feat(settings-server): upgrade docker node version to 24.0.2 & upgrade nestjs version to 11.1.1

otel: bump the go auto-instrumentation image version (#1328 )
otel: change the go auto-instrumentation image version
2025-05-19 21:29:50 +08:00 · 2025-05-19 19:30:36 +08:00 · 2025-05-17 01:20:19 +08:00 · 2025-05-16 23:57:26 +08:00 · 2025-05-16 21:00:41 +08:00 · 2025-05-16 00:19:35 +08:00
150 changed files with 4315 additions and 4073 deletions
--- a/.github/workflows/check.yaml
+++ b/.github/workflows/check.yaml
@@ -37,17 +37,8 @@ jobs:
        run: |
          bash scripts/package.sh
      - name: Run chart-testing (list-changed)
        id: list-changed
        run: |
          changed=$(ct list-changed --chart-dirs build/installer/wizard/config --target-branch ${{ github.event.repository.default_branch }})
          if [[ -n "$changed" ]]; then
            echo "changed=true" >> "$GITHUB_OUTPUT"
          fi
      - name: Run chart-testing (lint)
-        if: steps.list-changed.outputs.changed == 'true'
+        run: ct lint --chart-dirs build/installer/wizard/config,build/installer/wizard/config/apps,build/installer/wizard/config/gpu --check-version-increment=false --all
        run: ct lint --chart-dirs build/installer/wizard/config --check-version-increment=false --target-branch ${{ github.event.repository.default_branch }}
      # - name: Create kind cluster
      #   if: steps.list-changed.outputs.changed == 'true'
--- a/.github/workflows/daily-lint-check.yaml
+++ b/.github/workflows/daily-lint-check.yaml
@@ -0,0 +1,37 @@
 name: Lint Check Charts
 on:
  schedule:
    # This is a UTC time
    - cron: "30 1 * * *"
  workflow_dispatch:
 jobs:
  lint-test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Set up Helm
        uses: azure/setup-helm@v3
        with:
          version: v3.12.1
      - uses: actions/setup-python@v4
        with:
          python-version: '3.9'
          check-latest: true
      - name: Set up chart-testing
        uses: helm/chart-testing-action@v2.6.0
      - name: Pre package
        run: |
          bash scripts/package.sh
      - name: Run chart-testing (lint)
        run: |
          ct lint --chart-dirs build/installer/wizard/config,build/installer/wizard/config/apps,build/installer/wizard/config/gpu --check-version-increment=false --all
--- a/README.md
+++ b/README.md
@@ -65,19 +65,14 @@ Here is why and where you can count on Olares for private, powerful, and secure
 ## Getting started
 ### System compatibility
 Olares has been tested and verified on the following platforms:
-| Platform            | Operating system                     | Notes                                                 |
+Olares has been tested and verified on the following Linux platforms:
 |---------------------|--------------------------------------|-------------------------------------------------------|
 | Linux               | Ubuntu 20.04 LTS or later <br/> Debian 11 or later |                                          |
 | Raspberry Pi        | RaspbianOS                           | Verified on Raspberry Pi 4 Model B and Raspberry Pi 5 |
 | Windows             | Windows 11 23H2 or later <br/>Windows 10 22H2 or later<br/> WSL2 |                                     |
 | Mac                 | Monterey (12) or later              |                                                        |
 | Proxmox VE (PVE)    | Proxmox Virtual Environment 8.0      |                                                       |
-> **Note**
+- Ubuntu 20.04 LTS or later 
-> 
+- Debian 11 or later
-> If you successfully install Olares on an operating system that is not listed in the compatibility table, please let us know! You can [open an issue](https://github.com/beclab/Olares/issues/new) or submit a pull request on our GitHub repository.
+
 > **Other installation options**
 > Olares can also be installed on other platforms like macOS, Windows, PVE, and Raspberry Pi, or installed via docker compose on Linux. However, these are only for **testing and development purposes**. For detailed instructions, visit [Additional installation options](https://docs.olares.xyz/developer/install/additional-installations.html).
 ### Set up Olares
 To get started with Olares on your own device, follow the [Getting Started Guide](https://docs.olares.xyz/manual/get-started/) for step-by-step instructions.
--- a/README_CN.md
+++ b/README_CN.md
@@ -62,25 +62,18 @@ Olares 是为本地端侧 AI 打造的开源私有云操作系统，可轻松将
 ## 快速开始
 ### 系统兼容性
 Olares 已在以下平台完成测试验证：
-| 平台            | 操作系统                     | 备注                                                 |
+Olares 已在以下 Linux 平台完成测试与验证：
 |---------------------|--------------------------------------|-------------------------------------------------------|
 | Linux               | Ubuntu 20.04 LTS 及以上 <br/> Debian 11 及以上  |                                               |
 | Raspberry Pi        | RaspbianOS                           | 已在 Raspberry Pi 4 Model B 和 Raspberry Pi 5 上验证    |
 | Windows             | Windows 11 23H2 及以上 <br/>Windows 10 22H2 及以上 <br/>WSL2 |                                           |
 | Mac                  | macOS Monterey (12) 及以上             |                                                         |
 | Proxmox VE (PVE)    | Proxmox Virtual Environment 8.0      |                                                         |
-> **注意**
+- Ubuntu 20.04 LTS 及以上版本
-> 
+- Debian 11 及以上版本
-> 如果你在未列出的系统版本上成功安装了 Olares，请告诉我们！你可以在 GitHub 仓库中[提交 Issue](https://github.com/beclab/Olares/issues/new) 或发起 Pull Request。
+
 > **其他安装方式**
 > Olares 也支持在 macOS、Windows、PVE、树莓派等平台上运行，或通过 Docker Compose 在 Linux 上部署。但请注意，这些方式**仅适用于开发和测试环境**。详细安装指南请参阅[其他安装方式](https://docs.joinolares.cn/zh/developer/install/additional-installations.html)。
 ### 安装 Olares
 > 当前文档仅有英文版本。
-参考[快速上手指南](https://docs.olares.xyz/manual/get-started/)安装并激活 Olares。
+参考[快速上手指南](https://docs.joinolares.cn/zh/manual/get-started/)安装并激活 Olares。
 ## 系统架构
 Olares 的架构设计遵循两个核心原则：
--- a/README_JP.md
+++ b/README_JP.md
@@ -63,19 +63,14 @@ Olaresを使用して、ハードウェアをAIホームサーバーに変換し
 ## はじめに
 ### システム互換性
 Olaresは以下のプラットフォームでテストおよび検証されています：
-| プラットフォーム            | オペレーティングシステム                     | 備考                                                 |
+Olaresは以下のLinuxプラットフォームで動作検証を完了しています：
 |---------------------|--------------------------------------|-------------------------------------------------------|
 | Linux               | Ubuntu 20.04 LTS以降 <br/> Debian 11以降 |                                          |
 | Raspberry Pi        | RaspbianOS                           | Raspberry Pi 4 Model BおよびRaspberry Pi 5で検証済み |
 | Windows             | Windows 11 23H2以降 <br/>Windows 10 22H2以降<br/> WSL2 |                                     |
 | Mac                 | Monterey (12)以降              |                                                        |
 | Proxmox VE (PVE)    | Proxmox Virtual Environment 8.0      |                                                       |
-> **注意**
+- Ubuntu 20.04 LTS 以降
-> 
+- Debian 11 以降
-> 互換性テーブルに記載されていないオペレーティングシステムでOlaresを正常にインストールした場合は、お知らせください！GitHubリポジトリで[問題を開く](https://github.com/beclab/Olares/issues/new)か、プルリクエストを送信できます。
+
 > **追加インストール手順**
 > Olares は macOS、Windows、PVE、Raspberry Pi などのプラットフォームや、Linux 上での Docker Compose を用いたインストールにも対応しています。>ただし、これらの方法は開発およびテスト環境専用です。詳しくは[追加インストール手順](https://docs.olares.xyz/developer/install/additional-installations.html)をご参照ください。
 ### Olaresのセットアップ
 自分のデバイスでOlaresを始めるには、[はじめにガイド](https://docs.olares.xyz/manual/get-started/)に従ってステップバイステップの手順を確認してください。
--- a/apps/argo/config/cluster/deploy/argo-task.yaml
+++ b/apps/argo/config/cluster/deploy/argo-task.yaml
@@ -0,0 +1,67 @@
 {{- $namespace := printf "%s" "os-system" -}}
 {{- $rss_secret := (lookup "v1" "Secret" $namespace "rss-secrets") -}}
 {{- $password := "" -}}
 {{ if $rss_secret -}}
 {{ $password = (index $rss_secret "data" "pg_password") }}
 {{ else -}}
 {{ $password = randAlphaNum 16 | b64enc }}
 {{- end -}}
 {{- $redis_password := "" -}}
 {{ if $rss_secret -}}
 {{ $redis_password = (index $rss_secret "data" "redis_password") }}
 {{ else -}}
 {{ $redis_password = randAlphaNum 16 | b64enc }}
 {{- end -}}
 {{- $redis_password_data := "" -}}
 {{ $redis_password_data = $redis_password | b64dec }}
 {{- $pg_password_data := "" -}}
 {{ $pg_password_data = $password | b64dec }}
 {{- $pg_user :=  printf "%s" "argo_os_system" -}}
 {{- $pg_user = $pg_user | b64enc -}}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: rss-secrets
  namespace: os-system
 type: Opaque
 data:
  pg_user: {{ $pg_user }}
  pg_password: {{ $password }}
  redis_password: {{ $redis_password }}
 ---
 apiVersion: apr.bytetrade.io/v1alpha1
 kind: MiddlewareRequest
 metadata:
  name: rss-pg
  namespace: os-system
 spec:
  app: rss
  appNamespace: os-system
  middleware: postgres
  postgreSQL:
    user: argo_os_system
    password: 
      valueFrom:
        secretKeyRef:
          key: pg_password
          name: rss-secrets
    databases:
    - name: rss
    - name: rss_v1
    - name: argo
--- a/apps/argo/config/cluster/deploy/server-crb.yaml
+++ b/apps/argo/config/cluster/deploy/server-crb.yaml
@@ -0,0 +1,26 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: os-system:argoworkflows
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: argoworkflows
 subjects:
  - kind: ServiceAccount
    name: argoworkflows
    namespace: os-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: os-system:argoworkflows-cluster-template
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: argoworkflows-cluster-template
 subjects:
  - kind: ServiceAccount
    name: argoworkflows
    namespace: os-system
--- a/apps/argo/config/cluster/deploy/server-deployment.yaml
+++ b/apps/argo/config/cluster/deploy/server-deployment.yaml
@@ -0,0 +1,85 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: argoworkflows
  namespace: os-system
  labels:
    app: argoworkflows
    app.kubernetes.io/managed-by: Helm
  annotations:
    applications.app.bytetrade.io/icon: https://argoproj.github.io/argo-workflows/assets/logo.png
    applications.app.bytetrade.io/title: argoworkflows
    applications.app.bytetrade.io/version: '0.35.0'
 spec:
  selector:
    matchLabels:
      app: argoworkflows
  template:
    metadata:
      labels:
        app: argoworkflows
    spec:
      serviceAccountName: argoworkflows
      containers:
        - name: argo-server
          image: quay.io/argoproj/argocli:v3.5.0
          imagePullPolicy: IfNotPresent
          securityContext:
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          args:
            - server
            - --configmap=argoworkflow-workflow-controller-configmap
            - "--auth-mode=server"
            - "--secure=false"
            - "--x-frame-options="
            - "--loglevel"
            - "debug"
            - "--gloglevel"
            - "0"
            - "--log-format"
            - "text"
          ports:
            - name: web
              containerPort: 2746
          readinessProbe:
            httpGet:
              path: /
              port: 2746
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 20
          env:
            - name: IN_CLUSTER
              value: "true"
            - name: ARGO_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: BASE_HREF
              value: /
          volumeMounts:
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: tmp
          emptyDir: {}
      nodeSelector:
        kubernetes.io/os: linux
      tolerations:
        - key: node.kubernetes.io/not-ready
          operator: Exists
          effect: NoExecute
          tolerationSeconds: 300
        - key: node.kubernetes.io/unreachable
          operator: Exists
          effect: NoExecute
          tolerationSeconds: 300
--- a/apps/argo/config/cluster/deploy/server-sa.yaml
+++ b/apps/argo/config/cluster/deploy/server-sa.yaml
@@ -0,0 +1,6 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: argoworkflows
  namespace: os-system
--- a/apps/argo/config/cluster/deploy/server-service.yaml
+++ b/apps/argo/config/cluster/deploy/server-service.yaml
@@ -0,0 +1,16 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: argoworkflows-svc
  namespace: os-system
 spec:
  ports:
  - port: 2746
    name: http
    protocol: TCP
    targetPort: 2746
  selector:
    app: argoworkflows
  sessionAffinity: None
  type: ClusterIP
--- a/apps/argo/config/cluster/deploy/workflow-controller-config-map.yaml
+++ b/apps/argo/config/cluster/deploy/workflow-controller-config-map.yaml
@@ -0,0 +1,40 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: argoworkflow-workflow-controller-configmap
  namespace: os-system
 data:
  config: |
    instanceID: os-system
    artifactRepository:
      archiveLogs: true
      s3:
        accessKeySecret:
          key: AWS_ACCESS_KEY_ID
          name: argo-workflow-log-fakes3
        secretKeySecret:
          key: AWS_SECRET_ACCESS_KEY
          name: argo-workflow-log-fakes3
        bucket: mongo-backup
        endpoint: tapr-s3-svc:4568
        insecure: true
    persistence:
      connectionPool:
        maxIdleConns: 5
        maxOpenConns: 0
      archive: true
      archiveTTL: 5d
      postgresql:
        host: citus-headless.os-system
        port: 5432
        database: os_system_argo
        tableName: argo_workflows
        userNameSecret:
          name: rss-secrets
          key: pg_user
        passwordSecret:
          name: rss-secrets
          key: pg_password
    nodeEvents:
      enabled: true
--- a/apps/argo/config/cluster/deploy/workflow-controller-crb.yaml
+++ b/apps/argo/config/cluster/deploy/workflow-controller-crb.yaml
@@ -0,0 +1,27 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: os-system:argoworkflow-workflow-controller
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: argoworkflow-workflow-controller
 subjects:
  - kind: ServiceAccount
    name: argoworkflow-workflow-controller
    namespace: os-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: os-system:argoworkflow-workflow-controller-cluster-template
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: argoworkflow-workflow-controller-cluster-template
 subjects:
  - kind: ServiceAccount
    name: argoworkflow-workflow-controller
    namespace: os-system
--- a/apps/argo/config/cluster/deploy/workflow-controller-deployment.yaml
+++ b/apps/argo/config/cluster/deploy/workflow-controller-deployment.yaml
@@ -0,0 +1,89 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: argoworkflow-workflow-controller
  namespace: os-system
  labels:
    app.kubernetes.io/component: workflow-controller
    app.kubernetes.io/instance: argo
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: argoworkflows-workflow-controller
    app.kubernetes.io/part-of: argo-workflows
    app.kubernetes.io/version: v3.5.0
    helm.sh/chart: argoworkflows-0.35.0
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/instance: argo
      app.kubernetes.io/name: argoworkflows-workflow-controller
  template:
    metadata:
      labels:
        app.kubernetes.io/component: workflow-controller
        app.kubernetes.io/instance: argo
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/name: argoworkflows-workflow-controller
        app.kubernetes.io/part-of: argo-workflows
        app.kubernetes.io/version: v3.5.0
        helm.sh/chart: argoworkflows-0.35.0
    spec:
      serviceAccountName: argoworkflow-workflow-controller
      serviceAccount: argoworkflow-workflow-controller
      schedulerName: default-scheduler
      containers:
        - name: controller
          image: quay.io/argoproj/workflow-controller:v3.5.0
          imagePullPolicy: IfNotPresent
          command: [ "workflow-controller" ]
          args:
          - "--configmap"
          - "argoworkflow-workflow-controller-configmap"
          - "--executor-image"
          - "quay.io/argoproj/argoexec:v3.5.0"
          - "--loglevel"
          - "debug"
          - "--gloglevel"
          - "0"
          - "--log-format"
          - "text"
          securityContext:
            capabilities:
              drop:
                - ALL
            runAsNonRoot: true
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
          env:
            - name: ARGO_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: LEADER_ELECTION_IDENTITY
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
          ports:
            - name: metrics
              containerPort: 9090
              protocol: TCP
            - containerPort: 6060
              protocol: TCP
          livenessProbe: 
            httpGet:
              path: /healthz
              port: 6060
              scheme: HTTP
            initialDelaySeconds: 90
            timeoutSeconds: 30
            periodSeconds: 60
            successThreshold: 1
            failureThreshold: 3
      nodeSelector:
        kubernetes.io/os: linux
--- a/apps/argo/config/cluster/deploy/workflow-controller-sa.yaml
+++ b/apps/argo/config/cluster/deploy/workflow-controller-sa.yaml
@@ -0,0 +1,5 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: argoworkflow-workflow-controller
  namespace: os-system
--- a/apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/controller/workflow-controller-secrets.yaml
+++ b/apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/controller/workflow-controller-secrets.yaml
@@ -5,7 +5,7 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: argo-workflow-log-fakes3
-  namespace: {{ .Release.Namespace }}
+  namespace: os-system
 type: Opaque
 stringData:
  AWS_ACCESS_KEY_ID: S3RVER
@@ -16,7 +16,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: workflow-role
-  namespace: {{ .Release.Namespace }}
+  namespace: os-system
 rules:
 - apiGroups:
  - "*"
@@ -30,10 +30,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: workflow-rolebinding
-  namespace: {{ .Release.Namespace }}
+  namespace: os-system
 subjects:
  - kind: ServiceAccount
-    namespace: {{ .Release.Namespace }}
+    namespace: os-system
    name: default
 roleRef:
  kind: Role
--- a/apps/argo/config/cluster/deploy/workflow-rb.yaml
+++ b/apps/argo/config/cluster/deploy/workflow-rb.yaml
@@ -0,0 +1,13 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: argoworkflow-workflow
  namespace: os-system
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argoworkflow-workflow
 subjects:
  - kind: ServiceAccount
    name: argo-workflow
    namespace: os-system
--- a/apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/controller/workflow-role.yaml
+++ b/apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/controller/workflow-role.yaml
@@ -1,10 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: {{ template "argo-workflows.fullname" $ }}-workflow
+  name: argoworkflow-workflow
-  labels:
+  namespace: os-system
    {{- include "argo-workflows.labels" (dict "context" $ "component" $.Values.controller.name "name" $.Values.controller.name) | nindent 4 }}
  namespace: {{ $.Release.Namespace}}
 rules:
  - apiGroups:
      - ""
--- a/apps/argo/config/user/helm-charts/argo/Chart.yaml
+++ b/apps/argo/config/user/helm-charts/argo/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-name: rss
+name: argo
 description: A Helm chart for Kubernetes
 maintainers:
 - name: bytetrade
--- a/apps/argo/config/user/helm-charts/argo/charts/argoworkflows/Chart.yaml
+++ b/apps/argo/config/user/helm-charts/argo/charts/argoworkflows/Chart.yaml
@@ -1,39 +0,0 @@
 apiVersion: v2
 name: argoworkflows
 description: A Helm chart for Argo Workflows
 # A chart can be either an 'application' or a 'library' chart.
 #
 # Application charts are a collection of templates that can be packaged into versioned archives
 # to be deployed.
 #
 # Library charts provide useful utilities or functions for the chart developer. They're included as
 # a dependency of application charts to inject those utilities and functions into the rendering
 # pipeline. Library charts do not define any templates and therefore cannot be deployed.
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
 version: 0.35.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
 appVersion: "v3.5.0"
 icon: https://argoproj.github.io/argo-workflows/assets/logo.png
 home: https://github.com/argoproj/argo-helm
 sources:
  - https://github.com/argoproj/argo-workflows
 maintainers:
  - name: argoproj
    url: https://argoproj.github.io/
 annotations:
  artifacthub.io/signKey: |
    fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252
    url: https://argoproj.github.io/argo-helm/pgp_keys.asc
  artifacthub.io/changes: |
    - kind: changed
      description: Upgrade to Argo Workflows v3.4.10
--- a/apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/NOTES.txt
+++ b/apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/NOTES.txt
@@ -1,7 +0,0 @@
 1. Get Argo Server external IP/domain by running:
 kubectl --namespace {{ .Release.Namespace }} get services -o wide | grep {{ template "argo-workflows.server.fullname" . }}
 2. Submit the hello-world workflow by running:
 argo submit https://raw.githubusercontent.com/argoproj/argo-workflows/master/examples/hello-world.yaml --watch
--- a/apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/_helpers.tpl
+++ b/apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/_helpers.tpl
@@ -1,189 +0,0 @@
 {{/* vim: set filetype=mustache: */}}
 {{/*
 Create argo workflows server name and version as used by the chart label.
 */}}
 {{- define "argo-workflows.server.fullname-bak" -}}
 {{- printf "%s-%s" (include "argo-workflows.fullname" .) .Values.server.name | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{- define "argo-workflows.server.fullname" -}}
 argoworkflows
 {{- end -}}
 {{/*
 Create controller name and version as used by the chart label.
 */}}
 {{- define "argo-workflows.controller.fullname" -}}
 {{- printf "%s-%s" (include "argo-workflows.fullname" .) .Values.controller.name | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{/*
 Expand the name of the chart.
 */}}
 {{- define "argo-workflows.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 */}}
 {{/*{{- define "argo-workflows.fullname" -}}*/}}
 {{/*{{- if .Values.fullnameOverride -}}*/}}
 {{/*{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}*/}}
 {{/*{{- else -}}*/}}
 {{/*{{- $name := default .Chart.Name .Values.nameOverride -}}*/}}
 {{/*{{- if contains $name .Release.Name -}}*/}}
 {{/*{{- .Release.Name | trunc 63 | trimSuffix "-" -}}*/}}
 {{/*{{- else -}}*/}}
 {{/*{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}*/}}
 {{/*{{- end -}}*/}}
 {{/*{{- end -}}*/}}
 {{/*{{- end -}}*/}}
 {{- define "argo-workflows.fullname" -}}
 argoworkflow
 {{- end -}}
 {{/*
 Create chart name and version as used by the chart label.
 */}}
 {{- define "argo-workflows.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{/*
 Create kubernetes friendly chart version label for the controller.
 Examples:
 image.tag = v3.4.4
 output    = v3.4.4
 image.tag = v3.4.4@sha256:d06860f1394a94ac3ff8401126ef32ba28915aa6c3c982c7e607ea0b4dadb696
 output    = v3.4.4
 */}}
 {{- define "argo-workflows.controller_chart_version_label" -}}
 {{- regexReplaceAll "[^a-zA-Z0-9-_.]+" (regexReplaceAll "@sha256:[a-f0-9]+" (default (include "argo-workflows.defaultTag" .) .Values.controller.image.tag) "") "" | trunc 63 | quote -}}
 {{- end -}}
 {{/*
 Create kubernetes friendly chart version label for the server.
