feat(settings-server): upgrade docker node version to 24.0.2 & upgrade nestjs version to 11.1.1

otel: bump the go auto-instrumentation image version (#1328 )
otel: change the go auto-instrumentation image version
2025-05-19 21:29:50 +08:00 · 2025-05-19 19:30:36 +08:00 · 2025-05-17 01:20:19 +08:00 · 2025-05-16 23:57:26 +08:00 · 2025-05-16 21:00:41 +08:00 · 2025-05-16 00:19:35 +08:00
89 changed files with 849 additions and 905 deletions
--- a/.github/workflows/check.yaml
+++ b/.github/workflows/check.yaml
@@ -38,7 +38,7 @@ jobs:
          bash scripts/package.sh

      - name: Run chart-testing (lint)
-        run: ct lint --chart-dirs build/installer/wizard/config --check-version-increment=false --target-branch ${{ github.event.repository.default_branch }}
+        run: ct lint --chart-dirs build/installer/wizard/config,build/installer/wizard/config/apps,build/installer/wizard/config/gpu --check-version-increment=false --all

      # - name: Create kind cluster
      #   if: steps.list-changed.outputs.changed == 'true'
--- a/.github/workflows/daily-lint-check.yaml
+++ b/.github/workflows/daily-lint-check.yaml
@@ -0,0 +1,37 @@
+name: Lint Check Charts
+
+on:
+  schedule:
+    # This is a UTC time
+    - cron: "30 1 * * *"
+  workflow_dispatch:
+
+
+jobs:
+  lint-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+          
+      - name: Set up Helm
+        uses: azure/setup-helm@v3
+        with:
+          version: v3.12.1
+
+      - uses: actions/setup-python@v4
+        with:
+          python-version: '3.9'
+          check-latest: true
+
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@v2.6.0
+      
+      - name: Pre package
+        run: |
+          bash scripts/package.sh
+
+      - name: Run chart-testing (lint)
+        run: |
+          ct lint --chart-dirs build/installer/wizard/config,build/installer/wizard/config/apps,build/installer/wizard/config/gpu --check-version-increment=false --all
+
--- a/README.md
+++ b/README.md
@@ -65,19 +65,14 @@ Here is why and where you can count on Olares for private, powerful, and secure
 ## Getting started

 ### System compatibility
-Olares has been tested and verified on the following platforms:

-| Platform            | Operating system                     | Notes                                                 |
-|---------------------|--------------------------------------|-------------------------------------------------------|
-| Linux               | Ubuntu 20.04 LTS or later <br/> Debian 11 or later |                                          |
-| Raspberry Pi        | RaspbianOS                           | Verified on Raspberry Pi 4 Model B and Raspberry Pi 5 |
-| Windows             | Windows 11 23H2 or later <br/>Windows 10 22H2 or later<br/> WSL2 |                                     |
-| Mac                 | Monterey (12) or later              |                                                        |
-| Proxmox VE (PVE)    | Proxmox Virtual Environment 8.0      |                                                       |
+Olares has been tested and verified on the following Linux platforms:

-> **Note**
-> 
-> If you successfully install Olares on an operating system that is not listed in the compatibility table, please let us know! You can [open an issue](https://github.com/beclab/Olares/issues/new) or submit a pull request on our GitHub repository.
+- Ubuntu 20.04 LTS or later 
+- Debian 11 or later
+
+> **Other installation options**
+> Olares can also be installed on other platforms like macOS, Windows, PVE, and Raspberry Pi, or installed via docker compose on Linux. However, these are only for **testing and development purposes**. For detailed instructions, visit [Additional installation options](https://docs.olares.xyz/developer/install/additional-installations.html).

 ### Set up Olares
 To get started with Olares on your own device, follow the [Getting Started Guide](https://docs.olares.xyz/manual/get-started/) for step-by-step instructions.
--- a/README_CN.md
+++ b/README_CN.md
@@ -62,25 +62,18 @@ Olares 是为本地端侧 AI 打造的开源私有云操作系统，可轻松将
 ## 快速开始

 ### 系统兼容性
-Olares 已在以下平台完成测试验证：

-| 平台            | 操作系统                     | 备注                                                 |
-|---------------------|--------------------------------------|-------------------------------------------------------|
-| Linux               | Ubuntu 20.04 LTS 及以上 <br/> Debian 11 及以上  |                                               |
-| Raspberry Pi        | RaspbianOS                           | 已在 Raspberry Pi 4 Model B 和 Raspberry Pi 5 上验证    |
-| Windows             | Windows 11 23H2 及以上 <br/>Windows 10 22H2 及以上 <br/>WSL2 |                                           |
-| Mac                  | macOS Monterey (12) 及以上             |                                                         |
-| Proxmox VE (PVE)    | Proxmox Virtual Environment 8.0      |                                                         |
+Olares 已在以下 Linux 平台完成测试与验证：

-> **注意**
-> 
-> 如果你在未列出的系统版本上成功安装了 Olares，请告诉我们！你可以在 GitHub 仓库中[提交 Issue](https://github.com/beclab/Olares/issues/new) 或发起 Pull Request。
+- Ubuntu 20.04 LTS 及以上版本
+- Debian 11 及以上版本
+
+> **其他安装方式**
+> Olares 也支持在 macOS、Windows、PVE、树莓派等平台上运行，或通过 Docker Compose 在 Linux 上部署。但请注意，这些方式**仅适用于开发和测试环境**。详细安装指南请参阅[其他安装方式](https://docs.joinolares.cn/zh/developer/install/additional-installations.html)。

 ### 安装 Olares
-
-> 当前文档仅有英文版本。
 
-参考[快速上手指南](https://docs.olares.xyz/manual/get-started/)安装并激活 Olares。
+参考[快速上手指南](https://docs.joinolares.cn/zh/manual/get-started/)安装并激活 Olares。

 ## 系统架构
 Olares 的架构设计遵循两个核心原则：
--- a/README_JP.md
+++ b/README_JP.md
@@ -63,19 +63,14 @@ Olaresを使用して、ハードウェアをAIホームサーバーに変換し
 ## はじめに

 ### システム互換性
-Olaresは以下のプラットフォームでテストおよび検証されています：

-| プラットフォーム            | オペレーティングシステム                     | 備考                                                 |
-|---------------------|--------------------------------------|-------------------------------------------------------|
-| Linux               | Ubuntu 20.04 LTS以降 <br/> Debian 11以降 |                                          |
-| Raspberry Pi        | RaspbianOS                           | Raspberry Pi 4 Model BおよびRaspberry Pi 5で検証済み |
-| Windows             | Windows 11 23H2以降 <br/>Windows 10 22H2以降<br/> WSL2 |                                     |
-| Mac                 | Monterey (12)以降              |                                                        |
-| Proxmox VE (PVE)    | Proxmox Virtual Environment 8.0      |                                                       |
+Olaresは以下のLinuxプラットフォームで動作検証を完了しています：

-> **注意**
-> 
-> 互換性テーブルに記載されていないオペレーティングシステムでOlaresを正常にインストールした場合は、お知らせください！GitHubリポジトリで[問題を開く](https://github.com/beclab/Olares/issues/new)か、プルリクエストを送信できます。
+- Ubuntu 20.04 LTS 以降
+- Debian 11 以降
+
+> **追加インストール手順**
+> Olares は macOS、Windows、PVE、Raspberry Pi などのプラットフォームや、Linux 上での Docker Compose を用いたインストールにも対応しています。>ただし、これらの方法は開発およびテスト環境専用です。詳しくは[追加インストール手順](https://docs.olares.xyz/developer/install/additional-installations.html)をご参照ください。

 ### Olaresのセットアップ
 自分のデバイスでOlaresを始めるには、[はじめにガイド](https://docs.olares.xyz/manual/get-started/)に従ってステップバイステップの手順を確認してください。
--- a/apps/argo/config/cluster/deploy/workflow-task.yaml
+++ b/apps/argo/config/cluster/deploy/workflow-task.yaml
@@ -38,6 +38,7 @@ data:
  redis_password: {{ $redis_password }}

 ---
+
 apiVersion: apr.bytetrade.io/v1alpha1
 kind: MiddlewareRequest
 metadata:
@@ -59,23 +60,7 @@ spec:
    - name: rss_v1
    - name: argo

---
-apiVersion: apr.bytetrade.io/v1alpha1
-kind: MiddlewareRequest
-metadata:
-  name: knowledge-redis
-  namespace: os-system
-spec:
-  app: rss
-  appNamespace: os-system
-  middleware: redis
-  redis:
-    password:
-      valueFrom:
-        secretKeyRef:
-          key: redis_password
-          name: rss-secrets
-    namespace: knowledge
+



--- a/apps/argo/config/cluster/deploy/workflow-controller-config-map.yaml
+++ b/apps/argo/config/cluster/deploy/workflow-controller-config-map.yaml
@@ -7,7 +7,7 @@ data:
  config: |
    instanceID: os-system
    artifactRepository:
-      archiveLogs: false
+      archiveLogs: true
      s3:
        accessKeySecret:
          key: AWS_ACCESS_KEY_ID
@@ -16,7 +16,7 @@ data:
          key: AWS_SECRET_ACCESS_KEY
          name: argo-workflow-log-fakes3
        bucket: mongo-backup
-        endpoint: workflow-archivelog-s3.user-system-mmchong2021:4568
+        endpoint: tapr-s3-svc:4568
        insecure: true
    persistence:
      connectionPool:
--- a/apps/argo/config/user/helm-charts/argo/templates/argo_deployment.yaml
+++ b/apps/argo/config/user/helm-charts/argo/templates/argo_deployment.yaml
@@ -13,7 +13,22 @@ spec:
      name: fakes3
      port: 4568
      targetPort: 4568
-
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: knowledge-base-api
+  namespace: user-system-{{ .Values.bfl.username }}
+spec:
+  type: ClusterIP
+  selector:
+    app: systemserver
+  ports:
+    - protocol: TCP
+      name: knowledge-api
+      port: 3010
+      targetPort: 3010  



--- a/apps/argo/config/user/helm-charts/argo/values.yaml
+++ b/apps/argo/config/user/helm-charts/argo/values.yaml
@@ -1,4 +1,3 @@
-
 bfl:
  nodeport: 30883
  nodeport_ingress_http: 30083
@@ -40,4 +39,4 @@ os:
    appKey: '${ks[0]}'
    appSecret: test
 kubesphere:
-  redis_password: ""
+  redis_password: ""
--- a/apps/desktop/config/user/helm-charts/desktop/templates/desktop_deploy.yaml
+++ b/apps/desktop/config/user/helm-charts/desktop/templates/desktop_deploy.yaml
@@ -66,7 +66,7 @@ spec:

      containers:
      - name: edge-desktop
-        image: beclab/desktop:v0.2.57
+        image: beclab/desktop:v0.2.59
        imagePullPolicy: IfNotPresent
        securityContext:
          runAsNonRoot: false
@@ -78,7 +78,7 @@ spec:
            value: http://bfl.{{ .Release.Namespace }}:8080

      - name: desktop-server
-        image: beclab/desktop-server:v0.2.57
+        image: beclab/desktop-server:v0.2.59
        imagePullPolicy: IfNotPresent
        securityContext:
          allowPrivilegeEscalation: false
@@ -156,7 +156,7 @@ spec:
      - name: userspace-dir
        hostPath:
          type: Directory
-          path: {{ .Values.userspace.userData }}
+          path: '{{ .Values.userspace.userData }}'
      - name: terminus-sidecar-config
        configMap:
          name: sidecar-ws-configs
--- a/apps/desktop/config/user/helm-charts/desktop/values.yaml
+++ b/apps/desktop/config/user/helm-charts/desktop/values.yaml
@@ -1,4 +1,3 @@
-
 bfl:
  username: 'test'
  url: 'test'
--- a/apps/download/README.md
+++ b/apps/download/README.md
@@ -1,3 +0,0 @@
-# vault
-
-https://github.com/beclab/analytic
--- a/apps/download/config/cluster/deploy/download_deploy.yaml
+++ b/apps/download/config/cluster/deploy/download_deploy.yaml
@@ -1,304 +0,0 @@
-{{- $namespace := printf "%s" "os-system" -}}
-{{- $download_secret := (lookup "v1" "Secret" $namespace "rss-secrets") -}}
-
-{{- $pg_password := "" -}}
-{{ if $download_secret -}}
-{{ $pg_password = (index $download_secret "data" "pg_password") }}
-{{ else -}}
-{{ $pg_password = randAlphaNum 16 | b64enc }}
-{{- end -}}
-
-{{- $redis_password := "" -}}
-{{ if $download_secret -}}
-{{ $redis_password = (index $download_secret "data" "redis_password") }}
-{{ else -}}
-{{ $redis_password = randAlphaNum 16 | b64enc }}
-{{- end -}}
-
-{{- $download_nats_secret := (lookup "v1" "Secret" $namespace "download-secrets") -}}
-{{- $nat_password := "" -}}
-{{ if $download_nats_secret -}}
-{{ $nat_password = (index $download_nats_secret "data" "nat_password") }}
-{{ else -}}
-{{ $nat_password = randAlphaNum 16 | b64enc }}
-{{- end -}}
-
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: download-secrets
-  namespace: os-system
-type: Opaque
-data:
-  pg_password: {{ $pg_password }}
-  redis_password: {{ $redis_password }}
-  nat_password: {{ $nat_password }}
---
-apiVersion: apr.bytetrade.io/v1alpha1
-kind: MiddlewareRequest
-metadata:
-  name: download-pg
-  namespace: os-system
-spec:
-  app: download
-  appNamespace: os-system
-  middleware: postgres
-  postgreSQL:
-    user: knowledge_os_system
-    password:
-      valueFrom:
-        secretKeyRef:
-          key: pg_password
-          name: download-secrets
-    databases:
-    - name: knowledge
---
-apiVersion: apr.bytetrade.io/v1alpha1
-kind: MiddlewareRequest
-metadata:
-  name: download-nat
-  namespace: os-system
-spec:
-  app: download
-  appNamespace: os-system
-  middleware: nats
-  nats:
-    password:
-      valueFrom:
-        secretKeyRef:
-          key: nat_password
-          name: download-secrets
-    refs: []
-    subjects:
-    - name: download_status
-      permission:
-        pub: allow
-        sub: allow
-      export:
-      - appName: knowledge
-        sub: allow
-        pub: allow
-    user: os-system-download
---
-
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: download
-  namespace: os-system
-  labels:
-    app: download
-    applications.app.bytetrade.io/author: bytetrade.io
-spec:
-  replicas: 1
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app: download
-  template:
-    metadata:
-      labels:
-        app: download
-    spec:
-      serviceAccount: os-internal
-      serviceAccountName: os-internal
-      securityContext:
-        runAsUser: 0
-        runAsNonRoot: false
-
-      initContainers:
-      - name: init-data
-        image: busybox:1.28
-        securityContext:
-          privileged: true
-          runAsNonRoot: false
-          runAsUser: 0
-        volumeMounts:
-        - name: config-dir
-          mountPath: /config
-        - name: download-dir
-          mountPath: /downloads
-        command:
-        - sh
-        - -c
-        - |
-          chown -R 1000:1000 /config && \
-          chown -R 1000:1000 /downloads
-      - name: init-container
-        image: 'postgres:16.0-alpine3.18'
-        command:
-          - sh
-          - '-c'
-          - >-
-            echo -e "Checking for the availability of PostgreSQL Server deployment"; until psql -h $PGHOST -p $PGPORT -U $PGUSER -d $PGDB -c "SELECT 1"; do sleep 1; printf "-"; done; sleep 5; echo -e " >> PostgreSQL DB Server has started";
-        env:
-          - name: PGHOST
-            value: citus-headless.os-system
-          - name: PGPORT
-            value: "5432"
-          - name: PGUSER
-            value: knowledge_os_system
-          - name: PGPASSWORD
-            value: {{ $pg_password | b64dec }}
-          - name: PGDB
-            value: os_system_knowledge
-      containers:
-      - name: aria2
-        image: "beclab/aria2:v0.0.4"
-        imagePullPolicy: IfNotPresent
-        securityContext:
-          runAsNonRoot: false
-          runAsUser: 0
-        ports:
-        - containerPort: 6800
-        - containerPort: 6888
-        env:
-        - name: RPC_SECRET
-          value: kubespider
-        - name: PUID
-          value: "1000"
-        - name: PGID
-          value: "1000"
-        volumeMounts:
-        - name: download-dir
-          mountPath: /downloads
-        resources:
-          requests:
-            cpu: 20m
-            memory: 50Mi
-          limits:
-            cpu: "1"
-            memory: 300Mi
-      - name: yt-dlp
-        image: "beclab/yt-dlp:v0.12.0"
-        imagePullPolicy: IfNotPresent
-        securityContext:
-          allowPrivilegeEscalation: false
-          runAsUser: 1000
-
-        ports:
-        - containerPort: 3082
-        env:
-        - name: PG_USERNAME
-          value: knowledge_os_system
-        - name: PG_PASSWORD
-          value: {{ $pg_password | b64dec }}
-        - name: PG_HOST
-          value: citus-headless.os-system
-        - name: PG_PORT
-          value: "5432"
-        - name: PG_DATABASE
-          value: os_system_knowledge
-        - name: REDIS_HOST
-          value: redis-cluster-proxy.os-system
-        - name: REDIS_PASSWORD
-          value: {{ $redis_password | b64dec }}
-        - name: NATS_HOST
-          value: nats
-        - name: NATS_PORT
-          value: "4222"
-        - name: NATS_USERNAME
-          value: os-system-download
-        - name: NATS_PASSWORD
-          value: {{ $nat_password | b64dec }}
-        - name: NATS_SUBJECT
-          value: terminus.os-system.download_status
-        volumeMounts:
-        - name: config-dir
-          mountPath: /app/config
-        - name: download-dir
-          mountPath: /app/downloads
-        resources:
-          requests:
-            cpu: 20m
-            memory: 50Mi
-          limits:
-            cpu: "1"
-            memory: 300Mi
-      - name: download-spider
-        image: "beclab/download-spider:v0.12.0"
-        imagePullPolicy: IfNotPresent
-        securityContext:
-          allowPrivilegeEscalation: false
-          runAsUser: 1000
-
-        env:
-        - name: PG_USERNAME
-          value: knowledge_os_system
-        - name: PG_PASSWORD
-          value: {{ $pg_password | b64dec }}
-        - name: PG_HOST
-          value: citus-headless.os-system
-        - name: PG_PORT
-          value: "5432"
-        - name: PG_DATABASE
-          value: os_system_knowledge
-        - name: REDIS_HOST
-          value: redis-cluster-proxy.os-system
-        - name: REDIS_PASSWORD
-          value: {{ $redis_password | b64dec }}
-        - name: NATS_HOST
-          value: nats
-        - name: NATS_PORT
-          value: "4222"
-        - name: NATS_USERNAME
-          value: os-system-download
-        - name: NATS_PASSWORD
-          value: {{ $nat_password | b64dec }}
-        - name: NATS_SUBJECT
-          value: terminus.os-system.download_status
-        volumeMounts:
-        - name: download-dir
-          mountPath: /downloads
-        
-        ports:
-        - containerPort: 3080
-        resources:
-          requests:
-            cpu: 20m
-            memory: 50Mi
-          limits:
-            cpu: "1"
-            memory: 300Mi
-
-      volumes:
-      - name: config-dir
-        hostPath: 
-          type: DirectoryOrCreate
-          path: {{ .Values.rootPath }}/userdata/Cache/download
-      - name: download-dir
-        hostPath:
-          type: DirectoryOrCreate
-          path: {{ .Values.rootPath }}/rootfs/userspace
-
-
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: download-svc
-  namespace: os-system
-spec:
-  type: ClusterIP
-  selector:
-    app: download
-  ports:
-    - name: "download-spider"
-      protocol: TCP
-      port: 3080
-      targetPort: 3080
-    - name: "aria2-server"
-      protocol: TCP
-      port: 6800
-      targetPort: 6800
-    - name: ytdlp-server
-      protocol: TCP
-      port: 3082
-      targetPort: 3082
-
-
-
-
--- a/apps/files/config/cluster/deploy/files_deploy.yaml
+++ b/apps/files/config/cluster/deploy/files_deploy.yaml
@@ -43,8 +43,8 @@ spec:
      labels:
        app: files
      annotations:
-        # instrumentation.opentelemetry.io/inject-nginx: "olares-instrumentation"
-        # instrumentation.opentelemetry.io/inject-nginx-container-names: "nginx"    
+        instrumentation.opentelemetry.io/inject-nginx: "olares-instrumentation"
+        instrumentation.opentelemetry.io/inject-nginx-container-names: "nginx"    
        instrumentation.opentelemetry.io/inject-go: "olares-instrumentation"
        instrumentation.opentelemetry.io/go-container-names: "gateway,files,uploader"    
        instrumentation.opentelemetry.io/otel-go-auto-target-exe: "/filebrowser"
@@ -73,6 +73,28 @@ spec:
          - -c
          - |
            chown -R 1000:1000 /appdata; chown -R 1000:1000 /appcache; chown -R 1000:1000 /data
+        - name: init-container
+          image: 'postgres:16.0-alpine3.18'
+          command:
+            - sh
+            - '-c'
+            - >-
+              echo -e "Checking for the availability of PostgreSQL Server
+              deployment"; until psql -h $PGHOST -p $PGPORT -U $PGUSER -d $PGDB1
+              -c "SELECT 1"; do sleep 1; printf "-"; done; sleep 5; echo -e " >>
+              PostgreSQL DB Server has started";
+          env:
+            - name: PGHOST
+              value: citus-headless.os-system
+            - name: PGPORT
+              value: '5432'
+            - name: PGUSER
+              value: files_os_system
+            - name: PGPASSWORD
+              value: {{ $files_postgres_password | b64dec }}
+            - name: PGDB1
+              value: os_system_files
+
      containers:
        - name: gateway
          image: beclab/appdata-gateway:0.1.18
@@ -84,7 +106,7 @@ spec:
            - containerPort: 8080
          env:
            - name: FILES_SERVER_TAG
-              value: 'beclab/files-server:v0.2.67'
+              value: 'beclab/files-server:v0.2.69'
            - name: NAMESPACE
              valueFrom:
                fieldRef:
@@ -120,7 +142,7 @@ spec:
 {{ end }}

