAME
-          value: admin
+          value: os-system-search-server
        - name: NATS_PASSWORD
          valueFrom:
            secretKeyRef:
              key: nats_password
-              name: nats-secrets
-
+              name: search-server-nats-secret
+        - name: NATS_SUBJECT_SYSTEM_SEARCH
+          value: terminus.os-system.system.search
+        - name: NATS_SUBJECT_SYSTEM_USERS
+          value: terminus.os-system.system.users
+        - name: NATS_SUBJECT_SYSTEM_GROUPS
+          value: terminus.os-system.system.groups
+      - name: search3monitor
+        image: beclab/search3monitor:v0.0.34
+        imagePullPolicy: IfNotPresent
+        env:
+        - name: DATABASE_URL
+          value: postgres://search3_os_system:{{ $pg_password | b64dec }}@citus-0.citus-headless.os-system:5432/os_system_search3
+        volumeMounts:
+          - name: fb-data
+            mountPath: /appdata
+          - name: userspace-dir
+            mountPath: /data
+          - name: upload-appdata
+            mountPath: /appcache/
+          - name: shared-lib
+            mountPath: /data/External
+            mountPropagation: Bidirectional
+        securityContext:
+          privileged: true
+          runAsUser: 0
+          allowPrivilegeEscalation: true
 ---
 apiVersion: v1
 kind: Service
@@ -232,4 +296,43 @@ spec:
    - protocol: TCP
      name: search3
      port: 80
-      targetPort: 8080
+      targetPort: 8080
+
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: search-server-nats
+  namespace: {{ .Release.Namespace }}
+spec:
+  app: search-server
+  appNamespace: {{ .Release.Namespace }}
+  middleware: nats
+  nats:
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: nats_password
+          name: search-server-nats-secret
+    refs:
+      - appName: user-service
+        appNamespace: user
+        subjects:
+        - name: "search.*"
+          perm:
+            - pub
+            - sub
+    subjects:
+      - name: system.search
+        permission:
+          pub: allow
+          sub: allow
+      - name: system.users
+        permission:
+          pub: allow
+          sub: deny
+      - name: system.groups
+        permission:
+          pub: allow
+          sub: deny
+    user: os-system-search-server
--- a/framework/tapr/.olares/config/cluster/deploy/lldap-deployment.yaml
+++ b/framework/tapr/.olares/config/cluster/deploy/lldap-deployment.yaml
@@ -75,21 +75,19 @@ spec:
        secretKeyRef:
          key: nats_password
          name: lldap-pg-secrets
-    refs:
-    - appName: notifications
-      appNamespace: {{ .Release.Namespace }}
-      subjects:
-      - name: system.notification
-        perm:
-        - pub
-        - sub
-    - appName: notifications
-      appNamespace: {{ .Release.Namespace }}
-      subjects:
-      - name: system.users
-        perm:
-        - pub
-        - sub
+    subjects:
+    - name: system.notification
+      permission:
+        pub: allow
+        sub: allow
+    - name: system.users
+      permission:
+        pub: allow
+        sub: allow
+    - name: system.groups
+      permission:
+        pub: allow
+        sub: allow
    user: os-system-lldap

 ---
@@ -173,6 +171,8 @@ spec:
              value: "terminus.{{ .Release.Namespace }}.system.notification"
            - name: NATS_SUBJECT_SYSTEM_USERS
              value: "terminus.{{ .Release.Namespace }}.system.users"
+            - name: NATS_SUBJECT_SYSTEM_GROUPS
+              value: "terminus.{{ .Release.Namespace }}.system.groups"

          image: beclab/lldap:0.0.2
          imagePullPolicy: IfNotPresent
--- a/framework/tapr/.olares/config/cluster/deploy/middleware_deploy.yaml
+++ b/framework/tapr/.olares/config/cluster/deploy/middleware_deploy.yaml
@@ -99,7 +99,7 @@ spec:
        - name: DISABLE_TELEMETRY
          value: "false"
      - name: operator-api
-        image: beclab/middleware-operator:0.2.5
+        image: beclab/middleware-operator:0.2.6
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 9080
--- a/framework/vault/.olares/config/cluster/deploy/vault_server_deploy.yaml
+++ b/framework/vault/.olares/config/cluster/deploy/vault_server_deploy.yaml
@@ -11,6 +11,24 @@
 {{ $pg_password = randAlphaNum 16 | b64enc }}
 {{- end -}}

+{{- $vault_server_nats_secret := (lookup "v1" "Secret" $namespace "vault-server-nats-secret") -}}
+{{- $nats_password := "" -}}
+{{ if $vault_server_nats_secret -}}
+{{ $nats_password = (index $vault_server_nats_secret "data" "nats_password") }}
+{{ else -}}
+{{ $nats_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: vault-server-nats-secret
+  namespace: os-system
+type: Opaque
+data:
+  nats_password: {{ $nats_password }}
+
 ---
 apiVersion: v1
 kind: Secret
@@ -113,7 +131,7 @@ spec:
        - name: NATS_PORT
          value: "4222"
        - name: NATS_USERNAME
-          value: admin
+          value: os-system-vault-server
        - name: NATS_PASSWORD
          valueFrom:
            secretKeyRef:
@@ -184,3 +202,43 @@ spec:
  event: user.delete
  callback: http://vault-server.{{ .Release.Namespace }}:3010/callback/delete

