feat(settings-server): upgrade docker node version to 24.0.2 & upgrade nestjs version to 11.1.1

otel: change the go auto-instrumentation image version

.github/PULL_REQUEST_TEMPLATE.md

@@ -7,7 +7,7 @@ Title: <subsystem>:  <what changed>
 * **Target Version for Merge**
 <!-- Specify the version to which these changes need to be merged -->
 
-* ***Related Issues**
+* **Related Issues**
 <!-- Reference any related issues here, if applicable -->
 
 * **PRs Involving Sub-Systems** 

.github/workflows/build-redis.yaml

@@ -20,7 +20,7 @@ jobs:
           bash scripts/build-redis.sh linux/amd64
 
   push-arm64:
-    runs-on: self-hosted
+    runs-on: [self-hosted, linux, ARM64]
 
     steps:
       - name: Clean

.github/workflows/build-wsl2326.yaml

@@ -0,0 +1,20 @@
+name: Build and Upload WSL MSI
+
+on:
+  workflow_dispatch:
+
+jobs:
+  push:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: "Checkout source code"
+        uses: actions/checkout@v3
+
+      # test
+      - env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: "us-east-1"
+        run: |
+          bash scripts/build-wsl-install-msi.sh

.github/workflows/check.yaml

@@ -37,17 +37,8 @@ jobs:
         run: |
           bash scripts/package.sh
 
-      - name: Run chart-testing (list-changed)
-        id: list-changed
-        run: |
-          changed=$(ct list-changed --chart-dirs build/installer/wizard/config --target-branch ${{ github.event.repository.default_branch }})
-          if [[ -n "$changed" ]]; then
-            echo "changed=true" >> "$GITHUB_OUTPUT"
-          fi
-
       - name: Run chart-testing (lint)
-        if: steps.list-changed.outputs.changed == 'true'
-        run: ct lint --chart-dirs build/installer/wizard/config --check-version-increment=false --target-branch ${{ github.event.repository.default_branch }}
+        run: ct lint --chart-dirs build/installer/wizard/config,build/installer/wizard/config/apps,build/installer/wizard/config/gpu --check-version-increment=false --all
 
       # - name: Create kind cluster
       #   if: steps.list-changed.outputs.changed == 'true'
@@ -68,22 +59,6 @@ jobs:
           ref: ${{ github.event.pull_request.head.ref }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
 
-      - name: Install coscmd
-        run: pip install coscmd        
-
-      - name: Configure coscmd
-        env:
-          TENCENT_SECRET_ID: ${{ secrets.TENCENT_SECRET_ID }}
-          TENCENT_SECRET_KEY: ${{ secrets.TENCENT_SECRET_KEY }}
-          COS_BUCKET: ${{ secrets.COS_BUCKET }}
-          COS_REGION: ${{ secrets.COS_REGION }}
-          END_POINT: ${{ secrets.END_POINT }}
-        run: |
-          coscmd config -a $TENCENT_SECRET_ID \
-                        -s $TENCENT_SECRET_KEY \
-                        -b $COS_BUCKET \
-                        -r $COS_REGION 
-
       # test
       - env:
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
@@ -93,7 +68,7 @@ jobs:
           bash scripts/image-manifest.sh && bash scripts/upload-images.sh .manifest/images.mf
 
   push-image-arm64:
-    runs-on: self-hosted
+    runs-on: [self-hosted, linux, ARM64]
 
     steps:
       - name: 'Checkout source code'
@@ -103,22 +78,6 @@ jobs:
           ref: ${{ github.event.pull_request.head.ref }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
 
-      - name: Install coscmd
-        run: pip install coscmd        
-
-      - name: Configure coscmd
-        env:
-          TENCENT_SECRET_ID: ${{ secrets.TENCENT_SECRET_ID }}
-          TENCENT_SECRET_KEY: ${{ secrets.TENCENT_SECRET_KEY }}
-          COS_BUCKET: ${{ secrets.COS_BUCKET }}
-          COS_REGION: ${{ secrets.COS_REGION }}
-          END_POINT: ${{ secrets.END_POINT }}
-        run: |
-          export PATH=$PATH:/usr/local/bin:/home/ubuntu/.local/bin
-          coscmd config -m 10 -p 10 -a $TENCENT_SECRET_ID \
-                        -s $TENCENT_SECRET_KEY \
-                        -b $COS_BUCKET \
-                        -r $COS_REGION 
 
       - env: 
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
@@ -140,22 +99,6 @@ jobs:
           ref: ${{ github.event.pull_request.head.ref }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
 
-      - name: Install coscmd
-        run: pip install coscmd        
-
-      - name: Configure coscmd
-        env:
-          TENCENT_SECRET_ID: ${{ secrets.TENCENT_SECRET_ID }}
-          TENCENT_SECRET_KEY: ${{ secrets.TENCENT_SECRET_KEY }}
-          COS_BUCKET: ${{ secrets.COS_BUCKET }}
-          COS_REGION: ${{ secrets.COS_REGION }}
-          END_POINT: ${{ secrets.END_POINT }}
-        run: |
-          coscmd config -a $TENCENT_SECRET_ID \
-                        -s $TENCENT_SECRET_KEY \
-                        -b $COS_BUCKET \
-                        -r $COS_REGION 
-
       # test
       - env:
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
@@ -165,7 +108,7 @@ jobs:
           bash scripts/deps-manifest.sh && bash scripts/upload-deps.sh
 
   push-deps-arm64:
-    runs-on: self-hosted
+    runs-on: [self-hosted, linux, ARM64]
 
     steps:
       - name: "Checkout source code"
@@ -178,20 +121,6 @@ jobs:
       - name: Install coscmd
         run: pip install coscmd        
 
-      - name: Configure coscmd
-        env:
-          TENCENT_SECRET_ID: ${{ secrets.TENCENT_SECRET_ID }}
-          TENCENT_SECRET_KEY: ${{ secrets.TENCENT_SECRET_KEY }}
-          COS_BUCKET: ${{ secrets.COS_BUCKET }}
-          COS_REGION: ${{ secrets.COS_REGION }}
-          END_POINT: ${{ secrets.END_POINT }}
-        run: |
-          export PATH=$PATH:/usr/local/bin:/home/ubuntu/.local/bin
-          coscmd config -m 10 -p 10 -a $TENCENT_SECRET_ID \
-                        -s $TENCENT_SECRET_KEY \
-                        -b $COS_BUCKET \
-                        -r $COS_REGION 
-
       # test
       - env:
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
@@ -217,7 +146,7 @@ jobs:
       - name: 'Test tag version'
         id: vars
         run: |
-          v=1.11.0-$(echo $RANDOM)
+          v=1.12.0-$(echo $RANDOM)
           echo "tag_version=$v" >> $GITHUB_OUTPUT
 
       - name: Package installer

.github/workflows/daily-lint-check.yaml

@@ -0,0 +1,37 @@
+name: Lint Check Charts
+
+on:
+  schedule:
+    # This is a UTC time
+    - cron: "30 1 * * *"
+  workflow_dispatch:
+
+
+jobs:
+  lint-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+          
+      - name: Set up Helm
+        uses: azure/setup-helm@v3
+        with:
+          version: v3.12.1
+
+      - uses: actions/setup-python@v4
+        with:
+          python-version: '3.9'
+          check-latest: true
+
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@v2.6.0
+      
+      - name: Pre package
+        run: |
+          bash scripts/package.sh
+
+      - name: Run chart-testing (lint)
+        run: |
+          ct lint --chart-dirs build/installer/wizard/config,build/installer/wizard/config/apps,build/installer/wizard/config/gpu --check-version-increment=false --all
+