        - name: files
-          image: beclab/files-server:v0.2.67
+          image: beclab/files-server:v0.2.69
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: true
@@ -281,7 +303,7 @@ spec:
            runAsUser: 0
            privileged: true
        - name: nginx
-          image: 'nginx:stable-alpine3.17-slim'
+          image: 'beclab/docker-nginx-headers-more:ubuntu-v0.1.0'
          securityContext:
            runAsNonRoot: false
            runAsUser: 0
@@ -304,14 +326,14 @@ spec:
        - name: userspace-dir
          hostPath:
            type: Directory
-            path: {{ .Values.rootPath }}/rootfs/userspace
+            path: '{{ .Values.rootPath }}/rootfs/userspace'
        - name: fb-data
          hostPath:
            type: DirectoryOrCreate
-            path: {{ .Values.rootPath }}/userdata/Cache/files
+            path: '{{ .Values.rootPath }}/userdata/Cache/files'
        - name: upload-appdata
          hostPath:
-            path: {{ .Values.rootPath }}/userdata/Cache
+            path: '{{ .Values.rootPath }}/userdata/Cache'
            type: DirectoryOrCreate
        - name: files-nginx-config
          configMap:
@@ -324,13 +346,13 @@ spec:
            defaultMode: 420
        - name: user-appdata-dir
          hostPath:
-            path: {{ .Values.rootPath }}/userdata/Cache
+            path: '{{ .Values.rootPath }}/userdata/Cache'
            type: Directory
        
 {{ if .Values.sharedlib }}        
        - name: shared-lib
          hostPath:
-            path: {{ .Values.sharedlib }}
+            path: "{{ .Values.sharedlib }}"
            type: Directory
 {{ end }}            

@@ -412,7 +434,7 @@ spec:
          name: check-nats
      containers:
        - name: files
-          image: beclab/files-server:v0.2.67
+          image: beclab/files-server:v0.2.69
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: true
@@ -447,11 +469,11 @@ spec:
        - name: user-appdata-dir
          hostPath:
            type: Directory
-            path: {{ .Values.rootPath }}/userdata/Cache
+            path: '{{ .Values.rootPath }}/userdata/Cache'
        - name: fb-data
          hostPath:
            type: DirectoryOrCreate
-            path: {{ .Values.rootPath }}/userdata/Cache/files-appdata
+            path: '{{ .Values.rootPath }}/userdata/Cache/files-appdata'

 ---
 apiVersion: v1
--- a/apps/files/config/user/helm-charts/files/templates/files_fe_deploy.yaml
+++ b/apps/files/config/user/helm-charts/files/templates/files_fe_deploy.yaml
@@ -114,9 +114,11 @@ spec:
        io.bytetrade.app: "true"
      annotations:
        # support nginx 1.24.3 1.25.3
-        # instrumentation.opentelemetry.io/inject-nginx: "olares-instrumentation"
-        # instrumentation.opentelemetry.io/inject-nginx-container-names: "files-frontend"    
-        # instrumentation.opentelemetry.io/otel-go-auto-target-exe: "drive"
+        instrumentation.opentelemetry.io/inject-nginx: "olares-instrumentation"
+        instrumentation.opentelemetry.io/inject-nginx-container-names: "files-frontend"    
+        instrumentation.opentelemetry.io/inject-go: "olares-instrumentation"
+        instrumentation.opentelemetry.io/go-container-names: "driver-server"    
+        instrumentation.opentelemetry.io/otel-go-auto-target-exe: "drive"
    spec:
      serviceAccountName: bytetrade-controller
      securityContext:
@@ -204,6 +206,20 @@ spec:
            value: "{{ $pg_password | b64dec }}"
          - name: PGDB
            value: user_space_{{ .Values.bfl.username }}_cloud_drive_integration
+      - name: files-frontend-init
+        image: beclab/files-frontend:v1.3.61
+        imagePullPolicy: IfNotPresent
+        volumeMounts:
+          - name: app
+            mountPath: /cp_app
+          - name: nginx-confd
+            mountPath: /confd
+        command:
+        - sh
+        - -c
+        - |
+          cp -rf /app/* /cp_app/. && cp -rf /etc/nginx/conf.d/* /confd/.
+
      containers:
 #      - name: gateway
 #        image: beclab/appdata-gateway:0.1.12
@@ -302,7 +318,7 @@ spec:
 #        - /filebrowser
 #        - --noauth
      - name: files-frontend
-        image: beclab/files-frontend:v1.3.46
+        image: beclab/docker-nginx-headers-more:ubuntu-v0.1.0
        imagePullPolicy: IfNotPresent
        securityContext:
          runAsNonRoot: false
@@ -323,6 +339,10 @@ spec:
        volumeMounts:
        - name: userspace-dir
          mountPath: /data
+        - name: app
+          mountPath: /app
+        - name: nginx-confd
+          mountPath: /etc/nginx/conf.d
      - name: drive-server
        image: beclab/drive:v0.0.72
        imagePullPolicy: IfNotPresent
@@ -433,42 +453,46 @@ spec:
      volumes:
      - name: data-dir
        hostPath:
-          path: {{ .Values.rootPath }}/rootfs/userspace
+          path: '{{ .Values.rootPath }}/rootfs/userspace'
          type: Directory
      - name: watch-dir
        hostPath:
          type: Directory
-          path: {{ .Values.userspace.userData }}/Documents
+          path: '{{ .Values.userspace.userData }}/Documents'
      - name: userspace-dir
        hostPath:
          type: Directory
-          path: {{ .Values.userspace.userData }}
+          path: '{{ .Values.userspace.userData }}'
      - name: userspace-app-dir
        hostPath:
          type: Directory
-          path: {{ .Values.userspace.appData }}
+          path: '{{ .Values.userspace.appData }}'
      - name: fb-data
        hostPath:
          type: DirectoryOrCreate
-          path: {{ .Values.userspace.appCache}}/files
+          path: '{{ .Values.userspace.appCache}}/files'
      - name: upload-data
        hostPath:
          type: Directory
-          path: {{ .Values.userspace.userData }}
+          path: '{{ .Values.userspace.userData }}'
      - name: upload-appdata
        hostPath:
          type: Directory
-          path: {{ .Values.userspace.appCache}}
+          path: '{{ .Values.userspace.appCache}}'
      - name: uploads-temp
        hostPath:
          type: DirectoryOrCreate
-          path: {{ .Values.userspace.appCache }}/files/uploadstemp
+          path: '{{ .Values.userspace.appCache }}/files/uploadstemp'
      - name: terminus-sidecar-config
        configMap:
          name: sidecar-upload-configs
          items:
          - key: envoy.yaml
            path: envoy.yaml
+      - name: app
+        emptyDir: {}
+      - name: nginx-confd
+        emptyDir: {}

   

--- a/apps/files/config/user/helm-charts/files/values.yaml
+++ b/apps/files/config/user/helm-charts/files/values.yaml
@@ -1,4 +1,3 @@
-
 bfl:
  nodeport: 30883
  nodeport_ingress_http: 30083
@@ -46,4 +45,4 @@ os:
    appKey: '${ks[0]}'
    appSecret: test
 kubesphere:
-  redis_password: ""
+  redis_password: ""
--- a/apps/knowledge/config/cluster/deploy/knowledge_deployment.yaml
+++ b/apps/knowledge/config/cluster/deploy/knowledge_deployment.yaml
@@ -1,9 +1,8 @@
-{{- $namespace := printf "%s" "os-system" -}}
-{{- $knowledge_secret := (lookup "v1" "Secret" $namespace "rss-secrets") -}}
+{{- $share_secret := (lookup "v1" "Secret" "os-system" "knowledge-share-secrets") -}}

 {{- $redis_password := "" -}}
-{{ if $knowledge_secret -}}
-{{ $redis_password = (index $knowledge_secret "data" "redis_password") }}
+{{ if $share_secret -}}
+{{ $redis_password = (index $share_secret "data" "redis_password") }}
 {{ else -}}
 {{ $redis_password = randAlphaNum 16 | b64enc }}
 {{- end -}}
@@ -13,19 +12,20 @@


 {{- $pg_password := "" -}}
-{{ if $knowledge_secret -}}
-{{ $pg_password = (index $knowledge_secret "data" "pg_password") }}
+{{ if $share_secret -}}
+{{ $pg_password = (index $share_secret "data" "pg_password") }}
 {{ else -}}
 {{ $pg_password = randAlphaNum 16 | b64enc }}
 {{- end -}}

-{{- $knowledge_nats_secret := (lookup "v1" "Secret" $namespace "knowledge-secrets") -}}
+{{- $knowledge_nats_secret := (lookup "v1" "Secret" "os-system" "knowledge-secrets") -}}
 {{- $nat_password := "" -}}
 {{ if $knowledge_nats_secret -}}
 {{ $nat_password = (index $knowledge_nats_secret "data" "nat_password") }}
 {{ else -}}
 {{ $nat_password = randAlphaNum 16 | b64enc }}
 {{- end -}}
+
 ---
 apiVersion: v1
 kind: Secret
@@ -34,9 +34,21 @@ metadata:
  namespace: os-system
 type: Opaque
 data:
-  pg_password: {{ $pg_password }}
  nat_password: {{ $nat_password }}
 ---
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: knowledge-share-secrets
+  namespace: os-system
+type: Opaque
+data:
+  pg_password: {{ $pg_password }}
+  redis_password: {{ $redis_password }}
+---  
+
+
 apiVersion: apr.bytetrade.io/v1alpha1
 kind: MiddlewareRequest
 metadata:
@@ -52,7 +64,7 @@ spec:
      valueFrom:
        secretKeyRef:
          key: pg_password
-          name: knowledge-secrets
+          name: knowledge-share-secrets
    databases:
    - name: knowledge
      extensions:
@@ -61,6 +73,23 @@ spec:
 ---
 apiVersion: apr.bytetrade.io/v1alpha1
 kind: MiddlewareRequest
+metadata:
+  name: knowledge-redis
+  namespace: os-system
+spec:
+  app: rss
+  appNamespace: os-system
+  middleware: redis
+  redis:
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: redis_password
+          name: knowledge-share-secrets
+    namespace: knowledge
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
 metadata:
  name: knowledge-nat
  namespace: os-system
@@ -148,7 +177,7 @@ spec:
            value: os_system_knowledge
      containers:
      - name: knowledge
-        image: "beclab/knowledge-base-api:v0.12.0"
+        image: "beclab/knowledge-base-api:v0.12.5"
        imagePullPolicy: IfNotPresent
        securityContext:
          allowPrivilegeEscalation: false
@@ -167,7 +196,7 @@ spec:
        - name: REDIS_PASSWORD
          value: {{ $redis_password_data }}
        - name: REDIS_ADDR
-          value: redis-cluster-proxy.os-system:6379
+          value: redis-cluster-proxy.os-system
        - name: PG_USERNAME
          value: knowledge_os_system
        - name: PG_PASSWORD
@@ -180,6 +209,8 @@ spec:
          value: os_system_knowledge
        - name: DOWNLOAD_URL
          value: http://download-svc.os-system:3080
+        - name: YTDLP_DOWNLOAD_URL
+          value: http://download-svc.os-system:3082
        - name: NATS_HOST
          value: nats
        - name: NATS_PORT
@@ -254,8 +285,8 @@ spec:
      - name: sync
        image: "beclab/recommend-sync:v0.12.0"
        securityContext:
-          allowPrivilegeEscalation: false
-          runAsUser: 1000
+          runAsUser: 0
+          runAsNonRoot: false
        env:
        - name: USERSPACE_DIRECTORY
          value: /data
@@ -280,7 +311,7 @@ spec:
            mountPath: /data
       
      - name: crawler
-        image: "beclab/recommend-crawler:v0.12.0"
+        image: "beclab/recommend-crawler:v0.12.1"
        securityContext:
          allowPrivilegeEscalation: false
          runAsUser: 1000
@@ -317,10 +348,10 @@ spec:
      - name: userspace-dir
        hostPath:
          type: Directory
-          path: {{ .Values.rootPath }}/rootfs/userspace
+          path: '{{ .Values.rootPath }}/rootfs/userspace'
      - name: cache-dir
        hostPath:
-          path: {{ .Values.rootPath }}/userdata/Cache/rss
+          path: '{{ .Values.rootPath }}/userdata/Cache/rss'
          type: DirectoryOrCreate
      - name: terminus-sidecar-config
        configMap:
@@ -368,26 +399,248 @@ spec:
      name: knowledge-api
      port: 3010
      targetPort: 3010  
+
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: download-nat
+  namespace: os-system
+spec:
+  app: download
+  appNamespace: os-system
+  middleware: nats
+  nats:
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: nat_password
+          name: knowledge-secrets
+    refs: []
+    subjects:
+    - name: download_status
+      permission:
+        pub: allow
+        sub: allow
+      export:
+      - appName: knowledge
+        sub: allow
+        pub: allow
+    user: os-system-download
 ---