+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: vault-server-nats
+  namespace: {{ .Release.Namespace }}
+spec:
+  app: vault-server
+  appNamespace: {{ .Release.Namespace }}
+  middleware: nats
+  nats:
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: nats_password
+          name: vault-server-nats-secret
+
+    refs:
+    - appName: user-service
+      appNamespace: user
+      subjects:
+        - name: "vault.*"
+          perm:
+            - pub
+            - sub
+    subjects:
+      - name: system.vault
+        permission:
+          pub: allow
+          sub: allow
+      - name: system.users
+        permission:
+          pub: allow
+          sub: deny
+      - name: system.groups
+        permission:
+          pub: allow
+          sub: deny
+    user: os-system-vault-server
+
--- a/framework/vault/README.md
+++ b/framework/vault/README.md
@@ -0,0 +1 @@
+# Vault Backend
--- a/infrastructure/cuda/.olares/Olares.yaml
+++ b/infrastructure/cuda/.olares/Olares.yaml
@@ -47,9 +47,6 @@ output:
      name:  libnvidia-container.list
      amd64: https://nvidia.github.io/libnvidia-container/stable/deb/nvidia-container-toolkit.list
      arm64: https://nvidia.github.io/libnvidia-container/stable/deb/nvidia-container-toolkit.list
-  containers:
-    - 
-      name: redis:5.0.14-alpine



--- a/infrastructure/kubesphere/.olares/Olares.yaml
+++ b/infrastructure/kubesphere/.olares/Olares.yaml
@@ -3,9 +3,9 @@ target: prebuilt
 output:
  containers:
    - 
-      name: beclab/ks-apiserver:0.0.14
+      name: beclab/ks-apiserver:0.0.15
    - 
-      name: beclab/ks-controller-manager:0.0.14
+      name: beclab/ks-controller-manager:0.0.15
    -
      name: kubesphere/kubectl:v1.22.0

--- a/platform/hami/.olares/Olares.yaml
+++ b/platform/hami/.olares/Olares.yaml
@@ -3,7 +3,7 @@ target: prebuilt
 output:
  containers:
    - 
-      name: beclab/hami:v2.5.2-share-01
+      name: beclab/hami:v2.5.2-share-06
    - 
      name: projecthami/hami-webui-fe-oss:v1.0.5
    - 
--- a/platform/redis/kvrocks/.olares/Olares.yaml
+++ b/platform/redis/kvrocks/.olares/Olares.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+target: prebuilt
+output:
+  containers:
+    - 
+      name: beclab/kvrocks:0.1.0
+
+
+
+      
--- a/platform/redis/kvrocks/README.md
+++ b/platform/redis/kvrocks/README.md
@@ -0,0 +1 @@
+# kvrocks
Author	SHA1	Message	Date
eball	2ffaccf2e0	gpu: fix gpu scheduler bugs	2025-06-05 23:02:43 +08:00
salt	cdf70c5c58	fix: fix resources conflict for search3monitor (#1406 ) Co-authored-by: Ubuntu <ubuntu@localhost.localdomain>	2025-06-05 22:59:00 +08:00
Peng Peng	1c7fa01df8	fix: remove duplicate container in gpu yaml and notification yaml in user space (#1398 )	2025-06-05 14:32:54 +08:00
salt	2b4b590a3a	feat: add file monitor for data, drive, external, cache. (#1397 ) * feat: search3 add monitor * fix: add SecurityContext for monitor * fix: monitor init generate_monitor_folder_path_from_data_root --------- Co-authored-by: Ubuntu <ubuntu@localhost.localdomain>	2025-06-05 14:32:20 +08:00
Peng Peng	2bef0056d3	feat: add kvroks dependency (#1399 )	2025-06-05 14:31:50 +08:00
Peng Peng	da5ad17e7b	refactor: change files, monitor, vault from apps to framework	2025-06-05 11:54:37 +08:00
hysyeah	3b14b95469	app-service,bfl: gpu namespace netpol;refresh token api;nats user perm (#1395 ) * app-service,bfl: gpu namespace netpol;refresh token api;nats user perm * add knowledge, market nats * Update system-frontend.yaml --------- Co-authored-by: eball <liuy102@hotmail.com>	2025-06-05 01:12:52 +08:00
berg	d0a5da4266	market, settings: update version to v1.3.69 (#1396 ) feat: update market and settings to v1.3.69	2025-06-05 00:26:12 +08:00
dkeven	a2efa54140	feat: dedicated namespace for gpu-scheduler (#1394 )	2025-06-05 00:05:15 +08:00
dkeven	f0106180d5	fix(daemon): reset upgrade target when not upgrading (#1390 )	2025-06-04 21:52:57 +08:00
dkeven	9261253126	feat: get rid of nvshare (#1389 )	2025-06-04 21:50:46 +08:00
lovehunter9	16f554ed54	feat: seafile separate image (#1383 )	2025-06-04 20:48:40 +08:00
dkeven	ac212583ea	fix(ci): pass in git ref when calling workflow for submodule (#1392 )	2025-06-04 18:34:28 +08:00
dkeven	186d6dd309	fix(ci): use correct daily release version for daemon (#1388 )	2025-06-04 11:33:00 +08:00
lovehunter9	79f96c94f7	fix: files sync dir rename bug (#1387 )	2025-06-03 23:45:46 +08:00
hysyeah	5bd1bd2ab9	kubesphere,app-service: add disk partion metric; (#1386 ) kubesphere,app-service: add disk partion metric;fix cancel op ctx	2025-06-03 23:45:19 +08:00
wiy	6be4e1ff6e	feat(system-frontend): update user-service support web socket (#1385 ) * feat(system-frontend): update user-service support web socket * feat: rename monitoring to system-apps	2025-06-03 23:44:51 +08:00
aby913	df722bf1cd	backup-server: package name adjustment (#1384 ) backup-server: package rename	2025-06-03 23:44:22 +08:00
eball	d428295fa5	bfl: crash and bulk http clients (#1382 )	2025-06-03 23:43:49 +08:00