 Examples:
 image.tag = v3.4.4
 output    = v3.4.4
 image.tag = v3.4.4@sha256:d06860f1394a94ac3ff8401126ef32ba28915aa6c3c982c7e607ea0b4dadb696
 output    = v3.4.4
 */}}
 {{- define "argo-workflows.server_chart_version_label" -}}
 {{- regexReplaceAll "[^a-zA-Z0-9-_.]+" (regexReplaceAll "@sha256:[a-f0-9]+" (default (include "argo-workflows.defaultTag" .) .Values.server.image.tag) "") "" | trunc 63 | quote -}}
 {{- end -}}
 {{/*
 Common labels
 */}}
 {{- define "argo-workflows.labels" -}}
 helm.sh/chart: {{ include "argo-workflows.chart" .context }}
 {{ include "argo-workflows.selectorLabels" (dict "context" .context "component" .component "name" .name) }}
 app.kubernetes.io/managed-by: {{ .context.Release.Service }}
 app.kubernetes.io/part-of: argo-workflows
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "argo-workflows.selectorLabels" -}}
 {{- if .name -}}
 app.kubernetes.io/name: {{ include "argo-workflows.name" .context }}-{{ .name }}
 {{ end -}}
 app.kubernetes.io/instance: {{ .context.Release.Name }}
 {{- if .component }}
 app.kubernetes.io/component: {{ .component }}
 {{- end }}
 {{- end }}
 {{/*
 Create the name of the server service account to use
 */}}
 {{- define "argo-workflows.serverServiceAccountName" -}}
 {{- if .Values.server.serviceAccount.create -}}
    {{ default (include "argo-workflows.server.fullname" .) .Values.server.serviceAccount.name }}
 {{- else -}}
    {{ default "default" .Values.server.serviceAccount.name }}
 {{- end -}}
 {{- end -}}
 {{/*
 Create the name of the controller service account to use
 */}}
 {{- define "argo-workflows.controllerServiceAccountName" -}}
 {{- if .Values.controller.serviceAccount.create -}}
    {{ default (include "argo-workflows.controller.fullname" .) .Values.controller.serviceAccount.name }}
 {{- else -}}
    {{ default "default" .Values.controller.serviceAccount.name }}
 {{- end -}}
 {{- end -}}
 {{/*
 Return the appropriate apiVersion for ingress
 */}}
 {{- define "argo-workflows.ingress.apiVersion" -}}
 {{- if semverCompare "<1.14-0" (include "argo-workflows.kubeVersion" $) -}}
 {{- print "extensions/v1beta1" -}}
 {{- else if semverCompare "<1.19-0" (include "argo-workflows.kubeVersion" $) -}}
 {{- print "networking.k8s.io/v1beta1" -}}
 {{- else -}}
 {{- print "networking.k8s.io/v1" -}}
 {{- end -}}
 {{- end -}}
 {{/*
 Return the target Kubernetes version
 */}}
 {{- define "argo-workflows.kubeVersion" -}}
  {{- default .Capabilities.KubeVersion.Version .Values.kubeVersionOverride }}
 {{- end -}}
 {{/*
 Return the default Argo Workflows app version
 */}}
 {{- define "argo-workflows.defaultTag" -}}
  {{- default .Chart.AppVersion .Values.images.tag }}
 {{- end -}}
 {{/*
 Return full image name including or excluding registry based on existence
 */}}
 {{- define "argo-workflows.image" -}}
 {{- if and .image.registry .image.repository -}}
  {{ .image.registry }}/{{ .image.repository }}
 {{- else -}}
  {{ .image.repository }}
 {{- end -}}
 {{- end -}}
 {{/*
 Return the appropriate apiVersion for autoscaling
 */}}
 {{- define "argo-workflows.apiVersion.autoscaling" -}}
 {{- if .Values.apiVersionOverrides.autoscaling -}}
 {{- print .Values.apiVersionOverrides.autoscaling -}}
 {{- else if semverCompare "<1.23-0" (include "argo-workflows.kubeVersion" .) -}}
 {{- print "autoscaling/v2beta1" -}}
 {{- else -}}
 {{- print "autoscaling/v2" -}}
 {{- end -}}
 {{- end -}}
 {{/*
 Return the appropriate apiVersion for GKE resources
 */}}
 {{- define "argo-workflows.apiVersions.cloudgoogle" -}}
 {{- if .Values.apiVersionOverrides.cloudgoogle -}}
 {{- print .Values.apiVersionOverrides.cloudgoogle -}}
 {{- else if .Capabilities.APIVersions.Has "cloud.google.com/v1" -}}
 {{- print "cloud.google.com/v1" -}}
 {{- else -}}
 {{- print "cloud.google.com/v1beta1" -}}
 {{- end -}}
 {{- end -}}
--- a/apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/controller/workflow-controller-config-map.yaml
+++ b/apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/controller/workflow-controller-config-map.yaml
@@ -1,208 +0,0 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ template "argo-workflows.controller.fullname" . }}-configmap
  namespace: {{ .Release.Namespace | quote }}
  labels:
    {{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" "cm") | nindent 4 }}
 data:
  config: |
    {{- if .Values.controller.instanceID.enabled }}
      {{- if .Values.controller.instanceID.useReleaseName }}
    instanceID: {{ .Release.Namespace }}
      {{- else }}
    instanceID: {{ .Values.controller.instanceID.explicitID }}
      {{- end }}
    {{- end }}
    {{- if .Values.controller.parallelism }}
    parallelism: {{ .Values.controller.parallelism }}
    {{- end }}
    {{- if .Values.controller.resourceRateLimit }}
    resourceRateLimit: {{ toYaml .Values.controller.resourceRateLimit | nindent 6 }}
    {{- end }}
    {{- with .Values.controller.namespaceParallelism }}
    namespaceParallelism: {{ . }}
    {{- end }}
    {{- with .Values.controller.initialDelay }}
    initialDelay: {{ . }}
    {{- end }}
    {{- if or .Values.mainContainer.resources .Values.mainContainer.env .Values.mainContainer.envFrom .Values.mainContainer.securityContext}}
    mainContainer:
      imagePullPolicy: {{ default (.Values.images.pullPolicy) .Values.mainContainer.imagePullPolicy }}
      {{- with .Values.mainContainer.resources }}
      resources: {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.mainContainer.env }}
      env: {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.mainContainer.envFrom }}
      envFrom: {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.mainContainer.securityContext }}
      securityContext: {{- toYaml . | nindent 8 }}
      {{- end }}
    {{- end }}
    {{- if or .Values.executor.resources .Values.executor.env .Values.executor.args .Values.executor.securityContext}}
    executor:
      imagePullPolicy: {{ default (.Values.images.pullPolicy) .Values.executor.image.pullPolicy }}
      {{- with .Values.executor.resources }}
      resources: {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.executor.args }}
      args: {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.executor.env }}
      env: {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.executor.securityContext }}
      securityContext: {{- toYaml . | nindent 8 }}
      {{- end }}
    {{- end }}
    {{- if or .Values.artifactRepository.s3 .Values.artifactRepository.gcs .Values.artifactRepository.azure .Values.customArtifactRepository }}
    artifactRepository:
      {{- if .Values.artifactRepository.archiveLogs }}
      archiveLogs: {{ .Values.artifactRepository.archiveLogs }}
      {{- end }}
      {{- with .Values.artifactRepository.gcs }}
      gcs: {{- tpl (toYaml .) $ | nindent 8 }}
      {{- end }}
      {{- with .Values.artifactRepository.azure }}
      azure: {{- tpl (toYaml .) $ | nindent 8 }}
      {{- end }}
      {{- if .Values.artifactRepository.s3 }}
      s3:
        {{- if .Values.useStaticCredentials }}
        accessKeySecret:
          key: {{ tpl .Values.artifactRepository.s3.accessKeySecret.key . }}
          name: {{ tpl .Values.artifactRepository.s3.accessKeySecret.name . }}
        secretKeySecret:
          key: {{ tpl .Values.artifactRepository.s3.secretKeySecret.key . }}
          name: {{ tpl .Values.artifactRepository.s3.secretKeySecret.name . }}
        {{- end }}
        bucket: {{ tpl (.Values.artifactRepository.s3.bucket | default "") . }}
        endpoint: workflow-archivelog-s3.user-system-{{ .Values.global.bfl.username }}:4568
        insecure: {{ .Values.artifactRepository.s3.insecure }}
        {{- if .Values.artifactRepository.s3.keyFormat }}
        keyFormat: {{ .Values.artifactRepository.s3.keyFormat | quote }}
        {{- end }}
        {{- if .Values.artifactRepository.s3.region }}
        region: {{ tpl .Values.artifactRepository.s3.region $ }}
        {{- end }}
        {{- if .Values.artifactRepository.s3.roleARN }}
        roleARN: {{ .Values.artifactRepository.s3.roleARN }}
        {{- end }}
        {{- if .Values.artifactRepository.s3.useSDKCreds }}
        useSDKCreds: {{ .Values.artifactRepository.s3.useSDKCreds }}
        {{- end }}
        {{- with .Values.artifactRepository.s3.encryptionOptions }}
        encryptionOptions:
          {{- toYaml . | nindent 10 }}
        {{- end }}
      {{- end }}
      {{- if .Values.customArtifactRepository }}
      {{- toYaml .Values.customArtifactRepository | nindent 6 }}
      {{- end }}
    {{- end }}
    {{- if .Values.controller.metricsConfig.enabled }}
    metricsConfig:
      enabled: {{ .Values.controller.metricsConfig.enabled }}
      path: {{ .Values.controller.metricsConfig.path }}
      port: {{ .Values.controller.metricsConfig.port }}
      {{- if .Values.controller.metricsConfig.metricsTTL }}
      metricsTTL: {{ .Values.controller.metricsConfig.metricsTTL }}
      {{- end }}
      ignoreErrors: {{ .Values.controller.metricsConfig.ignoreErrors }}
      secure: {{ .Values.controller.metricsConfig.secure }}
    {{- end }}
    {{- if .Values.controller.telemetryConfig.enabled }}
    telemetryConfig:
      enabled: {{ .Values.controller.telemetryConfig.enabled }}
      path: {{ .Values.controller.telemetryConfig.path }}
      port: {{ .Values.controller.telemetryConfig.port }}
      {{- if .Values.controller.telemetryConfig.metricsTTL }}
      metricsTTL: {{ .Values.controller.telemetryConfig.metricsTTL }}
      {{- end }}
      ignoreErrors: {{ .Values.controller.telemetryConfig.ignoreErrors }}
      secure: {{ .Values.controller.telemetryConfig.secure }}
    {{- end }}
    persistence:
      connectionPool:
        maxIdleConns: 5
        maxOpenConns: 0
      archive: true
      archiveTTL: 5d
      postgresql:
        host: citus-master-svc.user-system-{{ .Values.global.bfl.username }}
        port: 5432
        database: user_space_{{ .Values.global.bfl.username }}_argo
        tableName: argo_workflows
        userNameSecret:
          name: rss-secrets
          key: pg_user
        passwordSecret:
          name: rss-secrets
          key: pg_password
    {{- if .Values.controller.workflowDefaults }}
    workflowDefaults:
 {{ toYaml .Values.controller.workflowDefaults | indent 6 }}{{- end }}
    {{- if .Values.server.sso.enabled }}
    sso:
      issuer: {{ .Values.server.sso.issuer }}
      clientId:
        name: {{ .Values.server.sso.clientId.name }}
        key: {{ .Values.server.sso.clientId.key }}
      clientSecret:
        name: {{ .Values.server.sso.clientSecret.name }}
        key: {{ .Values.server.sso.clientSecret.key }}
      redirectUrl: {{ .Values.server.sso.redirectUrl }}
      rbac:
        enabled: {{ .Values.server.sso.rbac.enabled }}
      {{- with .Values.server.sso.scopes }}
      scopes: {{ toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.server.sso.issuerAlias }}
      issuerAlias: {{ toYaml . }}
      {{- end }}
      {{- with .Values.server.sso.sessionExpiry }}
      sessionExpiry: {{ toYaml . }}
      {{- end }}
      {{- with .Values.server.sso.customGroupClaimName }}
      customGroupClaimName: {{ toYaml . }}
      {{- end }}
      {{- with .Values.server.sso.userInfoPath }}
      userInfoPath: {{ toYaml . }}
      {{- end }}
      {{- with .Values.server.sso.insecureSkipVerify }}
      insecureSkipVerify: {{ toYaml . }}
      {{- end }}
    {{- end }}
    {{- with .Values.controller.workflowRestrictions }}
    workflowRestrictions: {{- toYaml . | nindent 6 }}
    {{- end }}
    {{- with .Values.controller.links }}
    links: {{- toYaml . | nindent 6 }}
    {{- end }}
    {{- with .Values.controller.columns }}
    columns: {{- toYaml . | nindent 6 }}
    {{- end }}
    {{- with .Values.controller.navColor }}
    navColor: {{ . }}
    {{- end }}
    {{- with .Values.controller.retentionPolicy }}
    retentionPolicy: {{- toYaml . | nindent 6 }}
    {{- end }}
    {{- with .Values.emissary.images }}
    images: {{- toYaml . | nindent 6 }}
    {{- end }}
    nodeEvents:
      enabled: {{ .Values.controller.nodeEvents.enabled }}
    {{- with .Values.controller.kubeConfig }}
    kubeConfig: {{- toYaml . | nindent 6 }}
    {{- end }}
    {{- with .Values.controller.podGCGracePeriodSeconds }}
    podGCGracePeriodSeconds: {{ . }}
    {{- end }}
    {{- with .Values.controller.podGCDeleteDelayDuration }}
    podGCDeleteDelayDuration: {{ . }}
    {{- end }}
--- a/apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/controller/workflow-controller-crb.yaml
+++ b/apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/controller/workflow-controller-crb.yaml
@@ -1,45 +0,0 @@
 {{- if .Values.controller.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 {{- if .Values.singleNamespace }}
 kind: RoleBinding
 {{ else }}
 kind: ClusterRoleBinding
 {{- end }}
 metadata:
  name: {{ .Release.Namespace }}:{{ template "argo-workflows.controller.fullname" . }}
  {{- if .Values.singleNamespace }}
  namespace: {{ .Release.Namespace | quote }}
  {{- end }}
  labels:
    {{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  {{- if .Values.singleNamespace }}
  kind: Role
  {{ else }}
  kind: ClusterRole
  {{- end }}
  name: {{ template "argo-workflows.controller.fullname" . }}
 subjects:
  - kind: ServiceAccount
    name: {{ template "argo-workflows.controllerServiceAccountName" . }}
    namespace: {{ .Release.Namespace | quote }}
 {{- if .Values.controller.clusterWorkflowTemplates.enabled }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: {{ .Release.Namespace }}:{{ template "argo-workflows.controller.fullname" . }}-cluster-template
  labels:
    {{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "argo-workflows.controller.fullname" . }}-cluster-template
 subjects:
  - kind: ServiceAccount
    name: {{ template "argo-workflows.controllerServiceAccountName" . }}
    namespace: {{ .Release.Namespace | quote }}
 {{- end }}
 {{- end }}
--- a/apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/controller/workflow-controller-deployment.yaml
+++ b/apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/controller/workflow-controller-deployment.yaml
@@ -1,129 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ template "argo-workflows.controller.fullname" . }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    {{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
    app.kubernetes.io/version: {{ include "argo-workflows.controller_chart_version_label" . }}
  {{- with .Values.controller.deploymentAnnotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 spec:
  replicas: {{ .Values.controller.replicas }}
  selector:
    matchLabels:
      {{- include "argo-workflows.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 6 }}
  template:
    metadata:
      labels:
        {{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 8 }}
        app.kubernetes.io/version: {{ include "argo-workflows.controller_chart_version_label" . }}
        {{- with.Values.controller.podLabels }}
          {{- toYaml . | nindent 8 }}
        {{- end }}
      {{- with .Values.controller.podAnnotations }}
      annotations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
    spec:
      serviceAccountName: {{ template "argo-workflows.controllerServiceAccountName" . }}
      {{- with .Values.controller.podSecurityContext }}
      securityContext:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.controller.extraInitContainers }}
      initContainers:
        {{- tpl (toYaml .) $ | nindent 8 }}
      {{- end }}
      containers:
        - name: controller
          image: "{{- include "argo-workflows.image" (dict "context" . "image" .Values.controller.image) }}:{{ default (include "argo-workflows.defaultTag" .) .Values.controller.image.tag }}"
          imagePullPolicy: {{ .Values.images.pullPolicy }}
          command: [ "workflow-controller" ]
          args:
          - "--configmap"
          - "{{ template "argo-workflows.controller.fullname" . }}-configmap"
          - "--executor-image"
          - "{{- include "argo-workflows.image" (dict "context" . "image" .Values.executor.image) }}:{{ default (include "argo-workflows.defaultTag" .) .Values.executor.image.tag }}"
          - "--loglevel"
          - "{{ .Values.controller.logging.level }}"
          - "--gloglevel"
          - "{{ .Values.controller.logging.globallevel }}"
          - "--log-format"
          - "{{ .Values.controller.logging.format }}"
          {{- if .Values.singleNamespace }}
          - "--namespaced"
          {{- end }}
          {{- with .Values.controller.workflowWorkers }}
          - "--workflow-workers"
          - {{ . | quote }}
          {{- end }}
          {{- with .Values.controller.extraArgs }}
            {{- toYaml . | nindent 10 }}
          {{- end }}
          securityContext:
            {{- toYaml .Values.controller.securityContext | nindent 12 }}
          env:
            - name: ARGO_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: LEADER_ELECTION_IDENTITY
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
          {{- with .Values.controller.extraEnv }}
            {{- toYaml . | nindent 12 }}
          {{- end }}
          resources:
            {{- toYaml .Values.controller.resources | nindent 12 }}
          {{- with .Values.controller.volumeMounts }}
          volumeMounts:
            {{- toYaml . | nindent 10 }}
          {{- end }}
          ports:
            - name: {{ .Values.controller.metricsConfig.portName }}
              containerPort: {{ .Values.controller.metricsConfig.port }}
            - containerPort: 6060
          livenessProbe: {{ .Values.controller.livenessProbe | toYaml | nindent 12 }}
        {{- with .Values.controller.extraContainers }}
          {{- toYaml . | nindent 8 }}
        {{- end }}
      {{- with .Values.images.pullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.controller.volumes }}
      volumes:
        {{- toYaml . | nindent 6 }}
      {{- end }}
      {{- with .Values.controller.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.controller.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.controller.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.controller.topologySpreadConstraints }}
      topologySpreadConstraints:
        {{- range $constraint := . }}
      - {{ toYaml $constraint | nindent 8 | trim }}
        {{- if not $constraint.labelSelector }}
        labelSelector:
          matchLabels:
            {{- include "argo-workflows.selectorLabels" (dict "context" $ "name" $.Values.controller.name) | nindent 12 }}
        {{- end }}
        {{- end }}
      {{- end }}
      {{- with .Values.controller.priorityClassName }}
      priorityClassName: {{ . }}
      {{- end }}
--- a/apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/controller/workflow-controller-sa.yaml
+++ b/apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/controller/workflow-controller-sa.yaml
@@ -1,16 +0,0 @@
 {{- if .Values.controller.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ template "argo-workflows.controllerServiceAccountName" . }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    {{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
  {{- with .Values.controller.serviceAccount.labels  }}
    {{- toYaml . | nindent 4 }}
  {{- end }}
  {{ with .Values.controller.serviceAccount.annotations }}
  annotations:
    {{- toYaml .| nindent 4 }}
  {{- end }}
 {{- end }}
--- a/apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/controller/workflow-rb.yaml
+++ b/apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/controller/workflow-rb.yaml
@@ -1,15 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: {{ template "argo-workflows.fullname" $ }}-workflow
  labels:
    {{- include "argo-workflows.labels" (dict "context" $ "component" $.Values.controller.name "name" $.Values.controller.name) | nindent 4 }}
  namespace: {{ $.Release.Namespace}}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ template "argo-workflows.fullname" $ }}-workflow
 subjects:
  - kind: ServiceAccount
    name: {{ $.Values.workflow.serviceAccount.name }}
    namespace: {{ $.Release.Namespace}}
--- a/apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/extra-manifests.yaml
+++ b/apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/extra-manifests.yaml
@@ -1,8 +0,0 @@
 {{ range .Values.extraObjects }}
 ---
 {{- if typeIs "string" . }}
    {{- tpl . $ }}
 {{- else }}
    {{- tpl (toYaml .) $ }}
 {{- end }}
 {{ end }}
--- a/apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/server/server-crb.yaml
+++ b/apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/server/server-crb.yaml
@@ -1,45 +0,0 @@
 {{- if and .Values.server.enabled .Values.server.rbac.create -}}
 apiVersion: rbac.authorization.k8s.io/v1
 {{- if .Values.singleNamespace }}
 kind: RoleBinding
 {{ else }}
 kind: ClusterRoleBinding
 {{- end }}
 metadata:
  name: {{ .Release.Namespace }}:{{ template "argo-workflows.server.fullname" . }}
  {{- if .Values.singleNamespace }}
  namespace: {{ .Release.Namespace | quote }}
  {{- end }}
  labels:
    {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  {{- if .Values.singleNamespace }}
  kind: Role
  {{ else }}
  kind: ClusterRole
  {{- end }}
  name: {{ template "argo-workflows.server.fullname" . }}
 subjects:
 - kind: ServiceAccount
  name: {{ template "argo-workflows.serverServiceAccountName" . }}
  namespace: {{ .Release.Namespace | quote }}
 {{- if .Values.server.clusterWorkflowTemplates.enabled }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: {{ .Release.Namespace }}:{{ template "argo-workflows.server.fullname" . }}-cluster-template
  labels:
    {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "argo-workflows.server.fullname" . }}-cluster-template
 subjects:
 - kind: ServiceAccount
  name: {{ template "argo-workflows.serverServiceAccountName" . }}
  namespace: {{ .Release.Namespace | quote }}
 {{- end -}}
 {{- end -}}
--- a/apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/server/server-deployment.yaml
+++ b/apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/server/server-deployment.yaml
@@ -1,142 +0,0 @@
 {{- if .Values.server.enabled -}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ template "argo-workflows.server.fullname" . }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: argoworkflows
    app.kubernetes.io/managed-by: Helm
    {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
    app.kubernetes.io/version: {{ include "argo-workflows.server_chart_version_label" . }}
  {{- with .Values.server.deploymentAnnotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
    applications.app.bytetrade.io/icon: https://argoproj.github.io/argo-workflows/assets/logo.png
    applications.app.bytetrade.io/title: argoworkflows
    applications.app.bytetrade.io/version: '0.35.0'
  {{- end }}
 spec:
  {{- if not .Values.server.autoscaling.enabled }}
  replicas: {{ .Values.server.replicas }}
  {{- end }}
  selector:
    matchLabels:
      {{- include "argo-workflows.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 6 }}
      app: argoworkflows
  template:
    metadata:
      labels:
        app: argoworkflows
        {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 8 }}
        app.kubernetes.io/version: {{ include "argo-workflows.server_chart_version_label" . }}
        {{- with .Values.server.podLabels }}
          {{- toYaml . | nindent 8 }}
        {{- end }}
      {{- with .Values.server.podAnnotations }}
      annotations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
    spec:
      serviceAccountName: {{ template "argo-workflows.serverServiceAccountName" . }}
      {{- with .Values.server.podSecurityContext }}
      securityContext:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.server.extraInitContainers }}
      initContainers:
        {{- tpl (toYaml .) $ | nindent 8 }}
      {{- end }}
      containers:
        - name: argo-server
          image: "{{- include "argo-workflows.image" (dict "context" . "image" .Values.server.image) }}:{{ default (include "argo-workflows.defaultTag" .) .Values.server.image.tag }}"
          imagePullPolicy: {{ .Values.images.pullPolicy }}
          securityContext:
            {{- toYaml .Values.server.securityContext | nindent 12 }}
          args:
            - server
            - --configmap={{ template "argo-workflows.controller.fullname" . }}-configmap
          {{- with .Values.server.extraArgs }}
            {{- toYaml . | nindent 10 }}
          {{- end }}
          {{- if .Values.server.authMode }}
            - "--auth-mode={{ .Values.server.authMode }}"
          {{- end }}
            - "--secure={{ .Values.server.secure }}"
            - "--x-frame-options="
          {{- if .Values.singleNamespace }}
            - "--namespaced"
          {{- end }}
            - "--loglevel"
            - "{{ .Values.server.logging.level }}"
            - "--gloglevel"
            - "{{ .Values.server.logging.globallevel }}"
            - "--log-format"
            - "{{ .Values.server.logging.format }}"
          ports:
            - name: web
              containerPort: 2746
          readinessProbe:
            httpGet:
              path: /
              port: 2746
              {{- if .Values.server.secure }}
              scheme: HTTPS
              {{- else }}
              scheme: HTTP
              {{- end }}
            initialDelaySeconds: 10
            periodSeconds: 20
          env:
            - name: IN_CLUSTER
              value: "true"
            - name: ARGO_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: BASE_HREF
              value: {{ .Values.server.baseHref | quote }}
          {{- with .Values.server.extraEnv }}
            {{- toYaml . | nindent 12 }}
          {{- end }}
          resources:
            {{- toYaml .Values.server.resources | nindent 12 }}
          volumeMounts:
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: tmp
          emptyDir: {}
      {{- with .Values.server.volumes }}
        {{- toYaml . | nindent 6}}
      {{- end }}
      {{- with .Values.server.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.server.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.server.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.server.topologySpreadConstraints }}
      topologySpreadConstraints:
        {{- range $constraint := . }}
        - {{ toYaml $constraint | nindent 8 | trim }}
        {{- if not $constraint.labelSelector }}
          labelSelector:
            matchLabels:
            {{- include "argo-workflows.selectorLabels" (dict "context" $ "name" $.Values.server.name) | nindent 12 }}
        {{- end }}
        {{- end }}
      {{- end }}
      {{- with .Values.server.priorityClassName }}
      priorityClassName: {{ . }}
      {{- end }}
 {{- end -}}
--- a/apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/server/server-sa.yaml
+++ b/apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/server/server-sa.yaml
@@ -1,16 +0,0 @@
 {{- if and .Values.server.enabled .Values.server.serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ template "argo-workflows.serverServiceAccountName" . }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
  {{- with .Values.server.serviceAccount.labels  }}
    {{- toYaml . | nindent 4 }}
  {{- end }}
  {{- with .Values.server.serviceAccount.annotations  }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 {{- end -}}
--- a/apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/server/server-service.yaml
+++ b/apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/server/server-service.yaml
@@ -1,36 +0,0 @@
 {{- if .Values.server.enabled -}}
 apiVersion: v1
 kind: Service
 metadata:
  name: {{ template "argo-workflows.server.fullname" . }}-svc
  namespace: {{ .Release.Namespace | quote }}
  labels:
    {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
    app.kubernetes.io/version: {{ include "argo-workflows.server_chart_version_label" . }}
  {{- with .Values.server.serviceAnnotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 spec:
  ports:
  - port: {{ .Values.server.servicePort }}
    {{- with .Values.server.servicePortName }}
    name: {{ . }}
    {{- end }}
    targetPort: 2746
    {{- if and (eq .Values.server.serviceType "NodePort") .Values.server.serviceNodePort }}
    nodePort: {{ .Values.server.serviceNodePort }}
    {{- end }}
  selector:
    app: {{ template "argo-workflows.server.fullname" . }}
    {{- include "argo-workflows.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 4 }}
  sessionAffinity: None
  type: {{ .Values.server.serviceType }}
  {{- if and (eq .Values.server.serviceType "LoadBalancer") .Values.server.loadBalancerIP }}
  loadBalancerIP: {{ .Values.server.loadBalancerIP | quote }}
  {{- end }}
  {{- if and (eq .Values.server.serviceType "LoadBalancer") .Values.server.loadBalancerSourceRanges }}
  loadBalancerSourceRanges:
    {{- toYaml .Values.server.loadBalancerSourceRanges | nindent 4 }}
  {{- end }}
 {{- end -}}
--- a/apps/argo/config/user/helm-charts/argo/charts/argoworkflows/values.yaml
+++ b/apps/argo/config/user/helm-charts/argo/charts/argoworkflows/values.yaml
@@ -1,840 +0,0 @@
 images:
  # -- Common tag for Argo Workflows images. Defaults to `.Chart.AppVersion`.
  tag: ""
  # -- imagePullPolicy to apply to all containers
  pullPolicy: IfNotPresent
  # -- Secrets with credentials to pull images from a private registry
  pullSecrets: []
  # - name: argo-pull-secret
 ## Custom resource configuration
 crds:
  # -- Install and upgrade CRDs
  install: true
  # -- Keep CRDs on chart uninstall
  keep: true
  # -- Annotations to be added to all CRDs
  annotations: {}
 # -- Create clusterroles that extend existing clusterroles to interact with argo-cd crds
 ## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
 createAggregateRoles: true
 # -- String to partially override "argo-workflows.fullname" template
 nameOverride:
 # -- String to fully override "argo-workflows.fullname" template
 fullnameOverride:
 # -- Override the Kubernetes version, which is used to evaluate certain manifests
 kubeVersionOverride: ""
 # Override APIVersions
 apiVersionOverrides:
  # -- String to override apiVersion of autoscaling rendered by this helm chart
  autoscaling: "" # autoscaling/v2
  # -- String to override apiVersion of GKE resources rendered by this helm chart
  cloudgoogle: "" # cloud.google.com/v1
 # -- Restrict Argo to operate only in a single namespace (the namespace of the
 # Helm release) by apply Roles and RoleBindings instead of the Cluster
 # equivalents, and start workflow-controller with the --namespaced flag. Use it
 # in clusters with strict access policy.
 singleNamespace: false
 workflow:
  # -- Deprecated; use controller.workflowNamespaces instead.
  namespace:
  serviceAccount:
    # -- Specifies whether a service account should be created
    create: false
    # -- Labels applied to created service account
    labels: {}
    # -- Annotations applied to created service account
    annotations: {}
    # -- Service account which is used to run workflows
    name: "argo-workflow"
    # -- Secrets with credentials to pull images from a private registry. Same format as `.Values.images.pullSecrets`
    pullSecrets: []
  rbac:
    # -- Adds Role and RoleBinding for the above specified service account to be able to run workflows.
    # A Role and Rolebinding pair is also created for each namespace in controller.workflowNamespaces (see below)
    create: true
 controller:
  image:
    # -- Registry to use for the controller
    registry: quay.io
    # -- Registry to use for the controller
    repository: argoproj/workflow-controller
    # -- Image tag for the workflow controller. Defaults to `.Values.images.tag`.
    tag: ""
  # -- parallelism dictates how many workflows can be running at the same time
  parallelism:
  # -- Globally limits the rate at which pods are created.
  # This is intended to mitigate flooding of the Kubernetes API server by workflows with a large amount of
  # parallel nodes.
  resourceRateLimit: {}
    # limit: 10
  # burst: 1
  rbac:
    # -- Adds Role and RoleBinding for the controller.
    create: true
    # -- Allows controller to get, list, and watch certain k8s secrets
    secretWhitelist: []
    # -- Allows controller to get, list and watch all k8s secrets. Can only be used if secretWhitelist is empty.
    accessAllSecrets: false
    # -- Allows controller to create and update ConfigMaps. Enables memoization feature
    writeConfigMaps: false
  # -- Limits the maximum number of incomplete workflows in a namespace
  namespaceParallelism:
  # -- Resolves ongoing, uncommon AWS EKS bug: https://github.com/argoproj/argo-workflows/pull/4224
  initialDelay:
  # -- deploymentAnnotations is an optional map of annotations to be applied to the controller Deployment
  deploymentAnnotations: {}
  # -- podAnnotations is an optional map of annotations to be applied to the controller Pods
  podAnnotations: {}
  # -- Optional labels to add to the controller pods
  podLabels: {}
  # -- SecurityContext to set on the controller pods
  podSecurityContext: {}
  # podPortName: http
  metricsConfig:
    # -- Enables prometheus metrics server
    enabled: false
    # -- Path is the path where metrics are emitted. Must start with a "/".
    path: /metrics
    # -- Port is the port where metrics are emitted
    port: 9090
    # -- How often custom metrics are cleared from memory
    metricsTTL: ""
    # -- Flag that instructs prometheus to ignore metric emission errors.
    ignoreErrors: false
    # --  Flag that use a self-signed cert for TLS
    secure: false
    # -- Container metrics port name
    portName: metrics
    # -- Service metrics port
    servicePort: 8090
    # -- Service metrics port name
    servicePortName: metrics
    # -- ServiceMonitor relabel configs to apply to samples before scraping
    ## Ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
    relabelings: []
    # -- ServiceMonitor metric relabel configs to apply to samples before ingestion
    ## Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#endpoint
    metricRelabelings: []
    # -- ServiceMonitor will add labels from the service to the Prometheus metric
    ## Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitorspec
    targetLabels: []
  # -- the controller container's securityContext
  securityContext:
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
  # -- enable persistence using postgres
  persistence: {}
  # connectionPool:
  #   maxIdleConns: 100
  #   maxOpenConns: 0
  # # save the entire workflow into etcd and DB
  # nodeStatusOffLoad: false
  # # enable archiving of old workflows
  # archive: false
  # postgresql:
  #   host: localhost
  #   port: 5432
  #   database: postgres
  #   tableName: argo_workflows
  #   # the database secrets must be in the same namespace of the controller
  #   userNameSecret:
  #     name: argo-postgres-config
  #     key: username
  #   passwordSecret:
  #     name: argo-postgres-config
  #     key: password
  # -- Default values that will apply to all Workflows from this controller, unless overridden on the Workflow-level.
  # Only valid for 2.7+
  ## See more: https://argoproj.github.io/argo-workflows/default-workflow-specs/
  workflowDefaults: {}
  #   spec:
  #     ttlStrategy:
  #       secondsAfterCompletion: 84600
  #     # Ref: https://argoproj.github.io/argo-workflows/artifact-repository-ref/
  #     artifactRepositoryRef:
  #       configMap: my-artifact-repository # default is "artifact-repositories"
  #       key: v2-s3-artifact-repository # default can be set by the `workflows.argoproj.io/default-artifact-repository` annotation in config map.
  # -- Number of workflow workers
  workflowWorkers: # 32
  # -- Restricts the Workflows that the controller will process.
  # Only valid for 2.9+
  workflowRestrictions: {}
  # templateReferencing: Strict|Secure
  # telemetryConfig controls the path and port for prometheus telemetry. Telemetry is enabled and emitted in the same endpoint
  # as metrics by default, but can be overridden using this config.
  telemetryConfig:
    # -- Enables prometheus telemetry server
    enabled: false
    # -- telemetry path
    path: /telemetry
    # -- telemetry container port
    port: 8081
    # -- How often custom metrics are cleared from memory
    metricsTTL: ""
    # -- Flag that instructs prometheus to ignore metric emission errors.
    ignoreErrors: false
    # --  Flag that use a self-signed cert for TLS
    secure: false
    # -- telemetry service port
    servicePort: 8081
    # -- telemetry service port name
    servicePortName: telemetry
  serviceMonitor:
    # -- Enable a prometheus ServiceMonitor
    enabled: false
    # -- Prometheus ServiceMonitor labels
    additionalLabels: {}
    # -- Prometheus ServiceMonitor namespace
    namespace: "" # "monitoring"
  serviceAccount:
    # -- Create a service account for the controller
    create: true
    # -- Service account name
    name: ""
    # -- Labels applied to created service account
    labels: {}
    # -- Annotations applied to created service account
    annotations: {}
  # -- Workflow controller name string
  name: workflow-controller
  # -- Specify all namespaces where this workflow controller instance will manage
  # workflows. This controls where the service account and RBAC resources will
  # be created. Only valid when singleNamespace is false.
  workflowNamespaces:
    - default
  instanceID:
    # -- Configures the controller to filter workflow submissions
    # to only those which have a matching instanceID attribute.
    ## NOTE: If `instanceID.enabled` is set to `true` then either `instanceID.userReleaseName`
    ## or `instanceID.explicitID` must be defined.
    enabled: true
    # -- Use ReleaseName as instanceID
    useReleaseName: true
    # useReleaseName: true
    # -- Use a custom instanceID
    explicitID: ""
    # explicitID: unique-argo-controller-identifier
  logging:
    # -- Set the logging level (one of: `debug`, `info`, `warn`, `error`)
    level: info
    # -- Set the glog logging level
    globallevel: "0"
    # -- Set the logging format (one of: `text`, `json`)
    format: "text"
  # -- Service type of the controller Service
  serviceType: ClusterIP
  # -- Annotations to be applied to the controller Service
  serviceAnnotations: {}
  # -- Optional labels to add to the controller Service
  serviceLabels: {}
  # -- Source ranges to allow access to service from. Only applies to service type `LoadBalancer`
  loadBalancerSourceRanges: []
  # -- Resource limits and requests for the controller
  resources: {}
  # -- Configure liveness [probe] for the controller
  # @default -- See [values.yaml]
  livenessProbe:
    httpGet:
      port: 6060
      path: /healthz
    failureThreshold: 3
    initialDelaySeconds: 90
    periodSeconds: 60
    timeoutSeconds: 30
  # -- Extra environment variables to provide to the controller container
  extraEnv: []
    # - name: FOO
  #   value: "bar"
  # -- Extra arguments to be added to the controller
  extraArgs: []
  # -- Additional volume mounts to the controller main container
  volumeMounts: []
  # -- Additional volumes to the controller pod
  volumes: []
  # -- The number of controller pods to run
  replicas: 1
  pdb:
    # -- Configure [Pod Disruption Budget] for the controller pods
    enabled: false
    # minAvailable: 1
    # maxUnavailable: 1
  # -- [Node selector]
  nodeSelector:
    kubernetes.io/os: linux
  # -- [Tolerations] for use with node taints
  tolerations: []
  # -- Assign custom [affinity] rules
  affinity: {}
  # -- Assign custom [TopologySpreadConstraints] rules to the workflow controller
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
  ## If labelSelector is left out, it will default to the labelSelector configuration of the deployment
  topologySpreadConstraints: []
  # - maxSkew: 1
  #   topologyKey: topology.kubernetes.io/zone
  #   whenUnsatisfiable: DoNotSchedule
  # -- Leverage a PriorityClass to ensure your pods survive resource shortages.
  ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
  priorityClassName: ""
  # -- Configure Argo Server to show custom [links]
  ## Ref: https://argoproj.github.io/argo-workflows/links/
  links: []
  # -- Configure Argo Server to show custom [columns]
  ## Ref: https://github.com/argoproj/argo-workflows/pull/10693
  columns: []
  # -- Set ui navigation bar background color
  navColor: ""
  clusterWorkflowTemplates:
    # -- Create a ClusterRole and CRB for the controller to access ClusterWorkflowTemplates.
    enabled: true
  # -- Extra containers to be added to the controller deployment
  extraContainers: []
  # -- Enables init containers to be added to the controller deployment
  extraInitContainers: []
  # -- Workflow retention by number of workflows
  retentionPolicy: {}
  #  completed: 10
  #  failed: 3
  #  errored: 3
  nodeEvents:
    # -- Enable to emit events on node completion.
    ## This can take up a lot of space in k8s (typically etcd) resulting in errors when trying to create new events:
    ## "Unable to create audit event: etcdserver: mvcc: database space exceeded"
    enabled: true
  # -- Configure when workflow controller runs in a different k8s cluster with the workflow workloads,
  # or needs to communicate with the k8s apiserver using an out-of-cluster kubeconfig secret.
  # @default -- `{}` (See [values.yaml])
  kubeConfig: {}
    # # name of the kubeconfig secret, may not be empty when kubeConfig specified
    # secretName: kubeconfig-secret
    # # key of the kubeconfig secret, may not be empty when kubeConfig specified
    # secretKey: kubeconfig
    # # mounting path of the kubeconfig secret, default to /kube/config
    # mountPath: /kubeconfig/mount/path
    # # volume name when mounting the secret, default to kubeconfig
  # volumeName: kube-config-volume
  # -- Specifies the duration in seconds before a terminating pod is forcefully killed. A zero value indicates that the pod will be forcefully terminated immediately.