.github/workflows/push-deps-to-s3.yml

@@ -5,7 +5,7 @@ on:
 
 jobs:
   push:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
 
     steps:
       - name: "Checkout source code"
@@ -36,7 +36,7 @@ jobs:
           bash scripts/deps-manifest.sh && bash scripts/upload-deps.sh
 
   push-arm64:
-    runs-on: self-hosted
+    runs-on: [self-hosted, linux, ARM64]
 
     steps:
       - name: "Checkout source code"

.github/workflows/push-to-s3.yaml

@@ -5,7 +5,7 @@ on:
 
 jobs:
   push:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
 
     steps:
       - name: "Checkout source code"
@@ -36,7 +36,7 @@ jobs:
           bash scripts/image-manifest.sh && bash scripts/upload-images.sh .manifest/images.mf
 
   push-arm64:
-    runs-on: self-hosted
+    runs-on: [self-hosted, linux, ARM64]
 
     steps:
       - name: "Checkout source code"

.github/workflows/release-daily.yaml

@@ -10,28 +10,12 @@ on:
 
 jobs:
   push-images:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
 
     steps:
       - name: 'Checkout source code'
         uses: actions/checkout@v3
 
-      - name: Install coscmd
-        run: pip install coscmd        
-
-      - name: Configure coscmd
-        env:
-          TENCENT_SECRET_ID: ${{ secrets.TENCENT_SECRET_ID }}
-          TENCENT_SECRET_KEY: ${{ secrets.TENCENT_SECRET_KEY }}
-          COS_BUCKET: ${{ secrets.COS_BUCKET }}
-          COS_REGION: ${{ secrets.COS_REGION }}
-          END_POINT: ${{ secrets.END_POINT }}
-        run: |
-          coscmd config -a $TENCENT_SECRET_ID \
-                        -s $TENCENT_SECRET_KEY \
-                        -b $COS_BUCKET \
-                        -r $COS_REGION 
-
       - env: 
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
@@ -40,29 +24,12 @@ jobs:
           bash scripts/image-manifest.sh && bash scripts/upload-images.sh .manifest/images.mf
 
   push-images-arm64:
-    runs-on: self-hosted
+    runs-on: [self-hosted, linux, ARM64]
 
     steps:
       - name: 'Checkout source code'
         uses: actions/checkout@v3
 
-      - name: Install coscmd
-        run: pip install coscmd        
-
-      - name: Configure coscmd
-        env:
-          TENCENT_SECRET_ID: ${{ secrets.TENCENT_SECRET_ID }}
-          TENCENT_SECRET_KEY: ${{ secrets.TENCENT_SECRET_KEY }}
-          COS_BUCKET: ${{ secrets.COS_BUCKET }}
-          COS_REGION: ${{ secrets.COS_REGION }}
-          END_POINT: ${{ secrets.END_POINT }}
-        run: |
-          export PATH=$PATH:/usr/local/bin:/home/ubuntu/.local/bin
-          coscmd config -m 10 -p 10 -a $TENCENT_SECRET_ID \
-                        -s $TENCENT_SECRET_KEY \
-                        -b $COS_BUCKET \
-                        -r $COS_REGION 
-
       - env: 
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
@@ -78,22 +45,6 @@ jobs:
       - name: "Checkout source code"
         uses: actions/checkout@v3
 
-      - name: Install coscmd
-        run: pip install coscmd        
-
-      - name: Configure coscmd
-        env:
-          TENCENT_SECRET_ID: ${{ secrets.TENCENT_SECRET_ID }}
-          TENCENT_SECRET_KEY: ${{ secrets.TENCENT_SECRET_KEY }}
-          COS_BUCKET: ${{ secrets.COS_BUCKET }}
-          COS_REGION: ${{ secrets.COS_REGION }}
-          END_POINT: ${{ secrets.END_POINT }}
-        run: |
-          coscmd config -a $TENCENT_SECRET_ID \
-                        -s $TENCENT_SECRET_KEY \
-                        -b $COS_BUCKET \
-                        -r $COS_REGION 
-
       # test
       - env:
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
@@ -103,29 +54,12 @@ jobs:
           bash scripts/deps-manifest.sh && bash scripts/upload-deps.sh
 
   push-deps-arm64:
-    runs-on: self-hosted
+    runs-on: [self-hosted, linux, ARM64]
 
     steps:
       - name: "Checkout source code"
         uses: actions/checkout@v3
 
-      - name: Install coscmd
-        run: pip install coscmd        
-
-      - name: Configure coscmd
-        env:
-          TENCENT_SECRET_ID: ${{ secrets.TENCENT_SECRET_ID }}
-          TENCENT_SECRET_KEY: ${{ secrets.TENCENT_SECRET_KEY }}
-          COS_BUCKET: ${{ secrets.COS_BUCKET }}
-          COS_REGION: ${{ secrets.COS_REGION }}
-          END_POINT: ${{ secrets.END_POINT }}
-        run: |
-          export PATH=$PATH:/usr/local/bin:/home/ubuntu/.local/bin
-          coscmd config -m 10 -p 10 -a $TENCENT_SECRET_ID \
-                        -s $TENCENT_SECRET_KEY \
-                        -b $COS_BUCKET \
-                        -r $COS_REGION 
-
       # test
       - env:
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
@@ -144,7 +78,7 @@ jobs:
       - name: 'Daily tag version'
         id: vars
         run: |
-          v=1.11.0-$(date +"%Y%m%d")
+          v=1.12.0-$(date +"%Y%m%d")
           echo "tag_version=$v" >> $GITHUB_OUTPUT
 
       - name: 'Checkout source code'
@@ -154,29 +88,6 @@ jobs:
         run: |
           bash scripts/build.sh ${{ steps.vars.outputs.tag_version }}
 
-      - name: Install coscmd
-        run: pip install coscmd        
-
-      - name: Configure coscmd
-        env:
-          TENCENT_SECRET_ID: ${{ secrets.TENCENT_SECRET_ID }}
-          TENCENT_SECRET_KEY: ${{ secrets.TENCENT_SECRET_KEY }}
-          COS_BUCKET: ${{ secrets.COS_BUCKET }}
-          COS_REGION: ${{ secrets.COS_REGION }}
-          END_POINT: ${{ secrets.END_POINT }}
-        run: |
-          export PATH=$PATH:/usr/local/bin:/home/ubuntu/.local/bin
-          coscmd config -m 10 -p 10 -a $TENCENT_SECRET_ID \
-                        -s $TENCENT_SECRET_KEY \
-                        -b $COS_BUCKET \
-                        -r $COS_REGION 
-          
-      # - name: Upload to COS
-      #   run: |
-      #     md5sum install-wizard-v${{ steps.vars.outputs.tag_version }}.tar.gz > install-wizard-v${{ steps.vars.outputs.tag_version }}.md5sum.txt && \
-      #     coscmd upload ./install-wizard-v${{ steps.vars.outputs.tag_version }}.md5sum.txt /install-wizard-v${{ steps.vars.outputs.tag_version }}.md5sum.txt
-      #     coscmd upload ./install-wizard-v${{ steps.vars.outputs.tag_version }}.tar.gz /install-wizard-v${{ steps.vars.outputs.tag_version }}.tar.gz
-
       - name: Upload to S3
         env: 
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
@@ -199,7 +110,7 @@ jobs:
       - name: 'Daily tag version'
         id: vars
         run: |
-          v=1.11.0-$(date +"%Y%m%d")
+          v=1.12.0-$(date +"%Y%m%d")
           echo "tag_version=$v" >> $GITHUB_OUTPUT
           echo "version_md5sum=$(curl -sSfL https://dc3p1870nn3cj.cloudfront.net/install-wizard-v${v}.md5sum.txt|awk '{print $1}')" >> $GITHUB_OUTPUT
 