-apiVersion: apr.bytetrade.io/v1alpha1
-kind: SysEventRegistry
+apiVersion: apps/v1
+kind: Deployment
 metadata:
-  name: konwledgebase-recommend-install-cb
+  name: download
  namespace: os-system
+  labels:
+    app: download
+    applications.app.bytetrade.io/author: bytetrade.io
 spec:
-  type: subscriber
-  event: recommend.install
-  callback: http://rss-svc.os-system:3010/knowledge/algorithm/recommend/install
-  
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: download
+  template:
+    metadata:
+      labels:
+        app: download
+    spec:
+      serviceAccount: os-internal
+      serviceAccountName: os-internal
+      securityContext:
+        runAsUser: 0
+        runAsNonRoot: false
+
+      initContainers:
+      - name: init-data
+        image: busybox:1.28
+        securityContext:
+          privileged: true
+          runAsNonRoot: false
+          runAsUser: 0
+        volumeMounts:
+        - name: config-dir
+          mountPath: /config
+        - name: download-dir
+          mountPath: /downloads
+        command:
+        - sh
+        - -c
+        - |
+          chown -R 1000:1000 /config && \
+          chown -R 1000:1000 /downloads
+      - name: init-container
+        image: 'postgres:16.0-alpine3.18'
+        command:
+          - sh
+          - '-c'
+          - >-
+            echo -e "Checking for the availability of PostgreSQL Server deployment"; until psql -h $PGHOST -p $PGPORT -U $PGUSER -d $PGDB -c "SELECT 1"; do sleep 1; printf "-"; done; sleep 5; echo -e " >> PostgreSQL DB Server has started";
+        env:
+          - name: PGHOST
+            value: citus-headless.os-system
+          - name: PGPORT
+            value: "5432"
+          - name: PGUSER
+            value: knowledge_os_system
+          - name: PGPASSWORD
+            value: {{ $pg_password | b64dec }}
+          - name: PGDB
+            value: os_system_knowledge
+      containers:
+      - name: aria2
+        image: "beclab/aria2:v0.0.4"
+        imagePullPolicy: IfNotPresent
+        securityContext:
+          runAsNonRoot: false
+          runAsUser: 0
+        ports:
+        - containerPort: 6800
+        - containerPort: 6888
+        env:
+        - name: RPC_SECRET
+          value: kubespider
+        - name: PUID
+          value: "1000"
+        - name: PGID
+          value: "1000"
+        volumeMounts:
+        - name: download-dir
+          mountPath: /downloads
+        resources:
+          requests:
+            cpu: 20m
+            memory: 50Mi
+          limits:
+            cpu: "1"
+            memory: 300Mi
+      - name: yt-dlp
+        image: "beclab/yt-dlp:v0.12.2"
+        imagePullPolicy: IfNotPresent
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsUser: 1000
+
+        ports:
+        - containerPort: 3082
+        env:
+        - name: PG_USERNAME
+          value: knowledge_os_system
+        - name: PG_PASSWORD
+          value: {{ $pg_password | b64dec }}
+        - name: PG_HOST
+          value: citus-headless.os-system
+        - name: PG_PORT
+          value: "5432"
+        - name: PG_DATABASE
+          value: os_system_knowledge
+        - name: REDIS_HOST
+          value: redis-cluster-proxy.os-system
+        - name: REDIS_PASSWORD
+          value: {{ $redis_password | b64dec }}
+        - name: NATS_HOST
+          value: nats
+        - name: NATS_PORT
+          value: "4222"
+        - name: NATS_USERNAME
+          value: os-system-download
+        - name: NATS_PASSWORD
+          value: {{ $nat_password | b64dec }}
+        - name: NATS_SUBJECT
+          value: terminus.os-system.download_status
+        volumeMounts:
+        - name: config-dir
+          mountPath: /app/config
+        - name: download-dir
+          mountPath: /app/downloads
+        resources:
+          requests:
+            cpu: 20m
+            memory: 50Mi
+          limits:
+            cpu: "1"
+            memory: 300Mi
+      - name: download-spider
+        image: "beclab/download-spider:v0.12.2"
+        imagePullPolicy: IfNotPresent
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsUser: 1000
+
+        env:
+        - name: PG_USERNAME
+          value: knowledge_os_system
+        - name: PG_PASSWORD
+          value: {{ $pg_password | b64dec }}
+        - name: PG_HOST
+          value: citus-headless.os-system
+        - name: PG_PORT
+          value: "5432"
+        - name: PG_DATABASE
+          value: os_system_knowledge
+        - name: REDIS_HOST
+          value: redis-cluster-proxy.os-system
+        - name: REDIS_PASSWORD
+          value: {{ $redis_password | b64dec }}
+        - name: NATS_HOST
+          value: nats
+        - name: NATS_PORT
+          value: "4222"
+        - name: NATS_USERNAME
+          value: os-system-download
+        - name: NATS_PASSWORD
+          value: {{ $nat_password | b64dec }}
+        - name: NATS_SUBJECT
+          value: terminus.os-system.download_status
+        volumeMounts:
+        - name: download-dir
+          mountPath: /downloads
+        
+        ports:
+        - containerPort: 3080
+        resources:
+          requests:
+            cpu: 20m
+            memory: 50Mi
+          limits:
+            cpu: "1"
+            memory: 300Mi
+
+      volumes:
+      - name: config-dir
+        hostPath: 
+          type: DirectoryOrCreate
+          path: '{{ .Values.rootPath }}/userdata/Cache/download'
+      - name: download-dir
+        hostPath:
+          type: DirectoryOrCreate
+          path: '{{ .Values.rootPath }}/rootfs/userspace'
 ---
-apiVersion: apr.bytetrade.io/v1alpha1
-kind: SysEventRegistry
+
+apiVersion: v1
+kind: Service
 metadata:
-  name: konwledgebase-recommend-uninstall-cb
+  name: download-svc
  namespace: os-system
 spec:
-  type: subscriber
-  event: recommend.uninstall
-  callback: http://rss-svc.os-system:3010/knowledge/algorithm/recommend/uninstall
+  type: ClusterIP
+  selector:
+    app: download
+  ports:
+    - name: "download-spider"
+      protocol: TCP
+      port: 3080
+      targetPort: 3080
+    - name: "aria2-server"
+      protocol: TCP
+      port: 6800
+      targetPort: 6800
+    - name: ytdlp-server
+      protocol: TCP
+      port: 3082
+      targetPort: 3082
--- a/apps/knowledge/user/helm-charts/knowledge/.helmignore
+++ b/apps/knowledge/user/helm-charts/knowledge/.helmignore
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
--- a/apps/knowledge/user/helm-charts/knowledge/Chart.yaml
+++ b/apps/knowledge/user/helm-charts/knowledge/Chart.yaml
@@ -1,26 +0,0 @@
-apiVersion: v2
-name: argo
-description: A Helm chart for Kubernetes
-maintainers:
- name: bytetrade
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.1
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "1.16.0"
--- a/apps/knowledge/user/helm-charts/knowledge/templates/NOTES.txt
+++ b/apps/knowledge/user/helm-charts/knowledge/templates/NOTES.txt
--- a/apps/knowledge/user/helm-charts/knowledge/templates/_helpers.tpl
+++ b/apps/knowledge/user/helm-charts/knowledge/templates/_helpers.tpl
@@ -1,62 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "rss.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "rss.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "rss.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "rss.labels" -}}
-helm.sh/chart: {{ include "rss.chart" . }}
-{{ include "rss.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "rss.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "rss.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "rss.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "rss.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}
--- a/apps/knowledge/user/helm-charts/knowledge/templates/knowledge_deployment.yaml
+++ b/apps/knowledge/user/helm-charts/knowledge/templates/knowledge_deployment.yaml
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: knowledge-base-api
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  type: ClusterIP
-  selector:
-    app: systemserver
-  ports:
-    - protocol: TCP
-      name: knowledge-api
-      port: 3010
-      targetPort: 3010  
---
--- a/apps/knowledge/user/helm-charts/knowledge/values.yaml
+++ b/apps/knowledge/user/helm-charts/knowledge/values.yaml
@@ -1,43 +0,0 @@
-
-bfl:
-  nodeport: 30883
-  nodeport_ingress_http: 30083
-  nodeport_ingress_https: 30082
-  username: 'test'
-  url: 'test'
-  nodeName: test
-pvc:
-  userspace: test
-userspace:
-  userData: test/Home
-  appData: test/Data
-  appCache: test
-  dbdata: test
-docs:
-  nodeport: 30881
-desktop:
-  nodeport: 30180
-os:
-  portfolio:
-    appKey: '${ks[0]}'
-    appSecret: test
-  vault:
-    appKey: '${ks[0]}'
-    appSecret: test
-  desktop:
-    appKey: '${ks[0]}'
-    appSecret: test
-  message:
-    appKey: '${ks[0]}'
-    appSecret: test
-  wise:
-    appKey: '${ks[0]}'
-    appSecret: test
-  search:
-    appKey: '${ks[0]}'
-    appSecret: test
-  search2:
-    appKey: '${ks[0]}'
-    appSecret: test
-kubesphere:
-  redis_password: ""
--- a/apps/market/config/user/helm-charts/market/templates/market_deploy.yaml
+++ b/apps/market/config/user/helm-charts/market/templates/market_deploy.yaml
@@ -43,6 +43,12 @@ spec:
      labels:
        app: appstore
        io.bytetrade.app: "true"
+      annotations:
+        instrumentation.opentelemetry.io/inject-go: "olares-instrumentation"
+        instrumentation.opentelemetry.io/go-container-names: "appstore-backend"    
+        instrumentation.opentelemetry.io/otel-go-auto-target-exe: "/opt/app/market"
+        instrumentation.opentelemetry.io/inject-nginx: "olares-instrumentation"
+        instrumentation.opentelemetry.io/inject-nginx-container-names: "appstore"    
    spec:
      priorityClassName: "system-cluster-critical"
      initContainers:
@@ -84,14 +90,33 @@ spec:
              fieldRef:
                apiVersion: v1
                fieldPath: status.podIP
+        - name: nginx-init
+          image: beclab/market-frontend:v0.3.11
+          imagePullPolicy: IfNotPresent
+          volumeMounts:
+            - name: app
+              mountPath: /cp_app
+            - name: nginx-confd
+              mountPath: /confd
+          command:
+          - sh
+          - -c
+          - |
+            cp -rf /app/* /cp_app/. && cp -rf /etc/nginx/conf.d/* /confd/.            
      containers:
      - name: appstore
-        image: beclab/market-frontend:v0.3.9
+        image: beclab/docker-nginx-headers-more:ubuntu-v0.1.0
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
+        volumeMounts:
+        - name: app
+          mountPath: /app
+        - name: nginx-confd
+          mountPath: /etc/nginx/conf.d
+        
      - name: appstore-backend
-        image: beclab/market-backend:v0.3.9
+        image: beclab/market-backend:v0.3.11
        imagePullPolicy: IfNotPresent
        ports:
          - containerPort: 81
@@ -192,8 +217,12 @@ spec:
            path: envoy.yaml
      - name: opt-data
        hostPath:
-          path: {{ .Values.userspace.appData}}/appstore/data
+          path: '{{ .Values.userspace.appData}}/appstore/data'
          type: DirectoryOrCreate
+      - name: app
+        emptyDir: {}
+      - name: nginx-confd
+        emptyDir: {}

 ---
 apiVersion: v1
--- a/apps/market/config/user/helm-charts/market/values.yaml
+++ b/apps/market/config/user/helm-charts/market/values.yaml
@@ -1,4 +1,3 @@
-
 bfl:
  nodeport: 30883
  nodeport_ingress_http: 30083
@@ -42,4 +41,4 @@ os:
  appstore:
    marketProvider: ''
 kubesphere:
-  redis_password: ""
+  redis_password: ""
--- a/apps/notifications/config/cluster/deploy/notification_deploy.yaml
+++ b/apps/notifications/config/cluster/deploy/notification_deploy.yaml
@@ -1,6 +1,6 @@


-{{- $namespace := printf "%s%s" "os-system" -}}
+{{- $namespace := printf "%s" "os-system" -}}
 {{- $notifications_secret := (lookup "v1" "Secret" $namespace "notifications-secrets") -}}

 {{- $pg_password := "" -}}
@@ -83,6 +83,23 @@ spec:
        permission:
          pub: allow
          sub: allow
+      - export:
+          - appName: lldap
+            pub: allow
+            sub: allow
+          - appName: vault-server
+            pub: deny
+            sub: allow
+          - appName: seahub
+            pub: deny
+            sub: allow
+          - appName: knowledge
+            pub: deny
+            sub: allow
+        name: system.users
+        permission:
+          pub: allow
+          sub: allow
    user: os-system-notifications

 ---
@@ -131,7 +148,7 @@ spec:
            value: os_system_notifications
      containers:
      - name: notifications-api
-        image: beclab/notifications-api:v1.12.2
+        image: beclab/notifications-api:v1.12.3
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 3010
@@ -160,6 +177,8 @@ spec:
              name: notifications-secrets
        - name: NATS_SUBJECT
          value: "terminus.{{ .Release.Namespace }}.system.notification"
+        - name: NATS_SUBJECT_SYSTEM_USERS
+          value: "terminus.{{ .Release.Namespace }}.system.users"

        livenessProbe:
          tcpSocket:
--- a/apps/notifications/config/user/helm-charts/notification/values.yaml
+++ b/apps/notifications/config/user/helm-charts/notification/values.yaml
@@ -1,4 +1,3 @@
-
 bfl:
  nodeport: 30883
  nodeport_ingress_http: 30083
@@ -40,4 +39,4 @@ os:
    appKey: '${ks[0]}'
    appSecret: test
 kubesphere:
-  redis_password: ""
+  redis_password: ""
--- a/apps/studio/config/user/helm-charts/studio/templates/deployment.yaml
+++ b/apps/studio/config/user/helm-charts/studio/templates/deployment.yaml
@@ -125,14 +125,14 @@ spec:
        - name: chart
          hostPath:
            type: DirectoryOrCreate
-            path: {{ .Values.userspace.appData}}/studio/Chart
+            path: '{{ .Values.userspace.appData}}/studio/Chart'
        - name: data
          hostPath:
            type: DirectoryOrCreate
-            path: {{ .Values.userspace.appData }}/studio/Data
+            path: '{{ .Values.userspace.appData }}/studio/Data'
        - name: storage-volume
          hostPath:
-            path: {{ .Values.userspace.appData }}/studio/helm-repo-dev
+            path: '{{ .Values.userspace.appData }}/studio/helm-repo-dev'
            type: DirectoryOrCreate
        - name: config-san
          configMap:
@@ -196,7 +196,7 @@ spec:
              -A PROXY_OUTBOUND -p tcp --dport 6379 -j RETURN
              -A PROXY_OUTBOUND -p tcp --dport 27017 -j RETURN
              -A PROXY_OUTBOUND -p tcp --dport 443 -j RETURN
-
+              -A PROXY_OUTBOUND -p tcp --dport 8080 -j RETURN