  # @default -- `30` seconds (Kubernetes default)
  podGCGracePeriodSeconds:
  # -- The duration in seconds before the pods in the GC queue get deleted. A zero value indicates that the pods will be deleted immediately.
  # @default -- `5s` (Argo Workflows default)
  podGCDeleteDelayDuration: ""
 # mainContainer adds default config for main container that could be overriden in workflows template
 mainContainer:
  # -- imagePullPolicy to apply to Workflow main container. Defaults to `.Values.images.pullPolicy`.
  imagePullPolicy: ""
  # -- Resource limits and requests for the Workflow main container
  resources: {}
  # -- Adds environment variables for the Workflow main container
  env: []
  # -- Adds reference environment variables for the Workflow main container
  envFrom: []
  # -- sets security context for the Workflow main container
  securityContext: {}
 # executor controls how the init and wait container should be customized
 executor:
  image:
    # -- Registry to use for the Workflow Executors
    registry: quay.io
    # -- Repository to use for the Workflow Executors
    repository: argoproj/argoexec
    # -- Image tag for the workflow executor. Defaults to `.Values.images.tag`.
    tag: ""
    # -- Image PullPolicy to use for the Workflow Executors. Defaults to `.Values.images.pullPolicy`.
    pullPolicy: ""
  # -- Resource limits and requests for the Workflow Executors
  resources: {}
  # -- Passes arguments to the executor processes
  args: []
  # -- Adds environment variables for the executor.
  env: []
  # -- sets security context for the executor container
  securityContext: {}
 server:
  # -- Deploy the Argo Server
  enabled: true
  # -- Value for base href in index.html. Used if the server is running behind reverse proxy under subpath different from /.
  ## only updates base url of resources on client side,
  ## it's expected that a proxy server rewrites the request URL and gets rid of this prefix
  ## https://github.com/argoproj/argo-workflows/issues/716#issuecomment-433213190
  baseHref: /
  image:
    # -- Registry to use for the server
    registry: quay.io
    # -- Repository to use for the server
    repository: argoproj/argocli
    # -- Image tag for the Argo Workflows server. Defaults to `.Values.images.tag`.
    tag: ""
  # -- optional map of annotations to be applied to the ui Deployment
  deploymentAnnotations: {}
  # -- optional map of annotations to be applied to the ui Pods
  podAnnotations: {}
  # -- Optional labels to add to the UI pods
  podLabels: {}
  # -- SecurityContext to set on the server pods
  podSecurityContext: {}
  rbac:
    # -- Adds Role and RoleBinding for the server.
    create: true
  # -- Servers container-level security context
  securityContext:
    readOnlyRootFilesystem: false
    runAsNonRoot: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
  # -- Server name string
  name: server
  # -- Service type for server pods
  serviceType: ClusterIP
  # -- Service port for server
  servicePort: 2746
  # -- Service node port
  serviceNodePort: # 32746
  # -- Service port name
  servicePortName: "http" # http
  serviceAccount:
    # -- Create a service account for the server
    create: true
    # -- Service account name
    name: ""
    # -- Labels applied to created service account
    labels: {}
    # -- Annotations applied to created service account
    annotations: {}
  # -- Annotations to be applied to the UI Service
  serviceAnnotations: {}
  # -- Optional labels to add to the UI Service
  serviceLabels: {}
  # -- Static IP address to assign to loadBalancer service type `LoadBalancer`
  loadBalancerIP: ""
  # -- Source ranges to allow access to service from. Only applies to service type `LoadBalancer`
  loadBalancerSourceRanges: []
  # -- Resource limits and requests for the server
  resources: {}
  # -- The number of server pods to run
  replicas: 1
  ## Argo Server Horizontal Pod Autoscaler
  autoscaling:
    # -- Enable Horizontal Pod Autoscaler ([HPA]) for the Argo Server
    enabled: false
    # -- Minimum number of replicas for the Argo Server [HPA]
    minReplicas: 1
    # -- Maximum number of replicas for the Argo Server [HPA]
    maxReplicas: 5
    # -- Average CPU utilization percentage for the Argo Server [HPA]
    targetCPUUtilizationPercentage: 50
    # -- Average memory utilization percentage for the Argo Server [HPA]
    targetMemoryUtilizationPercentage: 50
    # -- Configures the scaling behavior of the target in both Up and Down directions.
    # This is only available on HPA apiVersion `autoscaling/v2beta2` and newer
    behavior: {}
      # scaleDown:
      #  stabilizationWindowSeconds: 300
      #  policies:
      #   - type: Pods
      #     value: 1
      #     periodSeconds: 180
      # scaleUp:
      #   stabilizationWindowSeconds: 300
      #   policies:
      #   - type: Pods
    #     value: 2
  pdb:
    # -- Configure [Pod Disruption Budget] for the server pods
    enabled: false
    # minAvailable: 1
    # maxUnavailable: 1
  # -- [Node selector]
  nodeSelector:
    kubernetes.io/os: linux
  # -- [Tolerations] for use with node taints
  tolerations: []
  # -- Assign custom [affinity] rules
  affinity: {}
  # -- Assign custom [TopologySpreadConstraints] rules to the argo server
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
  ## If labelSelector is left out, it will default to the labelSelector configuration of the deployment
  topologySpreadConstraints: []
  # - maxSkew: 1
  #   topologyKey: topology.kubernetes.io/zone
  #   whenUnsatisfiable: DoNotSchedule
  # -- Leverage a PriorityClass to ensure your pods survive resource shortages
  ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
  priorityClassName: ""
  # -- Run the argo server in "secure" mode. Configure this value instead of `--secure` in extraArgs.
  ## See the following documentation for more details on secure mode:
  ## https://argoproj.github.io/argo-workflows/tls/
  secure: false
  # -- Extra environment variables to provide to the argo-server container
  extraEnv: []
    # - name: FOO
  #   value: "bar"
  # -- Auth Mode is available from `server` , `client` or `sso`. If you chose `sso` , please configure `.Values.server.sso` as well.
  ## Ref: https://argoproj.github.io/argo-workflows/argo-server-auth-mode/
  authMode: "server"
  # -- Extra arguments to provide to the Argo server binary.
  ## Ref: https://argoproj.github.io/argo-workflows/argo-server/#options
  extraArgs: []
  logging:
    # -- Set the logging level (one of: `debug`, `info`, `warn`, `error`)
    level: info
    # -- Set the glog logging level
    globallevel: "0"
    # -- Set the logging format (one of: `text`, `json`)
    format: "text"
  # -- Additional volume mounts to the server main container.
  volumeMounts: []
  # -- Additional volumes to the server pod.
  volumes: []
  ## Ingress configuration.
  # ref: https://kubernetes.io/docs/user-guide/ingress/
  ingress:
    # -- Enable an ingress resource
    enabled: false
    # -- Additional ingress annotations
    annotations: {}
    # -- Additional ingress labels
    labels: {}
    # -- Defines which ingress controller will implement the resource
    ingressClassName: ""
    # -- List of ingress hosts
    ## Hostnames must be provided if Ingress is enabled.
    ## Secrets must be manually created in the namespace
    hosts: []
    # - argoworkflows.example.com
    # -- List of ingress paths
    paths:
      - /
    # -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific`
    pathType: Prefix
    # -- Additional ingress paths
    extraPaths: []
      # - path: /*
      #   backend:
      #     serviceName: ssl-redirect
      #     servicePort: use-annotation
      ## for Kubernetes >=1.19 (when "networking.k8s.io/v1" is used)
      # - path: /*
      #   pathType: Prefix
      #   backend:
      #     service
      #       name: ssl-redirect
      #       port:
    #         name: use-annotation
    # -- Ingress TLS configuration
    tls: []
      # - secretName: argoworkflows-example-tls
      #   hosts:
    #     - argoworkflows.example.com
  ## Create a Google Backendconfig  for use with the GKE Ingress Controller
  ## https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#configuring_ingress_features_through_backendconfig_parameters
  GKEbackendConfig:
    # -- Enable BackendConfig custom resource for Google Kubernetes Engine
    enabled: false
    # -- [BackendConfigSpec]
    spec: {}
  #  spec:
  #    iap:
  #      enabled: true
  #      oauthclientCredentials:
  #        secretName: argoworkflows-secret
  ## Create a Google Managed Certificate for use with the GKE Ingress Controller
  ## https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs
  GKEmanagedCertificate:
    # -- Enable ManagedCertificate custom resource for Google Kubernetes Engine.
    enabled: false
    # -- Domains for the Google Managed Certificate
    domains:
      - argoworkflows.example.com
  ## Create a Google FrontendConfig Custom Resource, for use with the GKE Ingress Controller
  ## https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#configuring_ingress_features_through_frontendconfig_parameters
  GKEfrontendConfig:
    # -- Enable FrontConfig custom resource for Google Kubernetes Engine
    enabled: false
    # -- [FrontendConfigSpec]
    spec: {}
  # spec:
  #   redirectToHttps:
  #     enabled: true
  #     responseCodeName: RESPONSE_CODE
  clusterWorkflowTemplates:
    # -- Create a ClusterRole and CRB for the server to access ClusterWorkflowTemplates.
    enabled: true
    # -- Give the server permissions to edit ClusterWorkflowTemplates.
    enableEditing: true
  # SSO configuration when SSO is specified as a server auth mode.
  sso:
    # -- Create SSO configuration. If you set `true` , please also set `.Values.server.authMode` as `sso`.
    enabled: false
    # -- The root URL of the OIDC identity provider
    issuer: https://accounts.google.com
    clientId:
      # -- Name of secret to retrieve the app OIDC client ID
      name: argo-server-sso
      # -- Key of secret to retrieve the app OIDC client ID
      key: client-id
    clientSecret:
      # -- Name of a secret to retrieve the app OIDC client secret
      name: argo-server-sso
      # -- Key of a secret to retrieve the app OIDC client secret
      key: client-secret
    # - The OIDC redirect URL. Should be in the form <argo-root-url>/oauth2/callback.
    redirectUrl: https://argo/oauth2/callback
    rbac:
      # -- Adds ServiceAccount Policy to server (Cluster)Role.
      enabled: true
      # -- Whitelist to allow server to fetch Secrets
      ## When present, restricts secrets the server can read to a given list.
      ## You can use it to restrict the server to only be able to access the
      ## service account token secrets that are associated with service accounts
      ## used for authorization.
      secretWhitelist: []
    # -- Scopes requested from the SSO ID provider
    ## The 'groups' scope requests group membership information, which is usually used for authorization decisions.
    scopes: []
    # - groups
    # -- Define how long your login is valid for (in hours)
    ## If omitted, defaults to 10h.
    sessionExpiry: ""
    # -- Alternate root URLs that can be included for some OIDC providers
    issuerAlias: ""
    # -- Override claim name for OIDC groups
    customGroupClaimName: ""
    # -- Specify the user info endpoint that contains the groups claim
    ## Configure this if your OIDC provider provides groups information only using the user-info endpoint (e.g. Okta)
    userInfoPath: ""
    # -- Skip TLS verification for the HTTP client
    insecureSkipVerify: false
  # -- Extra containers to be added to the server deployment
  extraContainers: []
  # -- Enables init containers to be added to the server deployment
  extraInitContainers: []
 # -- Array of extra K8s manifests to deploy
 extraObjects: []
  # - apiVersion: secrets-store.csi.x-k8s.io/v1
  #   kind: SecretProviderClass
  #   metadata:
  #     name: argo-server-sso
  #   spec:
  #     provider: aws
  #     parameters:
  #       objects: |
  #         - objectName: "argo/server/sso"
  #           objectType: "secretsmanager"
  #           jmesPath:
  #               - path: "client_id"
  #                 objectAlias: "client_id"
  #               - path: "client_secret"
  #                 objectAlias: "client_secret"
  #     secretObjects:
  #     - data:
  #       - key: client_id
  #         objectName: client_id
  #       - key: client_secret
  #         objectName: client_secret
  #       secretName: argo-server-sso-secrets-store
 #       type: Opaque
 # -- Use static credentials for S3 (eg. when not using AWS IRSA)
 useStaticCredentials: true
 artifactRepository:
  # -- Archive the main container logs as an artifact
  archiveLogs: true
  # -- Store artifact in a S3-compliant object store
  # @default -- See [values.yaml]
  s3: 
    # # Note the `key` attribute is not the actual secret, it's the PATH to
    # # the contents in the associated secret, as defined by the `name` attribute.
    accessKeySecret:
      name: argo-workflow-log-fakes3
      key: AWS_ACCESS_KEY_ID
    secretKeySecret:
      name: argo-workflow-log-fakes3
      key: AWS_SECRET_ACCESS_KEY
    # # insecure will disable TLS. Primarily used for minio installs not configured with TLS
    insecure: true
    keyFormat: "{{workflow.namespace}}/{{workflow.name}}/{{pod.name}}"
    bucket: mongo-backup
    # endpoint: workflow-archivelog-s3:4568
    # region:
    # roleARN:
    # useSDKCreds: true
    # encryptionOptions:
  #    enableEncryption: true
  # -- Store artifact in a GCS object store
  # @default -- `{}` (See [values.yaml])
  gcs: {}
  # bucket: <project>-argo
  # keyFormat: "{{ \"{{workflow.namespace}}/{{workflow.name}}/{{pod.name}}\" }}"
  # serviceAccountKeySecret is a secret selector.
  # It references the k8s secret named 'my-gcs-credentials'.
  # This secret is expected to have have the key 'serviceAccountKey',
  # containing the base64 encoded credentials
  # to the bucket.
  #
  # If it's running on GKE and Workload Identity is used,
  # serviceAccountKeySecret is not needed.
  # serviceAccountKeySecret:
  # name: my-gcs-credentials
  # key: serviceAccountKey
  # -- Store artifact in Azure Blob Storage
  # @default -- `{}` (See [values.yaml])
  azure: {}
  # endpoint: https://mystorageaccountname.blob.core.windows.net
  # container: my-container-name
  # blobNameFormat: path/in/container
  ## accountKeySecret is a secret selector.
  ## It references the k8s secret named 'my-azure-storage-credentials'.
  ## This secret is expected to have have the key 'account-access-key',
  ## containing the base64 encoded credentials to the storage account.
  ## If a managed identity has been assigned to the machines running the
  ## workflow (e.g., https://docs.microsoft.com/en-us/azure/aks/use-managed-identity)
  ## then accountKeySecret is not needed, and useSDKCreds should be
  ## set to true instead:
  # useSDKCreds: true
  # accountKeySecret:
  #  name: my-azure-storage-credentials
  #  key: account-access-key
 # -- The section of custom artifact repository.
 # Utilize a custom artifact repository that is not one of the current base ones (s3, gcs, azure)
 customArtifactRepository: {}
 # artifactory:
 #   repoUrl: https://artifactory.example.com/raw
 #   usernameSecret:
 #     name: artifactory-creds
 #     key: username
 #   passwordSecret:
 #     name: artifactory-creds
 #     key: password
 # -- The section of [artifact repository ref](https://argoproj.github.io/argo-workflows/artifact-repository-ref/).
 # Each map key is the name of configmap
 # @default -- `{}` (See [values.yaml])
 artifactRepositoryRef: {}
  # # -- 1st ConfigMap
  # # If you want to use this config map by default, name it "artifact-repositories".
  # # Otherwise, you can provide a reference to a
  # # different config map in `artifactRepositoryRef.configMap`.
  # artifact-repositories:
  #   # -- v3.0 and after - if you want to use a specific key, put that key into this annotation.
  #   annotations:
  #     workflows.argoproj.io/default-artifact-repository: default-v1-s3-artifact-repository
  #   # 1st data of configmap. See above artifactRepository or customArtifactRepository.
  #   default-v1-s3-artifact-repository:
  #     archiveLogs: false
  #     s3:
  #       bucket: my-bucket
  #       endpoint: minio:9000
  #       insecure: true
  #       accessKeySecret:
  #         name: my-minio-cred
  #         key: accesskey
  #       secretKeySecret:
  #         name: my-minio-cred
  #         key: secretkey
  #    # 2nd data
  #    oss-artifact-repository:
  #      archiveLogs: false
  #      oss:
  #        endpoint: http://oss-cn-zhangjiakou-internal.aliyuncs.com
  #        bucket: $mybucket
  #        # accessKeySecret and secretKeySecret are secret selectors.
  #        # It references the k8s secret named 'bucket-workflow-artifect-credentials'.
  #        # This secret is expected to have have the keys 'accessKey'
  #        # and 'secretKey', containing the base64 encoded credentials
  #        # to the bucket.
  #        accessKeySecret:
  #          name: $mybucket-credentials
  #          key: accessKey
  #        secretKeySecret:
  #          name: $mybucket-credentials
  #          key: secretKey
  # # 2nd ConfigMap
  # another-artifact-repositories:
  #   annotations:
  #     workflows.argoproj.io/default-artifact-repository: gcs
  #   gcs:
  #     bucket: my-bucket
  #     keyFormat: prefix/in/bucket/{{workflow.name}}/{{pod.name}}
  #     serviceAccountKeySecret:
  #       name: my-gcs-credentials
 #       key: serviceAccountKey
 emissary:
  # -- The command/args for each image on workflow, needed when the command is not specified and the emissary executor is used.
  ## See more: https://argoproj.github.io/argo-workflows/workflow-executors/#emissary-emissary
  images: []
  #  argoproj/argosay:v2:
  #    cmd: [/argosay]
  #  docker/whalesay:latest:
  #    cmd: [/bin/bash]
--- a/apps/argo/config/user/helm-charts/argo/templates/argo_deployment.yaml
+++ b/apps/argo/config/user/helm-charts/argo/templates/argo_deployment.yaml
@@ -1,174 +1,4 @@
 {{- $namespace := printf "%s%s" "user-system-" .Values.bfl.username -}}
 {{- $rss_secret := (lookup "v1" "Secret" $namespace "rss-secrets") -}}
 {{- $password := "" -}}
 {{ if $rss_secret -}}
 {{ $password = (index $rss_secret "data" "pg_password") }}
 {{ else -}}
 {{ $password = randAlphaNum 16 | b64enc }}
 {{- end -}}
 {{- $redis_password := "" -}}
 {{ if $rss_secret -}}
 {{ $redis_password = (index $rss_secret "data" "redis_password") }}
 {{ else -}}
 {{ $redis_password = randAlphaNum 16 | b64enc }}
 {{- end -}}
 {{- $redis_password_data := "" -}}
 {{ $redis_password_data = $redis_password | b64dec }}
 {{- $pg_password_data := "" -}}
 {{ $pg_password_data = $password | b64dec }}
 {{- $mongo_secret := (lookup "v1" "Secret" .Release.Namespace "knowledge-mongodb") -}}
 {{- $mongo_password := randAlphaNum 16 | b64enc -}}
 {{- $mongo_password_data := "" -}}
 {{ if $mongo_secret -}}
  {{ $mongo_password_data = (index $mongo_secret "data" "mongodb-passwords" ) | b64dec }}
 {{ else -}}
  {{ $mongo_password_data = $mongo_password | b64dec }}
 {{- end -}}
 {{- $pg_user :=  printf "%s%s" "rss_" .Values.bfl.username -}}
 {{- $pg_user = $pg_user | b64enc -}}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: rss-secrets
  namespace: user-system-{{ .Values.bfl.username }}
 type: Opaque
 data:
  pg_password: {{ $password }}
  redis_password: {{ $redis_password }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: rss-secrets
  namespace: {{ .Release.Namespace }}
 type: Opaque
 data:
  pg_user: {{ $pg_user }}
  pg_password: {{ $password }}
  redis_password: {{ $redis_password }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: knowledge-mongodb
  namespace: {{ .Release.Namespace }}
 type: Opaque
 {{ if $mongo_secret -}}
 data:
  mongodb-passwords: {{ index $mongo_secret "data" "mongodb-passwords" }}
 {{ else -}}
 data:
  mongodb-passwords: {{ $mongo_password }}
 {{ end }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: knowledge-mongodb
  namespace: user-system-{{ .Values.bfl.username }}
 type: Opaque
 {{ if $mongo_secret -}}
 data:
  mongodb-passwords: {{ index $mongo_secret "data" "mongodb-passwords" }}
 {{ else -}}
 data:
  mongodb-passwords: {{ $mongo_password }}
 {{ end }}
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: rss-secrets-auth
  namespace: {{ .Release.Namespace }}
 data:
  redis_password: "{{ $redis_password_data }}"
  redis_addr: redis-cluster-proxy.user-system-{{ .Values.bfl.username }}:6379
  redis_host: redis-cluster-proxy.user-system-{{ .Values.bfl.username }}
  redis_port: '6379'
  pg_url: postgres://rss_{{ .Values.bfl.username }}:{{ $pg_password_data }}@citus-master-svc.user-system-{{ .Values.bfl.username }}/user_space_{{ .Values.bfl.username }}_rss_v1?sslmode=disable
  mongo_url: mongodb://knowledge-{{ .Values.bfl.username }}:{{ $mongo_password_data }}@mongo-cluster-mongos.user-system-{{ .Values.bfl.username }}:27017/{{ .Release.Namespace }}_knowledge
  mongo_db: {{ .Release.Namespace }}_knowledge
  postgres_host: citus-master-svc.user-system-{{ .Values.bfl.username }}
  postgres_user: knowledge_{{ .Values.bfl.username }}
  postgres_password: "{{ $pg_password_data }}"
  postgres_db: user_space_{{ .Values.bfl.username }}_knowledge
  postgres_port: '5432'
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: rss-userspace-data
  namespace: {{ .Release.Namespace }}
 data:
  appData: "{{ .Values.userspace.appData }}"
  appCache: "{{ .Values.userspace.appCache }}"
  username: "{{ .Values.bfl.username }}"
 ---
 apiVersion: apr.bytetrade.io/v1alpha1
 kind: MiddlewareRequest
 metadata:
  name: rss-pg
  namespace: user-system-{{ .Values.bfl.username }}
 spec:
  app: rss
  appNamespace: {{ .Release.Namespace }}
  middleware: postgres
  postgreSQL:
    user: rss_{{ .Values.bfl.username }}
    password: 
      valueFrom:
        secretKeyRef:
          key: pg_password
          name: rss-secrets
    databases:
    - name: rss
    - name: rss_v1
    - name: argo
 ---
 apiVersion: apr.bytetrade.io/v1alpha1
 kind: MiddlewareRequest
 metadata:
  name: knowledge-redis
  namespace: user-system-{{ .Values.bfl.username }}
 spec:
  app: rss
  appNamespace: {{ .Release.Namespace }}
  middleware: redis
  redis:
    password:
      valueFrom:
        secretKeyRef:
          key: redis_password
          name: rss-secrets
    namespace: knowledge
 ---
 apiVersion: v1
 kind: Service
 metadata:
@@ -183,3 +13,22 @@ spec:
      name: fakes3
      port: 4568
      targetPort: 4568
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: knowledge-base-api
  namespace: user-system-{{ .Values.bfl.username }}
 spec:
  type: ClusterIP
  selector:
    app: systemserver
  ports:
    - protocol: TCP
      name: knowledge-api
      port: 3010
      targetPort: 3010  
--- a/apps/argo/config/user/helm-charts/argo/values.yaml
+++ b/apps/argo/config/user/helm-charts/argo/values.yaml
@@ -1,4 +1,3 @@
 bfl:
  nodeport: 30883
  nodeport_ingress_http: 30083
@@ -40,4 +39,4 @@ os:
    appKey: '${ks[0]}'
    appSecret: test
 kubesphere:
-  redis_password: ""
+  redis_password: ""
--- a/apps/argo/config/user/helm-charts/recommend/.helmignore
+++ b/apps/argo/config/user/helm-charts/recommend/.helmignore
@@ -1,23 +0,0 @@
 # Patterns to ignore when building packages.
 # This supports shell glob matching, relative path matching, and
 # negation (prefixed with !). Only one pattern per line.
 .DS_Store
 # Common VCS dirs
 .git/
 .gitignore
 .bzr/
 .bzrignore
 .hg/
 .hgignore
 .svn/
 # Common backup files
 *.swp
 *.bak
 *.tmp
 *.orig
 *~
 # Various IDEs
 .project
 .idea/
 *.tmproj
 .vscode/
--- a/apps/argo/config/user/helm-charts/recommend/Chart.yaml
+++ b/apps/argo/config/user/helm-charts/recommend/Chart.yaml
@@ -1,24 +0,0 @@
 apiVersion: v2
 name: recommend
 description: A Helm chart for Kubernetes
 # A chart can be either an 'application' or a 'library' chart.
 #
 # Application charts are a collection of templates that can be packaged into versioned archives
 # to be deployed.
 #
 # Library charts provide useful utilities or functions for the chart developer. They're included as
 # a dependency of application charts to inject those utilities and functions into the rendering
 # pipeline. Library charts do not define any templates and therefore cannot be deployed.
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
 version: 0.0.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
 appVersion: "1.16.0"
--- a/apps/argo/config/user/helm-charts/recommend/templates/NOTES.txt
+++ b/apps/argo/config/user/helm-charts/recommend/templates/NOTES.txt
--- a/apps/argo/config/user/helm-charts/recommend/templates/_helpers.tpl
+++ b/apps/argo/config/user/helm-charts/recommend/templates/_helpers.tpl
@@ -1,62 +0,0 @@
 {{/*
 Expand the name of the chart.
 */}}
 {{- define "recommend.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
 {{- define "recommend.fullname" -}}
 {{- if .Values.fullnameOverride }}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
 {{- else }}
 {{- $name := default .Chart.Name .Values.nameOverride }}
 {{- if contains $name .Release.Name }}
 {{- .Release.Name | trunc 63 | trimSuffix "-" }}
 {{- else }}
 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
 {{- end }}
 {{- end }}
 {{- end }}
 {{/*
 Create chart name and version as used by the chart label.
 */}}
 {{- define "recommend.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 {{/*
 Common labels
 */}}
 {{- define "recommend.labels" -}}
 helm.sh/chart: {{ include "recommend.chart" . }}
 {{ include "recommend.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "recommend.selectorLabels" -}}
 app.kubernetes.io/name: {{ include "recommend.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 {{/*
 Create the name of the service account to use
 */}}
 {{- define "recommend.serviceAccountName" -}}
 {{- if .Values.serviceAccount.create }}
 {{- default (include "recommend.fullname" .) .Values.serviceAccount.name }}
 {{- else }}
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
--- a/apps/argo/config/user/helm-charts/recommend/templates/argo_fe_deploy.yaml
+++ b/apps/argo/config/user/helm-charts/recommend/templates/argo_fe_deploy.yaml
@@ -1,64 +0,0 @@
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: recommend
  namespace: {{ .Release.Namespace }}
 spec:
  type: ExternalName
  externalName: argoworkflows-svc.{{ .Release.Namespace }}.svc.cluster.local
  ports:
    - name: http
      port: 2746
      protocol: TCP
      targetPort: 2746
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: argoworkflows-ui
  namespace: {{ .Release.Namespace }}
 spec:
  ports:
    - port: 80
      protocol: TCP
      targetPort: 8080
  selector:
    app: recommend
  type: ClusterIP
 ---
 apiVersion: v1
 data:
  nginx.conf: |
    # Configuration checksum:
    pid /var/run/nginx.pid;
    worker_processes auto;
    events {
      worker_connections 1024;
    }
    http {
      server {
        listen 8080;
        location / {
          proxy_pass http://recommend:2746;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
      }
    }
 kind: ConfigMap
 metadata:
  name: recommend-nginx-configs
  namespace: {{ .Release.Namespace }}
--- a/apps/argo/config/user/helm-charts/recommend/values.yaml
+++ b/apps/argo/config/user/helm-charts/recommend/values.yaml
--- a/apps/desktop/config/user/helm-charts/desktop/templates/desktop_deploy.yaml
+++ b/apps/desktop/config/user/helm-charts/desktop/templates/desktop_deploy.yaml
@@ -66,7 +66,7 @@ spec:
      containers:
      - name: edge-desktop
-        image: beclab/desktop:v0.2.56
+        image: beclab/desktop:v0.2.59
        imagePullPolicy: IfNotPresent
        securityContext:
          runAsNonRoot: false
@@ -78,7 +78,7 @@ spec:
            value: http://bfl.{{ .Release.Namespace }}:8080
      - name: desktop-server
-        image: beclab/desktop-server:v0.2.56
+        image: beclab/desktop-server:v0.2.59
        imagePullPolicy: IfNotPresent
        securityContext:
          allowPrivilegeEscalation: false
@@ -156,7 +156,7 @@ spec:
      - name: userspace-dir
        hostPath:
          type: Directory
-          path: {{ .Values.userspace.userData }}
+          path: '{{ .Values.userspace.userData }}'
      - name: terminus-sidecar-config
        configMap:
          name: sidecar-ws-configs
@@ -450,6 +450,7 @@ data:
                              - prefix: x-unauth-
                              - exact: x-authorization
                              - exact: x-bfl-user
                              - exact: x-real-ip
                              - exact: terminus-nonce
                          headers_to_add:
                            - key: X-Forwarded-Method
@@ -626,6 +627,7 @@ data:
                              - prefix: x-unauth-
                              - exact: x-authorization
                              - exact: x-bfl-user
                              - exact: x-real-ip
                              - exact: terminus-nonce
                          headers_to_add:
                            - key: X-Forwarded-Method
--- a/apps/desktop/config/user/helm-charts/desktop/values.yaml
+++ b/apps/desktop/config/user/helm-charts/desktop/values.yaml
@@ -1,4 +1,3 @@
 bfl:
  username: 'test'
  url: 'test'