@@ -230,6 +141,7 @@ jobs:
             build/installer/publicInstaller.sh
             build/installer/install.sh
             build/installer/install.ps1
+            build/installer/joincluster.sh
             build/installer/publicAddnode.sh
             build/installer/version.hint
             build/installer/publicRestoreInstaller.sh

.github/workflows/release.yaml

@@ -10,7 +10,7 @@ on:
 
 jobs:
   push:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
 
     steps:
       - name: 'Checkout source code'
@@ -18,22 +18,6 @@ jobs:
         with:
           ref: ${{ github.event.inputs.tags }}
 
-      - name: Install coscmd
-        run: pip install coscmd        
-
-      - name: Configure coscmd
-        env:
-          TENCENT_SECRET_ID: ${{ secrets.TENCENT_SECRET_ID }}
-          TENCENT_SECRET_KEY: ${{ secrets.TENCENT_SECRET_KEY }}
-          COS_BUCKET: ${{ secrets.COS_BUCKET }}
-          COS_REGION: ${{ secrets.COS_REGION }}
-          END_POINT: ${{ secrets.END_POINT }}
-        run: |
-          coscmd config -a $TENCENT_SECRET_ID \
-                        -s $TENCENT_SECRET_KEY \
-                        -b $COS_BUCKET \
-                        -r $COS_REGION 
-
       - env: 
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
@@ -42,7 +26,7 @@ jobs:
           bash scripts/image-manifest.sh && bash scripts/upload-images.sh .manifest/images.mf
 
   push-arm64:
-    runs-on: self-hosted
+    runs-on: [self-hosted, linux, ARM64]
 
     steps:
       - name: 'Checkout source code'
@@ -50,23 +34,6 @@ jobs:
         with:
           ref: ${{ github.event.inputs.tags }}
 
-      - name: Install coscmd
-        run: pip install coscmd        
-
-      - name: Configure coscmd
-        env:
-          TENCENT_SECRET_ID: ${{ secrets.TENCENT_SECRET_ID }}
-          TENCENT_SECRET_KEY: ${{ secrets.TENCENT_SECRET_KEY }}
-          COS_BUCKET: ${{ secrets.COS_BUCKET }}
-          COS_REGION: ${{ secrets.COS_REGION }}
-          END_POINT: ${{ secrets.END_POINT }}
-        run: |
-          export PATH=$PATH:/usr/local/bin:/home/ubuntu/.local/bin
-          coscmd config -m 10 -p 10 -a $TENCENT_SECRET_ID \
-                        -s $TENCENT_SECRET_KEY \
-                        -b $COS_BUCKET \
-                        -r $COS_REGION 
-
       - env: 
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
@@ -89,29 +56,6 @@ jobs:
         run: |
           bash scripts/build.sh ${{ github.event.inputs.tags }}
 
-      - name: Install coscmd
-        run: pip install coscmd        
-
-      - name: Configure coscmd
-        env:
-          TENCENT_SECRET_ID: ${{ secrets.TENCENT_SECRET_ID }}
-          TENCENT_SECRET_KEY: ${{ secrets.TENCENT_SECRET_KEY }}
-          COS_BUCKET: ${{ secrets.COS_BUCKET }}
-          COS_REGION: ${{ secrets.COS_REGION }}
-          END_POINT: ${{ secrets.END_POINT }}
-        run: |
-          export PATH=$PATH:/usr/local/bin:/home/ubuntu/.local/bin
-          coscmd config -m 10 -p 10 -a $TENCENT_SECRET_ID \
-                        -s $TENCENT_SECRET_KEY \
-                        -b $COS_BUCKET \
-                        -r $COS_REGION 
-          
-      # - name: Upload to COS
-      #   run: |
-      #     md5sum install-wizard-v${{ github.event.inputs.tags }}.tar.gz > install-wizard-v${{ github.event.inputs.tags }}.md5sum.txt && \
-      #     coscmd upload ./install-wizard-v${{ github.event.inputs.tags }}.md5sum.txt /install-wizard-v${{ github.event.inputs.tags }}.md5sum.txt
-      #     coscmd upload ./install-wizard-v${{ github.event.inputs.tags }}.tar.gz /install-wizard-v${{ github.event.inputs.tags }}.tar.gz
-
       - name: Upload to S3
         env: 
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
@@ -174,6 +118,7 @@ jobs:
             build/installer/publicInstaller.latest.ps1
             build/installer/install.ps1
             build/installer/publicAddnode.sh
+            build/installer/joincluster.sh
             build/installer/version.hint
             build/installer/publicRestoreInstaller.sh
           prerelease: true

.gitignore

@@ -27,3 +27,4 @@ install-wizard-*.tar.gz
 olares-cli-*.tar.gz
 !ks-console-*.tgz
 .vscode
+.DS_Store

README.md

@@ -1,6 +1,6 @@
 <div align="center">
 
-# Olares - Your Sovereign Cloud, an Open-Source Self-Hosted Alternative to Public Clouds <!-- omit in toc -->
+# Olares: An Open-Source Sovereign Cloud OS for Local AI<!-- omit in toc -->
 
 [![Mission](https://img.shields.io/badge/Mission-Let%20people%20own%20their%20data%20again-purple)](#)<br/>
 [![Last Commit](https://img.shields.io/github/last-commit/beclab/olares)](https://github.com/beclab/olares/commits/main)
@@ -13,11 +13,12 @@
 <p>
   <a href="./README.md"><img alt="Readme in English" src="https://img.shields.io/badge/English-FFFFFF"></a>
   <a href="./README_CN.md"><img alt="Readme in Chinese" src="https://img.shields.io/badge/简体中文-FFFFFF"></a>
+  <a href="./README_JP.md"><img alt="Readme in Japanese" src="https://img.shields.io/badge/日本語-FFFFFF"></a>
 </p>
 
 </div>
 
-https://github.com/user-attachments/assets/5ea2fe30-7bd2-49ed-be26-e12f1d5d8cb1
+https://github.com/user-attachments/assets/3089a524-c135-4f96-ad2b-c66bf4ee7471
 
 *Build your local AI assistants, sync data across places, self-host your workspace, stream your own media, and more—all in your sovereign cloud made possible by Olares.*
 
@@ -30,32 +31,28 @@ https://github.com/user-attachments/assets/5ea2fe30-7bd2-49ed-be26-e12f1d5d8cb1
 </p>
 
 > [!IMPORTANT]  
-> We just finished our rebranding from Terminus to Olares recently. For more information, refer to our [rebranding blog](https://olares.medium.com/terminus-is-now-olares-2c3bf782f9d1). 
-
-## Table of Contents <!-- omit in toc -->
-- [Introduction](#introduction)
-- [Motivation and design](#motivation-and-design)
-- [Tech stacks](#tech-stacks)
-- [Features](#features)
-- [Feature comparison](#feature-comparison)
-- [Getting started](#getting-started)
-- [Project navigation](#project-navigation)
-- [Contributing to Olares](#contributing-to-olares)
-- [Community \& contact](#community--contact)
-- [Staying ahead](#staying-ahead)
-- [Special thanks](#special-thanks)
+> We just finished our rebranding from Terminus to Olares recently. For more information, refer to our [rebranding blog](https://blog.olares.xyz/terminus-is-now-olares/). 
   