              -A PROXY_OUTBOUND -d ${POD_IP}/32 -j RETURN

@@ -249,7 +249,7 @@ spec:

      containers:
        - name: studio
-          image: beclab/studio-server:v0.1.48
+          image: beclab/studio-server:v0.1.50
          imagePullPolicy: IfNotPresent
          args:
            - server
@@ -352,9 +352,9 @@ spec:
                fieldRef:
                  fieldPath: status.podIP
            - name: APP_KEY
-              value: {{ .Values.os.appKey }}
+              value: {{ .Values.os.studio.appKey }}
            - name: APP_SECRET
-              value: {{ .Values.os.appSecret }}
+              value: {{ .Values.os.studio.appSecret }}
        - name: chartmuseum
          image: aboveos/helm-chartmuseum:v0.15.0
          args:
@@ -380,8 +380,8 @@ spec:
              cpu: "50m"
              memory: 100Mi
            limits:
-              cpu: "0.5"
-              memory: 256Mi
+              cpu: 1000m
+              memory: 512Mi
          volumeMounts:
            - name: storage-volume
              mountPath: /storage
@@ -448,7 +448,7 @@ data:
                                prefix: "/"
                              route:
                                cluster: original_dst
-                                timeout: 180s
+                                timeout: 1800s
                    http_protocol_options:
                      accept_http_10: true
                    http_filters:
@@ -483,7 +483,7 @@ data:
                              request_headers_to_add:
                                - header:
                                    key: X-App-Key
-                                    value: {{ .Values.os.appKey }}
+                                    value: {{ .Values.os.studio.appKey }}
                              route:
                                cluster: system-server
                                prefix_rewrite: /system-server/v2/legacy_api/api.intent/v2/server/intent/send
@@ -491,7 +491,7 @@ data:
                                prefix: "/"
                              route:
                                cluster: original_dst
-                                timeout: 180s
+                                timeout: 1800s
                              typed_per_filter_config:
                                envoy.filters.http.lua:
                                  "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.LuaPerRoute
--- a/apps/studio/config/user/helm-charts/studio/values.yaml
+++ b/apps/studio/config/user/helm-charts/studio/values.yaml
@@ -1,4 +1,3 @@
-
 bfl:
  nodeport: 30883
  nodeport_ingress_http: 30083
@@ -36,9 +35,8 @@ os:
  search:
    appKey: '${ks[0]}'
    appSecret: test
-  search2:
+  studio:
    appKey: '${ks[0]}'
    appSecret: test
 kubesphere:
  redis_password: ""
-
--- a/apps/system-apps/config/user/helm-charts/monitoring/templates/system-frontend.yaml
+++ b/apps/system-apps/config/user/helm-charts/monitoring/templates/system-frontend.yaml
@@ -149,11 +149,11 @@ spec:
      labels:
        app: system-frontend
        io.bytetrade.app: "true"
-      # annotations:
-        # instrumentation.opentelemetry.io/inject-nodejs: "olares-instrumentation"
-        # instrumentation.opentelemetry.io/nodejs-container-names: "settings-server"    
-        # instrumentation.opentelemetry.io/inject-nginx: "olares-instrumentation"
-        # instrumentation.opentelemetry.io/inject-nginx-container-names: "system-frontend"    
+      annotations:
+        instrumentation.opentelemetry.io/inject-nodejs: "olares-instrumentation"
+        instrumentation.opentelemetry.io/nodejs-container-names: "settings-server"    
+        instrumentation.opentelemetry.io/inject-nginx: "olares-instrumentation"
+        instrumentation.opentelemetry.io/inject-nginx-container-names: "system-frontend"    
    spec:
      priorityClassName: "system-cluster-critical"
      initContainers:
@@ -208,7 +208,7 @@ spec:
            - mountPath: /www
              name: www-dir
        - name: control-hub-init
-          image: beclab/admin-console-frontend-v1:v0.5.5
+          image: beclab/admin-console-frontend-v1:v0.5.8
          imagePullPolicy: IfNotPresent
          command:
            - /bin/sh
@@ -220,7 +220,7 @@ spec:
            - mountPath: /www
              name: www-dir
        - name: profile-editor-init
-          image: beclab/profile-editor:v0.2.1
+          image: beclab/profile-editor:v0.2.21
          imagePullPolicy: IfNotPresent
          command:
            - /bin/sh
@@ -232,7 +232,7 @@ spec:
            - mountPath: /www
              name: www-dir
        - name: profile-preview-init
-          image: beclab/profile-preview:v0.2.1
+          image: beclab/profile-preview:v0.2.21
          imagePullPolicy: IfNotPresent
          command:
            - /bin/sh
@@ -244,7 +244,7 @@ spec:
            - mountPath: /www
              name: www-dir
        - name: wise-init
-          image: beclab/wise:v1.3.47
+          image: beclab/wise:v1.3.55
          imagePullPolicy: IfNotPresent
          command:
            - /bin/sh
@@ -256,7 +256,7 @@ spec:
            - mountPath: /www
              name: www-dir
        - name: settings-init
-          image: beclab/settings:v0.2.18
+          image: beclab/settings:v1.3.62
          imagePullPolicy: IfNotPresent
          command:
            - /bin/sh
@@ -268,7 +268,7 @@ spec:
            - mountPath: /www
              name: www-dir
        - name: studio-init
-          image: beclab/studio:v0.2.9
+          image: beclab/studio:v0.2.16
          imagePullPolicy: IfNotPresent
          command:
            - /bin/sh
@@ -305,7 +305,7 @@ spec:
            - -c
            - /etc/envoy/envoy.yaml
        - name: system-frontend
-          image: beclab/docker-nginx-headers-more:v0.1.0
+          image: beclab/docker-nginx-headers-more:ubuntu-v0.1.0
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 81
@@ -385,7 +385,7 @@ spec:
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
        - name: settings-server
-          image: beclab/settings-server:v0.2.18
+          image: beclab/settings-server:v0.2.23
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 3000
@@ -425,7 +425,7 @@ spec:
        - name: userspace-dir
          hostPath:
            type: Directory
-            path: {{ .Values.userspace.userData }}
+            path: '{{ .Values.userspace.userData }}'
        - name: terminus-sidecar-config
          configMap:
            name: sidecar-configs
@@ -437,7 +437,7 @@ spec:
        - name: wise-download-dir
          hostPath:
            type: Directory
-            path: {{ .Values.userspace.userData }}
+            path: '{{ .Values.userspace.userData }}'
        - name: system-frontend-nginx-config
          configMap:
            name: system-frontend-nginx-config
@@ -673,6 +673,16 @@ metadata:
  namespace: user-system-{{ .Values.bfl.username }}
 spec:
  callbacks:
+    - filters:
+        type:
+          - backup-state-event
+      op: Create
+      uri: /api/event/backup_state_event
+    - filters:
+        type:
+          - restore-state-event
+      op: Create
+      uri: /api/event/restore_state_event
    - filters:
        type:
          - app-installation-event
@@ -1283,6 +1293,10 @@ data:
        server infisical-service:8080;
    }

+    upstream BackupServer {
+        server backup-server.os-system:8082;
+    }
+
    server {
        listen 86;

@@ -1340,6 +1354,31 @@ data:
            proxy_set_header X-Forwarded-Host $host;
        }

+        location /apis/backup {
+            proxy_pass http://backup-server.os-system:8082;
+           add_header Accept "application/json, text/plain, */*";
+           add_header Content-Type "application/json; charset=utf-8";
+        }
+
+        location /api/resources {
+           proxy_pass http://files-service.os-system:80;
+           # rewrite ^/server(.*)$ $1 break;
+
+           # Add original-request-related headers
+           proxy_set_header X-Real-IP $remote_addr;
+           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+           proxy_set_header X-Forwarded-Host $host;
+
+           add_header Accept-Ranges bytes;
+
+           client_body_timeout 600s;
+           client_max_body_size 4000M;
+           proxy_request_buffering off;
+           keepalive_timeout 750s;
+           proxy_read_timeout 600s;
+           proxy_send_timeout 600s;
+        }
+
        location /drive {
            proxy_pass http://127.0.0.1:8080;

--- a/apps/system-apps/config/user/helm-charts/monitoring/values.yaml
+++ b/apps/system-apps/config/user/helm-charts/monitoring/values.yaml
@@ -1,4 +1,3 @@
-
 bfl:
  nodeport: 30883
  nodeport_ingress_http: 30083
@@ -18,10 +17,10 @@ docs:
 desktop:
  nodeport: 30180
 os:
-  portfolio:
+  profile:
    appKey: '${ks[0]}'
    appSecret: test
-  vault:
+  studio:
    appKey: '${ks[0]}'
    appSecret: test
  desktop:
@@ -39,5 +38,11 @@ os:
  search2:
    appKey: '${ks[0]}'
    appSecret: test
+  settings:
+    appKey: '${ks[0]}'
+    appSecret: test
+  dashboard:
+    appKey: '${ks[0]}'
+    appSecret: test
 kubesphere:
-  redis_password: ""
+  redis_password: ""
--- a/apps/vault/config/cluster/deploy/vault_server_deploy.yaml
+++ b/apps/vault/config/cluster/deploy/vault_server_deploy.yaml
@@ -83,7 +83,7 @@ spec:
            value: os_system_vault
      containers:
      - name: vault-server
-        image: beclab/vault-server:v1.3.46
+        image: beclab/vault-server:v1.3.55
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 3000
@@ -114,7 +114,7 @@ spec:
        - name: vault-attach
          mountPath: /padloc/packages/server/attachments
      - name: vault-admin
-        image: beclab/vault-admin:v1.3.46
+        image: beclab/vault-admin:v1.3.55
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 3010
@@ -135,11 +135,11 @@ spec:
      - name: vault-data
        hostPath:
          type: DirectoryOrCreate
-          path: {{ $vault_rootpath }}/data
+          path: '{{ $vault_rootpath }}/data'
      - name: vault-attach
        hostPath:
          type: DirectoryOrCreate
-          path: {{ $vault_rootpath }}/attachments
+          path: '{{ $vault_rootpath }}/attachments'
 ---
 apiVersion: v1
 kind: Service
--- a/apps/vault/config/user/helm-charts/vault/templates/vault_deploy.yaml
+++ b/apps/vault/config/user/helm-charts/vault/templates/vault_deploy.yaml
@@ -88,13 +88,13 @@ spec:

      containers:
      - name: vault-frontend
-        image: beclab/vault-frontend:v1.3.46
+        image: beclab/vault-frontend:v1.3.55
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
      
      - name: notification-server
-        image: beclab/vault-notification:v1.3.46
+        image: beclab/vault-notification:v1.3.55
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 3010
--- a/apps/vault/config/user/helm-charts/vault/values.yaml
+++ b/apps/vault/config/user/helm-charts/vault/values.yaml
@@ -1,4 +1,3 @@
-
 bfl:
  nodeport: 30883
  nodeport_ingress_http: 30083
@@ -40,4 +39,4 @@ os:
    appKey: '${ks[0]}'
    appSecret: test
 kubesphere:
-  redis_password: ""
+  redis_password: ""
--- a/apps/wizard/config/user/helm-charts/wizard/templates/wizard_deploy.yaml
+++ b/apps/wizard/config/user/helm-charts/wizard/templates/wizard_deploy.yaml
@@ -61,7 +61,7 @@ spec:

      containers:
      - name: wizard
-        image: beclab/wizard:v0.5.12
+        image: beclab/wizard:v1.3.57
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
@@ -132,7 +132,7 @@ spec:
      - name: userspace-dir
        hostPath:
          type: Directory
-          path: {{ .Values.userspace.userData }}
+          path: "{{ .Values.userspace.userData }}"
      # - name: terminus-sidecar-config
      #   configMap:
      #     name: sidecar-configs
--- a/apps/wizard/config/user/helm-charts/wizard/values.yaml
+++ b/apps/wizard/config/user/helm-charts/wizard/values.yaml
@@ -1,4 +1,3 @@
-
 bfl:
  username: 'test'
  url: 'test'
--- a/build/installer/install.ps1
+++ b/build/installer/install.ps1
@@ -48,7 +48,7 @@ if (-Not (Test-Path $CLI_PROGRAM_PATH)) {
  New-Item -Path $CLI_PROGRAM_PATH -ItemType Directory
 }

-$CLI_VERSION = "0.2.27"
+$CLI_VERSION = "0.2.35"
 $CLI_FILE = "olares-cli-v{0}_windows_{1}.tar.gz" -f $CLI_VERSION, $arch
 $CLI_URL = "{0}/{1}" -f $downloadUrl, $CLI_FILE
 $CLI_PATH = "{0}{1}" -f $CLI_PROGRAM_PATH, $CLI_FILE
@@ -82,6 +82,6 @@ if ($download -eq 1) {
 Start-Sleep -Seconds 3
 Write-Host ("Preparing to start the installation of Olares {0}. Depending on your network conditions, this process may take several minutes." -f $version)

-$command = "{0}\olares-cli.exe olares install --version {1}" -f $CLI_PROGRAM_PATH, $version
+$command = "{0}\olares-cli.exe install --version {1}" -f $CLI_PROGRAM_PATH, $version
 Start-Process cmd -ArgumentList '/k',$command -Wait -Verb RunAs

--- a/build/installer/install.sh
+++ b/build/installer/install.sh
@@ -74,7 +74,7 @@ if [ -z ${cdn_url} ]; then
    cdn_url="https://dc3p1870nn3cj.cloudfront.net"
 fi

-CLI_VERSION="0.2.27"
+CLI_VERSION="0.2.35"
 CLI_FILE="olares-cli-v${CLI_VERSION}_linux_${ARCH}.tar.gz"
 if [[ x"$os_type" == x"Darwin" ]]; then
    CLI_FILE="olares-cli-v${CLI_VERSION}_darwin_${ARCH}.tar.gz"
@@ -137,7 +137,7 @@ else
            echo ""
        else
            echo "building local release ..."
-            $sh_c "$INSTALL_OLARES_CLI olares release $PARAMS $CDN"
+            $sh_c "$INSTALL_OLARES_CLI release $PARAMS $CDN"
            if [[ $? -ne 0 ]]; then
                echo "error: failed to build local release"
                exit 1
@@ -146,13 +146,13 @@ else
    else
        echo "running system prechecks ..."
        echo ""
-        $sh_c "$INSTALL_OLARES_CLI olares precheck $PARAMS"
+        $sh_c "$INSTALL_OLARES_CLI precheck $PARAMS"
        if [[ $? -ne 0 ]]; then
            exit 1
        fi
        echo "downloading installation wizard..."
        echo ""
-        $sh_c "$INSTALL_OLARES_CLI olares download wizard $PARAMS $KUBE_PARAM $CDN"
+        $sh_c "$INSTALL_OLARES_CLI download wizard $PARAMS $KUBE_PARAM $CDN"
        if [[ $? -ne 0 ]]; then
            echo "error: failed to download installation wizard"
            exit 1
@@ -161,7 +161,7 @@ else

    echo "downloading installation packages..."
    echo ""
-    $sh_c "$INSTALL_OLARES_CLI olares download component $PARAMS $KUBE_PARAM $CDN"
+    $sh_c "$INSTALL_OLARES_CLI download component $PARAMS $KUBE_PARAM $CDN"
    if [[ $? -ne 0 ]]; then
        echo "error: failed to download installation packages"
        exit 1
@@ -173,7 +173,7 @@ else
    if [ x"$REGISTRY_MIRRORS" != x"" ]; then
        extra="--registry-mirrors $REGISTRY_MIRRORS"
    fi
-    $sh_c "$INSTALL_OLARES_CLI olares prepare $PARAMS $KUBE_PARAM $extra"
+    $sh_c "$INSTALL_OLARES_CLI prepare $PARAMS $KUBE_PARAM $extra"
    if [[ $? -ne 0 ]]; then
        echo "error: failed to prepare installation environment"
        exit 1
@@ -198,7 +198,7 @@ if [[ "$JUICEFS" == "1" ]]; then
    else
        echo "checking storage config ..."
    fi
-    $sh_c "$INSTALL_OLARES_CLI olares install storage $PARAMS"
+    $sh_c "$INSTALL_OLARES_CLI install storage $PARAMS"
    if [[ $? -ne 0 ]]; then
      exit 1
    fi
@@ -221,7 +221,7 @@ if [[ -n "$ZRAM_SWAP_PRIORITY" ]]; then
 fi
 echo "installing Olares..."
 echo ""
-$sh_c "$INSTALL_OLARES_CLI olares install $PARAMS $KUBE_PARAM $fsflag $swapflag"
+$sh_c "$INSTALL_OLARES_CLI install $PARAMS $KUBE_PARAM $fsflag $swapflag"

 if [[ $? -ne 0 ]]; then
    echo "error: failed to install Olares"
--- a/build/installer/joincluster.sh
+++ b/build/installer/joincluster.sh
@@ -157,7 +157,7 @@ fi

 set_master_host_ssh_options

-CLI_VERSION="0.2.27"
+CLI_VERSION="0.2.35"
 CLI_FILE="olares-cli-v${CLI_VERSION}_linux_${ARCH}.tar.gz"

 if command_exists olares-cli && [[ "$(olares-cli -v | awk '{print $3}')" == "$CLI_VERSION" ]]; then
@@ -211,14 +211,14 @@ if [[ -f $BASE_DIR/.prepared ]]; then
 else
    echo "running system prechecks ..."
    echo ""
-    $sh_c "$INSTALL_OLARES_CLI olares precheck $PARAMS"
+    $sh_c "$INSTALL_OLARES_CLI precheck $PARAMS"
    if [[ $? -ne 0 ]]; then
        exit 1
    fi

    echo "downloading installation wizard..."
    echo ""
-    $sh_c "$INSTALL_OLARES_CLI olares download wizard $PARAMS $CDN"
+    $sh_c "$INSTALL_OLARES_CLI download wizard $PARAMS $CDN"
    if [[ $? -ne 0 ]]; then
        echo "error: failed to download installation wizard"
        exit 1
@@ -226,7 +226,7 @@ else