--- a/apps/download/README.md
+++ b/apps/download/README.md
@@ -1,3 +0,0 @@
 # vault
 https://github.com/beclab/analytic
--- a/apps/download/config/user/helm-charts/download/.helmignore
+++ b/apps/download/config/user/helm-charts/download/.helmignore
@@ -1,23 +0,0 @@
 # Patterns to ignore when building packages.
 # This supports shell glob matching, relative path matching, and
 # negation (prefixed with !). Only one pattern per line.
 .DS_Store
 # Common VCS dirs
 .git/
 .gitignore
 .bzr/
 .bzrignore
 .hg/
 .hgignore
 .svn/
 # Common backup files
 *.swp
 *.bak
 *.tmp
 *.orig
 *~
 # Various IDEs
 .project
 .idea/
 *.tmproj
 .vscode/
--- a/apps/download/config/user/helm-charts/download/templates/download_deploy.yaml
+++ b/apps/download/config/user/helm-charts/download/templates/download_deploy.yaml
@@ -1,321 +0,0 @@
 {{- $namespace := printf "%s%s" "user-system-" .Values.bfl.username -}}
 {{- $download_secret := (lookup "v1" "Secret" $namespace "rss-secrets") -}}
 {{- $pg_password := "" -}}
 {{ if $download_secret -}}
 {{ $pg_password = (index $download_secret "data" "pg_password") }}
 {{ else -}}
 {{ $pg_password = randAlphaNum 16 | b64enc }}
 {{- end -}}
 {{- $redis_password := "" -}}
 {{ if $download_secret -}}
 {{ $redis_password = (index $download_secret "data" "redis_password") }}
 {{ else -}}
 {{ $redis_password = randAlphaNum 16 | b64enc }}
 {{- end -}}
 {{- $download_nats_secret := (lookup "v1" "Secret" $namespace "download-secrets") -}}
 {{- $nat_password := "" -}}
 {{ if $download_nats_secret -}}
 {{ $nat_password = (index $download_nats_secret "data" "nat_password") }}
 {{ else -}}
 {{ $nat_password = randAlphaNum 16 | b64enc }}
 {{- end -}}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: download-secrets
  namespace: user-system-{{ .Values.bfl.username }}
 type: Opaque
 data:
  pg_password: {{ $pg_password }}
  redis_password: {{ $redis_password }}
  nat_password: {{ $nat_password }}
 ---
 apiVersion: apr.bytetrade.io/v1alpha1
 kind: MiddlewareRequest
 metadata:
  name: download-pg
  namespace: user-system-{{ .Values.bfl.username }}
 spec:
  app: download
  appNamespace: {{ .Release.Namespace }}
  middleware: postgres
  postgreSQL:
    user: knowledge_{{ .Values.bfl.username }}
    password:
      valueFrom:
        secretKeyRef:
          key: pg_password
          name: download-secrets
    databases:
    - name: knowledge
 ---
 apiVersion: apr.bytetrade.io/v1alpha1
 kind: MiddlewareRequest
 metadata:
  name: download-nat
  namespace: user-system-{{ .Values.bfl.username }}
 spec:
  app: download
  appNamespace: {{ .Release.Namespace }}
  middleware: nats
  nats:
    password:
      valueFrom:
        secretKeyRef:
          key: nat_password
          name: download-secrets
    refs: []
    subjects:
    - name: download_status
      permission:
        pub: allow
        sub: allow
      export:
      - appName: knowledge
        sub: allow
        pub: allow
    user: user-system-{{ .Values.bfl.username }}-download
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: download
  namespace: {{ .Release.Namespace }}
  labels:
    app: download
    applications.app.bytetrade.io/author: bytetrade.io
 spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: download
  template:
    metadata:
      labels:
        app: download
    spec:
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
      initContainers:
      - name: init-data
        image: busybox:1.28
        securityContext:
          privileged: true
          runAsNonRoot: false
          runAsUser: 0
        volumeMounts:
        - name: config-dir
          mountPath: /config
        - name: download-dir
          mountPath: /downloads
        command:
        - sh
        - -c
        - |
          chown -R 1000:1000 /config && \
          chown -R 1000:1000 /downloads
      - name: init-container
        image: 'postgres:16.0-alpine3.18'
        command:
          - sh
          - '-c'
          - >-
            echo -e "Checking for the availability of PostgreSQL Server deployment"; until psql -h $PGHOST -p $PGPORT -U $PGUSER -d $PGDB -c "SELECT 1"; do sleep 1; printf "-"; done; sleep 5; echo -e " >> PostgreSQL DB Server has started";
        env:
          - name: PGHOST
            value: citus-master-svc.user-system-{{ .Values.bfl.username }}
          - name: PGPORT
            value: "5432"
          - name: PGUSER
            value: knowledge_{{ .Values.bfl.username }}
          - name: PGPASSWORD
            value: {{ $pg_password | b64dec }}
          - name: PGDB
            value: user_space_{{ .Values.bfl.username }}_knowledge
      containers:
      - name: aria2
        image: "beclab/aria2:v0.0.4"
        imagePullPolicy: IfNotPresent
        securityContext:
          runAsNonRoot: false
          runAsUser: 0
        ports:
        - containerPort: 6800
        - containerPort: 6888
        env:
        - name: RPC_SECRET
          value: kubespider
        - name: PUID
          value: "1000"
        - name: PGID
          value: "1000"
        volumeMounts:
        - name: download-dir
          mountPath: /downloads
        resources:
          requests:
            cpu: 20m
            memory: 50Mi
          limits:
            cpu: "1"
            memory: 300Mi
      - name: yt-dlp
        image: "beclab/yt-dlp:v0.0.21"
        imagePullPolicy: IfNotPresent
        securityContext:
          allowPrivilegeEscalation: false
          runAsUser: 1000
        ports:
        - containerPort: 3082
        env:
        - name: PG_USERNAME
          value: knowledge_{{ .Values.bfl.username }}
        - name: PG_PASSWORD
          value: {{ $pg_password | b64dec }}
        - name: PG_HOST
          value: citus-master-svc.user-system-{{ .Values.bfl.username }}
        - name: PG_PORT
          value: "5432"
        - name: PG_DATABASE
          value: user_space_{{ .Values.bfl.username }}_knowledge
        - name: SETTING_URL
          value: http://system-server.user-system-{{ .Values.bfl.username }}/legacy/v1alpha1/service.settings/v1/api/cookie/retrieve
        - name: REDIS_HOST
          value: redis-cluster-proxy.user-system-{{ .Values.bfl.username }}
        - name: REDIS_PASSWORD
          value: {{ $redis_password | b64dec }}
        - name: NATS_HOST
          value: nats.user-system-{{ .Values.bfl.username }}
        - name: NATS_PORT
          value: "4222"
        - name: NATS_USERNAME
          value: user-system-{{ .Values.bfl.username }}-download
        - name: NATS_PASSWORD
          value: {{ $nat_password | b64dec }}
        - name: NATS_SUBJECT
          value: "terminus.{{ .Release.Namespace }}.download_status"
        volumeMounts:
        - name: config-dir
          mountPath: /app/config
        - name: download-dir
          mountPath: /app/downloads
        resources:
          requests:
            cpu: 20m
            memory: 50Mi
          limits:
            cpu: "1"
            memory: 300Mi
      - name: download-spider
        image: "beclab/download-spider:v0.0.21"
        imagePullPolicy: IfNotPresent
        securityContext:
          allowPrivilegeEscalation: false
          runAsUser: 1000
        env:
        - name: PG_USERNAME
          value: knowledge_{{ .Values.bfl.username }}
        - name: PG_PASSWORD
          value: {{ $pg_password | b64dec }}
        - name: PG_HOST
          value: citus-master-svc.user-system-{{ .Values.bfl.username }}
        - name: PG_PORT
          value: "5432"
        - name: PG_DATABASE
          value: user_space_{{ .Values.bfl.username }}_knowledge
        - name: REDIS_HOST
          value: redis-cluster-proxy.user-system-{{ .Values.bfl.username }}
        - name: REDIS_PASSWORD
          value: {{ $redis_password | b64dec }}
        - name: NATS_HOST
          value: nats.user-system-{{ .Values.bfl.username }}
        - name: NATS_PORT
          value: "4222"
        - name: NATS_USERNAME
          value: user-system-{{ .Values.bfl.username }}-download
        - name: NATS_PASSWORD
          value: {{ $nat_password | b64dec }}
        - name: NATS_SUBJECT
          value: "terminus.{{ .Release.Namespace }}.download_status"
        - name: SETTING_URL
          value: http://system-server.user-system-{{ .Values.bfl.username }}/legacy/v1alpha1/service.settings/v1/api/cookie/retrieve
        volumeMounts:
        - name: download-dir
          mountPath: /downloads
        ports:
        - containerPort: 3080
        resources:
          requests:
            cpu: 20m
            memory: 50Mi
          limits:
            cpu: "1"
            memory: 300Mi
      volumes:
      - name: config-dir
        hostPath: 
          type: DirectoryOrCreate
          path: {{ .Values.userspace.appData}}/Downloads/config
      - name: download-dir
        hostPath:
          type: DirectoryOrCreate
          path: {{ .Values.userspace.userData }}
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: download-svc
  namespace: {{ .Release.Namespace }}
 spec:
  type: ClusterIP
  selector:
    app: download
  ports:
    - name: "download-spider"
      protocol: TCP
      port: 3080
      targetPort: 3080
    - name: "aria2-server"
      protocol: TCP
      port: 6800
      targetPort: 6800
    - name: ytdlp-server
      protocol: TCP
      port: 3082
      targetPort: 3082
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: download-api
  namespace: user-system-{{ .Values.bfl.username }}
 spec:
  type: ClusterIP
  selector:
    app: systemserver
  ports:
    - protocol: TCP
      name: download-api
      port: 3080
      targetPort: 3080  
--- a/apps/files/config/cluster/deploy/files_deploy.yaml
+++ b/apps/files/config/cluster/deploy/files_deploy.yaml
@@ -43,8 +43,8 @@ spec:
      labels:
        app: files
      annotations:
-        # instrumentation.opentelemetry.io/inject-nginx: "olares-instrumentation"
+        instrumentation.opentelemetry.io/inject-nginx: "olares-instrumentation"
-        # instrumentation.opentelemetry.io/inject-nginx-container-names: "nginx"    
+        instrumentation.opentelemetry.io/inject-nginx-container-names: "nginx"    
        instrumentation.opentelemetry.io/inject-go: "olares-instrumentation"
        instrumentation.opentelemetry.io/go-container-names: "gateway,files,uploader"    
        instrumentation.opentelemetry.io/otel-go-auto-target-exe: "/filebrowser"
@@ -73,6 +73,28 @@ spec:
          - -c
          - |
            chown -R 1000:1000 /appdata; chown -R 1000:1000 /appcache; chown -R 1000:1000 /data
        - name: init-container
          image: 'postgres:16.0-alpine3.18'
          command:
            - sh
            - '-c'
            - >-
              echo -e "Checking for the availability of PostgreSQL Server
              deployment"; until psql -h $PGHOST -p $PGPORT -U $PGUSER -d $PGDB1
              -c "SELECT 1"; do sleep 1; printf "-"; done; sleep 5; echo -e " >>
              PostgreSQL DB Server has started";
          env:
            - name: PGHOST
              value: citus-headless.os-system
            - name: PGPORT
              value: '5432'
            - name: PGUSER
              value: files_os_system
            - name: PGPASSWORD
              value: {{ $files_postgres_password | b64dec }}
            - name: PGDB1
              value: os_system_files
      containers:
        - name: gateway
          image: beclab/appdata-gateway:0.1.18
@@ -84,7 +106,7 @@ spec:
            - containerPort: 8080
          env:
            - name: FILES_SERVER_TAG
-              value: 'beclab/files-server:v0.2.63'
+              value: 'beclab/files-server:v0.2.69'
            - name: NAMESPACE
              valueFrom:
                fieldRef:
@@ -120,7 +142,7 @@ spec:
 {{ end }}
        - name: files
-          image: beclab/files-server:v0.2.63
+          image: beclab/files-server:v0.2.69
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: true
@@ -252,7 +274,7 @@ spec:
            - /filebrowser
            - --noauth
        - name: uploader
-          image: beclab/upload:v1.0.13
+          image: beclab/upload:v1.0.14
          env:
            - name: UPLOAD_FILE_TYPE
              value: '*'
@@ -281,7 +303,7 @@ spec:
            runAsUser: 0
            privileged: true
        - name: nginx
-          image: 'nginx:stable-alpine3.17-slim'
+          image: 'beclab/docker-nginx-headers-more:ubuntu-v0.1.0'
          securityContext:
            runAsNonRoot: false
            runAsUser: 0
@@ -304,14 +326,14 @@ spec:
        - name: userspace-dir
          hostPath:
            type: Directory
-            path: {{ .Values.rootPath }}/rootfs/userspace
+            path: '{{ .Values.rootPath }}/rootfs/userspace'
        - name: fb-data
          hostPath:
            type: DirectoryOrCreate
-            path: {{ .Values.rootPath }}/userdata/Cache/files
+            path: '{{ .Values.rootPath }}/userdata/Cache/files'
        - name: upload-appdata
          hostPath:
-            path: {{ .Values.rootPath }}/userdata/Cache
+            path: '{{ .Values.rootPath }}/userdata/Cache'
            type: DirectoryOrCreate
        - name: files-nginx-config
          configMap:
@@ -324,13 +346,13 @@ spec:
            defaultMode: 420
        - name: user-appdata-dir
          hostPath:
-            path: {{ .Values.rootPath }}/userdata/Cache
+            path: '{{ .Values.rootPath }}/userdata/Cache'
            type: Directory
 {{ if .Values.sharedlib }}        
        - name: shared-lib
          hostPath:
-            path: {{ .Values.sharedlib }}
+            path: "{{ .Values.sharedlib }}"
            type: Directory
 {{ end }}            
@@ -412,7 +434,7 @@ spec:
          name: check-nats
      containers:
        - name: files
-          image: beclab/files-server:v0.2.63
+          image: beclab/files-server:v0.2.69
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: true
@@ -447,11 +469,11 @@ spec:
        - name: user-appdata-dir
          hostPath:
            type: Directory
-            path: {{ .Values.rootPath }}/userdata/Cache
+            path: '{{ .Values.rootPath }}/userdata/Cache'
        - name: fb-data
          hostPath:
            type: DirectoryOrCreate
-            path: {{ .Values.rootPath }}/userdata/Cache/files-appdata
+            path: '{{ .Values.rootPath }}/userdata/Cache/files-appdata'
 ---
 apiVersion: v1
--- a/apps/files/config/user/helm-charts/files/templates/files_fe_deploy.yaml
+++ b/apps/files/config/user/helm-charts/files/templates/files_fe_deploy.yaml
@@ -114,9 +114,11 @@ spec:
        io.bytetrade.app: "true"
      annotations:
        # support nginx 1.24.3 1.25.3
-        # instrumentation.opentelemetry.io/inject-nginx: "olares-instrumentation"
+        instrumentation.opentelemetry.io/inject-nginx: "olares-instrumentation"
-        # instrumentation.opentelemetry.io/inject-nginx-container-names: "files-frontend"    
+        instrumentation.opentelemetry.io/inject-nginx-container-names: "files-frontend"    
-        # instrumentation.opentelemetry.io/otel-go-auto-target-exe: "drive"
+        instrumentation.opentelemetry.io/inject-go: "olares-instrumentation"
        instrumentation.opentelemetry.io/go-container-names: "driver-server"    
        instrumentation.opentelemetry.io/otel-go-auto-target-exe: "drive"
    spec:
      serviceAccountName: bytetrade-controller
      securityContext:
@@ -204,6 +206,20 @@ spec:
            value: "{{ $pg_password | b64dec }}"
          - name: PGDB
            value: user_space_{{ .Values.bfl.username }}_cloud_drive_integration
      - name: files-frontend-init
        image: beclab/files-frontend:v1.3.61
        imagePullPolicy: IfNotPresent
        volumeMounts:
          - name: app
            mountPath: /cp_app
          - name: nginx-confd
            mountPath: /confd
        command:
        - sh
        - -c
        - |
          cp -rf /app/* /cp_app/. && cp -rf /etc/nginx/conf.d/* /confd/.
      containers:
 #      - name: gateway
 #        image: beclab/appdata-gateway:0.1.12
@@ -302,7 +318,7 @@ spec:
 #        - /filebrowser
 #        - --noauth
      - name: files-frontend
-        image: beclab/files-frontend:v1.3.43
+        image: beclab/docker-nginx-headers-more:ubuntu-v0.1.0
        imagePullPolicy: IfNotPresent
        securityContext:
          runAsNonRoot: false
@@ -323,8 +339,12 @@ spec:
        volumeMounts:
        - name: userspace-dir
          mountPath: /data
        - name: app
          mountPath: /app
        - name: nginx-confd
          mountPath: /etc/nginx/conf.d
      - name: drive-server
-        image: beclab/drive:v0.0.65
+        image: beclab/drive:v0.0.72
        imagePullPolicy: IfNotPresent
        env:
        - name: OS_SYSTEM_SERVER
@@ -347,7 +367,7 @@ spec:
        - name: data-dir
          mountPath: /data
      - name: task-executor
-        image: beclab/driveexecutor:v0.0.65
+        image: beclab/driveexecutor:v0.0.72
        imagePullPolicy: IfNotPresent
        env:
        - name: OS_SYSTEM_SERVER
@@ -433,42 +453,46 @@ spec:
      volumes:
      - name: data-dir
        hostPath:
-          path: {{ .Values.rootPath }}/rootfs/userspace
+          path: '{{ .Values.rootPath }}/rootfs/userspace'
          type: Directory
      - name: watch-dir
        hostPath:
          type: Directory
-          path: {{ .Values.userspace.userData }}/Documents
+          path: '{{ .Values.userspace.userData }}/Documents'
      - name: userspace-dir
        hostPath:
          type: Directory
-          path: {{ .Values.userspace.userData }}
+          path: '{{ .Values.userspace.userData }}'
      - name: userspace-app-dir
        hostPath:
          type: Directory
-          path: {{ .Values.userspace.appData }}
+          path: '{{ .Values.userspace.appData }}'
      - name: fb-data
        hostPath:
          type: DirectoryOrCreate
-          path: {{ .Values.userspace.appCache}}/files
+          path: '{{ .Values.userspace.appCache}}/files'
      - name: upload-data
        hostPath:
          type: Directory
-          path: {{ .Values.userspace.userData }}
+          path: '{{ .Values.userspace.userData }}'
      - name: upload-appdata
        hostPath:
          type: Directory
-          path: {{ .Values.userspace.appCache}}
+          path: '{{ .Values.userspace.appCache}}'
      - name: uploads-temp
        hostPath:
          type: DirectoryOrCreate
-          path: {{ .Values.userspace.appCache }}/files/uploadstemp
+          path: '{{ .Values.userspace.appCache }}/files/uploadstemp'
      - name: terminus-sidecar-config
        configMap:
          name: sidecar-upload-configs
          items:
          - key: envoy.yaml
            path: envoy.yaml
      - name: app
        emptyDir: {}
      - name: nginx-confd
        emptyDir: {}
@@ -792,6 +816,7 @@ data:
                                  - prefix: x-unauth-
                                  - exact: x-authorization
                                  - exact: x-bfl-user
                                  - exact: x-real-ip
                                  - exact: terminus-nonce
                              headers_to_add:
                                - key: X-Forwarded-Method
--- a/apps/files/config/user/helm-charts/files/values.yaml
+++ b/apps/files/config/user/helm-charts/files/values.yaml
@@ -1,4 +1,3 @@
 bfl:
  nodeport: 30883
  nodeport_ingress_http: 30083
@@ -46,4 +45,4 @@ os:
    appKey: '${ks[0]}'
    appSecret: test
 kubesphere:
-  redis_password: ""
+  redis_password: ""
--- a/apps/knowledge/config/cluster/deploy/knowledge_deployment.yaml
+++ b/apps/knowledge/config/cluster/deploy/knowledge_deployment.yaml
@@ -0,0 +1,646 @@
 {{- $share_secret := (lookup "v1" "Secret" "os-system" "knowledge-share-secrets") -}}
 {{- $redis_password := "" -}}
 {{ if $share_secret -}}
 {{ $redis_password = (index $share_secret "data" "redis_password") }}
 {{ else -}}
 {{ $redis_password = randAlphaNum 16 | b64enc }}
 {{- end -}}
 {{- $redis_password_data := "" -}}
 {{ $redis_password_data = $redis_password | b64dec }}
 {{- $pg_password := "" -}}
 {{ if $share_secret -}}
 {{ $pg_password = (index $share_secret "data" "pg_password") }}
 {{ else -}}
 {{ $pg_password = randAlphaNum 16 | b64enc }}
 {{- end -}}
 {{- $knowledge_nats_secret := (lookup "v1" "Secret" "os-system" "knowledge-secrets") -}}
 {{- $nat_password := "" -}}
 {{ if $knowledge_nats_secret -}}
 {{ $nat_password = (index $knowledge_nats_secret "data" "nat_password") }}
 {{ else -}}
 {{ $nat_password = randAlphaNum 16 | b64enc }}
 {{- end -}}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: knowledge-secrets
  namespace: os-system
 type: Opaque
 data:
  nat_password: {{ $nat_password }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: knowledge-share-secrets
  namespace: os-system
 type: Opaque
 data:
  pg_password: {{ $pg_password }}
  redis_password: {{ $redis_password }}
 ---  
 apiVersion: apr.bytetrade.io/v1alpha1
 kind: MiddlewareRequest
 metadata:
  name: knowledge-pg
  namespace: os-system
 spec:
  app: knowledge
  appNamespace: os-system
  middleware: postgres
  postgreSQL:
    user: knowledge_os_system
    password:
      valueFrom:
        secretKeyRef:
          key: pg_password
          name: knowledge-share-secrets
    databases:
    - name: knowledge
      extensions:
      - pg_trgm
      - btree_gin
 ---
 apiVersion: apr.bytetrade.io/v1alpha1
 kind: MiddlewareRequest
 metadata:
  name: knowledge-redis
  namespace: os-system
 spec:
  app: rss
  appNamespace: os-system
  middleware: redis
  redis:
    password:
      valueFrom:
        secretKeyRef:
          key: redis_password
          name: knowledge-share-secrets
    namespace: knowledge
 ---
 apiVersion: apr.bytetrade.io/v1alpha1
 kind: MiddlewareRequest
 metadata:
  name: knowledge-nat
  namespace: os-system
 spec:
  app: knowledge
  appNamespace: os-system
  middleware: nats
  nats:
    password:
      valueFrom:
        secretKeyRef:
          key: nat_password
          name: knowledge-secrets
    refs:
    - appName: download
      appNamespace: os-system
      subjects:
      - name: download_status
        perm:
        - pub
        - sub
    user: os-system-knowledge
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: knowledge
  namespace: os-system
  labels:
    app: knowledge
    applications.app.bytetrade.io/author: bytetrade.io
 spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: knowledge
  template:
    metadata:
      labels:
        app: knowledge
    spec:
      serviceAccount: os-internal
      serviceAccountName: os-internal
      securityContext:
        runAsUser: 0
        runAsNonRoot: false
      initContainers:
      - name: init-data
        image: busybox:1.28
        securityContext:
          privileged: true
          runAsNonRoot: false
          runAsUser: 0
        volumeMounts:
        - name: userspace-dir
          mountPath: /data
        - name: cache-dir
          mountPath: /appCache
        command:
        - sh
        - -c
        - |
          chown -R 1000:1000 /data && \
          chown -R 1000:1000 /appCache
      - name: init-container
        image: 'postgres:16.0-alpine3.18'
        command:
          - sh
          - '-c'
          - >-
            echo -e "Checking for the availability of PostgreSQL Server deployment"; until psql -h $PGHOST -p $PGPORT -U $PGUSER -d $PGDB -c "SELECT 1"; do sleep 1; printf "-"; done; sleep 5; echo -e " >> PostgreSQL DB Server has started";
        env:
          - name: PGHOST
            value: citus-headless.os-system
          - name: PGPORT
            value: "5432"
          - name: PGUSER
            value: knowledge_os_system
          - name: PGPASSWORD
            value: {{ $pg_password | b64dec }}
          - name: PGDB
            value: os_system_knowledge
      containers:
      - name: knowledge
        image: "beclab/knowledge-base-api:v0.12.5"
        imagePullPolicy: IfNotPresent
        securityContext:
          allowPrivilegeEscalation: false
          runAsUser: 1000
        ports:
        - containerPort: 3010
        env:
        - name: BACKEND_URL
          value: http://127.0.0.1:8080
        - name: RSSHUB_URL
          value: 'http://rss-server.os-system:1200'
        - name: UPLOAD_SAVE_PATH
          value: '/data/'
        - name: SEARCH_URL
          value: 'http://search3.os-system:80'
        - name: REDIS_PASSWORD
          value: {{ $redis_password_data }}
        - name: REDIS_ADDR
          value: redis-cluster-proxy.os-system
        - name: PG_USERNAME
          value: knowledge_os_system
        - name: PG_PASSWORD
          value: {{ $pg_password | b64dec }}
        - name: PG_HOST
          value: citus-headless.os-system
        - name: PG_PORT
          value: "5432"
        - name: PG_DATABASE
          value: os_system_knowledge
        - name: DOWNLOAD_URL
          value: http://download-svc.os-system:3080
        - name: YTDLP_DOWNLOAD_URL
          value: http://download-svc.os-system:3082
        - name: NATS_HOST
          value: nats
        - name: NATS_PORT
          value: "4222"
        - name: NATS_USERNAME
          value: os-system-knowledge
        - name: NATS_PASSWORD
          value: {{ $nat_password | b64dec }}
        - name: NATS_SUBJECT
          value: terminus.os-system.download_status
        - name: SOCKET_URL
          value: 'http://localhost:40010'
        volumeMounts:
          - name: userspace-dir
            mountPath: /data
        resources:
          requests:
            cpu: 20m
            memory: 50Mi
          limits:
            cpu: "1"
            memory: 1Gi
      - name: backend-server
        image: "beclab/recommend-backend:v0.12.0"
        imagePullPolicy: IfNotPresent
        securityContext:
          allowPrivilegeEscalation: false
          runAsUser: 1000
        env:
        - name: LISTEN_ADDR
          value: 127.0.0.1:8080
        - name: REDIS_PASSWORD
          value: {{ $redis_password_data }}
        - name: REDIS_ADDR
          value: redis-cluster-proxy.os-system:6379
        - name: RSS_HUB_URL
          value: 'http://rss-server.os-system:1200/'
        - name: WE_CHAT_REFRESH_FEED_URL
          value: https://recommend-wechat-prd.bttcdn.com/api/wechat/entries
        - name: WECHAT_ENTRY_CONTENT_GET_API_URL
          value: https://recommend-wechat-prd.bttcdn.com/api/wechat/entry/content
        - name: PG_USERNAME
          value: knowledge_os_system
        - name: PG_PASSWORD
          value: {{ $pg_password | b64dec }}
        - name: PG_HOST
          value: citus-headless.os-system
        - name: PG_PORT
          value: "5432"
        - name: PG_DATABASE
          value: os_system_knowledge
        - name: WATCH_DIR
          value: /data/
        - name: YT_DLP_API_URL
          value: http://download-svc.os-system:3082/api/v1/get_metadata
        - name: DOWNLOAD_API_URL
          value: http://download-svc.os-system:3080/api
        volumeMounts:
          - name: userspace-dir
            mountPath: /data
        ports:
        - containerPort: 8080
        resources:
          requests:
            cpu: 20m
            memory: 50Mi
          limits:
            cpu: "800m"
            memory: 400Mi
      - name: sync
        image: "beclab/recommend-sync:v0.12.0"
        securityContext:
          runAsUser: 0
          runAsNonRoot: false
        env:
        - name: USERSPACE_DIRECTORY
          value: /data
        - name: KNOWLEDGE_BASE_API_URL
          value: http://127.0.0.1:3010
        - name: PG_HOST
          value: citus-headless.os-system
        - name: PG_USERNAME
          value: knowledge_os_system
        - name: PG_PASSWORD
          value: {{ $pg_password | b64dec }}
        - name: PG_DATABASE
          value: os_system_knowledge
        - name: PG_PORT
          value: "5432"
        - name: TERMINUS_RECOMMEND_REDIS_ADDR
          value: redis-cluster-proxy.os-system:6379
        - name: TERMINUS_RECOMMEND_REDIS_PASSOWRD
          value: {{ $redis_password_data }}
        volumeMounts:
          - name: userspace-dir
            mountPath: /data
      - name: crawler
        image: "beclab/recommend-crawler:v0.12.1"
        securityContext:
          allowPrivilegeEscalation: false
          runAsUser: 1000
        env:
        - name: KNOWLEDGE_BASE_API_URL
          value: http://127.0.0.1:3010
        resources:
          requests:
            cpu: 20m
            memory: 50Mi
          limits:
            cpu: "800m"
            memory: 800Mi
        volumeMounts:
          - name: cache-dir
            mountPath: /appCache
      - name: terminus-ws-sidecar
        image: 'beclab/ws-gateway:v1.0.4'
        imagePullPolicy: IfNotPresent
        command:
          - /ws-gateway
        env:
          - name: WS_PORT
            value: '3010'
          - name: WS_URL
            value: /knowledge/websocket/message
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      volumes:
      - name: userspace-dir
        hostPath:
          type: Directory
          path: '{{ .Values.rootPath }}/rootfs/userspace'
      - name: cache-dir
        hostPath:
          path: '{{ .Values.rootPath }}/userdata/Cache/rss'
          type: DirectoryOrCreate
      - name: terminus-sidecar-config
        configMap:
          name: sidecar-ws-configs
          items:
          - key: envoy.yaml
            path: envoy.yaml
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: rss-svc
  namespace: os-system
 spec:
  type: ClusterIP
  selector:
    app: knowledge
  ports:
    - name: "backend-server"
      protocol: TCP
      port: 8080
      targetPort: 8080
    - name: "knowledge-base-api"
      protocol: TCP
      port: 3010
      targetPort: 3010
    - name: "knowledge-websocket"
      protocol: TCP
      port: 40010
      targetPort: 40010
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: knowledge-base-api
  namespace: os-system
 spec:
  type: ClusterIP
  selector:
    app: systemserver
  ports:
    - protocol: TCP
      name: knowledge-api
      port: 3010
      targetPort: 3010  
 ---
 apiVersion: apr.bytetrade.io/v1alpha1
 kind: MiddlewareRequest
 metadata:
  name: download-nat
  namespace: os-system
 spec:
  app: download
  appNamespace: os-system
  middleware: nats
  nats:
    password:
      valueFrom:
        secretKeyRef:
          key: nat_password
          name: knowledge-secrets
    refs: []
    subjects:
    - name: download_status
      permission:
        pub: allow
        sub: allow
      export:
      - appName: knowledge
        sub: allow
        pub: allow
    user: os-system-download
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: download
  namespace: os-system
  labels:
    app: download
    applications.app.bytetrade.io/author: bytetrade.io
 spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: download
  template:
    metadata:
      labels:
        app: download
    spec:
      serviceAccount: os-internal
      serviceAccountName: os-internal
      securityContext:
        runAsUser: 0
        runAsNonRoot: false
      initContainers:
      - name: init-data
        image: busybox:1.28
        securityContext:
          privileged: true
          runAsNonRoot: false
          runAsUser: 0
        volumeMounts:
        - name: config-dir
          mountPath: /config
        - name: download-dir
          mountPath: /downloads
        command:
        - sh
        - -c
        - |
          chown -R 1000:1000 /config && \
          chown -R 1000:1000 /downloads
      - name: init-container
        image: 'postgres:16.0-alpine3.18'
        command:
          - sh
          - '-c'
          - >-
            echo -e "Checking for the availability of PostgreSQL Server deployment"; until psql -h $PGHOST -p $PGPORT -U $PGUSER -d $PGDB -c "SELECT 1"; do sleep 1; printf "-"; done; sleep 5; echo -e " >> PostgreSQL DB Server has started";
        env:
          - name: PGHOST
            value: citus-headless.os-system
          - name: PGPORT
            value: "5432"
          - name: PGUSER
            value: knowledge_os_system
          - name: PGPASSWORD
            value: {{ $pg_password | b64dec }}
          - name: PGDB
            value: os_system_knowledge
      containers:
      - name: aria2
        image: "beclab/aria2:v0.0.4"
        imagePullPolicy: IfNotPresent
        securityContext:
          runAsNonRoot: false
          runAsUser: 0
        ports:
        - containerPort: 6800
        - containerPort: 6888
        env:
        - name: RPC_SECRET
          value: kubespider
        - name: PUID
          value: "1000"
        - name: PGID
          value: "1000"
        volumeMounts:
        - name: download-dir
          mountPath: /downloads
        resources:
          requests:
            cpu: 20m
            memory: 50Mi
          limits:
            cpu: "1"
            memory: 300Mi
      - name: yt-dlp
        image: "beclab/yt-dlp:v0.12.2"
        imagePullPolicy: IfNotPresent
        securityContext:
          allowPrivilegeEscalation: false
          runAsUser: 1000
        ports:
        - containerPort: 3082
        env:
        - name: PG_USERNAME
          value: knowledge_os_system
        - name: PG_PASSWORD
          value: {{ $pg_password | b64dec }}
        - name: PG_HOST
          value: citus-headless.os-system
        - name: PG_PORT
          value: "5432"
        - name: PG_DATABASE
          value: os_system_knowledge
        - name: REDIS_HOST
          value: redis-cluster-proxy.os-system
        - name: REDIS_PASSWORD
          value: {{ $redis_password | b64dec }}
        - name: NATS_HOST
          value: nats
        - name: NATS_PORT
          value: "4222"
        - name: NATS_USERNAME
          value: os-system-download
        - name: NATS_PASSWORD
          value: {{ $nat_password | b64dec }}
        - name: NATS_SUBJECT
          value: terminus.os-system.download_status
        volumeMounts:
        - name: config-dir
          mountPath: /app/config
        - name: download-dir
          mountPath: /app/downloads
        resources:
          requests:
            cpu: 20m
            memory: 50Mi
          limits:
            cpu: "1"
            memory: 300Mi
      - name: download-spider
        image: "beclab/download-spider:v0.12.2"
        imagePullPolicy: IfNotPresent
        securityContext:
          allowPrivilegeEscalation: false
          runAsUser: 1000
        env:
        - name: PG_USERNAME
          value: knowledge_os_system
        - name: PG_PASSWORD
          value: {{ $pg_password | b64dec }}
        - name: PG_HOST
          value: citus-headless.os-system
        - name: PG_PORT
          value: "5432"
        - name: PG_DATABASE
          value: os_system_knowledge
        - name: REDIS_HOST
          value: redis-cluster-proxy.os-system
        - name: REDIS_PASSWORD
          value: {{ $redis_password | b64dec }}
        - name: NATS_HOST
          value: nats
        - name: NATS_PORT
          value: "4222"
        - name: NATS_USERNAME
          value: os-system-download
        - name: NATS_PASSWORD
          value: {{ $nat_password | b64dec }}
        - name: NATS_SUBJECT
          value: terminus.os-system.download_status
        volumeMounts:
        - name: download-dir
          mountPath: /downloads
        ports:
        - containerPort: 3080
        resources:
          requests:
            cpu: 20m
            memory: 50Mi
          limits:
            cpu: "1"
            memory: 300Mi
      volumes:
      - name: config-dir
        hostPath: 
          type: DirectoryOrCreate
          path: '{{ .Values.rootPath }}/userdata/Cache/download'
      - name: download-dir
        hostPath:
          type: DirectoryOrCreate
          path: '{{ .Values.rootPath }}/rootfs/userspace'
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: download-svc
  namespace: os-system
 spec:
  type: ClusterIP
  selector:
    app: download
  ports:
    - name: "download-spider"
      protocol: TCP
      port: 3080
      targetPort: 3080
    - name: "aria2-server"