-## Introduction
 
-Olares is the sovereign cloud that puts you in control. It's an open-source, self-hosted alternative to public clouds like AWS, built to reclaim your data ownership and privacy. By combining the power of Kubernetes with a streamlined interface, Olares enables you to take full control of your data and computing resources. Whether you're managing a homelab, hosting applications, or safeguarding your privacy, Olares delivers the flexibility and capabilities of public clouds, without compromising privacy or security.
+Convert your hardware into an AI home server with Olares, an open-source sovereign cloud OS built for local AI. 
 
-Typical use cases of Olares include:
+- **Run leading AI models on your term**s: Effortlessly host powerful open AI models like LLaMA, Stable Diffusion, Whisper, and Flux.1 directly on your hardware, giving you full control over your AI environment.
+- **Deploy with ease**: Discover and install a wide range of open-source AI apps from Olares Market in a few clicks. No more complicated configuration or setup.
+- **Access anytime, anywhere**: Access your AI apps and models through a browser whenever and wherever you need them.
+- **Integrated AI for smarter AI experience**: Using a [Model Context Protocol](https://spec.modelcontextprotocol.io/specification/) (MCP)-like mechanism, Olares seamlessly connects AI models with AI apps and your private data sets. This creates highly personalized, context-aware AI interactions that adapt to your needs.
 
-🤖 **Local AI**: Host and run world-class open-source AI models locally, including large language models, image generation, and speech recognition. Create custom AI assistants that integrate seamlessly with your personal data and applications, all while ensuring enhanced privacy and control. <br>
 
-💻**Personal data repository**: Securely store, sync, and manage your photos, documents, and important files in a unified storage and access anywhere. <br>
+> 🌟 *Star us to receive instant notifications about new releases and updates.* 
 
-🛠️ **Self-hosted workspace**: Create a free, powerful workspace for your team or family with open source self-hosted alternatives. <br>
+## Why Olares?
+
+Here is why and where you can count on Olares for private, powerful, and secure sovereign cloud experience:
+
+🤖 **Edge AI**: Run cutting-edge open AI models locally, including large language models, computer vision, and speech recognition. Create private AI services tailored to your data for enhanced functionality and privacy. <br>
+
+📊 **Personal data repository**: Securely store, sync, and manage your important files, photos, and documents across devices and locations.<br>
+
+🚀 **Self-hosted workspace**: Build a free collaborative workspace for your team using secure, open-source SaaS alternatives.<br>
 
 🎥 **Private media server**: Host your own streaming services with your personal media collections. <br>
 
@@ -65,21 +62,30 @@ Typical use cases of Olares include:
 
 📚 **Learning platform**: Explore self-hosting, container orchestration, and cloud technologies hands-on.
 
-## Motivation and design
+## Getting started
 
-We believe the current state of the internet, where user data is centralized and exploited by monopolistic corporations, is deeply flawed. Our goal is to empower individuals with true data ownership and control.
+### System compatibility
 
-Olares provides a next-generation decentralized Internet framework consisting of the following three integral components:  
+Olares has been tested and verified on the following Linux platforms:
 
-- **Snowinning Protocol**: A decentralized identity and reputation system that integrates decentralized identifiers (DIDs), verifiable credentials (VCs), and reputation data. 
-- **Olares OS**: An one-stop self-hosted operating system running on edge devices, allowing users to host their own data and applications.  
-- **LarePass**: A comprehensive client software that securely bridges users to their Olares systems. It offers remote access, identity and device management, data storage, and productivity tools, providing a seamless interface for all Olares interactions.  
+- Ubuntu 20.04 LTS or later 
+- Debian 11 or later
 
-## Tech stacks
+> **Other installation options**
+> Olares can also be installed on other platforms like macOS, Windows, PVE, and Raspberry Pi, or installed via docker compose on Linux. However, these are only for **testing and development purposes**. For detailed instructions, visit [Additional installation options](https://docs.olares.xyz/developer/install/additional-installations.html).
 
- Public clouds have IaaS, PaaS, and SaaS layers. Olares provides open-source alternatives to these layers.
+### Set up Olares
+To get started with Olares on your own device, follow the [Getting Started Guide](https://docs.olares.xyz/manual/get-started/) for step-by-step instructions.
 
-  ![Tech Stacks](https://file.bttcdn.com/github/terminus/v2/tech-stack-olares.jpeg)
+## Architecture 
+
+Olares' architecture is based on two core principles:
+- Adopts an Android-like approach to control software permissions and interactivity, ensuring smooth and secure system operations.
+- Leverages cloud-native technologies to manage hardware and middleware services efficiently.
+
+  ![Olares Architecture](https://file.bttcdn.com/github/terminus/v2/olares-arch-3.png)
+
+ For detailed description of each component, refer to [Olares architecture](https://docs.olares.xyz/manual/system-architecture.html).
 
 ## Features
 
@@ -94,62 +100,6 @@ Olares offers a wide array of features designed to enhance security, ease of use
 - **Seamless anywhere access**: Access your devices from anywhere using dedicated clients for mobile, desktop, and browsers.
 - **Development tools**: Comprehensive development tools for effortless application development and porting.
 
-## Feature comparison
-
-To help you understand how Olares stands out in the landscape, we've created a comparison table that highlights its features alongside those of other leading solutions in the market.
-
-**Legend:** 
-
-- 🚀: **Auto**, indicates that the system completes the task automatically.
-- ✅: **Yes**, indicates that users without a developer background can complete the setup through the product's UI prompts.
-- 🛠️: **Manual Configuration**, indicates that even users with an engineering background need to refer to tutorials to complete the setup.
-- ❌:  **No**, indicates that the feature is not supported.
-
-| | Olares | Synology | TrueNAS | CasaOS | Unraid |
-| --- | --- | --- | --- | --- | --- |
-| Source Code License | Olares License | Closed | GPL 3.0 | Apache 2.0 | Closed |
-| Built On | Kubernetes | Linux | Kubernetes | Docker | Docker |
-| Multi-Node | ✅   | ❌   | ✅   | ❌   | ❌   |
-| Build-in Apps | ✅ (Rich desktop apps) | ✅ (Rich desktop apps) | ❌ (CLI) | ✅ (Simple desktop apps) | ✅ (Dashboard) |
-| Free Domain Name | ✅   | ✅   | ❌   | ❌   | ❌   |
-| Auto SSL Certificate | 🚀  | ✅   | 🛠️ | 🛠️ | 🛠️ |
-| Reverse Proxy | 🚀  | ✅   | 🛠️ | 🛠️ | 🛠️ |
-| VPN Management | 🚀  | 🛠️ | 🛠️ | 🛠️ | 🛠️ |
-| Graded App Entrance | 🚀  | 🛠️ | 🛠️ | 🛠️ | 🛠️ |
-| Multi-User Management | ✅ User management <br>🚀 Resource isolation | ✅ User management<br>🛠️ Resource isolation | ✅ User management<br>🛠️ Resource isolation | ❌   | ✅ User management  <br>🛠️ Resource isolation |
-| Single Login for All Apps | 🚀  | ❌   | ❌   | ❌   |  ❌   |
-| Cross-Node Storage | 🚀 (Juicefs+<br>MinIO) | ❌   | ❌   | ❌   | ❌   |
-| Database Solution | 🚀 (Built-in cloud-native solution) | 🛠️ | 🛠️ | 🛠️ | 🛠️ |
-| Disaster Recovery | 🚀 (MinIO's [**Erasure Coding**](https://min.io/docs/minio/linux/operations/concepts/erasure-coding.html)**)** | ✅ RAID | ✅ RAID | ✅ RAID | ✅ Unraid Storage |
-| Backup | ✅ App Data  <br>✅ User Data | ✅ User Data | ✅ User Data | ✅ User Data | ✅ User Data |
-| App Sandboxing | ✅   | ❌   | ❌ (K8S's namespace) | ❌   | ❌   |
-| App Ecosystem | ✅ (Official + third-party) | ✅ (Majorly official apps) | ✅ (Official + third-party submissions) | ✅ Majorly official apps | ✅ (Community app market) |
-| Developer Friendly | ✅ IDE  <br>✅ CLI  <br>✅ SDK  <br>✅ Doc | ✅ CLI  <br>✅ SDK  <br>✅ Doc | ✅ CLI  <br>✅ Doc | ✅ CLI  <br>✅ Doc | ✅ Doc |
-| Local LLM Hosting | 🚀  | 🛠️ | 🛠️ | 🛠️ | 🛠️ |
-| Local LLM app development | 🚀 | 🛠️ | 🛠️ | 🛠️ | 🛠️ |
-| Client Platforms | ✅ Android  <br>✅ iOS  <br>✅ Windows  <br>✅ Mac  <br>✅ Chrome Plugin | ✅ Android  <br>✅ iOS | ❌   | ❌   | ❌   |
-| Client Functionality | ✅ (All-in-one client app) | ✅ (14 separate client apps) | ❌   | ❌   |  ❌   |
-
-## Getting started
-
-### System compatibility
-Olares is available for Linux, Raspberry Pi, Mac, and Windows. It has been tested and verified on the following systems:
-
-| Platform            | Operating system                     | Notes                                                 |
-|---------------------|--------------------------------------|-------------------------------------------------------|
-| Linux               | Ubuntu 24.04 <br/> Debian 12.8       |                                                       |
-| Raspberry Pi        | RaspbianOS                           | Verified on Raspberry Pi 4 Model B and Raspberry Pi 5 |
-| Windows             | Windows 11 23H2 <br/>Windows 10 22H2 |                                                       |
-| Mac (Apple silicon) | macOS Ventura 13.3.1               |                                                       |
-| Proxmox VE (PVE)    | Proxmox Virtual Environment 8.0      |                                                       |
-
-> **Note**
-> 
-> If you successfully install Olares on an operating system that is not listed in the compatibility table, please let us know! You can [open an issue](https://github.com/beclab/Olares/issues/new) or submit a pull request on our GitHub repository.
-
-### Set up Olares
-To get started with Olares on your own device, follow the [Getting Started Guide](https://docs.olares.xyz/manual/get-started/) for step-by-step instructions.
-
 ## Project navigation
 