    echo "downloading installation packages..."
    echo ""
-    $sh_c "$INSTALL_OLARES_CLI olares download component $PARAMS $CDN"
+    $sh_c "$INSTALL_OLARES_CLI download component $PARAMS $CDN"
    if [[ $? -ne 0 ]]; then
        echo "error: failed to download installation packages"
        exit 1
@@ -238,7 +238,7 @@ else
    if [ x"$REGISTRY_MIRRORS" != x"" ]; then
        extra="--registry-mirrors $REGISTRY_MIRRORS"
    fi
-    $sh_c "$INSTALL_OLARES_CLI olares prepare $PARAMS $extra"
+    $sh_c "$INSTALL_OLARES_CLI prepare $PARAMS $extra"
    if [[ $? -ne 0 ]]; then
        echo "error: failed to prepare installation environment"
        exit 1
--- a/build/installer/version.hint
+++ b/build/installer/version.hint
@@ -1,2 +1,2 @@
 upgrade:
-  minVersion: 1.12.0-0000000
+  minVersion: 1.12.0-1
--- a/build/installer/wizard/config/account/templates/account.yaml
+++ b/build/installer/wizard/config/account/templates/account.yaml
@@ -20,5 +20,7 @@ metadata:
 spec:
  email: "{{.Values.user.email}}"
  initialPassword: "{{ .Values.user.password }}"
+  groups:
+  - lldap_admin
 status:
  state: Active
--- a/build/installer/wizard/config/system/values.yaml
+++ b/build/installer/wizard/config/system/values.yaml
@@ -1,5 +1,3 @@
-
-
 kubesphere:
  redis_password: ""
 backup:
--- a/build/manifest/components
+++ b/build/manifest/components
@@ -1,4 +1,4 @@
-olaresd-v1.12.0-rc.0.tar.gz,pkg/components,https://dc3p1870nn3cj.cloudfront.net/olaresd-v1.12.0-rc.0-linux-amd64.tar.gz,https://dc3p1870nn3cj.cloudfront.net/olaresd-v1.12.0-rc.0-linux-arm64.tar.gz,olaresd
+olaresd-v1.12.0-rc.10.tar.gz,pkg/components,https://dc3p1870nn3cj.cloudfront.net/olaresd-v1.12.0-rc.10-linux-amd64.tar.gz,https://dc3p1870nn3cj.cloudfront.net/olaresd-v1.12.0-rc.10-linux-arm64.tar.gz,olaresd
 socat-1.7.3.2.tar.gz,pkg/components,https://src.fedoraproject.org/lookaside/pkgs/socat/socat-1.7.3.2.tar.gz/sha512/540658b2a3d1b87673196282e5c62b97681bd0f1d1e4759ff9d72909d11060235ee9e9521a973603c1b00376436a9444248e5fbc0ffac65f8edb9c9bc28e7972/socat-1.7.3.2.tar.gz,https://src.fedoraproject.org/lookaside/pkgs/socat/socat-1.7.3.2.tar.gz/sha512/540658b2a3d1b87673196282e5c62b97681bd0f1d1e4759ff9d72909d11060235ee9e9521a973603c1b00376436a9444248e5fbc0ffac65f8edb9c9bc28e7972/socat-1.7.3.2.tar.gz,socat
 conntrack-tools-1.4.1.tar.gz,pkg/components,https://github.com/fqrouter/conntrack-tools/archive/refs/tags/conntrack-tools-1.4.1.tar.gz,https://github.com/fqrouter/conntrack-tools/archive/refs/tags/conntrack-tools-1.4.1.tar.gz,conntrack-tools
 minio.RELEASE.2023-05-04T21-44-30Z,pkg/components,https://dl.min.io/server/minio/release/linux-amd64/archive/minio.RELEASE.2023-05-04T21-44-30Z,https://dl.min.io/server/minio/release/linux-arm64/archive/minio.RELEASE.2023-05-04T21-44-30Z,minio
--- a/build/manifest/images
+++ b/build/manifest/images
@@ -1,5 +1,5 @@
-beclab/ks-apiserver:0.0.8
-beclab/ks-controller-manager:0.0.8
+beclab/ks-apiserver:0.0.11
+beclab/ks-controller-manager:0.0.11
 beclab/kube-state-metrics:v2.3.0-ext.1
 calico/cni:v3.29.2
 calico/kube-controllers:v3.29.2
@@ -18,7 +18,7 @@ kubesphere/prometheus-operator:v0.55.1
 openebs/linux-utils:3.3.0
 openebs/provisioner-localpv:3.3.0
 beclab/percona-server-mongodb-operator:1.15.2
-prom/node-exporter:v1.3.1
+beclab/node-exporter:0.0.1
 prom/prometheus:v2.34.0
 quay.io/argoproj/argocli:v3.5.0
 quay.io/argoproj/argoexec:v3.5.0
@@ -36,9 +36,12 @@ beclab/reverse-proxy:v0.1.8
 beclab/upgrade-job:0.1.7
 bytetrade/envoy:v1.25.11.1
 liangjw/kube-webhook-certgen:v1.1.1
-beclab/hami:v2.5.1
+beclab/hami:v2.5.2
 alpine:3.14
 mirrorgooglecontainers/defaultbackend-amd64:1.4
 projecthami/hami-webui-fe-oss:v1.0.5
 projecthami/hami-webui-be-oss:v1.0.5
 nvidia/dcgm-exporter:4.1.1-4.0.4-ubuntu22.04
+ghcr.io/open-telemetry/opentelemetry-go-instrumentation/autoinstrumentation-go:v0.20.0
+bytetrade/autoinstrumentation-apache-httpd:1.0.4-fix1
+ghcr.io/open-telemetry/opentelemetry-operator/autoinstrumentation-nodejs:0.40.0
--- a/build/manifest/pkgs
+++ b/build/manifest/pkgs
@@ -1,5 +1,5 @@
 cni-plugins-v1.6.2.tgz,pkg/cni/v1.6.2,https://github.com/containernetworking/plugins/releases/download/v1.6.2/cni-plugins-linux-amd64-v1.6.2.tgz,https://github.com/containernetworking/plugins/releases/download/v1.6.2/cni-plugins-linux-arm-v1.6.2.tgz,cni-plugins
-containerd-1.6.4.tar.gz,pkg/containerd/1.6.4,https://github.com/containerd/containerd/releases/download/v1.6.4/containerd-1.6.4-linux-amd64.tar.gz,https://github.com/containerd/containerd/releases/download/v1.6.4/containerd-1.6.4-linux-arm64.tar.gz,containerd
+containerd-1.6.36.tar.gz,pkg/containerd/1.6.36,https://github.com/containerd/containerd/releases/download/v1.6.36/containerd-1.6.36-linux-amd64.tar.gz,https://github.com/containerd/containerd/releases/download/v1.6.36/containerd-1.6.36-linux-arm64.tar.gz,containerd
 crictl-v1.32.0.tar.gz,pkg/crictl/v1.32.0,https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.32.0/crictl-v1.32.0-linux-amd64.tar.gz,https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.32.0/crictl-v1.32.0-linux-arm64.tar.gz,crictl
 etcd-v3.5.18.tar.gz,pkg/etcd/v3.5.18,https://github.com/coreos/etcd/releases/download/v3.5.18/etcd-v3.5.18-linux-amd64.tar.gz,https://github.com/coreos/etcd/releases/download/v3.5.18/etcd-v3.5.18-linux-arm64.tar.gz,etcd
 helm-v3.9.0.tar.gz,pkg/helm/v3.9.0,https://get.helm.sh/helm-v3.17.1-linux-amd64.tar.gz,https://get.helm.sh/helm-v3.17.1-linux-arm.tar.gz,helm
--- a/frameworks/GPU/config/gpu/hami/Chart.yaml
+++ b/frameworks/GPU/config/gpu/hami/Chart.yaml
@@ -13,4 +13,3 @@ maintainers:
  - name: zhangxiao
    email: xiaozhang0210@hotmail.com
 appVersion: "2.5.0"
-
--- a/frameworks/GPU/config/gpu/hami/templates/dcgm-exporter/daemonset.yaml
+++ b/frameworks/GPU/config/gpu/hami/templates/dcgm-exporter/daemonset.yaml
@@ -69,7 +69,7 @@ spec:
      volumes:
      - name: "pod-gpu-resources"
        hostPath:
-          path: {{ .Values.dcgmExporter.kubeletPath }}
+          path: '{{ .Values.dcgmExporter.kubeletPath }}'
      {{- if and .Values.dcgmExporter.tlsServerConfig.enabled }}
      - name: "tls"
        secret:
--- a/frameworks/GPU/config/gpu/hami/templates/device-plugin/daemonsetnvidia.yaml
+++ b/frameworks/GPU/config/gpu/hami/templates/device-plugin/daemonsetnvidia.yaml
@@ -112,12 +112,12 @@ spec:
            - name: NVIDIA_MIG_MONITOR_DEVICES
              value: all
            - name: HOOK_PATH
-              value: {{ .Values.global.gpuHookPath }}/vgpu
+              value: '{{ .Values.global.gpuHookPath }}/vgpu'
          resources:
          {{- toYaml .Values.devicePlugin.vgpuMonitor.resources | nindent 12 }}
          volumeMounts:
            - name: ctrs
-              mountPath: {{ .Values.devicePlugin.monitorctrPath }}
+              mountPath: '{{ .Values.devicePlugin.monitorctrPath }}'
            - name: dockers
              mountPath: /run/docker
            - name: containerds
@@ -131,7 +131,7 @@ spec:
      volumes:
        - name: ctrs
          hostPath:
-            path: {{ .Values.devicePlugin.monitorctrPath }}
+            path: '{{ .Values.devicePlugin.monitorctrPath }}'
        - name: hosttmp
          hostPath:
            path: /tmp
@@ -143,10 +143,10 @@ spec:
            path: /run/containerd
        - name: device-plugin
          hostPath:
-            path: {{ .Values.devicePlugin.pluginPath }}
+            path: '{{ .Values.devicePlugin.pluginPath }}'
        - name: lib
          hostPath:
-            path: {{ .Values.devicePlugin.libPath }}
+            path: '{{ .Values.devicePlugin.libPath }}'
        - name: usrbin
          hostPath:
            path: /usr/bin
--- a/frameworks/GPU/config/gpu/hami/values.yaml
+++ b/frameworks/GPU/config/gpu/hami/values.yaml
@@ -2,32 +2,32 @@

 nameOverride: ""
 fullnameOverride: ""
-imagePullSecrets: [ ]
-version: "v2.5.1"
+imagePullSecrets: []
+version: "v2.5.2"

-#Nvidia GPU Parameters
+# Nvidia GPU Parameters
 resourceName: "nvidia.com/gpu"
 resourceMem: "nvidia.com/gpumem"
 resourceMemPercentage: "nvidia.com/gpumem-percentage"
 resourceCores: "nvidia.com/gpucores"
 resourcePriority: "nvidia.com/priority"

-#MLU Parameters
+# MLU Parameters
 mluResourceName: "cambricon.com/vmlu"
 mluResourceMem: "cambricon.com/mlu.smlu.vmemory"
 mluResourceCores: "cambricon.com/mlu.smlu.vcore"

-#Hygon DCU Parameters
+# Hygon DCU Parameters
 dcuResourceName: "hygon.com/dcunum"
 dcuResourceMem: "hygon.com/dcumem"
 dcuResourceCores: "hygon.com/dcucores"

-#Iluvatar GPU Parameters
+# Iluvatar GPU Parameters
 iluvatarResourceName: "iluvatar.ai/vgpu"
 iluvatarResourceMem: "iluvatar.ai/vcuda-memory"
 iluvatarResourceCore: "iluvatar.ai/vcuda-core"

-#Metax SGPU Parameters
+# Metax SGPU Parameters
 metaxResourceName: "metax-tech.com/sgpu"
 metaxResourceCore: "metax-tech.com/vcore"
 metaxResourceMem: "metax-tech.com/vmemory"
@@ -51,7 +51,7 @@ scheduler:
  # if we install the nvidia-vgpu-scheduler-scheduler as default scheduler, we need to remove the k8s default
  # scheduler pod from the cluster first, we must specify node name to skip the schedule workflow.
  nodeName: ""
-  #nodeLabelSelector:
+  # nodeLabelSelector:
  #  "gpu": "on"
  overwriteEnv: "false"
  defaultSchedulerPolicy:
@@ -100,13 +100,13 @@ scheduler:
      - -v=4
  podAnnotations: {}
  tolerations: []
-  #serviceAccountName: "hami-vgpu-scheduler-sa"
+  # serviceAccountName: "hami-vgpu-scheduler-sa"
  admissionWebhook:
    customURL:
      enabled: false
      # must be an endpoint using https.
      # should generate host certs here
-      host: 127.0.0.1 # hostname or ip, can be your node'IP if you want to use https://<nodeIP>:<schedulerPort>/<path>
+      host: 127.0.0.1          # hostname or ip, can be your node'IP if you want to use https://<nodeIP>:<schedulerPort>/<path>
      port: 31998
      path: /webhook
    whitelistNamespaces:
@@ -147,16 +147,13 @@ devicePlugin:
  passDeviceSpecsEnabled: false
  extraArgs:
    - -v=4
-  
  service:
    type: ClusterIP  # Default type is NodePort, can be changed to ClusterIP
    httpPort: 31992
    labels: {}
    annotations: {}
-    
  pluginPath: /var/lib/kubelet/device-plugins
  libPath: /usr/local/vgpu
-
  podAnnotations: {}
  nvidianodeSelector:
    gpu.bytetrade.io/cuda-supported: 'true'
@@ -315,7 +312,7 @@ dcgmExporter:
    interval: 15s
    honorLabels: false
    additionalLabels: {}
-      #monitoring: prometheus
+      # monitoring: prometheus
    relabelings: []
      # - sourceLabels: [__meta_kubernetes_pod_node_name]
      #   separator: ;
@@ -325,13 +322,13 @@ dcgmExporter:
      #   action: replace

  nodeSelector: {}
-    #node: gpu
+    # node: gpu

  tolerations: []
-  #- operator: Exists
+  # - operator: Exists

  affinity: {}
-    #nodeAffinity:
+    # nodeAffinity:
    #  requiredDuringSchedulingIgnoredDuringExecution:
    #    nodeSelectorTerms:
    #    - matchExpressions:
@@ -339,7 +336,7 @@ dcgmExporter:
    #        operator: Exists

  extraHostVolumes: []
-  #- name: host-binaries
+  # - name: host-binaries
  #  hostPath: /opt/bin

  extraConfigMapVolumes:
@@ -356,7 +353,7 @@ dcgmExporter:
      subPath: default-counters.csv

  extraEnv: []
-  #- name: EXTRA_VAR
+  # - name: EXTRA_VAR
  #  value: "TheStringValue"

  # Path to the kubelet socket for /pod-resources
@@ -391,7 +388,7 @@ dcgmExporter:
    ca: ""

  basicAuth:
-    #Object containing <user>:<passwords> key-value pairs for each user that will have access via basic authentication
+    # Object containing <user>:<passwords> key-value pairs for each user that will have access via basic authentication
    users: {}

  # Customized list of metrics to emit. Expected to be in the same format (CSV) as the default list.
@@ -527,4 +524,4 @@ webui:

  externalPrometheus:
    address: "http://prometheus-k8s.kubesphere-monitoring-system:9090"
-    enabled: true
+    enabled: true
--- a/frameworks/app-service/config/cluster/deploy/appservice_deploy.yaml
+++ b/frameworks/app-service/config/cluster/deploy/appservice_deploy.yaml
@@ -1,5 +1,3 @@
-
-
 {{ $charts_rootpath := printf "%s%s" .Values.rootPath "/rootfs/charts" }}
 {{ $usertmpl_rootpath := printf "%s%s" .Values.rootPath "/rootfs/usertemplate" }}
 {{ $charts_pv := "pv-charts" }}
@@ -23,7 +21,7 @@ spec:
  capacity:
    storage: 100Mi
  hostPath:
-    path: {{ $charts_rootpath }}/{{ default $charts_pvc .Values.charts_pvc }}
+    path: '{{ $charts_rootpath }}/{{ default $charts_pvc .Values.charts_pvc }}'
    type: DirectoryOrCreate
  persistentVolumeReclaimPolicy: Delete
  volumeMode: Filesystem
@@ -58,7 +56,7 @@ spec:
  capacity:
    storage: 100Mi
  hostPath:
-    path: {{ $usertmpl_rootpath }}/{{ default $usertmpl_pvc .Values.usertmpl_pvc }}
+    path: '{{ $usertmpl_rootpath }}/{{ default $usertmpl_pvc .Values.usertmpl_pvc }}'
    type: DirectoryOrCreate
  persistentVolumeReclaimPolicy: Delete
  volumeMode: Filesystem
@@ -107,8 +105,8 @@ data:

    [bytetrade]
    DNS.1 = app-service.os-system.svc
---

+---
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
@@ -122,13 +120,13 @@ metadata:
    charts_pv: {{ default $charts_pv .Values.charts_pv }}
    charts_pvc: {{ default $charts_pvc .Values.charts_pvc }}
    charts_sc: {{ default $charts_sc .Values.charts_sc }}
-    charts_hostpath: {{ $charts_rootpath }}/{{ default $charts_pvc .Values.charts_pvc }}
+    charts_hostpath: '{{ $charts_rootpath }}/{{ default $charts_pvc .Values.charts_pvc }}'

    usertmpl_storage: {{ $usertmpl_storage }}
    usertmpl_pv: {{ default $usertmpl_pv .Values.usertmpl_pv }}
    usertmpl_pvc: {{ default $usertmpl_pvc .Values.usertmpl_pvc }}
    usertmpl_sc: {{ default $usertmpl_sc .Values.usertmpl_sc }}
-    usertmpl_hostpath: {{ $usertmpl_rootpath }}/{{ default $usertmpl_pvc .Values.usertmpl_pvc }}
+    usertmpl_hostpath: '{{ $usertmpl_rootpath }}/{{ default $usertmpl_pvc .Values.usertmpl_pvc }}'
 spec:
  replicas: 1
  selector:
@@ -145,7 +143,7 @@ spec:
      priorityClassName: "system-cluster-critical"
      containers:
      - name: app-service
-        image: beclab/app-service:0.3.23
+        image: beclab/app-service:0.3.29
        imagePullPolicy: IfNotPresent
        securityContext:
          runAsUser: 0
@@ -225,7 +223,7 @@ spec:
      volumes:
      - name: app-cache
        hostPath:
-          path: {{ .Values.rootPath }}/userdata/Cache
+          path: '{{ .Values.rootPath }}/userdata/Cache'
          type: DirectoryOrCreate
      - name: configtoml
        hostPath:
@@ -363,7 +361,7 @@ spec:
      hostNetwork: true
      containers:
        - name: image-service
-          image: beclab/image-service:0.3.21
+          image: beclab/image-service:0.3.28
          imagePullPolicy: IfNotPresent
          securityContext:
            runAsUser: 0
--- a/frameworks/backup-server/config/cluster/crds/sys.bytetrade.io_backups.yaml
+++ b/frameworks/backup-server/config/cluster/crds/sys.bytetrade.io_backups.yaml
@@ -21,7 +21,7 @@ spec:
  versions:
    - additionalPrinterColumns:
        - jsonPath: .spec.name
-          name: name
+          name: backup name
          type: string
        - jsonPath: .spec.owner
          name: owner
@@ -66,17 +66,23 @@ spec:
                      type: string
                    timesOfDay:
                      type: string
+                    timespanOfDay:
+                      type: string
                  required:
                    - dateOfMonth
                    - dayOfWeek
                    - enabled
                    - snapshotFrequency
                    - timesOfDay
+                    - timespanOfDay
                  type: object
                backupType:
                  additionalProperties:
                    type: string
                  type: object
+                createAt:
+                  format: date-time
+                  type: string
                deleted:
                  type: boolean
                extra:
@@ -98,6 +104,7 @@ spec:
                  type: integer
              required:
                - backupType
+                - createAt
                - deleted
                - location
                - name
--- a/frameworks/backup-server/config/cluster/deploy/backup_server.yaml
+++ b/frameworks/backup-server/config/cluster/deploy/backup_server.yaml
@@ -1,6 +1,6 @@


-{{ $backupVersion := "0.3.13" }}
+{{ $backupVersion := "0.3.29" }}
 {{ $backup_server_rootpath := printf "%s%s" .Values.rootPath "/rootfs/backup-server" }}

 ---
@@ -31,15 +31,22 @@ spec:
      - name: dbdata
        hostPath:
          type: DirectoryOrCreate
-          path: {{ $backup_server_rootpath }}/data
+          path: '{{ $backup_server_rootpath }}/data'
      - name: rootfs
        hostPath:
-          path: {{ .Values.rootPath }}/rootfs
+          path: '{{ .Values.rootPath }}/rootfs'
+      - name: shares
+        hostPath:
+          path: '{{ .Values.rootPath }}/share'
      serviceAccountName: os-internal
      containers:
      - name: api
        image: beclab/backup-server:v{{ $backupVersion }}
        imagePullPolicy: IfNotPresent
+        securityContext:
+          allowPrivilegeEscalation: true
+          privileged: true
+          runAsUser: 0
        command:
        - /backup-server
        - apiserver
@@ -65,10 +72,15 @@ spec:
        volumeMounts:
        - mountPath: /rootfs
          name: rootfs
+        - mountPath: /shares
+          mountPropagation: Bidirectional
+          name: shares
      - name: controller
        image: beclab/backup-server:v{{ $backupVersion }}
        imagePullPolicy: IfNotPresent
        securityContext:
+          allowPrivilegeEscalation: true
+          privileged: true
          runAsUser: 0
        command:
        - /backup-server
@@ -94,6 +106,9 @@ spec:
        volumeMounts:
        - mountPath: /rootfs
          name: rootfs
+        - mountPath: /shares
+          mountPropagation: Bidirectional
+          name: shares

 ---
 apiVersion: v1
--- a/frameworks/bfl/config/launcher/templates/bfl_deploy.yaml
+++ b/frameworks/bfl/config/launcher/templates/bfl_deploy.yaml
@@ -42,7 +42,7 @@ spec:
  capacity:
    storage: {{ $userspace_storage }}
  hostPath:
-    path: {{ $userspace_pv_rootpath }}/{{ default $userspace_pvc .Values.bfl.userspace_pvc }}
+    path: '{{ $userspace_pv_rootpath }}/{{ default $userspace_pvc .Values.bfl.userspace_pvc }}'
    type: DirectoryOrCreate
  persistentVolumeReclaimPolicy: Delete
  volumeMode: Filesystem
@@ -59,7 +59,7 @@ spec:
  - ReadWriteOnce
  resources:
    requests:
-      storage: {{ $userspace_storage }}
+      storage: '{{ $userspace_storage }}'
  volumeMode: Filesystem
  {{ if .Values.bfl.userspace_pv }}
  volumeName: {{ .Values.bfl.userspace_pv }}
@@ -77,7 +77,7 @@ spec:
  capacity:
    storage: {{ $appcache_storage }}
  hostPath:
-    path: {{ $appcache_pv_rootpath }}/{{ default $appcache_pvc .Values.bfl.appcache_pvc }}
+    path: '{{ $appcache_pv_rootpath }}/{{ default $appcache_pvc .Values.bfl.appcache_pvc }}'
    type: DirectoryOrCreate
  persistentVolumeReclaimPolicy: Delete
  volumeMode: Filesystem
@@ -112,7 +112,7 @@ spec:
  capacity:
    storage: {{ $dbdata_storage }}
  hostPath:
-    path: {{ $dbdata_pv_rootpath }}/{{ default $dbdata_pvc .Values.bfl.dbdata_pvc }}
+    path: '{{ $dbdata_pv_rootpath }}/{{ default $dbdata_pvc .Values.bfl.dbdata_pvc }}'
    type: DirectoryOrCreate
  persistentVolumeReclaimPolicy: Delete
  volumeMode: Filesystem
@@ -173,21 +173,21 @@ metadata:
    userspace_pv: {{ default $userspace_pv .Values.bfl.userspace_pv }}
    userspace_pvc: {{ default $userspace_pvc .Values.bfl.userspace_pvc }}
    userspace_sc: {{ default $userspace_sc .Values.bfl.userspace_sc }}
-    userspace_hostpath: {{ $userspace_pv_rootpath }}/{{ default $userspace_pvc .Values.bfl.userspace_pvc }}
+    userspace_hostpath: '{{ $userspace_pv_rootpath }}/{{ default $userspace_pvc .Values.bfl.userspace_pvc }}'
    userspace_storage: {{ $userspace_storage }}

    appcache_rand16: {{ default $appcache_rand16 .Values.bfl.appcache_rand16 }}
    appcache_pv: {{ default $appcache_pv .Values.bfl.appcache_pv }}
    appcache_pvc: {{ default $appcache_pvc .Values.bfl.appcache_pvc }}
    appcache_sc: {{ default $appcache_sc .Values.bfl.appcache_sc }}
-    appcache_hostpath: {{ $appcache_pv_rootpath }}/{{ default $appcache_pvc .Values.bfl.appcache_pvc }}
+    appcache_hostpath: '{{ $appcache_pv_rootpath }}/{{ default $appcache_pvc .Values.bfl.appcache_pvc }}'
    appcache_storage: {{ $appcache_storage }}

    dbdata_rand16: {{ default $dbdata_rand16 .Values.bfl.dbdata_rand16 }}
    dbdata_pv: {{ default $dbdata_pv .Values.bfl.dbdata_pv }}
    dbdata_pvc: {{ default $dbdata_pvc .Values.bfl.dbdata_pvc }}
    dbdata_sc: {{ default $dbdata_sc .Values.bfl.dbdata_sc }}
-    dbdata_hostpath: {{ $dbdata_pv_rootpath }}/{{ default $dbdata_pvc .Values.bfl.dbdata_pvc }}
+    dbdata_hostpath: '{{ $dbdata_pv_rootpath }}/{{ default $dbdata_pvc .Values.bfl.dbdata_pvc }}'
    dbdata_storage: {{ $dbdata_storage }}
 spec:
  serviceName: bfl
@@ -200,11 +200,11 @@ spec:
      labels:
        tier: bfl
      annotations:
-        # instrumentation.opentelemetry.io/inject-go: "olares-instrumentation"
-        # instrumentation.opentelemetry.io/go-container-names: "api"    
-        # instrumentation.opentelemetry.io/otel-go-auto-target-exe: "/bfl-api"
-        # instrumentation.opentelemetry.io/inject-nginx: "olares-instrumentation"
-        # instrumentation.opentelemetry.io/inject-nginx-container-names: "ingress"    
+        instrumentation.opentelemetry.io/inject-go: "olares-instrumentation"
+        instrumentation.opentelemetry.io/go-container-names: "api"    
+        instrumentation.opentelemetry.io/otel-go-auto-target-exe: "/bfl-api"
+        instrumentation.opentelemetry.io/inject-nginx: "olares-instrumentation"
+        instrumentation.opentelemetry.io/inject-nginx-container-names: "ingress"    
    spec:
 {{ if .Values.bfl.admin_user }}
      affinity:
@@ -249,7 +249,7 @@ spec:

      containers:
      - name: api
-        image: beclab/bfl:v0.4.3
+        image: beclab/bfl:v0.4.5
        imagePullPolicy: IfNotPresent
        securityContext:
          runAsUser: 1000
@@ -306,7 +306,7 @@ spec:
              apiVersion: v1
              fieldPath: spec.nodeName
      - name: ingress
-        image: beclab/bfl-ingress:v0.3.2
+        image: beclab/bfl-ingress:v0.3.5
        imagePullPolicy: IfNotPresent
        volumeMounts:
        - name: ngxlog
--- a/third-party/opentelemetry/config/user/helm-charts/opentelmetry/templates/otel_define.yaml
+++ b/third-party/opentelemetry/config/user/helm-charts/opentelmetry/templates/otel_define.yaml
@@ -5,6 +5,10 @@ kind: Instrumentation
 metadata:
  name: olares-instrumentation
  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": "pre-install,pre-upgrade"
+    "helm.sh/hook-weight": "-10"
+    "helm.sh/hook-delete-policy": "before-hook-creation"
 spec:
  exporter:
    endpoint: https://jaeger-storage-instance-collector.os-system:4317
@@ -20,30 +24,46 @@ spec:
      - name: OTEL_EXPORTER_OTLP_ENDPOINT
        value: http://jaeger-storage-instance-collector.os-system:4318
      - name: OTEL_EXPORTER_OTLP_PROTOCOL
-        value: http/protobuf
+        value: http/json
+      - name: OTEL_TRACES_SAMPLER_ARG
+        value: "1.0"
  dotnet:
    env:
      - name: OTEL_EXPORTER_OTLP_ENDPOINT
        value: http://jaeger-storage-instance-collector.os-system:4318
      - name: OTEL_EXPORTER_OTLP_PROTOCOL
-        value: http/protobuf
+        value: http/json
+      - name: OTEL_TRACES_SAMPLER_ARG
+        value: "1.0"
  nodejs:
    env:
      - name: OTEL_EXPORTER_OTLP_ENDPOINT
        value: http://jaeger-storage-instance-collector.os-system:4318
      - name: OTEL_EXPORTER_OTLP_PROTOCOL
-        value: http/protobuf
+        value: http/json
+      - name: OTEL_TRACES_SAMPLER_ARG
+        value: "1.0"
  nginx:
+    image: bytetrade/autoinstrumentation-apache-httpd:1.0.4-fix1
    env:
      - name: OTEL_EXPORTER_OTLP_ENDPOINT
-        value: https://jaeger-storage-instance-collector.os-system:4317
+        value: http://jaeger-storage-instance-collector.os-system:4318
+      - name: OTEL_EXPORTER_OTLP_PROTOCOL
+        value: http/json
+      - name: OTEL_TRACES_SAMPLER_ARG
+        value: "1.0"
  go:
+    image: ghcr.io/open-telemetry/opentelemetry-go-instrumentation/autoinstrumentation-go:v0.20.0
    env:
      - name: OTEL_EXPORTER_OTLP_ENDPOINT
        value: http://jaeger-storage-instance-collector.os-system:4318
      - name: OTEL_EXPORTER_OTLP_PROTOCOL
        value: http/protobuf
-
+      - name: OTEL_TRACES_SAMPLER_ARG
+        value: "1.0"
+    resourceRequirements:
+      limits:
+        memory: 256Mi

 ---
 apiVersion: opentelemetry.io/v1alpha1
@@ -51,6 +71,11 @@ kind: Instrumentation
 metadata:
  name: olares-instrumentation
  namespace: user-system-{{ .Values.bfl.username }}
+  annotations:
+    "helm.sh/hook": "pre-install,pre-upgrade"
+    "helm.sh/hook-weight": "-10"
+    "helm.sh/hook-delete-policy": "before-hook-creation"
+
 spec:
  exporter:
    endpoint: https://jaeger-storage-instance-collector.os-system:4317
@@ -66,27 +91,44 @@ spec:
      - name: OTEL_EXPORTER_OTLP_ENDPOINT
        value: http://jaeger-storage-instance-collector.os-system:4318
      - name: OTEL_EXPORTER_OTLP_PROTOCOL
-        value: http/protobuf
+        value: http/json
+      - name: OTEL_TRACES_SAMPLER_ARG
+        value: "1.0"
  dotnet:
    env:
      - name: OTEL_EXPORTER_OTLP_ENDPOINT
        value: http://jaeger-storage-instance-collector.os-system:4318
      - name: OTEL_EXPORTER_OTLP_PROTOCOL
-        value: http/protobuf
+        value: http/json
+      - name: OTEL_TRACES_SAMPLER_ARG
+        value: "1.0"
  nodejs:
    env:
      - name: OTEL_EXPORTER_OTLP_ENDPOINT
-        value: http://jaeger-storage-instance-collector.os-system:4318        
+        value: http://jaeger-storage-instance-collector.os-system:4318
      - name: OTEL_EXPORTER_OTLP_PROTOCOL
-        value: http/protobuf
+        value: http/json
+      - name: OTEL_TRACES_SAMPLER_ARG
+        value: "1.0"
  nginx:
+    image: bytetrade/autoinstrumentation-apache-httpd:1.0.4-fix1
    env:
      - name: OTEL_EXPORTER_OTLP_ENDPOINT
-        value: https://jaeger-storage-instance-collector.os-system:4317
+        value: http://jaeger-storage-instance-collector.os-system:4318
+      - name: OTEL_EXPORTER_OTLP_PROTOCOL
+        value: http/json
+      - name: OTEL_TRACES_SAMPLER_ARG
+        value: "1.0"
  go:
+    image: ghcr.io/open-telemetry/opentelemetry-go-instrumentation/autoinstrumentation-go:v0.20.0
    env:
      - name: OTEL_EXPORTER_OTLP_ENDPOINT
        value: http://jaeger-storage-instance-collector.os-system:4318
      - name: OTEL_EXPORTER_OTLP_PROTOCOL
        value: http/protobuf
+      - name: OTEL_TRACES_SAMPLER_ARG
+        value: "1.0"
+    resourceRequirements:
+      limits:
+        memory: 256Mi

--- a/frameworks/bfl/config/launcher/values.yaml
+++ b/frameworks/bfl/config/launcher/values.yaml
@@ -1,5 +1,3 @@
-
-
 bfl:
  nodeport: 30883
  nodeport_ingress_http: 30083
--- a/frameworks/osnode-init/config/cluster/deploy/nodeinit_daemonset.yaml
+++ b/frameworks/osnode-init/config/cluster/deploy/nodeinit_daemonset.yaml
@@ -64,7 +64,7 @@ spec:
      volumes:
      - name: terminus
        hostPath:
-          path: {{ .Values.rootPath }}
+          path: '{{ .Values.rootPath }}'
      - name: bin
        hostPath:
          path: /usr/local/bin
--- a/frameworks/system-server/config/user/helm-charts/systemserver/templates/systemserver_deploy.yaml
+++ b/frameworks/system-server/config/user/helm-charts/systemserver/templates/systemserver_deploy.yaml
@@ -41,13 +41,17 @@ spec:
    metadata:
      labels:
        app: systemserver
+      annotations:
+        instrumentation.opentelemetry.io/go-container-names: system-server
+        instrumentation.opentelemetry.io/inject-go: olares-instrumentation
+        instrumentation.opentelemetry.io/otel-go-auto-target-exe: /system-server
    spec:
      serviceAccountName: bytetrade-sys-ops
      serviceAccount: bytetrade-sys-ops
      priorityClassName: "system-cluster-critical"
      containers:
      - name: system-server
-        image: beclab/system-server:0.1.21
+        image: beclab/system-server:0.1.22
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
@@ -319,4 +323,4 @@ metadata:
  name: systemserver-proxy-configs
  namespace: user-system-{{ .Values.bfl.username }}