      protocol: TCP
      port: 6800
      targetPort: 6800
    - name: ytdlp-server
      protocol: TCP
      port: 3082
      targetPort: 3082
--- a/apps/knowledge/config/user/helm-charts/knowledge/.helmignore
+++ b/apps/knowledge/config/user/helm-charts/knowledge/.helmignore
@@ -1,23 +0,0 @@
 # Patterns to ignore when building packages.
 # This supports shell glob matching, relative path matching, and
 # negation (prefixed with !). Only one pattern per line.
 .DS_Store
 # Common VCS dirs
 .git/
 .gitignore
 .bzr/
 .bzrignore
 .hg/
 .hgignore
 .svn/
 # Common backup files
 *.swp
 *.bak
 *.tmp
 *.orig
 *~
 # Various IDEs
 .project
 .idea/
 *.tmproj
 .vscode/
--- a/apps/knowledge/config/user/helm-charts/knowledge/Chart.yaml
+++ b/apps/knowledge/config/user/helm-charts/knowledge/Chart.yaml
@@ -1,26 +0,0 @@
 apiVersion: v2
 name: knowledge
 description: A Helm chart for Kubernetes
 maintainers:
 - name: bytetrade
 # A chart can be either an 'application' or a 'library' chart.
 #
 # Application charts are a collection of templates that can be packaged into versioned archives
 # to be deployed.
 #
 # Library charts provide useful utilities or functions for the chart developer. They're included as
 # a dependency of application charts to inject those utilities and functions into the rendering
 # pipeline. Library charts do not define any templates and therefore cannot be deployed.
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
 version: 0.0.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
 appVersion: "1.16.0"
--- a/apps/knowledge/config/user/helm-charts/knowledge/templates/NOTES.txt
+++ b/apps/knowledge/config/user/helm-charts/knowledge/templates/NOTES.txt
--- a/apps/knowledge/config/user/helm-charts/knowledge/templates/_helpers.tpl
+++ b/apps/knowledge/config/user/helm-charts/knowledge/templates/_helpers.tpl
@@ -1,62 +0,0 @@
 {{/*
 Expand the name of the chart.
 */}}
 {{- define "knowledge.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
 {{- define "knowledge.fullname" -}}
 {{- if .Values.fullnameOverride }}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
 {{- else }}
 {{- $name := default .Chart.Name .Values.nameOverride }}
 {{- if contains $name .Release.Name }}
 {{- .Release.Name | trunc 63 | trimSuffix "-" }}
 {{- else }}
 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
 {{- end }}
 {{- end }}
 {{- end }}
 {{/*
 Create chart name and version as used by the chart label.
 */}}
 {{- define "knowledge.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 {{/*
 Common labels
 */}}
 {{- define "knowledge.labels" -}}
 helm.sh/chart: {{ include "knowledge.chart" . }}
 {{ include "knowledge.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "knowledge.selectorLabels" -}}
 app.kubernetes.io/name: {{ include "knowledge.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 {{/*
 Create the name of the service account to use
 */}}
 {{- define "knowledge.serviceAccountName" -}}
 {{- if .Values.serviceAccount.create }}
 {{- default (include "knowledge.fullname" .) .Values.serviceAccount.name }}
 {{- else }}
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
--- a/apps/knowledge/config/user/helm-charts/knowledge/templates/knowledge_deployment.yaml
+++ b/apps/knowledge/config/user/helm-charts/knowledge/templates/knowledge_deployment.yaml
@@ -1,570 +0,0 @@
 {{- $namespace := printf "%s%s" "user-system-" .Values.bfl.username -}}
 {{- $knowledge_secret := (lookup "v1" "Secret" $namespace "rss-secrets") -}}
 {{- $redis_password := "" -}}
 {{ if $knowledge_secret -}}
 {{ $redis_password = (index $knowledge_secret "data" "redis_password") }}
 {{ else -}}
 {{ $redis_password = randAlphaNum 16 | b64enc }}
 {{- end -}}
 {{- $redis_password_data := "" -}}
 {{ $redis_password_data = $redis_password | b64dec }}
 {{- $pg_password := "" -}}
 {{ if $knowledge_secret -}}
 {{ $pg_password = (index $knowledge_secret "data" "pg_password") }}
 {{ else -}}
 {{ $pg_password = randAlphaNum 16 | b64enc }}
 {{- end -}}
 {{- $knowledge_nats_secret := (lookup "v1" "Secret" $namespace "knowledge-secrets") -}}
 {{- $nat_password := "" -}}
 {{ if $knowledge_nats_secret -}}
 {{ $nat_password = (index $knowledge_nats_secret "data" "nat_password") }}
 {{ else -}}
 {{ $nat_password = randAlphaNum 16 | b64enc }}
 {{- end -}}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: knowledge-secrets
  namespace: user-system-{{ .Values.bfl.username }}
 type: Opaque
 data:
  pg_password: {{ $pg_password }}
  nat_password: {{ $nat_password }}
 ---
 apiVersion: apr.bytetrade.io/v1alpha1
 kind: MiddlewareRequest
 metadata:
  name: knowledge-pg
  namespace: user-system-{{ .Values.bfl.username }}
 spec:
  app: knowledge
  appNamespace: {{ .Release.Namespace }}
  middleware: postgres
  postgreSQL:
    user: knowledge_{{ .Values.bfl.username }}
    password:
      valueFrom:
        secretKeyRef:
          key: pg_password
          name: knowledge-secrets
    databases:
    - name: knowledge
      extensions:
      - pg_trgm
      - btree_gin
 ---
 apiVersion: apr.bytetrade.io/v1alpha1
 kind: MiddlewareRequest
 metadata:
  name: knowledge-nat
  namespace: user-system-{{ .Values.bfl.username }}
 spec:
  app: knowledge
  appNamespace: {{ .Release.Namespace }}
  middleware: nats
  nats:
    password:
      valueFrom:
        secretKeyRef:
          key: nat_password
          name: knowledge-secrets
    refs:
    - appName: download
      appNamespace: {{ .Release.Namespace }}
      subjects:
      - name: download_status
        perm:
        - pub
        - sub
    user: user-system-{{ .Values.bfl.username }}-knowledge
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: knowledge-secrets-auth
  namespace: {{ .Release.Namespace }}
 data:
  redis_password: {{ $redis_password_data }}
  redis_addr: redis-cluster-proxy.user-system-{{ .Values.bfl.username }}:6379
  redis_host: redis-cluster-proxy.user-system-{{ .Values.bfl.username }}
  redis_port: '6379'
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: knowledge-userspace-data
  namespace: {{ .Release.Namespace }}
 data:
  appData: "{{ .Values.userspace.appData }}"
  appCache: "{{ .Values.userspace.appCache }}"
  username: "{{ .Values.bfl.username }}"
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: knowledge
  namespace: {{ .Release.Namespace }}
  labels:
    app: knowledge
    applications.app.bytetrade.io/author: bytetrade.io
 spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: knowledge
  template:
    metadata:
      labels:
        app: knowledge
    spec:
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
      initContainers:
      - name: init-data
        image: busybox:1.28
        securityContext:
          privileged: true
          runAsNonRoot: false
          runAsUser: 0
        volumeMounts:
        - name: juicefs
          mountPath: /juicefs
        command:
        - sh
        - -c
        - |
          chown -R 1000:1000 /juicefs
      - name: init-container
        image: 'postgres:16.0-alpine3.18'
        command:
          - sh
          - '-c'
          - >-
            echo -e "Checking for the availability of PostgreSQL Server deployment"; until psql -h $PGHOST -p $PGPORT -U $PGUSER -d $PGDB -c "SELECT 1"; do sleep 1; printf "-"; done; sleep 5; echo -e " >> PostgreSQL DB Server has started";
        env:
          - name: PGHOST
            value: citus-master-svc.user-system-{{ .Values.bfl.username }}
          - name: PGPORT
            value: "5432"
          - name: PGUSER
            value: knowledge_{{ .Values.bfl.username }}
          - name: PGPASSWORD
            value: {{ $pg_password | b64dec }}
          - name: PGDB
            value: user_space_{{ .Values.bfl.username }}_knowledge
      containers:
      - name: knowledge
        image: "beclab/knowledge-base-api:v0.1.67"
        imagePullPolicy: IfNotPresent
        securityContext:
          allowPrivilegeEscalation: false
          runAsUser: 1000
        ports:
        - containerPort: 3010
        env:
        - name: BACKEND_URL
          value: http://127.0.0.1:8080
        - name: RSSHUB_URL
          value: 'http://rss-server.os-system:1200'
        - name: UPLOAD_SAVE_PATH
          value: '/data/Home/Documents/'
        - name: SEARCH_URL
          value: 'http://search3.os-system:80'
        - name: REDIS_PASSWORD
          valueFrom:
            configMapKeyRef:
              name: knowledge-secrets-auth
              key: redis_password
        - name: REDIS_ADDR
          valueFrom:
            configMapKeyRef:
              name: knowledge-secrets-auth
              key: redis_addr
        - name: PDF_SAVE_PATH
          value: /data/Home/Documents/Pdf/
        - name: PG_USERNAME
          value: knowledge_{{ .Values.bfl.username }}
        - name: PG_PASSWORD
          value: {{ $pg_password | b64dec }}
        - name: PG_HOST
          value: citus-master-svc.user-system-{{ .Values.bfl.username }}
        - name: PG_PORT
          value: "5432"
        - name: PG_DATABASE
          value: user_space_{{ .Values.bfl.username }}_knowledge
        - name: DOWNLOAD_URL
          value: http://download-svc.user-space-{{ .Values.bfl.username }}:3080
        - name: BFL_USER_NAME
          value: "{{ .Values.bfl.username }}"
        - name: SETTING_URL
          value: http://system-server.user-system-{{ .Values.bfl.username }}
        - name: NATS_HOST
          value: nats.user-system-{{ .Values.bfl.username }}
        - name: NATS_PORT
          value: "4222"
        - name: NATS_USERNAME
          value: user-system-{{ .Values.bfl.username }}-knowledge
        - name: NATS_PASSWORD
          value: {{ $nat_password | b64dec }}
        - name: NATS_SUBJECT
          value: "terminus.{{ .Release.Namespace }}.download_status"
        - name: SOCKET_URL
          value: 'http://localhost:40010'
        volumeMounts:
        - name: watch-dir
          mountPath: /data/Home/Documents
        resources:
          requests:
            cpu: 20m
            memory: 50Mi
          limits:
            cpu: "1"
            memory: 1Gi
      - name: backend-server
        image: "beclab/recommend-backend:v0.0.29"
        imagePullPolicy: IfNotPresent
        securityContext:
          allowPrivilegeEscalation: false
          runAsUser: 1000
        env:
        - name: LISTEN_ADDR
          value: 127.0.0.1:8080
        - name: REDIS_PASSWORD
          valueFrom:
            configMapKeyRef:
              name: knowledge-secrets-auth
              key: redis_password
        - name: REDIS_ADDR
          valueFrom:
            configMapKeyRef:
              name: knowledge-secrets-auth
              key: redis_addr
        - name: OS_SYSTEM_SERVER
          value: system-server.user-system-{{ .Values.bfl.username }}
        - name: OS_APP_SECRET
          value: '{{ .Values.os.wise.appSecret }}'
        - name: OS_APP_KEY
          value: {{ .Values.os.wise.appKey }}
        - name: RSS_HUB_URL
          value: 'http://rss-server.os-system:1200/'
        - name: WE_CHAT_REFRESH_FEED_URL
          value: https://recommend-wechat-prd.bttcdn.com/api/wechat/entries
        - name: WECHAT_ENTRY_CONTENT_GET_API_URL
          value: https://recommend-wechat-prd.bttcdn.com/api/wechat/entry/content
        - name: PG_USERNAME
          value: knowledge_{{ .Values.bfl.username }}
        - name: PG_PASSWORD
          value: {{ $pg_password | b64dec }}
        - name: PG_HOST
          value: citus-master-svc.user-system-{{ .Values.bfl.username }}
        - name: PG_PORT
          value: "5432"
        - name: PG_DATABASE
          value: user_space_{{ .Values.bfl.username }}_knowledge
        - name: WATCH_DIR
          value: /data/Home/Downloads
        - name: NOTIFY_SERVER
          value: fsnotify-svc.user-system-{{ .Values.bfl.username }}:5079
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: CONTAINER_NAME
          value: backend-server
        - name: YT_DLP_API_URL
          value: http://download-svc.user-space-{{ .Values.bfl.username }}:3082/api/v1/get_metadata
        - name: DOWNLOAD_API_URL
          value: http://download-svc.user-space-{{ .Values.bfl.username }}:3080/api
        - name: SETTING_API_URL
          value: http://system-server.user-system-{{ .Values.bfl.username }}/legacy/v1alpha1/service.settings/v1/api/cookie/retrieve
        volumeMounts:
          - name: watch-dir
            mountPath: /data/Home/Downloads
        ports:
        - containerPort: 8080
        resources:
          requests:
            cpu: 20m
            memory: 50Mi
          limits:
            cpu: "800m"
            memory: 400Mi
      - name: sync
        image: "beclab/recommend-sync:v0.0.15"
        securityContext:
          allowPrivilegeEscalation: false
          runAsUser: 1000
        env:
        - name: TERMIUS_USER_NAME
          value: "{{ .Values.bfl.username }}"
        - name: JUICEFS_ROOT_DIRECTORY
          value: /juicefs
        - name: KNOWLEDGE_BASE_API_URL
          value: http://127.0.0.1:3010
        - name: PG_HOST
          value: citus-master-svc.user-system-{{ .Values.bfl.username }}
        - name: PG_USERNAME
          value: knowledge_{{ .Values.bfl.username }}
        - name: PG_PASSWORD
          value: {{ $pg_password | b64dec }}
        - name: PG_DATABASE
          value: user_space_{{ .Values.bfl.username }}_knowledge
        - name: PG_PORT
          value: "5432"
        - name: TERMINUS_RECOMMEND_REDIS_ADDR
          valueFrom:
            configMapKeyRef:
              name: knowledge-secrets-auth
              key: redis_addr
        - name: TERMINUS_RECOMMEND_REDIS_PASSOWRD
          valueFrom:
            configMapKeyRef:
              name: knowledge-secrets-auth
              key: redis_password
        volumeMounts:
        - name: juicefs
          mountPath: /juicefs
      - name: crawler
        image: "beclab/recommend-crawler:v0.0.14"
        securityContext:
          allowPrivilegeEscalation: false
          runAsUser: 1000
        env:
        - name: TERMIUS_USER_NAME
          value: "{{ .Values.bfl.username }}"
        - name: KNOWLEDGE_BASE_API_URL
          value: http://127.0.0.1:3010
        resources:
          requests:
            cpu: 20m
            memory: 50Mi
          limits:
            cpu: "800m"
            memory: 800Mi
      - name: terminus-ws-sidecar
        image: 'beclab/ws-gateway:v1.0.4'
        imagePullPolicy: IfNotPresent
        command:
          - /ws-gateway
        env:
          - name: WS_PORT
            value: '3010'
          - name: WS_URL
            value: /knowledge/websocket/message
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      - name: recommend-debug
        image: "beclab/recommenddebug:v0.0.25"
        imagePullPolicy: IfNotPresent
        securityContext:
          allowPrivilegeEscalation: false
          runAsUser: 1000
        env:
          - name: KNOWLEDGE_BASE_API_URL
            value: http://127.0.0.1:3010
        volumeMounts:
          - mountPath: /opt/rank_model
            name: model
      volumes:
      - name: watch-dir
        hostPath:
          type: Directory
          path: {{ .Values.userspace.userData }}
      - name: juicefs
        hostPath:
          type: DirectoryOrCreate
          path: {{ .Values.userspace.appData }}/rss/data
      - name: terminus-sidecar-config
        configMap:
          name: sidecar-ws-configs
          items:
          - key: envoy.yaml
            path: envoy.yaml
      - name: model
        hostPath:
          type: DirectoryOrCreate
          path: {{ .Values.userspace.appData }}/rss/model
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: rss-svc
  namespace: {{ .Release.Namespace }}
 spec:
  type: ClusterIP
  selector:
    app: knowledge
  ports:
    - name: "backend-server"
      protocol: TCP
      port: 8080
      targetPort: 8080
    # - name: "rss-sdk"
    #   protocol: TCP
    #   port: 3000
    #   targetPort: 3000
    - name: "knowledge-base-api"
      protocol: TCP
      port: 3010
      targetPort: 3010
    - name: "knowledge-websocket"
      protocol: TCP
      port: 40010
      targetPort: 40010
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: knowledge-base-api
  namespace: user-system-{{ .Values.bfl.username }}
 spec:
  type: ClusterIP
  selector:
    app: systemserver
  ports:
    - protocol: TCP
      name: knowledge-api
      port: 3010
      targetPort: 3010  
 ---
 #apiVersion: v1
 #data:
 #  mappings: |
 #    {
 #      "properties": {
 #        "@timestamp": {
 #          "type": "date",
 #          "index": true,
 #          "store": false,
 #          "sortable": true,
 #          "aggregatable": true,
 #          "highlightable": false
 #        },
 #        "_id": {
 #          "type": "keyword",
 #          "index": true,
 #          "store": false,
 #          "sortable": true,
 #          "aggregatable": true,
 #          "highlightable": false
 #        },
 #        "content": {
 #          "type": "text",
 #          "index": true,
 #          "store": true,
 #          "sortable": false,
 #          "aggregatable": false,
 #          "highlightable": true
 #        },
 #        "created": {
 #          "type": "numeric",
 #          "index": true,
 #          "store": false,
 #          "sortable": true,
 #          "aggregatable": true,
 #          "highlightable": false
 #        },
 #        "format_name": {
 #          "type": "text",
 #          "index": true,
 #          "store": false,
 #          "sortable": false,
 #          "aggregatable": false,
 #          "highlightable": false
 #        },
 #        "md5": {
 #          "type": "text",
 #          "analyzer": "keyword",
 #          "index": true,
 #          "store": false,
 #          "sortable": false,
 #          "aggregatable": false,
 #          "highlightable": false
 #        },
 #        "meta": {
 #          "type": "text",
 #          "index": true,
 #          "store": false,
 #          "sortable": false,
 #          "aggregatable": false,
 #          "highlightable": false
 #        },
 #        "name": {
 #          "type": "text",
 #          "index": true,
 #          "store": false,
 #          "sortable": false,
 #          "aggregatable": false,
 #          "highlightable": false
 #        },
 #        "where": {
 #          "type": "text",
 #          "analyzer": "keyword",
 #          "index": true,
 #          "store": false,
 #          "sortable": false,
 #          "aggregatable": false,
 #          "highlightable": false
 #        }
 #      }
 #    }
 #kind: ConfigMap
 #metadata:
 #  name: zinc-knowledge
 #  namespace: user-system-{{ .Values.bfl.username }}
 #---
 apiVersion: apr.bytetrade.io/v1alpha1
 kind: SysEventRegistry
 metadata:
  name: konwledgebase-recommend-install-cb
  namespace: {{ .Release.Namespace }}
 spec:
  type: subscriber
  event: recommend.install
  callback: http://rss-svc.{{ .Release.Namespace }}:3010/knowledge/algorithm/recommend/install
 ---
 apiVersion: apr.bytetrade.io/v1alpha1
 kind: SysEventRegistry
 metadata:
  name: konwledgebase-recommend-uninstall-cb
  namespace: {{ .Release.Namespace }}
 spec:
  type: subscriber
  event: recommend.uninstall
  callback: http://rss-svc.{{ .Release.Namespace }}:3010/knowledge/algorithm/recommend/uninstall
--- a/apps/knowledge/config/user/helm-charts/knowledge/values.yaml
+++ b/apps/knowledge/config/user/helm-charts/knowledge/values.yaml
@@ -1,43 +0,0 @@
 bfl:
  nodeport: 30883
  nodeport_ingress_http: 30083
  nodeport_ingress_https: 30082
  username: 'test'
  url: 'test'
  nodeName: test
 pvc:
  userspace: test
 userspace:
  userData: test/Home
  appData: test/Data
  appCache: test
  dbdata: test
 docs:
  nodeport: 30881
 desktop:
  nodeport: 30180
 os:
  portfolio:
    appKey: '${ks[0]}'
    appSecret: test
  vault:
    appKey: '${ks[0]}'
    appSecret: test
  desktop:
    appKey: '${ks[0]}'
    appSecret: test
  message:
    appKey: '${ks[0]}'
    appSecret: test
  wise:
    appKey: '${ks[0]}'
    appSecret: test
  search:
    appKey: '${ks[0]}'
    appSecret: test
  search2:
    appKey: '${ks[0]}'
    appSecret: test
 kubesphere:
  redis_password: ""
--- a/apps/market/config/user/helm-charts/market/templates/market_deploy.yaml
+++ b/apps/market/config/user/helm-charts/market/templates/market_deploy.yaml
@@ -43,7 +43,14 @@ spec:
      labels:
        app: appstore
        io.bytetrade.app: "true"
      annotations:
        instrumentation.opentelemetry.io/inject-go: "olares-instrumentation"
        instrumentation.opentelemetry.io/go-container-names: "appstore-backend"    
        instrumentation.opentelemetry.io/otel-go-auto-target-exe: "/opt/app/market"
        instrumentation.opentelemetry.io/inject-nginx: "olares-instrumentation"
        instrumentation.opentelemetry.io/inject-nginx-container-names: "appstore"    
    spec:
      priorityClassName: "system-cluster-critical"
      initContainers:
        - args:
          - -it
@@ -83,14 +90,33 @@ spec:
              fieldRef:
                apiVersion: v1
                fieldPath: status.podIP
        - name: nginx-init
          image: beclab/market-frontend:v0.3.11
          imagePullPolicy: IfNotPresent
          volumeMounts:
            - name: app
              mountPath: /cp_app
            - name: nginx-confd
              mountPath: /confd
          command:
          - sh
          - -c
          - |
            cp -rf /app/* /cp_app/. && cp -rf /etc/nginx/conf.d/* /confd/.            