 Olares consists of numerous code repositories publicly available on GitHub. The current repository is responsible for the final compilation, packaging, installation, and upgrade of the operating system, while specific changes mostly take place in their corresponding repositories.
@@ -240,14 +190,6 @@ https://docs.olares.xyz/developer/contribute/olares.html
 * [**GitHub Issues**](https://github.com/beclab/olares/issues). Best for filing bugs you encounter using Olares and submitting feature proposals. 
 * [**Discord**](https://discord.com/invite/BzfqrgQPDK). Best for sharing anything Olares.
 
-## Staying ahead
-
-Star the Olares project to receive instant notifications about new releases and updates.
-
- 
-![star us](https://file.bttcdn.com/github/terminus/terminus.git.v2.gif)
- 
-
 ## Special thanks
 
 The Olares project has incorporated numerous third-party open source projects, including: [Kubernetes](https://kubernetes.io/), [Kubesphere](https://github.com/kubesphere/kubesphere), [Padloc](https://padloc.app/), [K3S](https://k3s.io/), [JuiceFS](https://github.com/juicedata/juicefs), [MinIO](https://github.com/minio/minio), [Envoy](https://github.com/envoyproxy/envoy), [Authelia](https://github.com/authelia/authelia), [Infisical](https://github.com/Infisical/infisical), [Dify](https://github.com/langgenius/dify), [Seafile](https://github.com/haiwen/seafile),[HeadScale](https://headscale.net/), [tailscale](https://tailscale.com/), [Redis Operator](https://github.com/spotahome/redis-operator), [Nitro](https://nitro.jan.ai/), [RssHub](http://rsshub.app/), [predixy](https://github.com/joyieldInc/predixy), [nvshare](https://github.com/grgalex/nvshare), [LangChain](https://www.langchain.com/), [Quasar](https://quasar.dev/), [TrustWallet](https://trustwallet.com/), [Restic](https://restic.net/), [ZincSearch](https://zincsearch-docs.zinc.dev/), [filebrowser](https://filebrowser.org/), [lego](https://go-acme.github.io/lego/), [Velero](https://velero.io/), [s3rver](https://github.com/jamhall/s3rver), [Citusdata](https://www.citusdata.com/).

README_CN.md

@@ -1,6 +1,6 @@
 <div align="center">
 
-# Olares - 您的主权云，一个开源自托管的公有云替代方案<!-- omit in toc -->
+# Olares - 为本地 AI 打造的开源私有云操作系统<!-- omit in toc -->
 
 [![Mission](https://img.shields.io/badge/Mission-Let%20people%20own%20their%20data%20again-purple)](#)<br/>
 [![Last Commit](https://img.shields.io/github/last-commit/beclab/terminus)](https://github.com/beclab/olares/commits/main)
@@ -13,12 +13,13 @@
 <p>
   <a href="./README.md"><img alt="Readme in English" src="https://img.shields.io/badge/English-FFFFFF"></a>
   <a href="./README_CN.md"><img alt="Readme in Chinese" src="https://img.shields.io/badge/简体中文-FFFFFF"></a>
+  <a href="./README_JP.md"><img alt="Readme in Japanese" src="https://img.shields.io/badge/日本語-FFFFFF"></a>
 </p>
 
 </div>
 
 
-[![cover](https://file.bttcdn.com/github/terminus/desktop-dark.jpeg)](https://github.com/user-attachments/assets/5ea2fe30-7bd2-49ed-be26-e12f1d5d8cb1)
+https://github.com/user-attachments/assets/3089a524-c135-4f96-ad2b-c66bf4ee7471
 
 *Olares 让你体验更多可能：构建个人 AI 助理、随时随地同步数据、自托管团队协作空间、打造私人影视厅——无缝整合你的数字生活。*
 
@@ -30,31 +31,25 @@
   <a href="https://space.olares.xyz">Olares Space</a>
 </p>
 
-## 目录 <!-- omit in toc -->
-
-- [介绍](#介绍)
-- [动机与设计](#动机与设计)
-- [技术栈](#技术栈)
-- [功能](#功能)
-- [功能对比](#功能对比)
-- [快速开始](#快速开始)
-- [项目目录](#项目目录)
-- [社区贡献](#社区贡献)
-- [社区支持](#社区支持)
-- [持续关注](#持续关注)
-- [特别感谢](#特别感谢)
-  
 ## 介绍
 
-Olares 是一个让您完全掌控的主权云平台。它是一个开源的、自托管的公有云替代方案，旨在帮助您重获数据所有权和隐私控制权。通过将Kubernetes的强大功能与简化的用户界面相结合，Olares使您能够完全掌控自己的数据和计算资源。无论您是在管理家庭实验环境、部署应用程序，还是保护个人隐私，Olares都能提供与公有云同等的灵活性和功能，同时确保您的隐私和安全不受损害。
+Olares 是为本地端侧 AI 打造的开源私有云操作系统，可轻松将您的硬件转变为 AI 家庭服务器。
+- 运行领先 AI 模型：在您的硬件上轻松部署并掌控 LLaMA、Stable Diffusion、Whisper 和 Flux.1 等顶尖开源 AI 模型。
+- 轻松部署 AI 应用：通过 Olares 应用市场，轻松部署丰富多样的开源 AI 应用。无需复杂繁琐的配置。
+- 随心访问：通过浏览器随时随地访问你的 AI 应用。
+- 更智能的专属 AI 体验：通过类似[模型上下文协议](https://spec.modelcontextprotocol.io/specification/)（Model Context Protocol, MCP）的机制，Olares 可让 AI 模型无缝连接 AI 应用与您的私人数据集，提供基于任务场景的个性化 AI 体验。
 