-    
+    
--- a/frameworks/system-server/config/user/helm-charts/systemserver/values.yaml
+++ b/frameworks/system-server/config/user/helm-charts/systemserver/values.yaml
@@ -1,4 +1,3 @@
-
 bfl:
  nodeport: 30883
  nodeport_ingress_http: 30083
@@ -40,4 +39,4 @@ os:
    appKey: '${ks[0]}'
    appSecret: test
 kubesphere:
-  redis_password: ""
+  redis_password: ""
--- a/frameworks/tapr/config/cluster/deploy/citus_deployment.yaml
+++ b/frameworks/tapr/config/cluster/deploy/citus_deployment.yaml
@@ -14,7 +14,7 @@ spec:
  capacity:
    storage: '50Gi'
  hostPath:
-    path: {{ $citus_rootpath }}/pg_data
+    path: '{{ $citus_rootpath }}/pg_data'
    type: DirectoryOrCreate
  persistentVolumeReclaimPolicy: Delete
  volumeMode: Filesystem
@@ -45,5 +45,5 @@ metadata:
 spec:
  replicas: 1
  owner: system
-  backupStorage: {{ $citus_backuppath }}/pg_backup
+  backupStorage: '{{ $citus_backuppath }}/pg_backup'
  citusImage: beclab/citus:12.2
--- a/frameworks/tapr/config/cluster/deploy/fakes3_deployment.yaml
+++ b/frameworks/tapr/config/cluster/deploy/fakes3_deployment.yaml
@@ -73,6 +73,6 @@ spec:
      - name: s3-data
        hostPath:
          type: DirectoryOrCreate
-          path: {{ $mongo_backuppath }}/mongo-backup
+          path: '{{ $mongo_backuppath }}/mongo-backup'


--- a/frameworks/tapr/config/cluster/deploy/lldap-deployment.yaml
+++ b/frameworks/tapr/config/cluster/deploy/lldap-deployment.yaml
@@ -83,6 +83,13 @@ spec:
        perm:
        - pub
        - sub
+    - appName: notifications
+      appNamespace: {{ .Release.Namespace }}
+      subjects:
+      - name: system.users
+        perm:
+        - pub
+        - sub
    user: os-system-lldap

 ---
@@ -164,8 +171,10 @@ spec:
                  name: lldap-pg-secrets
            - name: NATS_SUBJECT
              value: "terminus.{{ .Release.Namespace }}.system.notification"
+            - name: NATS_SUBJECT_SYSTEM_USERS
+              value: "terminus.{{ .Release.Namespace }}.system.users"

-          image: beclab/lldap:0.0.1
+          image: beclab/lldap:0.0.2
          imagePullPolicy: IfNotPresent
          name: lldap
          ports:
--- a/frameworks/tapr/config/cluster/deploy/middleware_deploy.yaml
+++ b/frameworks/tapr/config/cluster/deploy/middleware_deploy.yaml
@@ -45,15 +45,15 @@ spec:
      - name: dbdata-dir
        hostPath:
          type: DirectoryOrCreate
-          path: {{ $dbdata_pv_rootpath }}
+          path: '{{ $dbdata_pv_rootpath }}'
      - name: dbbackup-dir
        hostPath:
          type: DirectoryOrCreate
-          path: {{ $dbbackup_rootpath }}
+          path: '{{ $dbbackup_rootpath }}'
      - name: pgbackup-dir
        hostPath:
          type: DirectoryOrCreate
-          path: {{ $dbbackup_rootpath }}/pg_backup
+          path: '{{ $dbbackup_rootpath }}/pg_backup'
      initContainers:
      - name: init-dbspace
        image: busybox:1.28
--- a/frameworks/tapr/config/cluster/deploy/nats_deployment.yaml
+++ b/frameworks/tapr/config/cluster/deploy/nats_deployment.yaml
@@ -20,7 +20,7 @@ spec:
  capacity:
    storage: '50Gi'
  hostPath:
-    path: {{ $nats_rootpath }}/nats_data
+    path: '{{ $nats_rootpath }}/nats_data'
    type: DirectoryOrCreate
  persistentVolumeReclaimPolicy: Delete
  volumeMode: Filesystem
@@ -215,7 +215,7 @@ spec:
          secret:
            secretName: nats-box-contexts
        - hostPath:
-            path: {{ .Values.rootPath }}/userdata/dbdata/nats_data
+            path: '{{ .Values.rootPath }}/userdata/dbdata/nats_data'
            type: DirectoryOrCreate
          name: nats-data
 ---
--- a/frameworks/tapr/config/cluster/deploy/redixcluster_deploy.yaml
+++ b/frameworks/tapr/config/cluster/deploy/redixcluster_deploy.yaml
@@ -31,7 +31,7 @@ spec:
  capacity:
    storage: '50Gi'
  hostPath:
-    path: {{ $redix_rootpath }}/kvrocks_data
+    path: '{{ $redix_rootpath }}/kvrocks_data'
    type: DirectoryOrCreate
  persistentVolumeReclaimPolicy: Delete
  volumeMode: Filesystem
@@ -63,7 +63,7 @@ spec:
  type: kvrocks
  kvrocks:
    owner: system
-    backupStorage: {{ $redix_backuppath }}/kvrocks_backup
+    backupStorage: '{{ $redix_backuppath }}/kvrocks_backup'
    image: beclab/kvrocks:0.1.0
    imagePullPolicy: IfNotPresent
    password: 
--- a/frameworks/tapr/config/cluster/deploy/sys_event_deploy.yaml
+++ b/frameworks/tapr/config/cluster/deploy/sys_event_deploy.yaml
@@ -76,7 +76,7 @@ spec:
        runAsUser: 0
      containers:
      - name: tapr-sysevent
-        image: beclab/sys-event:0.2.4
+        image: beclab/sys-event:0.2.5
        imagePullPolicy: IfNotPresent
        env:
        - name: APP_RANDOM_KEY
--- a/frameworks/tapr/config/user/helm-charts/citus/values.yaml
+++ b/frameworks/tapr/config/user/helm-charts/citus/values.yaml
@@ -1,4 +1,3 @@
-
 bfl:
  nodeport: 30883
  nodeport_ingress_http: 30083
@@ -40,4 +39,4 @@ os:
    appKey: '${ks[0]}'
    appSecret: test
 kubesphere:
-  redis_password: ""
+  redis_password: ""
--- a/frameworks/tapr/config/user/helm-charts/mongo/values.yaml
+++ b/frameworks/tapr/config/user/helm-charts/mongo/values.yaml
@@ -1,4 +1,3 @@
-
 bfl:
  nodeport: 30883
  nodeport_ingress_http: 30083
@@ -40,4 +39,4 @@ os:
    appKey: '${ks[0]}'
    appSecret: test
 kubesphere:
-  redis_password: ""
+  redis_password: ""
--- a/frameworks/tapr/config/user/helm-charts/nats/Chart.yaml
+++ b/frameworks/tapr/config/user/helm-charts/nats/Chart.yaml
@@ -1,6 +1,8 @@
 apiVersion: v2
 name: nats
 description: A Helm chart for Kubernetes
+maintainers:
+- name: bytetrade

 # A chart can be either an 'application' or a 'library' chart.
 #
--- a/frameworks/tapr/config/user/helm-charts/nats/values.yaml
+++ b/frameworks/tapr/config/user/helm-charts/nats/values.yaml
@@ -0,0 +1,7 @@
+bfl:
+  nodeport: 30883
+  nodeport_ingress_http: 30083
+  nodeport_ingress_https: 30082
+  username: 'test'
+  url: 'test'
+  nodeName: test
--- a/frameworks/tapr/config/user/helm-charts/redis/values.yaml
+++ b/frameworks/tapr/config/user/helm-charts/redis/values.yaml
@@ -1,4 +1,3 @@
-
 bfl:
  nodeport: 30883
  nodeport_ingress_http: 30083
@@ -40,4 +39,4 @@ os:
    appKey: '${ks[0]}'
    appSecret: test
 kubesphere:
-  redis_password: ""
+  redis_password: ""
--- a/frameworks/tapr/config/user/helm-charts/tapr/templates/tapr_deploy.yaml
+++ b/frameworks/tapr/config/user/helm-charts/tapr/templates/tapr_deploy.yaml
@@ -60,7 +60,7 @@ spec:
      - name: image-upload
        hostPath:
          type: DirectoryOrCreate
-          path: {{ .Values.userspace.userData }}/Pictures
+          path: '{{ .Values.userspace.userData }}/Pictures'

 ---
 apiVersion: v1
--- a/frameworks/tapr/config/user/helm-charts/tapr/values.yaml
+++ b/frameworks/tapr/config/user/helm-charts/tapr/values.yaml
@@ -1,4 +1,3 @@
-
 bfl:
  nodeport: 30883
  nodeport_ingress_http: 30083
@@ -40,4 +39,4 @@ os:
    appKey: '${ks[0]}'
    appSecret: test
 kubesphere:
-  redis_password: ""
+  redis_password: ""
--- a/libs/fs-lib/config/user/helm-charts/fsnotify/values.yaml
+++ b/libs/fs-lib/config/user/helm-charts/fsnotify/values.yaml
@@ -1,4 +1,3 @@
-
 bfl:
  nodeport: 30883
  nodeport_ingress_http: 30083
@@ -40,4 +39,4 @@ os:
    appKey: '${ks[0]}'
    appSecret: test
 kubesphere:
-  redis_password: ""
+  redis_password: ""
--- a/third-party/authelia/config/cluster/deploy/auth_backend_deploy.yaml
+++ b/third-party/authelia/config/cluster/deploy/auth_backend_deploy.yaml
@@ -389,10 +389,21 @@ spec:
        image: owncloudci/wait-for:latest
        imagePullPolicy: IfNotPresent
        name: check-redis
-
+      - name: setsysctl
+        image: 'busybox:1.28'
+        command:
+          - sh
+          - '-c'
+          - |
+            sysctl -w net.core.somaxconn=65535
+            sysctl -w net.ipv4.ip_local_port_range="1024 65535"
+            sysctl -w net.ipv4.tcp_tw_reuse=1
+            sysctl -w fs.file-max=1048576
+        securityContext:
+          privileged: true
      containers:      
      - name: authelia
-        image: beclab/auth:0.2.4
+        image: beclab/auth:0.2.6
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 9091
@@ -436,7 +447,7 @@ spec:
      - name: data
        hostPath:
          type: DirectoryOrCreate
-          path: {{ $auth_rootpath }}
+          path: '{{ $auth_rootpath }}'

 ---
 apiVersion: v1
@@ -541,7 +552,7 @@ spec:
      - name: data
        hostPath:
          type: DirectoryOrCreate
-          path: {{ $auth_rootpath }}
+          path: '{{ $auth_rootpath }}'

 ---
 apiVersion: v1
--- a/third-party/authelia/config/user/helm-charts/auth/templates/auth_deploy.yaml
+++ b/third-party/authelia/config/user/helm-charts/auth/templates/auth_deploy.yaml
@@ -28,7 +28,7 @@ spec:
        name: check-auth
      containers:
      - name: auth-front
-        image: beclab/login:v0.1.40
+        image: beclab/login:v1.3.57
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
--- a/third-party/authelia/config/user/helm-charts/auth/values.yaml
+++ b/third-party/authelia/config/user/helm-charts/auth/values.yaml
@@ -1,4 +1,3 @@
-
 bfl:
  nodeport: 30883
  nodeport_ingress_http: 30083
@@ -40,4 +39,4 @@ os:
    appKey: '${ks[0]}'
    appSecret: test
 kubesphere:
-  redis_password: ""
+  redis_password: ""
--- a/third-party/headscale/config/user/helm-charts/headscale/templates/headscale_deploy.yaml
+++ b/third-party/headscale/config/user/helm-charts/headscale/templates/headscale_deploy.yaml
@@ -8,6 +8,12 @@
 {{ $pg_password = randAlphaNum 16 | b64enc }}
 {{- end -}}

+{{ $user := (lookup "iam.kubesphere.io/v1alpha2" "User" "" .Values.bfl.username) }}
+{{- $role := "" -}}
+{{- if $user -}}
+{{ $role = (index $user "metadata" "annotations" "bytetrade.io/owner-role") }}
+{{- end -}}
+
 ---
 apiVersion: v1
 kind: Secret
@@ -201,15 +207,15 @@ spec:
      - name: config
        hostPath:
          type: DirectoryOrCreate
-          path: {{ .Values.userspace.appCache  }}/headscale/config
+          path: '{{ .Values.userspace.appCache  }}/headscale/config'
      - name: headscale-data
        hostPath:
          type: DirectoryOrCreate
-          path: {{ .Values.userspace.appCache }}/headscale/data
+          path: '{{ .Values.userspace.appCache }}/headscale/data'
      - name: config-parent
        hostPath:
          type: DirectoryOrCreate
-          path: {{ .Values.userspace.appCache  }}/headscale
+          path: '{{ .Values.userspace.appCache  }}/headscale'
      - name: acl-config
        configMap:
          defaultMode: 420
@@ -283,16 +289,22 @@ spec:
          value: $(NODE_IP)/32
        - name: TS_EXTRA_ARGS
          value: "--login-server http://headscale-server-svc:8080"
+        {{- if eq $role "platform-admin" }}
+        - name: TS_USERSPACE
+          value: "false"
+        - name: TS_DEBUG_FIREWALL_MODE
+          value: nftables
+        {{- end }}
        - name: TS_KUBE_SECRET
      volumes:
      - name: config
        hostPath:
          type: DirectoryOrCreate
-          path: {{ .Values.userspace.appCache }}/headscale/config
+          path: '{{ .Values.userspace.appCache }}/headscale/config'
      - name: tailscale-data
        hostPath:
          type: DirectoryOrCreate
-          path: {{ .Values.userspace.appCache }}/tailscale/data
+          path: '{{ .Values.userspace.appCache }}/tailscale/data'

 ---
 apiVersion: v1
--- a/third-party/headscale/config/user/helm-charts/headscale/values.yaml
+++ b/third-party/headscale/config/user/helm-charts/headscale/values.yaml
@@ -1,4 +1,3 @@
-
 bfl:
  nodeport: 30883
  nodeport_ingress_http: 30083
@@ -40,4 +39,4 @@ os:
    appKey: '${ks[0]}'
    appSecret: test
 kubesphere:
-  redis_password: ""
+  redis_password: ""
--- a/third-party/infisical/config/user/helm-charts/infisical/values.yaml
+++ b/third-party/infisical/config/user/helm-charts/infisical/values.yaml
@@ -1,4 +1,3 @@
-
 bfl:
  nodeport: 30883
  nodeport_ingress_http: 30083
@@ -40,4 +39,4 @@ os:
    appKey: '${ks[0]}'
    appSecret: test
 kubesphere:
-  redis_password: ""
+  redis_password: ""
--- a/third-party/ks-console/charts/values.yaml
+++ b/third-party/ks-console/charts/values.yaml
@@ -1,4 +1 @@
-
-
-
 username: test
--- a/third-party/opentelemetry/config/cluster/deploy/opentelemetry_operator.yaml
+++ b/third-party/opentelemetry/config/cluster/deploy/opentelemetry_operator.yaml
@@ -843,7 +843,10 @@ webhooks:
 apiVersion: opentelemetry.io/v1beta1
 kind: OpenTelemetryCollector
 metadata:
-  name: jaeger-storage-instance 
+  annotations:
+    "helm.sh/hook": post-install
+    "helm.sh/hook-weight": "5"
+  name: jaeger-storage-instance
  namespace: os-system
  labels:
    applications.app.bytetrade.io/author: bytetrade.io
@@ -862,6 +865,9 @@ spec:
  volumeMounts:
  - name: storage
    mountPath: /data
+
+  securityContext:
+    runAsUser: 1000
    
  ports:
  - name: jaeger
@@ -931,6 +937,9 @@ spec:
 apiVersion: opentelemetry.io/v1alpha1
 kind: Instrumentation
 metadata:
+  annotations:
+    "helm.sh/hook": post-install
+    "helm.sh/hook-weight": "5"
  name: olares-instrumentation
  namespace: os-system
 spec:
@@ -948,27 +957,44 @@ spec:
      - name: OTEL_EXPORTER_OTLP_ENDPOINT
        value: http://jaeger-storage-instance-collector.os-system:4318
      - name: OTEL_EXPORTER_OTLP_PROTOCOL
-        value: http/protobuf
+        value: http/json
+      - name: OTEL_TRACES_SAMPLER_ARG
+        value: "1.0"
  dotnet:
    env:
      - name: OTEL_EXPORTER_OTLP_ENDPOINT
        value: http://jaeger-storage-instance-collector.os-system:4318
      - name: OTEL_EXPORTER_OTLP_PROTOCOL
-        value: http/protobuf
+        value: http/json
+      - name: OTEL_TRACES_SAMPLER_ARG
+        value: "1.0"
  nodejs:
    env:
      - name: OTEL_EXPORTER_OTLP_ENDPOINT
        value: http://jaeger-storage-instance-collector.os-system:4318
      - name: OTEL_EXPORTER_OTLP_PROTOCOL
-        value: http/protobuf
+        value: http/json
+      - name: OTEL_TRACES_SAMPLER_ARG
+        value: "1.0"
  nginx:
+    image: bytetrade/autoinstrumentation-apache-httpd:1.0.4-fix1
    env:
      - name: OTEL_EXPORTER_OTLP_ENDPOINT
-        value: https://jaeger-storage-instance-collector.os-system:4317
+        value: http://jaeger-storage-instance-collector.os-system:4318
+      - name: OTEL_EXPORTER_OTLP_PROTOCOL
+        value: http/json
+      - name: OTEL_TRACES_SAMPLER_ARG
+        value: "1.0"
  go:
+    image: ghcr.io/open-telemetry/opentelemetry-go-instrumentation/autoinstrumentation-go:v0.20.0
    env:
      - name: OTEL_EXPORTER_OTLP_ENDPOINT
        value: http://jaeger-storage-instance-collector.os-system:4318
      - name: OTEL_EXPORTER_OTLP_PROTOCOL
        value: http/protobuf
+      - name: OTEL_TRACES_SAMPLER_ARG
+        value: "1.0"
+    resourceRequirements:
+      limits:
+        memory: 256Mi