      containers:
      - name: appstore
-        image: beclab/market-frontend:v0.3.6
+        image: beclab/docker-nginx-headers-more:ubuntu-v0.1.0
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
        volumeMounts:
        - name: app
          mountPath: /app
        - name: nginx-confd
          mountPath: /etc/nginx/conf.d
      - name: appstore-backend
-        image: beclab/market-backend:v0.3.6
+        image: beclab/market-backend:v0.3.11
        imagePullPolicy: IfNotPresent
        ports:
          - containerPort: 81
@@ -191,8 +217,12 @@ spec:
            path: envoy.yaml
      - name: opt-data
        hostPath:
-          path: {{ .Values.userspace.appData}}/appstore/data
+          path: '{{ .Values.userspace.appData}}/appstore/data'
          type: DirectoryOrCreate
      - name: app
        emptyDir: {}
      - name: nginx-confd
        emptyDir: {}
 ---
 apiVersion: v1
--- a/apps/market/config/user/helm-charts/market/values.yaml
+++ b/apps/market/config/user/helm-charts/market/values.yaml
@@ -1,4 +1,3 @@
 bfl:
  nodeport: 30883
  nodeport_ingress_http: 30083
@@ -42,4 +41,4 @@ os:
  appstore:
    marketProvider: ''
 kubesphere:
-  redis_password: ""
+  redis_password: ""
--- a/apps/notifications/config/cluster/deploy/notification_deploy.yaml
+++ b/apps/notifications/config/cluster/deploy/notification_deploy.yaml
@@ -0,0 +1,230 @@
 {{- $namespace := printf "%s" "os-system" -}}
 {{- $notifications_secret := (lookup "v1" "Secret" $namespace "notifications-secrets") -}}
 {{- $pg_password := "" -}}
 {{ if $notifications_secret -}}
 {{ $pg_password = (index $notifications_secret "data" "pg_password") }}
 {{ else -}}
 {{ $pg_password = randAlphaNum 16 | b64enc }}
 {{- end -}}
 {{- $nats_password := "" -}}
 {{ if $notifications_secret -}}
 {{ $nats_password = (index $notifications_secret "data" "nats_password") }}
 {{ else -}}
 {{ $nats_password = randAlphaNum 16 | b64enc }}
 {{- end -}}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: notifications-secrets
  namespace: {{ .Release.Namespace }}
 type: Opaque
 data:
  pg_password: {{ $pg_password }}
  nats_password: {{ $nats_password }}
 ---
 apiVersion: apr.bytetrade.io/v1alpha1
 kind: MiddlewareRequest
 metadata:
  name: notifications-pg
  namespace: {{ .Release.Namespace }}
 spec:
  app: notifications
  appNamespace: {{ .Release.Namespace }}
  middleware: postgres
  postgreSQL:
    user: notifications_os_system
    password:
      valueFrom:
        secretKeyRef:
          key: pg_password
          name: notifications-secrets
    databases:
    - name: notifications   
 ---
 apiVersion: apr.bytetrade.io/v1alpha1
 kind: MiddlewareRequest
 metadata:
  name: notifications-nats
  namespace: {{ .Release.Namespace }}
 spec:
  app: notifications
  appNamespace: {{ .Release.Namespace }}
  middleware: nats
  nats:
    password:
      valueFrom:
        secretKeyRef:
          key: nats_password
          name: notifications-secrets
    refs: []   # TODO: refs to notifications-proxy's subject
    subjects:
      - export:
          - appName: notifications-proxy
            pub: allow
            sub: allow
          - appName: lldap
            pub: allow
            sub: allow
          - appName: ks-component
            pub: allow
            sub: allow
          - appName: authelia
            pub: allow
            sub: allow
        name: system.notification
        permission:
          pub: allow
          sub: allow
      - export:
          - appName: lldap
            pub: allow
            sub: allow
          - appName: vault-server
            pub: deny
            sub: allow
          - appName: seahub
            pub: deny
            sub: allow
          - appName: knowledge
            pub: deny
            sub: allow
        name: system.users
        permission:
          pub: allow
          sub: allow
    user: os-system-notifications
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: notifications-server
  namespace: {{ .Release.Namespace }}
  labels:
    app: notifications-server
    applications.app.bytetrade.io/author: bytetrade.io
  annotations:
 spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: notifications-server
  template:
    metadata:
      labels:
        app: notifications-server
    spec:
      initContainers:
      - name: init-container
        image: 'postgres:16.0-alpine3.18'
        command:
          - sh
          - '-c'
          - >-
            echo -e "Checking for the availability of PostgreSQL Server deployment"; until psql -h $PGHOST -p $PGPORT -U $PGUSER -d $PGDB -c "SELECT 1"; do sleep 1; printf "-"; done; sleep 5; echo -e " >> PostgreSQL DB Server has started";
        env:
          - name: PGHOST
            value: citus-headless.os-system
          - name: PGPORT
            value: "5432"
          - name: PGUSER
            value: notifications_os_system
          - name: PGPASSWORD
            valueFrom:
              secretKeyRef:
                key: pg_password
                name: notifications-secrets
          - name: PGDB
            value: os_system_notifications
      containers:
      - name: notifications-api
        image: beclab/notifications-api:v1.12.3
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 3010
          protocol: TCP
        env:
        - name: DATABASE_PASSWORD
          valueFrom:
            secretKeyRef:
              key: pg_password
              name: notifications-secrets
        - name: PRISMA_ENGINES_CHECKSUM_IGNORE_MISSING
          value: '1'
        - name: DATABASE_URL
          value: postgres://notifications_os_system:$(DATABASE_PASSWORD)@citus-headless.os-system/os_system_notifications?sslmode=disable
        - name: NATS_HOST
          value: nats
        - name: NATS_PORT
          value: "4222"
        - name: NATS_USERNAME
          value: os-system-notifications
        - name: NATS_PASSWORD
          valueFrom:
            secretKeyRef:
              key: nats_password
              name: notifications-secrets
        - name: NATS_SUBJECT
          value: "terminus.{{ .Release.Namespace }}.system.notification"
        - name: NATS_SUBJECT_SYSTEM_USERS
          value: "terminus.{{ .Release.Namespace }}.system.users"
        livenessProbe:
          tcpSocket:
            port: 3010
          initialDelaySeconds: 25
          timeoutSeconds: 15
          periodSeconds: 10
          successThreshold: 1
          failureThreshold: 8
        readinessProbe:
          tcpSocket:
            port: 3010
          initialDelaySeconds: 25
          periodSeconds: 10
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: notifications-service
  namespace: {{ .Release.Namespace }}
 spec:
  type: ClusterIP
  selector:
    app: notifications-server
  ports:
  - name: "notifications-server"
    protocol: TCP
    port: 80
    targetPort: 3010
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: notifications-server
  namespace: {{ .Release.Namespace }}
 spec:
  type: ClusterIP
  selector:
    app: notifications-server
  ports:
  - name: "server"
    protocol: TCP
    port: 80
    targetPort: 3010
--- a/apps/notifications/config/user/helm-charts/notification/templates/notification_deploy.yaml
+++ b/apps/notifications/config/user/helm-charts/notification/templates/notification_deploy.yaml
@@ -1,234 +1 @@
-
+# TODO: deploy a notification proxy
 {{- $namespace := printf "%s%s" "user-system-" .Values.bfl.username -}}
 {{- $notifications_secret := (lookup "v1" "Secret" $namespace "notifications-secrets") -}}
 {{- $password := "" -}}
 {{ if $notifications_secret -}}
 {{ $password = (index $notifications_secret "data" "pg_password") }}
 {{ else -}}
 {{ $password = randAlphaNum 16 | b64enc }}
 {{- end -}}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: notifications-secrets
  namespace: user-system-{{ .Values.bfl.username }}
 type: Opaque
 data:
  pg_password: {{ $password }}
 ---
 apiVersion: apr.bytetrade.io/v1alpha1
 kind: MiddlewareRequest
 metadata:
  name: notifications-pg
  namespace: user-system-{{ .Values.bfl.username }}
 spec:
  app: notifications
  appNamespace: {{ .Release.Namespace }}
  middleware: postgres
  postgreSQL:
    user: notifications_{{ .Values.bfl.username }}
    password:
      valueFrom:
        secretKeyRef:
          key: pg_password
          name: notifications-secrets
    databases:
    - name: notifications   
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: notifications-server
  namespace: {{ .Release.Namespace }}
  labels:
    app: notifications-server
    applications.app.bytetrade.io/author: bytetrade.io
  annotations:
 spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: notifications-server
  template:
    metadata:
      labels:
        app: notifications-server
    spec:
      initContainers:
      - name: init-container
        image: 'postgres:16.0-alpine3.18'
        command:
          - sh
          - '-c'
          - >-
            echo -e "Checking for the availability of PostgreSQL Server deployment"; until psql -h $PGHOST -p $PGPORT -U $PGUSER -d $PGDB -c "SELECT 1"; do sleep 1; printf "-"; done; sleep 5; echo -e " >> PostgreSQL DB Server has started";
        env:
          - name: PGHOST
            value: citus-master-svc.user-system-{{ .Values.bfl.username }}
          - name: PGPORT
            value: "5432"
          - name: PGUSER
            value: notifications_{{ .Values.bfl.username }}
          - name: PGPASSWORD
            value: {{ $password | b64dec }}
          - name: PGDB
            value: user_space_{{ .Values.bfl.username }}_notifications
      containers:
      - name: notifications-api
        image: beclab/notifications-api:v0.1.25
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 3010
          protocol: TCP
        env:
        - name: OS_SYSTEM_SERVER
          value: system-server.user-system-{{ .Values.bfl.username }}
        - name: OS_APP_SECRET
          value: '{{ .Values.os.notification.appSecret }}'
        - name: OS_APP_KEY
          value: {{ .Values.os.notification.appKey }}
        - name: DATABASE_PASSWORD
          value: {{ $password | b64dec }}
        - name: PRISMA_ENGINES_CHECKSUM_IGNORE_MISSING
          value: '1'
        - name: DATABASE_URL
          value: postgres://notifications_{{ .Values.bfl.username }}:$(DATABASE_PASSWORD)@citus-master-svc.user-system-{{ .Values.bfl.username }}/user_space_{{ .Values.bfl.username }}_notifications?sslmode=disable
        livenessProbe:
          tcpSocket:
            port: 3010
          initialDelaySeconds: 25
          timeoutSeconds: 15
          periodSeconds: 10
          successThreshold: 1
          failureThreshold: 8
        readinessProbe:
          tcpSocket:
            port: 3010
          initialDelaySeconds: 25
          periodSeconds: 10
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: notifications-service
  namespace: {{ .Release.Namespace }}
 spec:
  type: ClusterIP
  selector:
    app: notifications-server
  ports:
  - name: "notifications-server"
    protocol: TCP
    port: 80
    targetPort: 3010
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: notifications-server
  namespace: {{ .Release.Namespace }}
 spec:
  type: ClusterIP
  selector:
    app: notifications-server
  ports:
  - name: "server"
    protocol: TCP
    port: 80
    targetPort: 3010
 ---
 apiVersion: sys.bytetrade.io/v1alpha1
 kind: ProviderRegistry
 metadata:
  name: notifications-token-provider
  namespace: user-system-{{ .Values.bfl.username }}
 spec:
  dataType: token
  deployment: notifications-server
  description: notifications provider
  endpoint: notifications-server.{{ .Release.Namespace }}
  group: service.notification
  kind: provider
  namespace: {{ .Release.Namespace }}
  opApis:
  - name: Create
    uri: /termipass/create_token
  version: v1
 status:
  state: active
 ---
 apiVersion: sys.bytetrade.io/v1alpha1
 kind: ProviderRegistry
 metadata:
  name: notifications-message-provider
  namespace: user-system-{{ .Values.bfl.username }}
 spec:
  dataType: message
  deployment: notifications-server
  description: notifications provider
  endpoint: notifications-server.{{ .Release.Namespace }}
  group: service.notification
  kind: provider
  namespace: {{ .Release.Namespace }}
  opApis:
  - name: SendMassage
    uri: /notification/create_job
  - name: SystemMessage
    uri: /notification/system/push
  version: v1
 status:
  state: active
 ---
 apiVersion: sys.bytetrade.io/v1alpha1
 kind: ApplicationPermission
 metadata:
  name: notification-call-vault
  namespace: user-system-{{ .Values.bfl.username }}
 spec:
  app: notifications
  appid: notifications
  key: {{ .Values.os.notification.appKey }}
  secret: {{ .Values.os.notification.appSecret }}
  permissions:
  - dataType: notification
    group: service.vault
    ops:
    - Create
    - Query
    version: v1
  - dataType: notification
    group: service.desktop
    ops:
    - Create
    - Query
    version: v1
  - dataType: secret
    group: secret.infisical
    ops:
    - RetrieveSecret?workspace=notification
    - CreateSecret?workspace=notification
    - DeleteSecret?workspace=notification
    - UpdateSecret?workspace=notification
    - ListSecret?workspace=notification
    version: v1
  - dataType: app
    group: service.bfl
    ops:
    - UserApps
    version: v1
 status:
  state: active
--- a/apps/notifications/config/user/helm-charts/notification/values.yaml
+++ b/apps/notifications/config/user/helm-charts/notification/values.yaml
@@ -1,4 +1,3 @@
 bfl:
  nodeport: 30883
  nodeport_ingress_http: 30083
@@ -40,4 +39,4 @@ os:
    appKey: '${ks[0]}'
    appSecret: test
 kubesphere:
-  redis_password: ""
+  redis_password: ""
--- a/apps/search3/config/cluster/deploy/search3_server_deploy.yaml
+++ b/apps/search3/config/cluster/deploy/search3_server_deploy.yaml
@@ -199,7 +199,7 @@ spec:
            value: os_system_search3
      containers:
      - name: search3
-        image: beclab/search3:v0.0.28
+        image: beclab/search3:v0.0.30
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 8080
--- a/apps/studio/README.md
+++ b/apps/studio/README.md
@@ -0,0 +1,4 @@
 # devbox
 Terminus App development management tools
 https://github.com/beclab/devbox
--- a/apps/argo/config/user/helm-charts/argo/charts/argoworkflows/.helmignore
+++ b/apps/argo/config/user/helm-charts/argo/charts/argoworkflows/.helmignore
--- a/apps/download/config/user/helm-charts/download/Chart.yaml
+++ b/apps/download/config/user/helm-charts/download/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
-name: download
+name: studio
-description: A Helm chart for Kubernetes
+description: A Terminus app development tool
 maintainers:
 - name: bytetrade
@@ -17,10 +17,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.1
+version: 0.1.3
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.16.0"
+appVersion: "4.9.1"
--- a/apps/studio/config/user/helm-charts/studio/devbox.png
+++ b/apps/studio/config/user/helm-charts/studio/devbox.png
--- a/apps/studio/config/user/helm-charts/studio/templates/deployment.yaml
+++ b/apps/studio/config/user/helm-charts/studio/templates/deployment.yaml
@@ -0,0 +1,549 @@
 {{- $namespace := printf "%s%s" "user-system-" .Values.bfl.username -}}
 {{- $studio_secret := (lookup "v1" "Secret" $namespace "studio-secrets") -}}
 {{- $pg_password := "" -}}
 {{ if $studio_secret -}}
 {{ $pg_password = (index $studio_secret "data" "pg_password") }}
 {{ else -}}
 {{ $pg_password = randAlphaNum 16 | b64enc }}
 {{- end -}}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: studio-secrets
  namespace: user-system-{{ .Values.bfl.username }}
 type: Opaque
 data:
  pg_password: {{ $pg_password }}
 ---
 apiVersion: apr.bytetrade.io/v1alpha1
 kind: MiddlewareRequest
 metadata:
  name: studio-pg
  namespace: user-system-{{ .Values.bfl.username }}
 spec:
  app: studio
  appNamespace: {{ .Release.Namespace }}
  middleware: postgres
  postgreSQL:
    user: studio_{{ .Values.bfl.username }}
    password:
      valueFrom:
        secretKeyRef:
          key: pg_password
          name: studio-secrets
    databases:
      - name: studio
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: studio-server
  namespace: {{ .Release.Namespace }}
 spec:
  selector:
    app: studio-server
  ports:
    - protocol: TCP
      port: 8080
      targetPort: 8088
      name: http
    - protocol: TCP
      port: 8083
      targetPort: 8083
      name: https
 ---
 kind: Service
 apiVersion: v1
 metadata:
  name: chartmuseum-studio
  namespace: {{ .Release.Namespace }}
 spec:
  ports:
    - name: http
      protocol: TCP
      port: 8080
      targetPort: 8888
  selector:
    app: studio-server
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: studio-san-cnf
  namespace: {{ .Release.Namespace }}
 data:
  san.cnf: |
    [req]
    distinguished_name = req_distinguished_name
    req_extensions = v3_req
    prompt = no
    [req_distinguished_name]
    countryName = CN
    stateOrProvinceName = Beijing
    localityName = Beijing
    0.organizationName = bytetrade
    commonName = studio-server.{{ .Release.Namespace }}.svc
    [v3_req]
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    subjectAltName = @bytetrade
    [bytetrade]
    DNS.1 = studio-server.{{ .Release.Namespace }}.svc
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: studio-server
  namespace: {{ .Release.Namespace }}
  labels:
    app: studio-server
    applications.app.bytetrade.io/author: bytetrade.io
 spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: studio-server
  template:
    metadata:
      labels:
        app: studio-server
    spec:
      serviceAccountName: bytetrade-controller
      volumes:
        - name: chart
          hostPath:
            type: DirectoryOrCreate
            path: '{{ .Values.userspace.appData}}/studio/Chart'
        - name: data
          hostPath:
            type: DirectoryOrCreate
            path: '{{ .Values.userspace.appData }}/studio/Data'
        - name: storage-volume
          hostPath:
            path: '{{ .Values.userspace.appData }}/studio/helm-repo-dev'
            type: DirectoryOrCreate
        - name: config-san
          configMap:
            name: studio-san-cnf
            items:
              - key: san.cnf
                path: san.cnf
        - name: sidecar-configs-studio
          configMap:
            name: sidecar-configs-studio
            items:
              - key: envoy.yaml
                path: envoy.yaml
        - name: certs
          emptyDir: {}
      initContainers:
        - name: init-chmod-data
          image: busybox:1.28
          imagePullPolicy: IfNotPresent
          command:
            - sh
            - '-c'
            - |
              chown -R 1000:1000 /home/coder
              chown -R 65532:65532 /charts
              chown -R 65532:65532 /data
          securityContext:
            runAsUser: 0
          resources: { }
          volumeMounts:
            - name: storage-volume
              mountPath: /home/coder
            - name: chart
              mountPath: /charts
            - name: data
              mountPath: /data
        - name: terminus-sidecar-init
          image: aboveos/openservicemesh-init:v1.2.3
          imagePullPolicy: IfNotPresent
          command:
            - /bin/sh
            - -c
            - |
              iptables-restore --noflush <<EOF
              # sidecar interception rules
              *nat
              :PROXY_IN_REDIRECT - [0:0]
              :PROXY_INBOUND - [0:0]
              :PROXY_OUTBOUND - [0:0]
              :PROXY_OUT_REDIRECT - [0:0]
              -A PREROUTING -p tcp -j PROXY_INBOUND
              -A OUTPUT -p tcp -j PROXY_OUTBOUND
              -A PROXY_INBOUND -p tcp --dport 15000 -j RETURN
              -A PROXY_INBOUND -p tcp --dport 8083 -j RETURN
              -A PROXY_INBOUND -p tcp -j PROXY_IN_REDIRECT
              -A PROXY_IN_REDIRECT -p tcp -j REDIRECT --to-port 15003
              -A PROXY_OUTBOUND -p tcp --dport 5432 -j RETURN
              -A PROXY_OUTBOUND -p tcp --dport 6379 -j RETURN
              -A PROXY_OUTBOUND -p tcp --dport 27017 -j RETURN
              -A PROXY_OUTBOUND -p tcp --dport 443 -j RETURN
              -A PROXY_OUTBOUND -p tcp --dport 8080 -j RETURN
              -A PROXY_OUTBOUND -d ${POD_IP}/32 -j RETURN
              -A PROXY_OUTBOUND -o lo ! -d 127.0.0.1/32 -m owner --uid-owner 1555 -j PROXY_IN_REDIRECT
              -A PROXY_OUTBOUND -o lo -m owner ! --uid-owner 1555 -j RETURN
              -A PROXY_OUTBOUND -m owner --uid-owner 1555 -j RETURN
              -A PROXY_OUTBOUND -d 127.0.0.1/32 -j RETURN
              -A PROXY_OUTBOUND -j PROXY_OUT_REDIRECT
              -A PROXY_OUT_REDIRECT -p tcp -j REDIRECT --to-port 15001
              COMMIT
              EOF
          env:
            - name: POD_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.podIP
          securityContext:
            privileged: true
            capabilities:
              add:
                - NET_ADMIN
            runAsNonRoot: false
            runAsUser: 0
        - name: generate-certs
          image: beclab/openssl:v3
          imagePullPolicy: IfNotPresent
          command: [ "/bin/sh", "-c" ]
          args:
            - |
              openssl genrsa -out /etc/certs/ca.key 2048
              openssl req -new -x509 -days 3650 -key /etc/certs/ca.key -out /etc/certs/ca.crt \
                -subj "/CN=bytetrade CA/O=bytetrade/C=CN"
              openssl req -new -newkey rsa:2048 -nodes \
                -keyout /etc/certs/server.key -out /etc/certs/server.csr \
                -config /etc/san/san.cnf
              openssl x509 -req -days 3650 -in /etc/certs/server.csr \
                -CA /etc/certs/ca.crt -CAkey /etc/certs/ca.key \
                -CAcreateserial -out /etc/certs/server.crt \
                -extensions v3_req -extfile /etc/san/san.cnf
              chown -R 65532 /etc/certs/*
          volumeMounts:
            - name: config-san
              mountPath: /etc/san
            - name: certs
              mountPath: /etc/certs
      containers:
        - name: studio
          image: beclab/studio-server:v0.1.50
          imagePullPolicy: IfNotPresent
          args:
            - server
          ports:
            - name: port
              containerPort: 8088
              protocol: TCP
            - name: ssl-port
              containerPort: 8083
              protocol: TCP
          volumeMounts:
            - name: chart
              mountPath: /charts
            - name: data
              mountPath: /data
            - mountPath: /etc/certs
              name: certs
          lifecycle:
            preStop:
              exec:
                command:
                  - "/studio"
                  - "clean"
          env:
            - name: BASE_DIR
              value: /charts
            - name: OS_API_KEY
              value: {{ .Values.os.studio.appKey }}
            - name: OS_API_SECRET
              value: {{ .Values.os.studio.appSecret }}
            - name: OS_SYSTEM_SERVER
              value: system-server.user-system-{{ .Values.bfl.username }}
            - name: NAME_SPACE
              value: {{ .Release.Namespace }}
            - name: OWNER
              value: '{{ .Values.bfl.username }}'
            - name: DB_HOST
              value: citus-master-svc.user-system-{{ .Values.bfl.username }}
            - name: DB_USERNAME
              value: studio_{{ .Values.bfl.username }}
            - name: DB_PASSWORD
              value: "{{ $pg_password | b64dec }}"
            - name: DB_NAME
              value: user_space_{{ .Values.bfl.username }}_studio
            - name: DB_PORT
              value: "5432"
          resources:
            requests:
              cpu: "50m"
              memory: 100Mi
            limits:
              cpu: "0.5"
              memory: 1000Mi
        - name: terminus-envoy-sidecar
          image: bytetrade/envoy:v1.25.11.1
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            runAsUser: 1555
          ports:
            - name: proxy-admin
              containerPort: 15000
            - name: proxy-inbound
              containerPort: 15003
            - name: proxy-outbound
              containerPort: 15001
          resources:
            requests:
              cpu: "50m"
              memory: 100Mi
            limits:
              cpu: "0.5"
              memory: 200Mi
          volumeMounts:
            - name: sidecar-configs-studio
              readOnly: true
              mountPath: /etc/envoy/envoy.yaml
              subPath: envoy.yaml
          command:
            - /usr/local/bin/envoy
            - --log-level
            - debug
            - -c
            - /etc/envoy/envoy.yaml
          env:
            - name: POD_UID
              valueFrom:
                fieldRef:
                  fieldPath: metadata.uid
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: APP_KEY
              value: {{ .Values.os.studio.appKey }}
            - name: APP_SECRET
              value: {{ .Values.os.studio.appSecret }}
        - name: chartmuseum
          image: aboveos/helm-chartmuseum:v0.15.0
          args:
            - '--port=8888'
            - '--storage-local-rootdir=/storage'
          ports:
            - name: http
              containerPort: 8888
              protocol: TCP
          env:
            - name: CHART_POST_FORM_FIELD_NAME
              value: chart
            - name: DISABLE_API
              value: 'false'
            - name: LOG_JSON
              value: 'true'
            - name: PROV_POST_FORM_FIELD_NAME
              value: prov
            - name: STORAGE
              value: local
          resources:
            requests:
              cpu: "50m"
              memory: 100Mi
            limits:
              cpu: 1000m
              memory: 512Mi
          volumeMounts:
            - name: storage-volume
              mountPath: /storage
          livenessProbe:
            httpGet:
              path: /health
              port: http
              scheme: HTTP
            initialDelaySeconds: 5
            timeoutSeconds: 1
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /health
              port: http
              scheme: HTTP
            initialDelaySeconds: 5
            timeoutSeconds: 1
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 3
 ---
 apiVersion: v1
 data:
  envoy.yaml: |
    admin:
      access_log_path: "/dev/stdout"
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 15000
    static_resources:
      listeners:
        - name: listener_0
          address:
            socket_address:
              address: 0.0.0.0
              port_value: 15003
          listener_filters:
            - name: envoy.filters.listener.original_dst
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.listener.original_dst.v3.OriginalDst
          filter_chains:
            - filters:
                - name: envoy.filters.network.http_connection_manager
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                    stat_prefix: desktop_http
                    upgrade_configs:
                      - upgrade_type: websocket
                      - upgrade_type: tailscale-control-protocol
                    skip_xff_append: false
                    codec_type: AUTO
                    route_config:
                      name: local_route
                      virtual_hosts:
                        - name: service
                          domains: ["*"]
                          routes:
                            - match:
                                prefix: "/"
                              route:
                                cluster: original_dst
                                timeout: 1800s
                    http_protocol_options:
                      accept_http_10: true
                    http_filters:
                      - name: envoy.filters.http.router
                        typed_config:
                          "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
        - name: listener_1
          address:
            socket_address:
              address: 0.0.0.0
              port_value: 15001
          listener_filters:
            - name: envoy.filters.listener.original_dst
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.listener.original_dst.v3.OriginalDst
          filter_chains:
            - filters:
                - name: envoy.filters.network.http_connection_manager
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                    stat_prefix: studio_out_http
                    skip_xff_append: false
                    codec_type: AUTO
                    route_config:
                      name: local_route
                      virtual_hosts:
                        - name: service
                          domains: ["*"]
                          routes:
                            - match:
                                prefix: "/server/intent/send"
                              request_headers_to_add:
                                - header:
                                    key: X-App-Key
                                    value: {{ .Values.os.studio.appKey }}
                              route:
                                cluster: system-server
                                prefix_rewrite: /system-server/v2/legacy_api/api.intent/v2/server/intent/send
                            - match:
                                prefix: "/"
                              route:
                                cluster: original_dst
                                timeout: 1800s
                              typed_per_filter_config:
                                envoy.filters.http.lua:
                                  "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.LuaPerRoute
                                  disabled: true
                    http_protocol_options:
                      accept_http_10: true
                    http_filters:
                      - name: envoy.filters.http.lua
                        typed_config:
                          "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
                          inline_code:
                            local sha = require("lib.sha2")
                            function envoy_on_request(request_handle)
                            local app_key = os.getenv("APP_KEY")
                            local app_secret = os.getenv("APP_SECRET")
                            local current_time = os.time()
                            local minute_level_time = current_time - (current_time % 60)
                            local time_string = tostring(minute_level_time)
                            local s = app_key .. app_secret .. time_string
                            request_handle:logInfo("originstring:" .. s)
                            local hash = sha.sha256(s)
                            request_handle:logInfo("Hello World.")
                            request_handle:logInfo(hash)
                            request_handle:headers():add("X-Auth-Signature",hash)
                            end
                      - name: envoy.filters.http.router
                        typed_config:
                          "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
      clusters:
        - name: original_dst
          connect_timeout: 5000s
          type: ORIGINAL_DST
          lb_policy: CLUSTER_PROVIDED
        - name: system-server
          connect_timeout: 2s
          type: LOGICAL_DNS
          dns_lookup_family: V4_ONLY
          dns_refresh_rate: 600s
          lb_policy: ROUND_ROBIN
          load_assignment:
            cluster_name: system-server
            endpoints:
              - lb_endpoints:
                  - endpoint:
                      address:
                        socket_address:
                          address: system-server.user-system-{{ .Values.bfl.username }}
                          port_value: 80
 kind: ConfigMap
 metadata:
  name: sidecar-configs-studio
  namespace: {{ .Release.Namespace }}
--- a/apps/download/config/user/helm-charts/download/values.yaml
+++ b/apps/download/config/user/helm-charts/download/values.yaml
@@ -1,4 +1,3 @@
 bfl:
  nodeport: 30883
  nodeport_ingress_http: 30083
@@ -30,14 +29,14 @@ os:
  message:
    appKey: '${ks[0]}'
    appSecret: test
-  wise:
+  rss:
    appKey: '${ks[0]}'
    appSecret: test
  search:
    appKey: '${ks[0]}'
    appSecret: test
-  search2:
+  studio:
    appKey: '${ks[0]}'
    appSecret: test
 kubesphere:
-  redis_password: ""
+  redis_password: ""
--- a/apps/system-apps/config/user/helm-charts/monitoring/templates/system-frontend.yaml
+++ b/apps/system-apps/config/user/helm-charts/monitoring/templates/system-frontend.yaml
@@ -109,6 +109,19 @@ spec:
      port: 3010
      targetPort: 3010
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: studio-svc
  namespace: {{ .Release.Namespace }}
 spec:
  selector:
    app: system-frontend
  ports:
    - protocol: TCP
      port: 8080
      targetPort: 87
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -121,11 +134,11 @@ metadata:
    applications.app.bytetrade.io/group: 'true'
    applications.app.bytetrade.io/author: bytetrade.io
  annotations:
-    applications.app.bytetrade.io/icon: '{"dashboard":"https://file.bttcdn.com/appstore/dashboard/icon.png","control-hub":"https://file.bttcdn.com/appstore/control-hub/icon.png","profile":"https://file.bttcdn.com/appstore/profile/icon.png","wise":"https://file.bttcdn.com/appstore/rss/icon.png","headscale": "https://file.bttcdn.com/appstore/headscale/icon.png","settings": "https://file.bttcdn.com/appstore/settings/icon.png"}'
+    applications.app.bytetrade.io/icon: '{"dashboard":"https://file.bttcdn.com/appstore/dashboard/icon.png","control-hub":"https://file.bttcdn.com/appstore/control-hub/icon.png","profile":"https://file.bttcdn.com/appstore/profile/icon.png","wise":"https://file.bttcdn.com/appstore/rss/icon.png","headscale": "https://file.bttcdn.com/appstore/headscale/icon.png","settings": "https://file.bttcdn.com/appstore/settings/icon.png","studio":"https://file.bttcdn.com/appstore/devbox/icon.png"}'