-Olares 支持以下应用场景：
+> 为 Olares 点亮 🌟 以及时获取新版本和更新的通知。
+
+## 为什么选择 Olares?
+
+在以下场景中，Olares 为您带来私密、强大且安全的私有云体验：
 
 🤖**本地 AI 助手**：在本地部署运行顶级开源 AI 模型，涵盖语言处理、图像生成和语音识别等领域。根据个人需求定制 AI 助手，确保数据隐私和控制权均处于自己手中。<br>
 
 💻**个人数据仓库**：所有个人文件，包括照片、文档和重要资料，都可以在这个安全的统一平台上存储和同步，随时随地都能方便地访问。<br>
 
-🛠️**自托管工作空间**：利用开源解决方案，无需成本即可为家庭或工作团队搭建一个功能强大的工作空间。<br>
+🛠️**自托管工作空间**：利用开源 SaaS 平替方案，无需成本即可为家庭或工作团队搭建一个功能强大的工作空间。<br>
 
 🎥**私人媒体服务器**：用自己的视频和音乐库搭建一个私人流媒体服务，随时享受个性化的娱乐体验。<br>
 
@@ -64,22 +59,32 @@ Olares 支持以下应用场景：
 
 📚**学习探索**：深入学习自托管服务、容器技术和云计算，并上手实践。<br>
 
-## 动机与设计
+## 快速开始
 
-我们深知当前互联网的局限性——用户的数据被主流互联网或云服务公司掌控，并用于其商业利益。我们致力于改变这一现状，希望通过 Olares 赋予用户真正的数据所有权和控制权。
+### 系统兼容性
 
-Olares 为此提供了一套全新的去中心化互联网框架，主要包括以下三个部分：
+Olares 已在以下 Linux 平台完成测试与验证：
 
-- **Snowinning Protocol**：一个去中心化的身份和声誉系统，融合了去中心化标识符（DIDs）、可验证凭证（VCs）以及声誉数据，帮助用户在网络世界中安全地管理自己的身份。
-- **Olares**：一个专为边缘设备设计的自托管操作系统，用户可以在此系统上自主托管自己的数据和应用，确保数据的私密性和安全性。
-- **LarePass**：一款功能全面的客户端软件，通过安全的方式将用户与其 Olares 系统连接起来。它不仅支持远程访问、身份和设备管理，还提供数据存储和各种办公工具，让用户高效管理其日常工作和个人数据。
+- Ubuntu 20.04 LTS 及以上版本
+- Debian 11 及以上版本
 
-## 技术栈
-公有云具有基础设施即服务（IaaS）、平台即服务（PaaS）和软件即服务（SaaS）等层级。Olares 为这些层级提供了开源替代方案。
+> **其他安装方式**
+> Olares 也支持在 macOS、Windows、PVE、树莓派等平台上运行，或通过 Docker Compose 在 Linux 上部署。但请注意，这些方式**仅适用于开发和测试环境**。详细安装指南请参阅[其他安装方式](https://docs.joinolares.cn/zh/developer/install/additional-installations.html)。
 
-  ![技术栈](https://file.bttcdn.com/github/terminus/v2/tech-stack-olares.jpeg)
+### 安装 Olares
+ 
+参考[快速上手指南](https://docs.joinolares.cn/zh/manual/get-started/)安装并激活 Olares。
 
-## 功能
+## 系统架构
+Olares 的架构设计遵循两个核心原则：
+- 参考 Android 模式，控制软件权限和交互性，确保系统的流畅性和安全性。
+- 借鉴云原生技术，高效管理硬件和中间件服务。
+
+  ![架构](https://file.bttcdn.com/github/terminus/v2/olares-arch-3.png)
+
+详细描述请参考 [Olares 架构](https://docs.joinolares.cn/zh/manual/system-architecture.html)文档。
+
+## 功能特性
 
 Olares 提供了一系列功能，旨在提升安全性、使用便捷性以及开发的灵活性：
 
@@ -92,65 +97,6 @@ Olares 提供了一系列功能，旨在提升安全性、使用便捷性以及
 - **无缝访问**：通过移动端、桌面端和网页浏览器客户端，从全球任何地方访问设备。
 - **开发工具**：提供全面的工具支持，便于开发和移植应用，加速开发进程。
 
-## 功能对比
-
-为了帮您快速了解 Olares 在市场中的独特优势，我们制作了一张功能比较表，详细展示了 Olares 的功能以及与市场上其他主流解决方案的对比。
-
-**图例：** 
-
-- 🚀: **自动** - 表示系统自动完成任务。
-- ✅: **支持** - 表示无开发背景的用户可以通过产品的 UI 提示完成设置。
-- 🛠️: **手动配置** - 表示即使是有工程背景的用户也需要参考教程来完成设置。
-- ❌: **不支持** - 表示不支持该功能。
-
-| | Olares | 群晖 | TrueNAS | CasaOS | Unraid |
-| --- | --- | --- | --- | --- | --- |
-| 源代码许可证 | Olares 许可证 | 闭源 | GPL 3.0 | Apache 2.0 | 闭源 |
-| 开发 | Kubernetes | Linux | Kubernetes | Docker | Docker |
-| 多节点支持 | ✅   | ❌   | ✅   | ❌   | ❌   |
-| 内置应用 | ✅（桌面应用丰富）| ✅（桌面应用丰富） | ❌ (CLI) | ✅ （桌面应用较少） | ✅（面板） |
-| 免费域名 | ✅   | ✅   | ❌   | ❌   | ❌   |
-| 自动 SSL 证书 | 🚀  | ✅   | 🛠️ | 🛠️ | 🛠️ |
-| 反向代理 | 🚀  | ✅   | 🛠️ | 🛠️ | 🛠️ |
-| VPN 管理 | 🚀  | 🛠️ | 🛠️ | 🛠️ | 🛠️ |
-| 分级应用入口 | 🚀  | 🛠️ | 🛠️ | 🛠️ | 🛠️ |
-| 多用户管理 | ✅ 用户管理 <br>🚀 资源隔离 | ✅ 用户管理 <br>🛠️ 资源隔离 | ✅ 用户管理<br>🛠️ 资源隔离 | ❌   | ✅ 用户管理  <br>🛠️ 资源隔离 |
-| 单一登录 | 🚀  | ❌   | ❌   | ❌   |  ❌   |
-| 跨节点存储 | 🚀 (Juicefs+<br>MinIO) | ❌   | ❌   | ❌   | ❌   |
-| 数据库解决方案 | 🚀 (内置云原生解决方案) | 🛠️ | 🛠️ | 🛠️ | 🛠️ |
-| 灾难恢复 | 🚀 (MinIO的[**纠错码**](https://min.io/docs/minio/linux/operations/concepts/erasure-coding.html)**)** | ✅ RAID | ✅ RAID | ✅ RAID | ✅ Unraid Storage |
-| 备份 | ✅ 应用数据  <br>✅ 用户数据 | ✅ 用户数据 | ✅ 用户数据 | ✅ 用户数据 | ✅ 用户数据 |
-| 应用沙盒 | ✅   | ❌   | ❌ （K8S的命名空间） | ❌   | ❌   |
-| 应用生态系统 | ✅ （官方 + 第三方应用） | ✅ （官方应用为主） | ✅ （官方应用 + 第三方提交）| ✅ （官方应用为主） | ✅ （社区应用市场） |
-| 开发者友好 | ✅ IDE  <br>✅ CLI  <br>✅ SDK  <br>✅ 文档| ✅ CLI  <br>✅ SDK  <br>✅ 文档 | ✅ CLI  <br>✅ 文档 | ✅ CLI  <br>✅ 文档 | ✅ 文档 |
-| 本地 LLM 部署 | 🚀  | 🛠️ | 🛠️ | 🛠️ | 🛠️ |
-| 本地 LLM 应用开发 | 🚀  | 🛠️ | 🛠️ | 🛠️ | 🛠️ |
-| 客户端 | ✅ Android  <br>✅ iOS  <br>✅ Windows  <br>✅ Mac  <br>✅ Chrome 插件 | ✅ Android  <br>✅ iOS | ❌   | ❌   | ❌   |
-| 客户端功能 | ✅ （一体化客户端应用） | ✅ （14个分散的客户端应用）| ❌   | ❌   |  ❌   |
-
-## 快速开始
-
-### 系统兼容性
-你可以在 Linux、Raspberry Pi、Mac 和 Windows 上安装 Olares。目前已验证支持的系统环境如下：
-
-| 平台            | 操作系统                     | 备注                                                 |
-|---------------------|--------------------------------------|-------------------------------------------------------|
-| Linux               | Ubuntu 24.04 <br/> Debian 12.8       |                                                       |
-| Raspberry Pi        | RaspbianOS                           | 已在 Raspberry Pi 4 Model B 和 Raspberry Pi 5 上验证|
-| Windows             | Windows 11 23H2 <br/>Windows 10 22H2 |                                                       |
-| Mac (Apple Silicon) | macOS Ventura 13.3.1               |                                                       |
-| Proxmox VE (PVE)    | Proxmox Virtual Environment 8.0      |                                                       |
-
-> **注意**
-> 
-> 如果你在未列出的系统版本上成功安装了 Olares，请告诉我们！你可以在 GitHub 仓库中[提交 Issue](https://github.com/beclab/Olares/issues/new) 或发起 Pull Request。
-
-### 安装 Olares
-
-> 当前文档仅有英文版本。
- 
-参考[快速上手指南](https://docs.olares.xyz/manual/get-started/)安装并激活 Olares。
-
 ## 项目目录
 