--- a/third-party/opentelemetry/config/user/helm-charts/opentelmetry/.helmignore
+++ b/third-party/opentelemetry/config/user/helm-charts/opentelmetry/.helmignore
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
--- a/third-party/opentelemetry/config/user/helm-charts/opentelmetry/Chart.yaml
+++ b/third-party/opentelemetry/config/user/helm-charts/opentelmetry/Chart.yaml
@@ -1,24 +0,0 @@
-apiVersion: v2
-name: opentelemetry
-description: A Helm chart for Kubernetes
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.1
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "0.118.0"
--- a/third-party/opentelemetry/config/user/helm-charts/opentelmetry/templates/NOTES.txt
+++ b/third-party/opentelemetry/config/user/helm-charts/opentelmetry/templates/NOTES.txt
--- a/third-party/opentelemetry/config/user/helm-charts/opentelmetry/templates/_helpers.tpl
+++ b/third-party/opentelemetry/config/user/helm-charts/opentelmetry/templates/_helpers.tpl
@@ -1,62 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "seafile.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "seafile.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "seafile.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "seafile.labels" -}}
-helm.sh/chart: {{ include "seafile.chart" . }}
-{{ include "seafile.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "seafile.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "seafile.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "seafile.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "seafile.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}
--- a/third-party/opentelemetry/config/user/helm-charts/opentelmetry/values.yaml
+++ b/third-party/opentelemetry/config/user/helm-charts/opentelmetry/values.yaml
--- a/third-party/seahub/config/cluster/deploy/seafile_deploy.yaml
+++ b/third-party/seahub/config/cluster/deploy/seafile_deploy.yaml
@@ -495,15 +495,15 @@ spec:
      - name: seafile-data
        hostPath:
          type: DirectoryOrCreate
-          path: {{ $seafile_application_rootpath }}/data
+          path: '{{ $seafile_application_rootpath }}/data'
      - name: sync-data
        hostPath:
          type: DirectoryOrCreate
-          path: {{ $seafile_application_rootpath }}
+          path: '{{ $seafile_application_rootpath }}'
      - name: db-data
        hostPath:
          type: DirectoryOrCreate
-          path: {{ $seafile_appcache_rootpath }}/db
+          path: '{{ $seafile_appcache_rootpath }}/db'
      - name: seafile-nginx-conf
        configMap:
          name: seafile-nginx-conf
--- a/third-party/seahub/config/user/helm-charts/seafile/Chart.yaml
+++ b/third-party/seahub/config/user/helm-charts/seafile/Chart.yaml
@@ -1,6 +1,8 @@
 apiVersion: v2
 name: seafile
 description: A Helm chart for Kubernetes
+maintainers:
+- name: bytetrade

 # A chart can be either an 'application' or a 'library' chart.
 #
--- a/third-party/seahub/config/user/helm-charts/seafile/values.yaml
+++ b/third-party/seahub/config/user/helm-charts/seafile/values.yaml
@@ -0,0 +1,7 @@
+bfl:
+  nodeport: 30883
+  nodeport_ingress_http: 30083
+  nodeport_ingress_https: 30082
+  username: 'test'
+  url: 'test'
+  nodeName: test
Author	SHA1	Message	Date
qq815776412	754425670e	feat(settings-server): upgrade docker node version to 24.0.2 & upgrade nestjs version to 11.1.1	2025-05-19 21:29:50 +08:00
eball	d8a69a146c	otel: bump the go auto-instrumentation image version (#1328 ) otel: change the go auto-instrumentation image version	2025-05-19 19:30:36 +08:00
eball	7c134bbb1d	authelia: replace redis client pool of session provider (#1323 ) * authelia: replace redis client pool of session provider * Update auth_backend_deploy.yaml * Update auth_backend_deploy.yaml * feat: add instrumentation to system-server * Update systemserver_deploy.yaml	2025-05-17 01:20:19 +08:00
aby913	39dbad4ec9	backup-server: queue optimization, backup and restore process adjust (#1326 ) backup-server: queue optimization, backup and restore process adjustments	2025-05-16 23:57:26 +08:00
eball	6c1539d65b	otel: add arm64 version ubuntu nginx (#1324 ) * otel: nginx auto instrumentation config reload bug fix * otel: add arm64 version ubuntu nginx * fix: change image tag	2025-05-16 21:00:41 +08:00
hysyeah	a3038f1edb	app-service: improve api performance by use k8s informer (#1322 )	2025-05-16 00:19:35 +08:00
huaiyuan	a2c7b16382	desktop: improve data refresh logic by socket after network reconnection (#1321 ) fix(desktop): improve data refresh logic by socket after network reconnection	2025-05-16 00:19:09 +08:00
huaiyuan	ac598f66fc	studio: show installation status in header bar (#1319 ) fix(studio): show installation status in header bar	2025-05-16 00:18:18 +08:00
dkeven	6a8cb38940	fix(chart): remove redundant format symbol in template (#1317 )	2025-05-15 21:23:29 +08:00
eball	1c1e7dfdf4	otel: nginx instrumentation arm64 version build bug (#1315 ) * otel: nginx auto instrumentation config reload bug fix * otel: nginx instrumentation arm64 version build bug	2025-05-15 21:22:56 +08:00
aby913	21199571ca	backup-server: improve url check for snapshots retrieval and restore … (#1316 ) backup-server: improve url check for snapshots retrieval and restore interface	2025-05-15 01:47:57 +08:00
dkeven	f5da7693a9	feat(installer): get rid of redundant subcommand and scripts; collect dmesg logs (#1314 )	2025-05-14 17:48:26 +08:00
Peng Peng	668fb373bc	feat: Let notification server can get users information (#1313 )	2025-05-14 17:47:10 +08:00
eball	99a20ca23f	otel: nginx auto instrumentation config reload bug fix (#1312 )	2025-05-13 00:31:22 +08:00
wiy	07478c96d6	fix(settings): the problem of failure to create sub-account (#1311 )	2025-05-13 00:30:52 +08:00
hysyeah	6d6f5c248c	bfl: fix sub user delete issue (#1310 )	2025-05-12 20:27:36 +08:00
simon	8f3507fd86	knowledge&download: fix twitter download failure & update larepass download (#1308 ) knowledge	2025-05-11 10:53:21 +08:00
aby913	108c1392e3	backup-server: restore bug fix, sdk supports backup from file list (#1307 ) fix: restore bug fix, sdk supports backup from file list	2025-05-10 00:42:32 +08:00
hysyeah	5cd37a477d	app-service: fix pull image progress (#1306 )	2025-05-10 00:41:59 +08:00
wiy	b137f96517	settings & files: update settings mirror manager & backup, files support backup (#1304 ) feat: update settings support mirror manager feat: update files support backup feat: update settings backup	2025-05-10 00:41:10 +08:00
eball	dc4d5666d8	olares: fix go instrumentation resource limit typo (#1302 ) * olares: fix go instrumentation resource limit typo * fix: change to resourceRequirements * fix: upgrade base image	2025-05-10 00:40:46 +08:00
dkeven	b3cb83de9f	olaresd: manage registries and images in containerd (#1303 ) * olaresd: manage registries and images in containerd * feat: supports backing up from a list file --------- Co-authored-by: aby913 <aby913@163.com>	2025-05-09 22:21:23 +08:00
aby913	862cfc4625	backup-server: fix external binding, improve message pushing (#1301 )	2025-05-08 23:53:39 +08:00
eball	fa5ca7432c	olares: add otel instrumentation image to manifest (#1300 ) * olares: add otel instrumentation image to manifest * fix: add autoinstrumentation-apache-httpd arm64 image * fix: add go instrumentation resource limit * fix: change instrumentation protocol * fix: add add sampler ratio env	2025-05-08 23:53:12 +08:00
hysyeah	427bff8b45	ks,node_exporter,installer: add some metrics (#1299 )	2025-05-08 23:52:56 +08:00
aby913	b8a3c66003	backup-server: check disk free space, api optimization (#1298 ) backup-server: check disk free space	2025-05-08 01:19:37 +08:00
eball	92bf361698	olaresd: steamheadless sunshine mdns proxy (#1297 )	2025-05-08 01:19:18 +08:00
wiy	de1cee0000	feat(settings): Encrypted transmission of login password (#1296 )	2025-05-08 01:18:56 +08:00
eball	cac1978874	olares: add otel instrumentations (#1295 ) * olares: add otel instrumentations * fix: duplicate container name * fix: move instrumentation before bfl installation * feat: change openresty base image to ubuntu --------- Co-authored-by: liuyu <liuy102@gmail.com>	2025-05-08 01:18:24 +08:00
aby913	1083b417b1	backup-server: support external directory (#1294 )	2025-05-06 23:50:26 +08:00
dkeven	d9824a7deb	feat: upgrade hami and use original libvgpu.so (#1293 )	2025-05-06 23:50:02 +08:00
hysyeah	0aa59ab731	feat(login & wizard): Encrypted transmission of login password (#1292 )	2025-05-01 22:55:39 +08:00
simon	28edc29240	download&crawler: fix youtube download failure & crawler cache error (#1291 ) ytdlp	2025-05-01 01:05:59 +08:00
dkeven	ef77bff611	feat(installer): md5 password	2025-04-30 15:04:26 +08:00
qq815776412	0667481fcf	feat:login & wizard Encrypted transmission of login password	2025-04-30 14:40:12 +08:00
lovehunter9	e16ed5ea64	fix: add init container for files-server (#1288 )	2025-04-29 23:47:10 +08:00
simon	93d1237a43	fix: change argo and sync run user (#1287 ) permission	2025-04-29 20:01:08 +08:00
hysyeah	42ff86e0af	studio-server: change cm push url (#1284 )	2025-04-29 00:23:49 +08:00
simon	814dce3dec	fix: argo archivelog and knowledge feed save bug (#1283 ) knowledge v0.12.4	2025-04-28 18:17:20 +08:00
aby913	bfa43257ff	backup-server: abnormal restoration state, get space cos stats failed (#1268 )	2025-04-26 00:33:19 +08:00
berg	e1c9e9ad20	fix(vault&wise): some known issues (#1281 ) * feat: update wise & vault & files new version to v1.3.54 * feat: update 1.3.55 --------- Co-authored-by: qq815776412 <815776412@qq.com>	2025-04-26 00:09:10 +08:00
hysyeah	1b62d2ae31	lldap,bfl,app-service: user event publish;subnet mask minus 1 (#1277 )	2025-04-26 00:07:35 +08:00
berg	51f32c993f	profile, market: modify default theme configuration (#1276 ) fix: modify default theme configuration	2025-04-26 00:07:05 +08:00
huaiyuan	59749c8b7f	desktop: fix iframe hide when zooming the window (#1270 )	2025-04-26 00:06:10 +08:00
dkeven	23816103c9	fix: correct minVersion in version.hint to follow semver spec (#1269 )	2025-04-26 00:05:44 +08:00
0x7fffff92	62489d4ba4	feat: Tailscale for admin user uses tun interface (#1267 ) Co-authored-by: 0x7fffff92 <0x7fffff92@example.com>	2025-04-25 10:58:04 +08:00
huaiyuan	e0803fa6e0	studio: create files err in application page (#1266 ) fix: create files err in application page	2025-04-25 10:57:39 +08:00
dkeven	366b81cf46	fix: create crd in helm post-install hook (#1263 )	2025-04-25 10:56:18 +08:00
lovehunter9	f7b21a42c7	fix: files-server rename and cut/paste of smb bugfix (#1261 )	2025-04-24 15:37:23 +08:00
berg	62ad10d8d8	settings: update settings backup function (#1258 ) feat: update settings backup function	2025-04-24 13:53:59 +08:00
huaiyuan	d9cef165ac	files: notify message when user cancels upload (#1256 )	2025-04-24 00:25:01 +08:00
aby913	7e4b82fff6	backup-server: snapshot progress notification blocking (#1255 ) backup-server: snapshot progress notification blocking causing status abnormality	2025-04-24 00:24:34 +08:00
aby913	64c92e5103	fix: lldap usergroup sync, backup notify improve (#1253 )	2025-04-23 21:45:27 +08:00
hysyeah	0b7da9bf7a	fix: add studio server envoy timeout (#1250 ) fix: add studio envoy timeout	2025-04-23 21:08:53 +08:00
eball	c1d5c4e98c	olaresd: list more wifi access points (#1249 ) * olaresd: list more wifi access points * Update components	2025-04-23 21:05:58 +08:00
yyh	ae95f1e607	ControlHub: fix workloads operation layout (#1248 ) fix(controlHub): fix workloads style disorder in small size	2025-04-22 23:51:06 +08:00
aby913	d772842f4b	backup-server: add notification, improve api interface (#1246 )	2025-04-22 23:50:01 +08:00
simon	8f7584f719	fix: knowledge feed edit and label save bug (#1245 ) knowledge	2025-04-22 23:49:16 +08:00
eball	c0f8b391c6	olaresd: support mounting read-only samba share path (#1243 )	2025-04-22 23:47:47 +08:00
dkeven	3ff2d30b48	feat(installer): collect more logs (#1240 )	2025-04-22 20:55:03 +08:00
huaiyuan	0a8f0c558d	files&files-server: add support mount SMB IP (#1238 ) files-server: add support mount SMB IP	2025-04-22 20:54:18 +08:00
wiy	d59eb5856e	fix: settings frontend add ACL port ui bug (#1237 )	2025-04-22 20:53:55 +08:00
aby913	e90df6cd78	backup-server: fix backup to s3, improve api interface (#1235 )	2025-04-22 11:10:10 +08:00
eball	04e3fcd71b	olaresd: mark as mounted (#1234 )	2025-04-21 21:01:48 +08:00
eball	e74726c5ec	tapr: replace nxdomain with noerror (#1232 )	2025-04-21 21:01:18 +08:00
eball	e6478aa77c	otel: run collector as user 1000 (#1231 )	2025-04-21 21:00:55 +08:00
berg	bba3083752	market: Update the error message when the user has insufficient resources during app preflight (#1229 ) feat: market v0.3.10 release	2025-04-19 01:18:52 +08:00
aby913	5b6973a6ab	backup-server: api interface enhancement (#1227 )	2025-04-19 01:17:45 +08:00
huaiyuan	99185c4729	studio&controlHub: coding in olares by studio (#1225 ) * studio&controlHub: coding in olares by studio * feat: studio server image tag --------- Co-authored-by: hys <hysyeah@gmail.com>	2025-04-19 01:16:44 +08:00
eball	bd631167f5	olaresd: allow mounting a subpath of the share point (#1223 ) * olaresd: allow mounting a subpath of the share point * Update components	2025-04-19 01:15:49 +08:00
aby913	8e3ddfb8af	backup-server: resolved restoration from space and COS using backupUr… (#1222 ) backup-server: resolved restoration from space and COS using backupUrl, enhanced API interface data format	2025-04-17 23:32:27 +08:00
simon	71ccfd34c6	fix(knowledge): recommend install and uninstall error (#1221 ) knowledge v0.12.1	2025-04-17 23:31:55 +08:00
eball	54bd129c33	olaresd: list samba share names before mounting (#1218 )	2025-04-17 23:30:29 +08:00
hysyeah	c4a88aea86	ks,Installer: node shell add lang env (#1216 )	2025-04-16 23:57:20 +08:00
aby913	11aa89687c	backup-server: restore params invalid, api response data format (#1215 ) backup-server: restore snapshotId invalid, api response data format	2025-04-16 23:56:42 +08:00
simon	ac887e9201	fix(knowledge): redis addr error (#1214 ) redis addr	2025-04-16 20:19:40 +08:00
aby913	e8aa4b3521	backup-server: backup loacal path invalid, api response data format (#1213 )	2025-04-16 00:44:31 +08:00
simon	6f4a091380	fix(knowledge): argo archivelogs and knowledge service error (#1212 ) * mr * bug fix * iarchivelogs	2025-04-15 18:06:24 +08:00
eball	939c9671b9	Update check.yaml	2025-04-15 16:05:07 +08:00
eball	a129ea79ca	Update daily-lint-check.yaml	2025-04-15 15:51:20 +08:00
eball	ce40d04085	olares: lint errors in values.yaml (#1210 ) * olares: lint errors in values.yaml * remove empty lines * fix: lint error in appservice_deploy.yaml * fix: lint error in auth_backend_deploy.yaml * fix: all lint errors * fix: lint errors in backup_server.yaml * fix: lint errors in citus_deployment.yaml * fix: all lint errors * fix: all lint errors --------- Co-authored-by: liuyu <>	2025-04-15 13:18:07 +08:00
aby913	cddc5d1ea9	backup-server: fix backup total size (#1211 )	2025-04-15 00:03:36 +08:00
huaiyuan	130bcb2a6a	files: update Larepass new version to v1.3.50 (#1208 )	2025-04-15 00:01:13 +08:00
Calvin W.	dbb52c5d67	docs: update Olares platform support info (#1207 )	2025-04-15 00:00:35 +08:00
eball	c95c9fb9d2	olares: daily lint check all charts files (#1206 ) Co-authored-by: liuyu <>	2025-04-14 19:04:11 +08:00
simon	6a686098bd	fix(knowledge): db connect error (#1205 ) * secret * secret * pg_password * debug * debug * secret * secret add hook * knowledge	2025-04-14 14:58:12 +08:00