-    applications.app.bytetrade.io/title: '{"dashboard": "Dashboard","control-hub":"Control Hub","profile":"Profile","wise":"Wise","headscale":"Headscale","settings":"Settings"}'
+    applications.app.bytetrade.io/title: '{"dashboard": "Dashboard","control-hub":"Control Hub","profile":"Profile","wise":"Wise","headscale":"Headscale","settings":"Settings","studio":"Studio"}'
-    applications.app.bytetrade.io/version: '{"dashboard": "0.0.1","control-hub":"0.0.1","profile":"0.0.1","wise":"0.0.1","headscale":"0.0.1","settings":"0.0.1"}'
+    applications.app.bytetrade.io/version: '{"dashboard": "0.0.1","control-hub":"0.0.1","profile":"0.0.1","wise":"0.0.1","headscale":"0.0.1","settings":"0.0.1","studio":"0.0.1"}'
    applications.app.bytetrade.io/policies: '{"dashboard":{"policies":[{"entranceName":"dashboard","uriRegex":"/js/script.js", "level":"public"},{"entranceName":"dashboard","uriRegex":"/js/api/send", "level":"public"}]}}'
-    applications.app.bytetrade.io/entrances: '{"dashboard":[{"name":"dashboard","host":"dashboard-service","port":80,"title":"Dashboard","windowPushState":true}],"control-hub":[{"name":"control-hub","host":"control-hub-service","port":80,"title":"Control Hub","windowPushState":true}],"profile":[{"name":"profile", "host":"profile-service", "port":80,"title":"Profile","windowPushState":true}],"wise":[{"name":"wise", "host":"wise-svc", "port":80,"title":"Wise","windowPushState":true}],"headscale":[{"name":"headscale", "host":"headscale-svc", "port":80,"title":"Headscale","invisible": true}],"settings":[{"name":"settings", "host":"settings-service", "port":80,"title":"Settings"}]}'
+    applications.app.bytetrade.io/entrances: '{"dashboard":[{"name":"dashboard","host":"dashboard-service","port":80,"title":"Dashboard","windowPushState":true}],"control-hub":[{"name":"control-hub","host":"control-hub-service","port":80,"title":"Control Hub","windowPushState":true}],"profile":[{"name":"profile", "host":"profile-service", "port":80,"title":"Profile","windowPushState":true}],"wise":[{"name":"wise", "host":"wise-svc", "port":80,"title":"Wise","windowPushState":true}],"headscale":[{"name":"headscale", "host":"headscale-svc", "port":80,"title":"Headscale","invisible": true}],"settings":[{"name":"settings", "host":"settings-service", "port":80,"title":"Settings"}],"studio":[{"name":"studio","host":"studio-svc","port":8080,"title":"Studio","openMethod":"window"}]}'
 spec:
  replicas: 1
  selector:
@@ -137,10 +150,10 @@ spec:
        app: system-frontend
        io.bytetrade.app: "true"
      annotations:
-        # instrumentation.opentelemetry.io/inject-nodejs: "olares-instrumentation"
+        instrumentation.opentelemetry.io/inject-nodejs: "olares-instrumentation"
-        # instrumentation.opentelemetry.io/nodejs-container-names: "settings-server"    
+        instrumentation.opentelemetry.io/nodejs-container-names: "settings-server"    
-        # instrumentation.opentelemetry.io/inject-nginx: "olares-instrumentation"
+        instrumentation.opentelemetry.io/inject-nginx: "olares-instrumentation"
-        # instrumentation.opentelemetry.io/inject-nginx-container-names: "system-frontend"    
+        instrumentation.opentelemetry.io/inject-nginx-container-names: "system-frontend"    
    spec:
      priorityClassName: "system-cluster-critical"
      initContainers:
@@ -195,7 +208,7 @@ spec:
            - mountPath: /www
              name: www-dir
        - name: control-hub-init
-          image: beclab/admin-console-frontend-v1:v0.5.2
+          image: beclab/admin-console-frontend-v1:v0.5.8
          imagePullPolicy: IfNotPresent
          command:
            - /bin/sh
@@ -207,7 +220,7 @@ spec:
            - mountPath: /www
              name: www-dir
        - name: profile-editor-init
-          image: beclab/profile-editor:v0.2.1
+          image: beclab/profile-editor:v0.2.21
          imagePullPolicy: IfNotPresent
          command:
            - /bin/sh
@@ -219,7 +232,7 @@ spec:
            - mountPath: /www
              name: www-dir
        - name: profile-preview-init
-          image: beclab/profile-preview:v0.2.1
+          image: beclab/profile-preview:v0.2.21
          imagePullPolicy: IfNotPresent
          command:
            - /bin/sh
@@ -231,7 +244,7 @@ spec:
            - mountPath: /www
              name: www-dir
        - name: wise-init
-          image: beclab/wise:v1.3.42
+          image: beclab/wise:v1.3.55
          imagePullPolicy: IfNotPresent
          command:
            - /bin/sh
@@ -243,7 +256,7 @@ spec:
            - mountPath: /www
              name: www-dir
        - name: settings-init
-          image: beclab/settings:v0.2.14
+          image: beclab/settings:v1.3.62
          imagePullPolicy: IfNotPresent
          command:
            - /bin/sh
@@ -254,6 +267,18 @@ spec:
          volumeMounts:
            - mountPath: /www
              name: www-dir
        - name: studio-init
          image: beclab/studio:v0.2.16
          imagePullPolicy: IfNotPresent
          command:
            - /bin/sh
            - -c
            - |
              mkdir -p /www/studio
              cp -r /app/* /www/studio
          volumeMounts:
            - mountPath: /www
              name: www-dir
      containers:
        - name: terminus-envoy-sidecar
          image: bytetrade/envoy:v1.25.11
@@ -280,7 +305,7 @@ spec:
            - -c
            - /etc/envoy/envoy.yaml
        - name: system-frontend
-          image: beclab/docker-nginx-headers-more:v0.1.0
+          image: beclab/docker-nginx-headers-more:ubuntu-v0.1.0
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 81
@@ -326,6 +351,9 @@ spec:
            - name: system-frontend-nginx-config
              mountPath: /etc/nginx/conf.d/settings.conf
              subPath: settings.conf
            - name: system-frontend-nginx-config
              mountPath: /etc/nginx/conf.d/studio.conf
              subPath: studio.conf
          env:
            - name: POD_UID
              valueFrom:
@@ -357,7 +385,7 @@ spec:
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
        - name: settings-server
-          image: beclab/settings-server:v0.2.12
+          image: beclab/settings-server:v0.2.23
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 3000
@@ -397,7 +425,7 @@ spec:
        - name: userspace-dir
          hostPath:
            type: Directory
-            path: {{ .Values.userspace.userData }}
+            path: '{{ .Values.userspace.userData }}'
        - name: terminus-sidecar-config
          configMap:
            name: sidecar-configs
@@ -409,7 +437,7 @@ spec:
        - name: wise-download-dir
          hostPath:
            type: Directory
-            path: {{ .Values.userspace.userData }}
+            path: '{{ .Values.userspace.userData }}'
        - name: system-frontend-nginx-config
          configMap:
            name: system-frontend-nginx-config
@@ -428,6 +456,8 @@ spec:
                path: headscale.conf
              - key: settings.conf
                path: settings.conf
              - key: studio.conf
                path: studio.conf
 ---
@@ -483,6 +513,31 @@ status:
 ---
 apiVersion: sys.bytetrade.io/v1alpha1
 kind: ApplicationPermission
 metadata:
  name: studio
  namespace: user-system-{{ .Values.bfl.username }}
 spec:
  app: studio
  appid: studio
  key: {{ .Values.os.studio.appKey }}
  secret: {{ .Values.os.studio.appSecret }}
  permissions:
    - dataType: app
      group: service.appstore
      ops:
        - InstallDevApp
        - UninstallDevApp
      version: v1
    - dataType: legacy_api
      group: api.intent
      ops:
        - POST
      version: v2
 status:
  state: active
 ---
 apiVersion: sys.bytetrade.io/v1alpha1
 kind: ApplicationPermission
 metadata:
  name: settings
  namespace: user-system-{{ .Values.bfl.username }}
@@ -618,6 +673,16 @@ metadata:
  namespace: user-system-{{ .Values.bfl.username }}
 spec:
  callbacks:
    - filters:
        type:
          - backup-state-event
      op: Create
      uri: /api/event/backup_state_event
    - filters:
        type:
          - restore-state-event
      op: Create
      uri: /api/event/restore_state_event
    - filters:
        type:
          - app-installation-event
@@ -759,6 +824,10 @@ data:
        server anayltic2-server.os-system:3010;
    }
    upstream HamiServer {
        server hami-webui.kube-system:3000;
    }
    server {
      listen 81;
      gzip off;
@@ -798,6 +867,11 @@ data:
      location /kapis {
        proxy_pass http://SettingsServer;
      }
      location /hami/ {
        proxy_pass http://HamiServer/;
      }
      location /api/profile/init {
        proxy_pass http://127.0.0.1:3010;
@@ -1039,7 +1113,7 @@ data:
    }
  wise.conf: |-
    upstream KnowledgeServer {
-        server rss-svc:3010;
+        server rss-svc.os-system:3010;
    }
    upstream RSSServer {
@@ -1047,7 +1121,7 @@ data:
    }
    upstream ArgoworkflowsSever {
-        server argoworkflows-svc:2746;
+        server argoworkflows-svc.os-system:2746;
    }
    server {
@@ -1075,7 +1149,7 @@ data:
      }
      location /ws {
-        proxy_pass http://rss-svc:40010;
+        proxy_pass http://rss-svc.os-system:40010;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
@@ -1219,8 +1293,8 @@ data:
        server infisical-service:8080;
    }
-    upstream NotificationServer {
+    upstream BackupServer {
-        server notifications-server;
+        server backup-server.os-system:8082;
    }
    server {
@@ -1280,6 +1354,31 @@ data:
            proxy_set_header X-Forwarded-Host $host;
        }
        location /apis/backup {
            proxy_pass http://backup-server.os-system:8082;
           add_header Accept "application/json, text/plain, */*";
           add_header Content-Type "application/json; charset=utf-8";
        }
        location /api/resources {
           proxy_pass http://files-service.os-system:80;
           # rewrite ^/server(.*)$ $1 break;
           # Add original-request-related headers
           proxy_set_header X-Real-IP $remote_addr;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header X-Forwarded-Host $host;
           add_header Accept-Ranges bytes;
           client_body_timeout 600s;
           client_max_body_size 4000M;
           proxy_request_buffering off;
           keepalive_timeout 750s;
           proxy_read_timeout 600s;
           proxy_send_timeout 600s;
        }
        location /drive {
            proxy_pass http://127.0.0.1:8080;
@@ -1318,11 +1417,193 @@ data:
            proxy_set_header X-Forwarded-Host $host;
        }
        location /notification {
            proxy_pass http://NotificationServer;
        }
        location ~.*\.(js|css|png|jpg|svg|woff|woff2)$ {
            add_header Cache-Control "public, max-age=2678400";
        }
    }
  studio.conf: |-
    upstream SettingsServerStudio {
        server monitoring-server.os-system;
    }
    upstream MiddlewareStudio {
        server middleware-service.os-system;
    }
    upstream AnalyticsStudio {
      server anayltic2-server.os-system:3010;
    }
    server {
        listen 87;
        # Gzip Settings
        gzip off;
        gzip_disable "msie6";
        gzip_min_length 1k;
        gzip_buffers 16 64k;
        gzip_http_version 1.1;
        gzip_comp_level 6;
        gzip_types *;
        root /www/studio;
        location / {
          try_files $uri $uri/index.html /index.html;
          add_header Cache-Control "private,no-cache";
          add_header Last-Modified "Oct, 03 Jan 2022 13:46:41 GMT";
          expires 0;
        }
       location /api/command {
          proxy_pass http://studio-server:8080;
          proxy_set_header            Host $http_host;
          proxy_set_header            X-real-ip $remote_addr;
          proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection $http_connection;
          proxy_set_header Accept-Encoding gzip;
          proxy_read_timeout 180;
      }
      location /api/apps {
          proxy_pass http://studio-server:8080;
          proxy_set_header            Host $http_host;
          proxy_set_header            X-real-ip $remote_addr;
          proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection $http_connection;
          proxy_set_header Accept-Encoding gzip;
          proxy_read_timeout 180;
      }
      location /api/app-cfg {
        proxy_pass http://studio-server:8080;
        proxy_set_header            Host $http_host;
        proxy_set_header            X-real-ip $remote_addr;
        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header Accept-Encoding gzip;
        proxy_read_timeout 180;
      }
      location /api/app-state {
        proxy_pass http://studio-server:8080;
        proxy_set_header            Host $http_host;
        proxy_set_header            X-real-ip $remote_addr;
        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header Accept-Encoding gzip;
        proxy_read_timeout 180;
      }
      location /api/app-status {
        proxy_pass http://studio-server:8080;
        proxy_set_header            Host $http_host;
        proxy_set_header            X-real-ip $remote_addr;
        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header Accept-Encoding gzip;
        proxy_read_timeout 180;
      }
      location /api/list-my-containers {
        proxy_pass http://studio-server:8080;
        proxy_set_header            Host $http_host;
        proxy_set_header            X-real-ip $remote_addr;
        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header Accept-Encoding gzip;
        proxy_read_timeout 180;
      }
      location /api/files {
        proxy_pass http://studio-server:8080;
        proxy_set_header            Host $http_host;
        proxy_set_header            X-real-ip $remote_addr;
        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header Accept-Encoding gzip;
        proxy_read_timeout 180;
      }
      location /ws {
        proxy_pass http://127.0.0.1:40010;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
      }
      location /bfl {
        add_header 'Access-Control-Allow-Headers' 'x-api-nonce,x-api-ts,x-api-ver,x-api-source';
        proxy_pass http://bfl;
        proxy_set_header            Host $host;
        proxy_set_header            X-real-ip $remote_addr;
        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
        add_header X-Frame-Options SAMEORIGIN;
      }
      location /kapis {
        proxy_pass http://SettingsServerStudio;
      }
      location /api/profile/init {
        proxy_pass http://127.0.0.1:3010;
        proxy_set_header            Host $host;
        proxy_set_header            X-real-ip $remote_addr;
        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
      }
      location /api {
        proxy_pass http://SettingsServerStudio;
      }
      location /capi {
        proxy_pass http://SettingsServerStudio;
        proxy_set_header            Host $host;
        proxy_set_header            X-real-ip $remote_addr;
        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
      }
      location = /js/api/send {
        proxy_pass http://AnalyticsStudio;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        rewrite ^/js(.*)$ $1 break;
      }
      location /analytics_service {
        proxy_pass http://AnalyticsStudio;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        rewrite ^/analytics_service(.*)$ $1 break;
      }
      location ~ /(kapis/terminal|api/v1/watch|apis/apps/v1/watch) {
        proxy_pass http://SettingsServerStudio;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
      }
      location = /js/script.js {
        add_header Access-Control-Allow-Origin "*";
      }
      location ~.*\.(js|css|png|jpg|svg|woff|woff2)$ {
        add_header Cache-Control "public, max-age=2678400";
      }
    }
--- a/apps/system-apps/config/user/helm-charts/monitoring/values.yaml
+++ b/apps/system-apps/config/user/helm-charts/monitoring/values.yaml
@@ -1,4 +1,3 @@
 bfl:
  nodeport: 30883
  nodeport_ingress_http: 30083
@@ -18,10 +17,10 @@ docs:
 desktop:
  nodeport: 30180
 os:
-  portfolio:
+  profile:
    appKey: '${ks[0]}'
    appSecret: test
-  vault:
+  studio:
    appKey: '${ks[0]}'
    appSecret: test
  desktop:
@@ -39,5 +38,11 @@ os:
  search2:
    appKey: '${ks[0]}'
    appSecret: test
  settings:
    appKey: '${ks[0]}'
    appSecret: test
  dashboard:
    appKey: '${ks[0]}'
    appSecret: test
 kubesphere:
-  redis_password: ""
+  redis_password: ""
--- a/apps/vault/config/cluster/deploy/vault_server_deploy.yaml
+++ b/apps/vault/config/cluster/deploy/vault_server_deploy.yaml
@@ -83,7 +83,7 @@ spec:
            value: os_system_vault
      containers:
      - name: vault-server
-        image: beclab/vault-server:v1.3.43
+        image: beclab/vault-server:v1.3.55
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 3000
@@ -114,7 +114,7 @@ spec:
        - name: vault-attach
          mountPath: /padloc/packages/server/attachments
      - name: vault-admin
-        image: beclab/vault-admin:v1.3.43
+        image: beclab/vault-admin:v1.3.55
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 3010
@@ -135,11 +135,11 @@ spec:
      - name: vault-data
        hostPath:
          type: DirectoryOrCreate
-          path: {{ $vault_rootpath }}/data
+          path: '{{ $vault_rootpath }}/data'
      - name: vault-attach
        hostPath:
          type: DirectoryOrCreate
-          path: {{ $vault_rootpath }}/attachments
+          path: '{{ $vault_rootpath }}/attachments'
 ---
 apiVersion: v1
 kind: Service
--- a/apps/vault/config/user/helm-charts/vault/templates/vault_deploy.yaml
+++ b/apps/vault/config/user/helm-charts/vault/templates/vault_deploy.yaml
@@ -88,13 +88,13 @@ spec:
      containers:
      - name: vault-frontend
-        image: beclab/vault-frontend:v1.3.43
+        image: beclab/vault-frontend:v1.3.55
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
      - name: notification-server
-        image: beclab/vault-notification:v1.3.43
+        image: beclab/vault-notification:v1.3.55
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 3010
--- a/apps/vault/config/user/helm-charts/vault/values.yaml
+++ b/apps/vault/config/user/helm-charts/vault/values.yaml
@@ -1,4 +1,3 @@
 bfl:
  nodeport: 30883
  nodeport_ingress_http: 30083
@@ -40,4 +39,4 @@ os:
    appKey: '${ks[0]}'
    appSecret: test
 kubesphere:
-  redis_password: ""
+  redis_password: ""
--- a/apps/wizard/config/user/helm-charts/wizard/templates/wizard_deploy.yaml
+++ b/apps/wizard/config/user/helm-charts/wizard/templates/wizard_deploy.yaml
@@ -61,7 +61,7 @@ spec:
      containers:
      - name: wizard
-        image: beclab/wizard:v0.5.12
+        image: beclab/wizard:v1.3.57
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
@@ -132,7 +132,7 @@ spec:
      - name: userspace-dir
        hostPath:
          type: Directory
-          path: {{ .Values.userspace.userData }}
+          path: "{{ .Values.userspace.userData }}"
      # - name: terminus-sidecar-config
      #   configMap:
      #     name: sidecar-configs
--- a/apps/wizard/config/user/helm-charts/wizard/values.yaml
+++ b/apps/wizard/config/user/helm-charts/wizard/values.yaml
@@ -1,4 +1,3 @@
 bfl:
  username: 'test'
  url: 'test'
--- a/build/installer/install.ps1
+++ b/build/installer/install.ps1
@@ -48,7 +48,7 @@ if (-Not (Test-Path $CLI_PROGRAM_PATH)) {
  New-Item -Path $CLI_PROGRAM_PATH -ItemType Directory
 }
-$CLI_VERSION = "0.2.21"
+$CLI_VERSION = "0.2.35"
 $CLI_FILE = "olares-cli-v{0}_windows_{1}.tar.gz" -f $CLI_VERSION, $arch
 $CLI_URL = "{0}/{1}" -f $downloadUrl, $CLI_FILE
 $CLI_PATH = "{0}{1}" -f $CLI_PROGRAM_PATH, $CLI_FILE
@@ -82,6 +82,6 @@ if ($download -eq 1) {
 Start-Sleep -Seconds 3
 Write-Host ("Preparing to start the installation of Olares {0}. Depending on your network conditions, this process may take several minutes." -f $version)
-$command = "{0}\olares-cli.exe olares install --version {1}" -f $CLI_PROGRAM_PATH, $version
+$command = "{0}\olares-cli.exe install --version {1}" -f $CLI_PROGRAM_PATH, $version
 Start-Process cmd -ArgumentList '/k',$command -Wait -Verb RunAs
--- a/build/installer/install.sh
+++ b/build/installer/install.sh
@@ -74,7 +74,7 @@ if [ -z ${cdn_url} ]; then
    cdn_url="https://dc3p1870nn3cj.cloudfront.net"
 fi
-CLI_VERSION="0.2.21"
+CLI_VERSION="0.2.35"
 CLI_FILE="olares-cli-v${CLI_VERSION}_linux_${ARCH}.tar.gz"
 if [[ x"$os_type" == x"Darwin" ]]; then
    CLI_FILE="olares-cli-v${CLI_VERSION}_darwin_${ARCH}.tar.gz"
@@ -137,7 +137,7 @@ else
            echo ""
        else
            echo "building local release ..."
-            $sh_c "$INSTALL_OLARES_CLI olares release $PARAMS $CDN"
+            $sh_c "$INSTALL_OLARES_CLI release $PARAMS $CDN"
            if [[ $? -ne 0 ]]; then
                echo "error: failed to build local release"
                exit 1
@@ -146,13 +146,13 @@ else
    else
        echo "running system prechecks ..."
        echo ""
-        $sh_c "$INSTALL_OLARES_CLI olares precheck $PARAMS"
+        $sh_c "$INSTALL_OLARES_CLI precheck $PARAMS"
        if [[ $? -ne 0 ]]; then
            exit 1
        fi
        echo "downloading installation wizard..."
        echo ""
-        $sh_c "$INSTALL_OLARES_CLI olares download wizard $PARAMS $KUBE_PARAM $CDN"
+        $sh_c "$INSTALL_OLARES_CLI download wizard $PARAMS $KUBE_PARAM $CDN"
        if [[ $? -ne 0 ]]; then
            echo "error: failed to download installation wizard"
            exit 1
@@ -161,7 +161,7 @@ else
    echo "downloading installation packages..."
    echo ""
-    $sh_c "$INSTALL_OLARES_CLI olares download component $PARAMS $KUBE_PARAM $CDN"
+    $sh_c "$INSTALL_OLARES_CLI download component $PARAMS $KUBE_PARAM $CDN"
    if [[ $? -ne 0 ]]; then
        echo "error: failed to download installation packages"
        exit 1
@@ -173,7 +173,7 @@ else
    if [ x"$REGISTRY_MIRRORS" != x"" ]; then
        extra="--registry-mirrors $REGISTRY_MIRRORS"
    fi
-    $sh_c "$INSTALL_OLARES_CLI olares prepare $PARAMS $KUBE_PARAM $extra"
+    $sh_c "$INSTALL_OLARES_CLI prepare $PARAMS $KUBE_PARAM $extra"
    if [[ $? -ne 0 ]]; then
        echo "error: failed to prepare installation environment"
        exit 1
@@ -198,7 +198,7 @@ if [[ "$JUICEFS" == "1" ]]; then
    else
        echo "checking storage config ..."
    fi
-    $sh_c "$INSTALL_OLARES_CLI olares install storage $PARAMS"
+    $sh_c "$INSTALL_OLARES_CLI install storage $PARAMS"
    if [[ $? -ne 0 ]]; then
      exit 1
    fi
@@ -221,7 +221,7 @@ if [[ -n "$ZRAM_SWAP_PRIORITY" ]]; then
 fi
 echo "installing Olares..."
 echo ""
-$sh_c "$INSTALL_OLARES_CLI olares install $PARAMS $KUBE_PARAM $fsflag $swapflag"
+$sh_c "$INSTALL_OLARES_CLI install $PARAMS $KUBE_PARAM $fsflag $swapflag"
 if [[ $? -ne 0 ]]; then
    echo "error: failed to install Olares"
--- a/build/installer/joincluster.sh
+++ b/build/installer/joincluster.sh
@@ -157,7 +157,7 @@ fi
 set_master_host_ssh_options
-CLI_VERSION="0.2.21"
+CLI_VERSION="0.2.35"
 CLI_FILE="olares-cli-v${CLI_VERSION}_linux_${ARCH}.tar.gz"
 if command_exists olares-cli && [[ "$(olares-cli -v | awk '{print $3}')" == "$CLI_VERSION" ]]; then
@@ -211,14 +211,14 @@ if [[ -f $BASE_DIR/.prepared ]]; then
 else
    echo "running system prechecks ..."
    echo ""
-    $sh_c "$INSTALL_OLARES_CLI olares precheck $PARAMS"
+    $sh_c "$INSTALL_OLARES_CLI precheck $PARAMS"
    if [[ $? -ne 0 ]]; then
        exit 1
    fi
    echo "downloading installation wizard..."
    echo ""
-    $sh_c "$INSTALL_OLARES_CLI olares download wizard $PARAMS $CDN"
+    $sh_c "$INSTALL_OLARES_CLI download wizard $PARAMS $CDN"
    if [[ $? -ne 0 ]]; then
        echo "error: failed to download installation wizard"
        exit 1
@@ -226,7 +226,7 @@ else
    echo "downloading installation packages..."
    echo ""
-    $sh_c "$INSTALL_OLARES_CLI olares download component $PARAMS $CDN"
+    $sh_c "$INSTALL_OLARES_CLI download component $PARAMS $CDN"
    if [[ $? -ne 0 ]]; then
        echo "error: failed to download installation packages"
        exit 1
@@ -238,7 +238,7 @@ else
    if [ x"$REGISTRY_MIRRORS" != x"" ]; then
        extra="--registry-mirrors $REGISTRY_MIRRORS"
    fi
-    $sh_c "$INSTALL_OLARES_CLI olares prepare $PARAMS $extra"
+    $sh_c "$INSTALL_OLARES_CLI prepare $PARAMS $extra"
    if [[ $? -ne 0 ]]; then
        echo "error: failed to prepare installation environment"
        exit 1
--- a/build/installer/upgrade_cmd.sh
+++ b/build/installer/upgrade_cmd.sh
@@ -146,7 +146,7 @@ function get_app_key_secret(){
 function get_app_settings(){
    local username=$1
-    local apps=("vault" "desktop" "message" "wise" "search" "appstore" "notification" "dashboard" "settings" "devbox" "profile" "agent" "files")
+    local apps=("vault" "desktop" "message" "wise" "search" "appstore" "notification" "dashboard" "settings" "studio" "profile" "agent" "files")
    for a in ${apps[@]};do
        ks=($(get_app_key_secret "$username" "$a"))
        echo '
--- a/build/installer/version.hint
+++ b/build/installer/version.hint
@@ -1,2 +1,2 @@
 upgrade:
-  minVersion: 1.12.0-0000000
+  minVersion: 1.12.0-1
--- a/build/installer/wizard/config/account/templates/account.yaml
+++ b/build/installer/wizard/config/account/templates/account.yaml
@@ -20,5 +20,7 @@ metadata:
 spec:
  email: "{{.Values.user.email}}"
  initialPassword: "{{ .Values.user.password }}"
  groups:
  - lldap_admin
 status:
  state: Active
--- a/build/installer/wizard/config/system/values.yaml
+++ b/build/installer/wizard/config/system/values.yaml
@@ -1,5 +1,3 @@
 kubesphere:
  redis_password: ""
 backup:
--- a/build/manifest/components
+++ b/build/manifest/components
@@ -1,4 +1,4 @@
-olaresd-v1.12.0.tar.gz,pkg/components,https://dc3p1870nn3cj.cloudfront.net/olaresd-v1.12.0-linux-amd64.tar.gz,https://dc3p1870nn3cj.cloudfront.net/olaresd-v1.12.0-linux-arm64.tar.gz,olaresd
+olaresd-v1.12.0-rc.10.tar.gz,pkg/components,https://dc3p1870nn3cj.cloudfront.net/olaresd-v1.12.0-rc.10-linux-amd64.tar.gz,https://dc3p1870nn3cj.cloudfront.net/olaresd-v1.12.0-rc.10-linux-arm64.tar.gz,olaresd
 socat-1.7.3.2.tar.gz,pkg/components,https://src.fedoraproject.org/lookaside/pkgs/socat/socat-1.7.3.2.tar.gz/sha512/540658b2a3d1b87673196282e5c62b97681bd0f1d1e4759ff9d72909d11060235ee9e9521a973603c1b00376436a9444248e5fbc0ffac65f8edb9c9bc28e7972/socat-1.7.3.2.tar.gz,https://src.fedoraproject.org/lookaside/pkgs/socat/socat-1.7.3.2.tar.gz/sha512/540658b2a3d1b87673196282e5c62b97681bd0f1d1e4759ff9d72909d11060235ee9e9521a973603c1b00376436a9444248e5fbc0ffac65f8edb9c9bc28e7972/socat-1.7.3.2.tar.gz,socat
 conntrack-tools-1.4.1.tar.gz,pkg/components,https://github.com/fqrouter/conntrack-tools/archive/refs/tags/conntrack-tools-1.4.1.tar.gz,https://github.com/fqrouter/conntrack-tools/archive/refs/tags/conntrack-tools-1.4.1.tar.gz,conntrack-tools
 minio.RELEASE.2023-05-04T21-44-30Z,pkg/components,https://dl.min.io/server/minio/release/linux-amd64/archive/minio.RELEASE.2023-05-04T21-44-30Z,https://dl.min.io/server/minio/release/linux-arm64/archive/minio.RELEASE.2023-05-04T21-44-30Z,minio
--- a/build/manifest/images
+++ b/build/manifest/images
@@ -1,5 +1,5 @@
-beclab/ks-apiserver:0.0.5
+beclab/ks-apiserver:0.0.11
-beclab/ks-controller-manager:0.0.5
+beclab/ks-controller-manager:0.0.11
 beclab/kube-state-metrics:v2.3.0-ext.1
 calico/cni:v3.29.2
 calico/kube-controllers:v3.29.2
@@ -18,7 +18,7 @@ kubesphere/prometheus-operator:v0.55.1
 openebs/linux-utils:3.3.0
 openebs/provisioner-localpv:3.3.0
 beclab/percona-server-mongodb-operator:1.15.2
-prom/node-exporter:v1.3.1
+beclab/node-exporter:0.0.1
 prom/prometheus:v2.34.0
 quay.io/argoproj/argocli:v3.5.0
 quay.io/argoproj/argoexec:v3.5.0
@@ -26,16 +26,22 @@ quay.io/argoproj/workflow-controller:v3.5.0
 redis:5.0.14-alpine
 beclab/velero:v1.11.3
 beclab/velero-plugin-for-terminus:v1.0.2
-beclab/l4-bfl-proxy:v0.2.8
+beclab/l4-bfl-proxy:v0.3.0
 gcr.io/k8s-minikube/storage-provisioner:v5
 owncloudci/wait-for:latest
 beclab/recommend-argotask:v0.0.12
 bytetrade/nvshare:nvshare-scheduler
 beclab/nats-server-config-reloader:v1
-beclab/reverse-proxy:v0.1.7
+beclab/reverse-proxy:v0.1.8
 beclab/upgrade-job:0.1.7
 bytetrade/envoy:v1.25.11.1
 liangjw/kube-webhook-certgen:v1.1.1
-beclab/hami:v2.5.1
+beclab/hami:v2.5.2
 alpine:3.14
 mirrorgooglecontainers/defaultbackend-amd64:1.4
 projecthami/hami-webui-fe-oss:v1.0.5
 projecthami/hami-webui-be-oss:v1.0.5
 nvidia/dcgm-exporter:4.1.1-4.0.4-ubuntu22.04
 ghcr.io/open-telemetry/opentelemetry-go-instrumentation/autoinstrumentation-go:v0.20.0
 bytetrade/autoinstrumentation-apache-httpd:1.0.4-fix1
 ghcr.io/open-telemetry/opentelemetry-operator/autoinstrumentation-nodejs:0.40.0
--- a/build/manifest/pkgs
+++ b/build/manifest/pkgs
@@ -1,5 +1,5 @@
 cni-plugins-v1.6.2.tgz,pkg/cni/v1.6.2,https://github.com/containernetworking/plugins/releases/download/v1.6.2/cni-plugins-linux-amd64-v1.6.2.tgz,https://github.com/containernetworking/plugins/releases/download/v1.6.2/cni-plugins-linux-arm-v1.6.2.tgz,cni-plugins
-containerd-1.6.4.tar.gz,pkg/containerd/1.6.4,https://github.com/containerd/containerd/releases/download/v1.6.4/containerd-1.6.4-linux-amd64.tar.gz,https://github.com/containerd/containerd/releases/download/v1.6.4/containerd-1.6.4-linux-arm64.tar.gz,containerd
+containerd-1.6.36.tar.gz,pkg/containerd/1.6.36,https://github.com/containerd/containerd/releases/download/v1.6.36/containerd-1.6.36-linux-amd64.tar.gz,https://github.com/containerd/containerd/releases/download/v1.6.36/containerd-1.6.36-linux-arm64.tar.gz,containerd
 crictl-v1.32.0.tar.gz,pkg/crictl/v1.32.0,https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.32.0/crictl-v1.32.0-linux-amd64.tar.gz,https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.32.0/crictl-v1.32.0-linux-arm64.tar.gz,crictl
 etcd-v3.5.18.tar.gz,pkg/etcd/v3.5.18,https://github.com/coreos/etcd/releases/download/v3.5.18/etcd-v3.5.18-linux-amd64.tar.gz,https://github.com/coreos/etcd/releases/download/v3.5.18/etcd-v3.5.18-linux-arm64.tar.gz,etcd
 helm-v3.9.0.tar.gz,pkg/helm/v3.9.0,https://get.helm.sh/helm-v3.17.1-linux-amd64.tar.gz,https://get.helm.sh/helm-v3.17.1-linux-arm.tar.gz,helm
--- a/frameworks/GPU/config/gpu/hami/Chart.yaml
+++ b/frameworks/GPU/config/gpu/hami/Chart.yaml
@@ -13,4 +13,3 @@ maintainers:
  - name: zhangxiao
    email: xiaozhang0210@hotmail.com
 appVersion: "2.5.0"
--- a/frameworks/GPU/config/gpu/hami/templates/_helpers.tpl
+++ b/frameworks/GPU/config/gpu/hami/templates/_helpers.tpl
@@ -106,3 +106,167 @@ imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 2 }}
 {{- define "strippedKubeVersion" -}}
 {{ regexReplaceAll "^(v[0-9]+\\.[0-9]+\\.[0-9]+)(.*)$" .Capabilities.KubeVersion.Version "$1" }}
 {{- end -}}
 {{- define "dcgm-exporter.name" -}}
 {{- .Values.dcgmExporter.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
 {{- define "dcgm-exporter.fullname" -}}
 {{- if .Values.dcgmExporter.fullnameOverride -}}
 {{- .Values.dcgmExporter.fullnameOverride | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
 {{- $name := .Values.dcgmExporter.nameOverride -}}
 {{- if contains $name .Release.Name -}}
 {{- .Release.Name | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
 {{- printf "hami-%s" $name | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{- end -}}
 {{- end -}}
 {{/*
 Allow the release namespace to be overridden for multi-namespace deployments in combined charts
 */}}
 {{- define "dcgm-exporter.namespace" -}}
  {{- if .Values.dcgmExporter.namespaceOverride -}}
    {{- .Values.dcgmExporter.namespaceOverride -}}
  {{- else -}}
    {{- .Release.Namespace -}}
  {{- end -}}
 {{- end -}}
 {{/*
 Create chart name and version as used by the chart label.
 */}}
 {{- define "dcgm-exporter.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{/*
 Common labels
 */}}
 {{- define "dcgm-exporter.labels" -}}
 helm.sh/chart: {{ include "dcgm-exporter.chart" . }}
 {{ include "dcgm-exporter.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end -}}
 {{/*
 Selector labels
 */}}
 {{- define "dcgm-exporter.selectorLabels" -}}
 app.kubernetes.io/name: {{ include "dcgm-exporter.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 {{/*
 Create the name of the service account to use
 */}}
 {{- define "dcgm-exporter.serviceAccountName" -}}
 {{- if .Values.dcgmExporter.serviceAccount.create -}}
    {{ default (include "dcgm-exporter.fullname" .) .Values.dcgmExporter.serviceAccount.name }}
 {{- else -}}
    {{ default "default" .Values.dcgmExporter.serviceAccount.name }}
 {{- end -}}
 {{- end -}}
 {{/*
 Create the name of the tls secret to use
 */}}
 {{- define "dcgm-exporter.tlsCertsSecretName" -}}
 {{- if .Values.dcgmExporter.tlsServerConfig.existingSecret -}}
    {{- printf "%s" (tpl .Values.dcgmExporter.tlsServerConfig.existingSecret $) -}}
 {{- else -}}
    {{ printf "%s-tls" (include "dcgm-exporter.fullname" .) }}
 {{- end -}}
 {{- end -}}
 {{/*
 Create the name of the web-config configmap name to use
 */}}
 {{- define "dcgm-exporter.webConfigConfigMap" -}}
  {{ printf "%s-web-config.yml" (include "dcgm-exporter.fullname" .) }}
 {{- end -}}
 {{- define "hami-webui.name" -}}
 {{- .Values.webui.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
 {{- define "hami-webui.fullname" -}}
 {{- if .Values.webui.fullnameOverride }}
 {{- .Values.webui.fullnameOverride | trunc 63 | trimSuffix "-" }}
 {{- else }}
 {{- $name := .Values.webui.nameOverride }}
 {{- if contains $name .Release.Name }}
 {{- .Release.Name | trunc 63 | trimSuffix "-" }}
 {{- else }}
 {{- printf "hami-%s" $name | trunc 63 | trimSuffix "-" }}
 {{- end }}
 {{- end }}
 {{- end }}
 {{/*
 Allow the release namespace to be overridden for multi-namespace deployments in combined charts
 */}}
 {{- define "hami-webui.namespace" -}}
  {{- if .Values.webui.namespaceOverride -}}
    {{- .Values.webui.namespaceOverride -}}
  {{- else -}}
    {{- .Release.Namespace -}}
  {{- end -}}
 {{- end -}}
 {{/*
 Create chart name and version as used by the chart label.