 Olares 包含多个在 GitHub 上公开可用的代码仓库。当前仓库负责操作系统的最终编译、打包、安装和升级，而特定的更改主要在各自对应的仓库中进行。
@@ -241,14 +187,6 @@ https://docs.olares.xyz/developer/contribute/olares.html
 * [**GitHub Discussion**](https://github.com/beclab/olares/discussions) - 讨论 Olares 使用过程中的疑问。
 * [**GitHub Issues**](https://github.com/beclab/olares/issues) - 报告 Olares 的遇到的问题或提出功能改进建议。
 * [**Discord**](https://discord.com/invite/BzfqrgQPDK) - 日常交流，分享经验，或讨论与 Olares 相关的任何主题。
- 
-## 持续关注
-
-关注 Olares 项目，及时获取新版本和更新的通知。
-
- 
-![点亮星标](https://file.bttcdn.com/github/terminus/terminus.git.v2.gif)
- 
 
 ## 特别感谢
 

README_JP.md

@@ -0,0 +1,193 @@
+<div align="center">
+
+# Olares: ローカルAIのためのオープンソース主権クラウドOS<!-- omit in toc -->
+
+[![Mission](https://img.shields.io/badge/Mission-Let%20people%20own%20their%20data%20again-purple)](#)<br/>
+[![Last Commit](https://img.shields.io/github/last-commit/beclab/olares)](https://github.com/beclab/olares/commits/main)
+![Build Status](https://github.com/beclab/olares/actions/workflows/release-daily.yaml/badge.svg)
+[![GitHub release (latest by date)](https://img.shields.io/github/v/release/beclab/olares)](https://github.com/beclab/olares/releases)
+[![GitHub Repo stars](https://img.shields.io/github/stars/beclab/olares?style=social)](https://github.com/beclab/olares/stargazers)
+[![Discord](https://img.shields.io/badge/Discord-7289DA?logo=discord&logoColor=white)](https://discord.com/invite/BzfqrgQPDK)
+[![License](https://img.shields.io/badge/License-Olares-darkblue)](https://github.com/beclab/olares/blob/main/LICENSE.md)
+
+<p>
+  <a href="./README.md"><img alt="Readme in English" src="https://img.shields.io/badge/English-FFFFFF"></a>
+  <a href="./README_CN.md"><img alt="Readme in Chinese" src="https://img.shields.io/badge/简体中文-FFFFFF"></a>
+  <a href="./README_JP.md"><img alt="Readme in Japanese" src="https://img.shields.io/badge/日本語-FFFFFF"></a>
+</p>
+
+</div>
+
+https://github.com/user-attachments/assets/3089a524-c135-4f96-ad2b-c66bf4ee7471
+
+*Olaresを使って、ローカルAIアシスタントを構築し、データを場所を問わず同期し、ワークスペースをセルフホストし、独自のメディアをストリーミングし、その他多くのことを実現できます。*
+
+<p align="center">
+  <a href="https://olares.xyz">ウェブサイト</a> ·
+  <a href="https://docs.olares.xyz">ドキュメント</a> ·
+  <a href="https://olares.xyz/larepass">LarePassをダウンロード</a> ·
+  <a href="https://github.com/beclab/apps">Olaresアプリ</a> ·
+  <a href="https://space.olares.xyz">Olares Space</a>
+</p>
+
+> [!IMPORTANT]  
+> 最近、TerminusからOlaresへのリブランディングを完了しました。詳細については、[リブランディングブログ](https://blog.olares.xyz/terminus-is-now-olares/)をご覧ください。
+
+Olaresを使用して、ハードウェアをAIホームサーバーに変換します。Olaresは、ローカルAIのためのオープンソース主権クラウドOSです。
+
+- **最先端のAIモデルを自分の条件で実行**: LLaMA、Stable Diffusion、Whisper、Flux.1などの強力なオープンAIモデルをハードウェア上で簡単にホストし、AI環境を完全に制御します。
+- **簡単にデプロイ**: Olares Marketから幅広いオープンソースAIアプリを数クリックで発見してインストールします。複雑な設定やセットアップは不要です。
+- **いつでもどこでもアクセス**: ブラウザを通じて、必要なときにAIアプリやモデルにアクセスします。
+- **統合されたAIでスマートなAI体験**: [Model Context Protocol](https://spec.modelcontextprotocol.io/specification/)（MCP）に似たメカニズムを使用して、OlaresはAIモデルとAIアプリ、およびプライベートデータセットをシームレスに接続します。これにより、ニーズに応じて適応する高度にパーソナライズされたコンテキスト対応のAIインタラクションが実現します。
+
+> 🌟 *新しいリリースや更新についての通知を受け取るために、スターを付けてください。*
+
+## なぜOlaresなのか？
+
+以下の理由とシナリオで、Olaresはプライベートで強力かつ安全な主権クラウド体験を提供します：
+
+🤖 **エッジAI**: 最先端のオープンAIモデルをローカルで実行し、大規模言語モデル、コンピュータビジョン、音声認識などを含みます。データに合わせてプライベートAIサービスを作成し、機能性とプライバシーを向上させます。<br>
+
+📊 **個人データリポジトリ**: 重要なファイル、写真、ドキュメントを安全に保存し、デバイスや場所を問わず同期および管理します。<br>
+
+🚀 **セルフホストワークスペース**: 安全なオープンソースSaaS代替品を使用して、チームのための無料のコラボレーションワークスペースを構築します。<br>
+
+🎥 **プライベートメディアサーバー**: 個人のメディアコレクションをホストし、独自のストリーミングサービスを提供します。<br>
+
+🏡 **スマートホームハブ**: IoTデバイスやホームオートメーションの中央制御ポイントを作成します。<br>
+
+🤝 **ユーザー所有の分散型ソーシャルメディア**: Mastodon、Ghost、WordPressなどの分散型ソーシャルメディアアプリをOlaresに簡単にインストールし、プラットフォームの手数料やアカウント停止のリスクなしに個人ブランドを構築します。<br>
+
+📚 **学習プラットフォーム**: セルフホスティング、コンテナオーケストレーション、クラウド技術を実践的に学びます。
+
+## はじめに
+
+### システム互換性
+
+Olaresは以下のLinuxプラットフォームで動作検証を完了しています：
+
+- Ubuntu 20.04 LTS 以降
+- Debian 11 以降
+
+> **追加インストール手順**