 */}}
 {{- define "hami-webui.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 {{/*
 Common labels
 */}}
 {{- define "hami-webui.labels" -}}
 helm.sh/chart: {{ include "hami-webui.chart" . }}
 {{ include "hami-webui.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "hami-webui.selectorLabels" -}}
 app.kubernetes.io/name: {{ include "hami-webui.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 {{/*
 Create the name of the service account to use
 */}}
 {{- define "hami-webui.serviceAccountName" -}}
 {{- if .Values.webui.serviceAccount.create }}
 {{- default (include "hami-webui.fullname" .) .Values.webui.serviceAccount.name }}
 {{- else }}
 {{- default "default" .Values.webui.serviceAccount.name }}
 {{- end }}
 {{- end }}
--- a/frameworks/GPU/config/gpu/hami/templates/dcgm-exporter/daemonset.yaml
+++ b/frameworks/GPU/config/gpu/hami/templates/dcgm-exporter/daemonset.yaml
@@ -0,0 +1,168 @@
 # Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
  name: {{ include "dcgm-exporter.fullname" . }}
  namespace: {{ include "dcgm-exporter.namespace" . }}
  labels:
    {{- include "dcgm-exporter.labels" . | nindent 4 }}
    app.kubernetes.io/component: "dcgm-exporter"
 spec:
  updateStrategy:
    type: RollingUpdate
    {{- with .Values.dcgmExporter.rollingUpdate }}
    rollingUpdate:
      maxUnavailable: {{ .maxUnavailable }}
      maxSurge: {{ .maxSurge }}
    {{- end }}
  selector:
    matchLabels:
      {{- include "dcgm-exporter.selectorLabels" . | nindent 6 }}
      app.kubernetes.io/component: "dcgm-exporter"
  template:
    metadata:
      labels:
        {{- include "dcgm-exporter.selectorLabels" . | nindent 8 }}
        app.kubernetes.io/component: "dcgm-exporter"
      {{- if .Values.dcgmExporter.podLabels }}
        {{- toYaml .Values.podLabels | nindent 8 }}
      {{- end }}
      {{- if .Values.dcgmExporter.podAnnotations }}
      annotations:
        {{- toYaml .Values.dcgmExporter.podAnnotations | nindent 8 }}
      {{- end }}
    spec:
      {{- if .Values.dcgmExporter.runtimeClassName }}
      runtimeClassName: {{ .Values.dcgmExporter.runtimeClassName }}
      {{- end }}
      priorityClassName: {{ .Values.dcgmExporter.priorityClassName | default "system-node-critical" }}
      serviceAccountName: {{ include "dcgm-exporter.serviceAccountName" . }}
      {{- if .Values.dcgmExporter.podSecurityContext }}
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      {{- end }}
      {{- if .Values.dcgmExporter.affinity }}
      affinity:
        {{- toYaml .Values.dcgmExporter.affinity | nindent 8 }}
      {{- end }}
      {{- if .Values.dcgmExporter.nodeSelector }}
      nodeSelector:
        {{- toYaml .Values.dcgmExporter.nodeSelector | nindent 8 }}
      {{- end }}
      {{- with .Values.dcgmExporter.tolerations }}
      tolerations:
        {{- toYaml . | nindent 6 }}
      {{- end }}
      volumes:
      - name: "pod-gpu-resources"
        hostPath:
          path: '{{ .Values.dcgmExporter.kubeletPath }}'
      {{- if and .Values.dcgmExporter.tlsServerConfig.enabled }}
      - name: "tls"
        secret:
          secretName: {{ include "dcgm-exporter.tlsCertsSecretName" . }}
          defaultMode: 0664
      {{- end }}
      {{- if or .Values.dcgmExporter.tlsServerConfig.enabled $.Values.dcgmExporter.basicAuth.users}}
      - name: "web-config-yaml"
        configMap:
          name: {{ include "dcgm-exporter.webConfigConfigMap" . }}
          defaultMode: 0664
      {{- end }}
      {{- range .Values.dcgmExporter.extraHostVolumes }}
      - name: {{ .name | quote }}
        hostPath:
          path: {{ .hostPath | quote }}
      {{- end }}
      {{- with .Values.dcgmExporter.extraConfigMapVolumes }}
      {{- toYaml . | nindent 6 }}
      {{- end }}
      containers:
      - name: exporter
        securityContext:
          {{- toYaml .Values.dcgmExporter.securityContext | nindent 10 }}
        {{- if .Values.dcgmExporter.image.tag }}
        image: "{{ .Values.dcgmExporter.image.repository }}:{{ .Values.dcgmExporter.image.tag }}"
        {{- else }}
        image: "{{ .Values.dcgmExporter.image.repository }}:{{ .Chart.AppVersion }}"
        {{- end }}
        imagePullPolicy: "{{ .Values.dcgmExporter.image.pullPolicy }}"
        args:
        {{- range $.Values.dcgmExporter.arguments }}
        - {{ . }}
        {{- end }}
        env:
        - name: "DCGM_EXPORTER_KUBERNETES"
          value: "true"
        - name: "DCGM_EXPORTER_LISTEN"
          value: "{{ .Values.dcgmExporter.service.address }}"
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        {{- if or .Values.dcgmExporter.tlsServerConfig.enabled $.Values.dcgmExporter.basicAuth.users}}
        - name: "DCGM_EXPORTER_WEB_CONFIG_FILE"
          value: /etc/dcgm-exporter/web-config.yaml
        {{- end }}
        {{- if .Values.dcgmExporter.extraEnv }}
        {{- toYaml .Values.dcgmExporter.extraEnv | nindent 8 }}
        {{- end }}
        ports:
        - name: "metrics"
          containerPort: {{ .Values.dcgmExporter.service.port }}
        volumeMounts:
        - name: "pod-gpu-resources"
          readOnly: true
          mountPath: "/var/lib/kubelet/pod-resources"
        {{- if and .Values.dcgmExporter.tlsServerConfig.enabled }}
        - name: "tls"
          mountPath: /etc/dcgm-exporter/tls
        {{- end }}
        {{- if or .Values.dcgmExporter.tlsServerConfig.enabled $.Values.dcgmExporter.basicAuth.users}}
        - name: "web-config-yaml"
          mountPath: /etc/dcgm-exporter/web-config.yaml
          subPath: web-config.yaml
        {{- end }}
        {{- if .Values.dcgmExporter.extraVolumeMounts }}
        {{- toYaml .Values.dcgmExporter.extraVolumeMounts | nindent 8 }}
        {{- end }}
        livenessProbe:
          {{- if not $.Values.dcgmExporter.basicAuth.users }}
          httpGet:
            path: /health
            port: {{ .Values.dcgmExporter.service.port }}
            scheme: {{ ternary "HTTPS" "HTTP" $.Values.dcgmExporter.tlsServerConfig.enabled }}
          {{- else }}
          tcpSocket:
              port: {{ .Values.dcgmExporter.service.port }}
          {{- end }}
          initialDelaySeconds: 45
          periodSeconds: 5
        readinessProbe:
          {{- if not $.Values.dcgmExporter.basicAuth.users }}
          httpGet:
            path: /health
            port: {{ .Values.dcgmExporter.service.port }}
            scheme: {{ ternary "HTTPS" "HTTP" $.Values.dcgmExporter.tlsServerConfig.enabled }}
          {{- else }}
          tcpSocket:
              port: {{ .Values.dcgmExporter.service.port }}
          {{- end }}
          initialDelaySeconds: 45
        {{- if .Values.dcgmExporter.resources }}
        resources:
          {{- toYaml .Values.dcgmExporter.resources | nindent 10 }}
        {{- end }}
--- a/frameworks/GPU/config/gpu/hami/templates/dcgm-exporter/metrics-configmap.yaml
+++ b/frameworks/GPU/config/gpu/hami/templates/dcgm-exporter/metrics-configmap.yaml
@@ -0,0 +1,96 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: exporter-metrics-config-map
  namespace: {{ include "dcgm-exporter.namespace" . }}
 data:
 {{- if .Values.dcgmExporter.customMetrics }}
  metrics: |
 {{- .Values.dcgmExporter.customMetrics | nindent 4 }}
 {{- else }}
  metrics: |
      # Format
      # If line starts with a '#' it is considered a comment
      # DCGM FIELD, Prometheus metric type, help message
      DCGM_FI_DRIVER_VERSION, label, Driver Version.
      DCGM_FI_DEV_BRAND,  label, Device Brand.
      DCGM_FI_DEV_SERIAL, label, Device Serial Number.
      # Clocks
      DCGM_FI_DEV_SM_CLOCK,  gauge, SM clock frequency (in MHz).
      DCGM_FI_DEV_MEM_CLOCK, gauge, Memory clock frequency (in MHz).
      # Temperature
      DCGM_FI_DEV_MEMORY_TEMP, gauge, Memory temperature (in C).
      DCGM_FI_DEV_GPU_TEMP,    gauge, GPU temperature (in C).
      # Power
      DCGM_FI_DEV_POWER_USAGE,              gauge, Power draw (in W).
      DCGM_FI_DEV_TOTAL_ENERGY_CONSUMPTION, counter, Total energy consumption since boot (in mJ).
      # PCIE
      # DCGM_FI_PROF_PCIE_TX_BYTES,  counter, Total number of bytes transmitted through PCIe TX via NVML.
      # DCGM_FI_PROF_PCIE_RX_BYTES,  counter, Total number of bytes received through PCIe RX via NVML.
      DCGM_FI_DEV_PCIE_REPLAY_COUNTER, counter, Total number of PCIe retries.
      # Utilization (the sample period varies depending on the product)
      DCGM_FI_DEV_GPU_UTIL,      gauge, GPU utilization (in %).
      DCGM_FI_DEV_MEM_COPY_UTIL, gauge, Memory utilization (in %).
      DCGM_FI_DEV_ENC_UTIL,      gauge, Encoder utilization (in %).
      DCGM_FI_DEV_DEC_UTIL ,     gauge, Decoder utilization (in %).
      # Errors and violations
      DCGM_FI_DEV_XID_ERRORS,            gauge,   Value of the last XID error encountered.
      # DCGM_FI_DEV_POWER_VIOLATION,       counter, Throttling duration due to power constraints (in us).
      # DCGM_FI_DEV_THERMAL_VIOLATION,     counter, Throttling duration due to thermal constraints (in us).
      # DCGM_FI_DEV_SYNC_BOOST_VIOLATION,  counter, Throttling duration due to sync-boost constraints (in us).
      # DCGM_FI_DEV_BOARD_LIMIT_VIOLATION, counter, Throttling duration due to board limit constraints (in us).
      # DCGM_FI_DEV_LOW_UTIL_VIOLATION,    counter, Throttling duration due to low utilization (in us).
      # DCGM_FI_DEV_RELIABILITY_VIOLATION, counter, Throttling duration due to reliability constraints (in us).
      # Memory usage
      DCGM_FI_DEV_FB_FREE, gauge, Framebuffer memory free (in MiB).
      DCGM_FI_DEV_FB_USED, gauge, Framebuffer memory used (in MiB).
      # ECC
      # DCGM_FI_DEV_ECC_SBE_VOL_TOTAL, counter, Total number of single-bit volatile ECC errors.
      # DCGM_FI_DEV_ECC_DBE_VOL_TOTAL, counter, Total number of double-bit volatile ECC errors.
      # DCGM_FI_DEV_ECC_SBE_AGG_TOTAL, counter, Total number of single-bit persistent ECC errors.
      # DCGM_FI_DEV_ECC_DBE_AGG_TOTAL, counter, Total number of double-bit persistent ECC errors.
      # Retired pages
      # DCGM_FI_DEV_RETIRED_SBE,     counter, Total number of retired pages due to single-bit errors.
      # DCGM_FI_DEV_RETIRED_DBE,     counter, Total number of retired pages due to double-bit errors.
      # DCGM_FI_DEV_RETIRED_PENDING, counter, Total number of pages pending retirement.
      # NVLink
      # DCGM_FI_DEV_NVLINK_CRC_FLIT_ERROR_COUNT_TOTAL, counter, Total number of NVLink flow-control CRC errors.
      # DCGM_FI_DEV_NVLINK_CRC_DATA_ERROR_COUNT_TOTAL, counter, Total number of NVLink data CRC errors.
      # DCGM_FI_DEV_NVLINK_REPLAY_ERROR_COUNT_TOTAL,   counter, Total number of NVLink retries.
      # DCGM_FI_DEV_NVLINK_RECOVERY_ERROR_COUNT_TOTAL, counter, Total number of NVLink recovery errors.
      DCGM_FI_DEV_NVLINK_BANDWIDTH_TOTAL,            counter, Total number of NVLink bandwidth counters for all lanes.
      # DCGM_FI_DEV_NVLINK_BANDWIDTH_L0,               counter, The number of bytes of active NVLink rx or tx data including both header and payload.
      # VGPU License status
      DCGM_FI_DEV_VGPU_LICENSE_STATUS, gauge, vGPU License status
      # Remapped rows
      DCGM_FI_DEV_UNCORRECTABLE_REMAPPED_ROWS, counter, Number of remapped rows for uncorrectable errors
      DCGM_FI_DEV_CORRECTABLE_REMAPPED_ROWS,   counter, Number of remapped rows for correctable errors
      DCGM_FI_DEV_ROW_REMAP_FAILURE,           gauge,   Whether remapping of rows has failed
      # DCP metrics
      DCGM_FI_PROF_GR_ENGINE_ACTIVE,   gauge, Ratio of time the graphics engine is active.
      # DCGM_FI_PROF_SM_ACTIVE,          gauge, The ratio of cycles an SM has at least 1 warp assigned.
      # DCGM_FI_PROF_SM_OCCUPANCY,       gauge, The ratio of number of warps resident on an SM.
      DCGM_FI_PROF_PIPE_TENSOR_ACTIVE, gauge, Ratio of cycles the tensor (HMMA) pipe is active.
      DCGM_FI_PROF_DRAM_ACTIVE,        gauge, Ratio of cycles the device memory interface is active sending or receiving data.
      # DCGM_FI_PROF_PIPE_FP64_ACTIVE,   gauge, Ratio of cycles the fp64 pipes are active.
      # DCGM_FI_PROF_PIPE_FP32_ACTIVE,   gauge, Ratio of cycles the fp32 pipes are active.
      # DCGM_FI_PROF_PIPE_FP16_ACTIVE,   gauge, Ratio of cycles the fp16 pipes are active.
      DCGM_FI_PROF_PCIE_TX_BYTES,      counter, The number of bytes of active pcie tx data including both header and payload.
      DCGM_FI_PROF_PCIE_RX_BYTES,      counter, The number of bytes of active pcie rx data including both header and payload.
 {{- end }}
--- a/frameworks/GPU/config/gpu/hami/templates/dcgm-exporter/role.yaml
+++ b/frameworks/GPU/config/gpu/hami/templates/dcgm-exporter/role.yaml
@@ -0,0 +1,13 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: dcgm-exporter-read-cm
  namespace: {{ include "dcgm-exporter.namespace" . }}
  labels:
    {{- include "dcgm-exporter.labels" . | nindent 4 }}
    app.kubernetes.io/component: "dcgm-exporter"
 rules:
 - apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["exporter-metrics-config-map"]
  verbs: ["get"]
--- a/frameworks/GPU/config/gpu/hami/templates/dcgm-exporter/rolebinding.yaml
+++ b/frameworks/GPU/config/gpu/hami/templates/dcgm-exporter/rolebinding.yaml
@@ -0,0 +1,16 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: {{ include "dcgm-exporter.fullname" . }}
  namespace: {{ include "dcgm-exporter.namespace" . }}
  labels:
    {{- include "dcgm-exporter.labels" . | nindent 4 }}
    app.kubernetes.io/component: "dcgm-exporter"
 subjects:
 - kind: ServiceAccount
  name: {{ include "dcgm-exporter.serviceAccountName" . }}
  namespace: {{ include "dcgm-exporter.namespace" . }}
 roleRef:
  kind: Role 
  name: dcgm-exporter-read-cm
  apiGroup: rbac.authorization.k8s.io
--- a/frameworks/GPU/config/gpu/hami/templates/dcgm-exporter/service-monitor.yaml
+++ b/frameworks/GPU/config/gpu/hami/templates/dcgm-exporter/service-monitor.yaml
@@ -0,0 +1,42 @@
 {{- if .Values.dcgmExporter.serviceMonitor.enabled }}
 # Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 apiVersion: {{ .Values.dcgmExporter.serviceMonitor.apiVersion }}
 kind: ServiceMonitor
 metadata:
  name: {{ include "dcgm-exporter.fullname" . }}
  namespace: kubesphere-monitoring-system
  labels:
    {{- include "dcgm-exporter.labels" . | nindent 4 }}
    app.kubernetes.io/component: "dcgm-exporter"
    {{- if .Values.dcgmExporter.serviceMonitor.additionalLabels }}
    {{- toYaml .Values.dcgmExporter.serviceMonitor.additionalLabels | nindent 4 }}
    {{- end }}
 spec:
  selector:
    matchLabels:
      {{- include "dcgm-exporter.selectorLabels" . | nindent 6 }}
      app.kubernetes.io/component: "dcgm-exporter"
  namespaceSelector:
    matchNames:
    - "{{ include "dcgm-exporter.namespace" . }}"
  endpoints:
  - port: "metrics"
    path: "/metrics"
    interval: "{{ .Values.dcgmExporter.serviceMonitor.interval }}"
    honorLabels: {{ .Values.dcgmExporter.serviceMonitor.honorLabels }}
    relabelings:
      {{ toYaml .Values.dcgmExporter.serviceMonitor.relabelings | nindent 6 }}
 {{- end -}}
--- a/frameworks/GPU/config/gpu/hami/templates/dcgm-exporter/service.yaml
+++ b/frameworks/GPU/config/gpu/hami/templates/dcgm-exporter/service.yaml
@@ -0,0 +1,40 @@
 {{- if .Values.dcgmExporter.service.enable }}
 # Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "dcgm-exporter.fullname" . }}
  namespace: {{ include "dcgm-exporter.namespace" . }}
  labels:
    {{- include "dcgm-exporter.labels" . | nindent 4 }}
    app.kubernetes.io/component: "dcgm-exporter"
  {{- with .Values.dcgmExporter.service.annotations }}
  annotations:
  {{- toYaml . | nindent 4 }}
  {{- end }}
 spec:
  type: {{ .Values.dcgmExporter.service.type }}
  {{- if .Values.dcgmExporter.service.clusterIP }}
  clusterIP: {{ .Values.dcgmExporter.service.clusterIP | quote }}
  {{- end }}
  ports:
  - name: "metrics"
    port: {{ .Values.dcgmExporter.service.port }}
    targetPort: {{ .Values.dcgmExporter.service.port }}
    protocol: TCP
  selector:
    {{- include "dcgm-exporter.selectorLabels" . | nindent 4 }}
 {{- end }}
--- a/frameworks/GPU/config/gpu/hami/templates/dcgm-exporter/serviceaccount.yaml
+++ b/frameworks/GPU/config/gpu/hami/templates/dcgm-exporter/serviceaccount.yaml
@@ -0,0 +1,28 @@
 {{- if .Values.dcgmExporter.serviceAccount.create -}}
 # Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ include "dcgm-exporter.serviceAccountName" . }}
  namespace: {{ include "dcgm-exporter.namespace" . }}
  labels:
    {{- include "dcgm-exporter.labels" . | nindent 4 }}
    app.kubernetes.io/component: "dcgm-exporter"
  {{- with .Values.dcgmExporter.serviceAccount.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 {{- end -}}
--- a/frameworks/GPU/config/gpu/hami/templates/dcgm-exporter/tls-secret.yaml
+++ b/frameworks/GPU/config/gpu/hami/templates/dcgm-exporter/tls-secret.yaml
@@ -0,0 +1,43 @@
 # Copyright (c) 2024, NVIDIA CORPORATION.  All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 {{- if and .Values.dcgmExporter.tlsServerConfig.enabled (not .Values.dcgmExporter.tlsServerConfig.existingSecret) }}
 apiVersion: v1
 kind: Secret
 metadata:
  name: {{ (include "dcgm-exporter.tlsCertsSecretName" .) }}
  namespace: {{ include "dcgm-exporter.namespace" . }}
  labels:
    app.kubernetes.io/component: "dcgm-exporter"
    {{- include "dcgm-exporter.labels" . | nindent 4 }}
 type: Opaque
 data:
  {{- if .Values.dcgmExporter.tlsServerConfig.autoGenerated }}
  {{- $ca := genCA "dcgm-exporter-ca" 3650 }}
  {{- $hostname := printf "%s" (include "dcgm-exporter.fullname" .) }}
  {{- $cert := genSignedCert $hostname nil (list $hostname) 3650 $ca }}
  {{ .Values.dcgmExporter.tlsServerConfig.certFilename }}: {{ $cert.Cert | b64enc | quote }}
  {{ .Values.dcgmExporter.tlsServerConfig.keyFilename }}: {{ $cert.Key | b64enc | quote }}
  {{- if .Values.dcgmExporter.tlsServerConfig.clientAuthType }}
  {{ .Values.dcgmExporter.tlsServerConfig.caFilename }}: {{ $ca.Cert | b64enc | quote }}
  {{- end }}
  {{- else }}
  {{ .Values.dcgmExporter.tlsServerConfig.certFilename }}: {{ required "'tlsServerConfig.cert' is required when 'tlsServerConfig.enabled=true'" .Values.dcgmExporter.tlsServerConfig.cert | b64enc | quote }}
  {{ .Values.dcgmExporter.tlsServerConfig.keyFilename }}: {{ required "'tlsServerConfig.key' is required when 'tlsServerConfig.enabled=true'" .Values.dcgmExporter.tlsServerConfig.key | b64enc | quote }}
  {{- if .Values.dcgmExporter.tlsServerConfig.clientAuthType }}
  {{ .Values.dcgmExporter.tlsServerConfig.caFilename }}: {{ required "'tlsServerConfig.ca' is required when 'tlsServerConfig.clientAuthType' is provided" .Values.dcgmExporter.tlsServerConfig.ca | b64enc | quote }}
  {{- end }}
  {{- end }}
 {{- end }}
--- a/frameworks/GPU/config/gpu/hami/templates/dcgm-exporter/web-config-configmap.yaml
+++ b/frameworks/GPU/config/gpu/hami/templates/dcgm-exporter/web-config-configmap.yaml
@@ -0,0 +1,40 @@
 # Copyright (c) 2024, NVIDIA CORPORATION.  All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 {{- if or .Values.dcgmExporter.tlsServerConfig.enabled .Values.dcgmExporter.basicAuth.users }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ include "dcgm-exporter.webConfigConfigMap" . }}
  namespace: {{ include "dcgm-exporter.namespace" . }}
  labels:
    app.kubernetes.io/component: "dcgm-exporter"
    {{- include "dcgm-exporter.labels" . | nindent 4 }}
 data:
  web-config.yaml: |
 {{- if .Values.dcgmExporter.tlsServerConfig.enabled }}
    tls_server_config:
       cert_file: {{ required "'tlsServerConfig.certFilename' is required when 'tlsServerConfig.enabled=true'" .Values.dcgmExporter.tlsServerConfig.certFilename | printf "/etc/dcgm-exporter/tls/%s" | quote }}
       key_file: {{ required "'tlsServerConfig.keyFilename' is required when 'tlsServerConfig.enabled=true'" .Values.dcgmExporter.tlsServerConfig.keyFilename | printf "/etc/dcgm-exporter/tls/%s" | quote }}
       {{- if .Values.dcgmExporter.tlsServerConfig.clientAuthType }}
       client_auth_type: {{ .Values.dcgmExporter.tlsServerConfig.clientAuthType }}
       client_ca_file: {{ required "'tlsServerConfig.caFilename' is required when 'tlsServerConfig.clientAuthType' is provided" .Values.dcgmExporter.tlsServerConfig.caFilename | printf "/etc/dcgm-exporter/tls/%s" | quote }}
       {{- end }}
 {{- end }}
 {{- if .Values.dcgmExporter.basicAuth.users }}
    basic_auth_users:
      {{- range $user, $password := .Values.dcgmExporter.basicAuth.users }}
      {{ $user }}: {{ (split ":" (htpasswd $user $password))._1 }}
      {{- end }}
 {{- end }}
 {{- end }}
--- a/frameworks/GPU/config/gpu/hami/templates/device-plugin/daemonsetnvidia.yaml
+++ b/frameworks/GPU/config/gpu/hami/templates/device-plugin/daemonsetnvidia.yaml
@@ -112,12 +112,12 @@ spec:
            - name: NVIDIA_MIG_MONITOR_DEVICES
              value: all
            - name: HOOK_PATH
-              value: {{ .Values.global.gpuHookPath }}/vgpu
+              value: '{{ .Values.global.gpuHookPath }}/vgpu'
          resources:
          {{- toYaml .Values.devicePlugin.vgpuMonitor.resources | nindent 12 }}
          volumeMounts:
            - name: ctrs
-              mountPath: {{ .Values.devicePlugin.monitorctrPath }}
+              mountPath: '{{ .Values.devicePlugin.monitorctrPath }}'
            - name: dockers
              mountPath: /run/docker
            - name: containerds
@@ -131,7 +131,7 @@ spec:
      volumes:
        - name: ctrs
          hostPath:
-            path: {{ .Values.devicePlugin.monitorctrPath }}
+            path: '{{ .Values.devicePlugin.monitorctrPath }}'
        - name: hosttmp
          hostPath:
            path: /tmp
@@ -143,10 +143,10 @@ spec:
            path: /run/containerd
        - name: device-plugin
          hostPath:
-            path: {{ .Values.devicePlugin.pluginPath }}
+            path: '{{ .Values.devicePlugin.pluginPath }}'
        - name: lib
          hostPath:
-            path: {{ .Values.devicePlugin.libPath }}
+            path: '{{ .Values.devicePlugin.libPath }}'
        - name: usrbin
          hostPath:
            path: /usr/bin
--- a/frameworks/GPU/config/gpu/hami/templates/webui/configmap.yaml
+++ b/frameworks/GPU/config/gpu/hami/templates/webui/configmap.yaml
@@ -0,0 +1,21 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ include "hami-webui.fullname" . }}-config
  namespace: {{ include "hami-webui.namespace" . }}
 data:
  config.yaml: |
    server:
      http:
        addr: 0.0.0.0:8000
        timeout: 1s
      grpc:
        addr: 0.0.0.0:9000
        timeout: 1s
    prometheus:
      address: {{ ternary .Values.webui.externalPrometheus.address (printf "http://%s-kube-prometh-prometheus.%s.svc.cluster.local:9090" (include "hami-webui.fullname" .) (include "hami-webui.namespace" .)) .Values.webui.externalPrometheus.enabled }}
      timeout: 1m
    node_selectors:
    {{- range $key, $value := .Values.webui.vendorNodeSelectors }}
      {{ $key }}: {{ $value }}
    {{- end }}
--- a/frameworks/GPU/config/gpu/hami/templates/webui/deployment.yaml
+++ b/frameworks/GPU/config/gpu/hami/templates/webui/deployment.yaml
@@ -0,0 +1,82 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ include "hami-webui.fullname" . }}
  namespace: {{ include "hami-webui.namespace" . }}
  labels:
    {{- include "hami-webui.labels" . | nindent 4 }}
    app.kubernetes.io/component: "hami-webui"
 spec:
  replicas: {{ .Values.webui.replicaCount }}
  selector:
    matchLabels:
      {{- include "hami-webui.selectorLabels" . | nindent 6 }}
      app.kubernetes.io/component: "hami-webui"
  template:
    metadata:
      {{- with .Values.webui.podAnnotations }}
      annotations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      labels:
        {{- include "hami-webui.selectorLabels" . | nindent 8 }}
        app.kubernetes.io/component: "hami-webui"
    spec:
      serviceAccountName: {{ include "hami-webui.serviceAccountName" . }}
      securityContext:
        {{- toYaml .Values.webui.podSecurityContext | nindent 8 }}
      containers:
        - name: {{ .Release.Name }}-fe-oss
          securityContext:
            {{- toYaml .Values.webui.securityContext | nindent 12 }}
          image: "{{ .Values.webui.image.frontend.repository }}:{{ .Values.webui.image.frontend.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.webui.image.frontend.pullPolicy }}
          env:
            {{- toYaml .Values.webui.env.frontend | nindent 12 }}
          ports:
            - name: http
              containerPort: 3000
              protocol: TCP
          command:
            - "node"
          args:
            - "/apps/dist/main"
          resources:
            {{- toYaml .Values.webui.resources.frontend | nindent 12 }}
        - name: {{ .Release.Name }}-be-oss
          securityContext:
                  {{- toYaml .Values.webui.securityContext | nindent 12 }}
          image: "{{ .Values.webui.image.backend.repository }}:{{ .Values.webui.image.backend.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.webui.image.backend.pullPolicy }}
          env:
            {{- toYaml .Values.webui.env.backend | nindent 12 }}
          ports:
            - name: metrics
              containerPort: 8000
              protocol: TCP
          command:
            - "/apps/server"
          args:
            - "--conf"
            - "/apps/config/config.yaml"
          resources:
            {{- toYaml .Values.webui.resources.backend | nindent 12 }}
          volumeMounts:
            - name: config
              mountPath: /apps/config/
      {{- with .Values.webui.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.webui.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      volumes:
        - name: config
          configMap:
            name: {{ include "hami-webui.fullname" . }}-config
--- a/frameworks/GPU/config/gpu/hami/templates/webui/hamiservicemonitor.yaml
+++ b/frameworks/GPU/config/gpu/hami/templates/webui/hamiservicemonitor.yaml
@@ -0,0 +1,27 @@
 {{- if .Values.webui.hamiServiceMonitor.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: {{ include "hami-webui.fullname" . }}-hami-svc-monitor
  namespace: kubesphere-monitoring-system
  labels:
    {{- include "hami-webui.labels" . | nindent 4 }}
    app.kubernetes.io/component: "hami-webui"
    {{- if .Values.webui.hamiServiceMonitor.additionalLabels }}
    {{- toYaml .Values.webui.hamiServiceMonitor.additionalLabels | nindent 4 }}
    {{- end }}
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/component: hami-device-plugin
  namespaceSelector:
    matchNames:
      - "{{ .Values.webui.hamiServiceMonitor.svcNamespace }}"
  endpoints:
  - path: /metrics
    port: monitorport
    interval: "{{ .Values.webui.hamiServiceMonitor.interval }}"
    honorLabels: {{ .Values.webui.hamiServiceMonitor.honorLabels }}
    relabelings:
      {{ toYaml .Values.webui.hamiServiceMonitor.relabelings | nindent 6 }}
 {{- end -}}
--- a/frameworks/GPU/config/gpu/hami/templates/webui/role.yaml
+++ b/frameworks/GPU/config/gpu/hami/templates/webui/role.yaml
@@ -0,0 +1,15 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: hami-webui-reader
  namespace: {{ include "hami-webui.namespace" . }}
  labels:
    {{- include "hami-webui.labels" . | nindent 4 }}
    app.kubernetes.io/component: "hami-webui"
 rules:
  - apiGroups: [ "" ]
    resources: [ "nodes" ]
    verbs: [ "get", "list", "watch" ]
  - apiGroups: [ "" ]
    resources: [ "pods" ]
    verbs: [ "get", "list", "watch" ]
--- a/Show More
+++ b/Show More
		`@@ -1,3 +0,0 @@`
			`# vault`

			`https://github.com/beclab/analytic`
`@@ -1,2 +1,2 @@`
	`upgrade:`	`upgrade:`
	`minVersion: 1.12.0-0000000`	`minVersion: 1.12.0-1`