+> Olares は macOS、Windows、PVE、Raspberry Pi などのプラットフォームや、Linux 上での Docker Compose を用いたインストールにも対応しています。>ただし、これらの方法は開発およびテスト環境専用です。詳しくは[追加インストール手順](https://docs.olares.xyz/developer/install/additional-installations.html)をご参照ください。
+
+### Olaresのセットアップ
+自分のデバイスでOlaresを始めるには、[はじめにガイド](https://docs.olares.xyz/manual/get-started/)に従ってステップバイステップの手順を確認してください。
+
+## アーキテクチャ
+
+Olaresのアーキテクチャは、次の2つの基本原則に基づいています：
+- Androidの設計思想を取り入れ、ソフトウェアの権限と対話性を制御することで、システムの安全かつ円滑な運用を実現します。
+- クラウドネイティブ技術を活用し、ハードウェアとミドルウェアサービスを効率的に管理します。
+
+  ![Olaresのアーキテクチ](https://file.bttcdn.com/github/terminus/v2/olares-arch-3.png)
+
+各コンポーネントの詳細については、[Olares アーキテクチャ](https://docs.olares.xyz/manual/system-architecture.html)（英語版）をご参照ください。
+
+## 機能
+
+Olaresは、セキュリティ、使いやすさ、開発の柔軟性を向上させるための幅広い機能を提供します：
+
+- **エンタープライズグレードのセキュリティ**: Tailscale、Headscale、Cloudflare Tunnel、FRPを使用してネットワーク構成を簡素化します。
+- **安全で許可のないアプリケーションエコシステム**: サンドボックス化によりアプリケーションの分離とセキュリティを確保します。
+- **統一ファイルシステムとデータベース**: 自動スケーリング、バックアップ、高可用性を提供します。
+- **シングルサインオン**: 一度ログインするだけで、Olares内のすべてのアプリケーションに共有認証サービスを使用してアクセスできます。
+- **AI機能**: GPU管理、ローカルAIモデルホスティング、プライベートナレッジベースの包括的なソリューションを提供し、データプライバシーを維持します。
+- **内蔵アプリケーション**: ファイルマネージャー、同期ドライブ、ボールト、リーダー、アプリマーケット、設定、ダッシュボードを含みます。
+- **どこからでもシームレスにアクセス**: モバイル、デスクトップ、ブラウザ用の専用クライアントを使用して、どこからでもデバイスにアクセスできます。
+- **開発ツール**: アプリケーションの開発と移植を容易にする包括的な開発ツールを提供します。
+
+## プロジェクトナビゲーション
+
+Olaresは、GitHubで公開されている多数のコードリポジトリで構成されています。現在のリポジトリは、オペレーティングシステムの最終コンパイル、パッケージング、インストール、およびアップグレードを担当しており、特定の変更は主に対応するリポジトリで行われます。
+
+以下の表は、Olaresのプロジェクトディレクトリと対応するリポジトリを一覧にしたものです。興味のあるものを見つけてください：
+
+<details>
+<summary><b>フレームワークコンポーネント</b></summary>
+  
+| ディレクトリ | リポジトリ | 説明 |
+| --- | --- | --- |
+| [frameworks/app-service](https://github.com/beclab/olares/tree/main/frameworks/app-service) | <https://github.com/beclab/app-service> | システムフレームワークコンポーネントで、システム内のすべてのアプリのライフサイクル管理とさまざまなセキュリティ制御を提供します。 |
+| [frameworks/backup-server](https://github.com/beclab/olares/tree/main/frameworks/backup-server) | <https://github.com/beclab/backup-server> | システムフレームワークコンポーネントで、定期的なフルまたは増分クラスターのバックアップサービスを提供します。 |
+| [frameworks/bfl](https://github.com/beclab/olares/tree/main/frameworks/bfl) | <https://github.com/beclab/bfl> | ランチャーのバックエンド（BFL）、ユーザーアクセスポイントとして機能し、さまざまなバックエンドサービスのインターフェースを集約およびプロキシします。 |
+| [frameworks/GPU](https://github.com/beclab/olares/tree/main/frameworks/GPU) | <https://github.com/grgalex/nvshare> | 複数のプロセス（またはKubernetes上で実行されるコンテナ）が同じ物理GPU上で同時に安全に実行できるようにするGPU共有メカニズムで、各プロセスが全GPUメモリを利用できます。 |
+| [frameworks/l4-bfl-proxy](https://github.com/beclab/olares/tree/main/frameworks/l4-bfl-proxy) | <https://github.com/beclab/l4-bfl-proxy> | BFLの第4層ネットワークプロキシ。SNIを事前に読み取ることで、ユーザーのIngressに通過する動的ルートを提供します。 |
+| [frameworks/osnode-init](https://github.com/beclab/olares/tree/main/frameworks/osnode-init) | <https://github.com/beclab/osnode-init> | 新しいノードがクラスターに参加する際にノードデータを初期化するシステムフレームワークコンポーネント。 |
+| [frameworks/system-server](https://github.com/beclab/olares/tree/main/frameworks/system-server) | <https://github.com/beclab/system-server> | システムランタイムフレームワークの一部として、アプリ間のセキュリティコールのメカニズムを提供します。 |
+| [frameworks/tapr](https://github.com/beclab/olares/tree/main/frameworks/tapr) | <https://github.com/beclab/tapr> | Olaresアプリケーションランタイムコンポーネント。 |
+</details>
+
+<details>
+<summary><b>システムレベルのアプリケーションとサービス</b></summary>
+  
+| ディレクトリ | リポジトリ | 説明 |
+| --- | --- | --- |
+| [apps/analytic](https://github.com/beclab/olares/tree/main/apps/analytic) | <https://github.com/beclab/analytic> | [Umami](https://github.com/umami-software/umami)に基づいて開発されたAnalyticは、Google Analyticsのシンプルで高速、プライバシー重視の代替品です。 |
+| [apps/market](https://github.com/beclab/olares/tree/main/apps/market) | <https://github.com/beclab/market> | このリポジトリは、Olaresのアプリケーションマーケットのフロントエンド部分をデプロイします。 |
+| [apps/market-server](https://github.com/beclab/olares/tree/main/apps/market-server) | <https://github.com/beclab/market> | このリポジトリは、Olaresのアプリケーションマーケットのバックエンド部分をデプロイします。 |
+| [apps/argo](https://github.com/beclab/olares/tree/main/apps/argo) | <https://github.com/argoproj/argo-workflows> | ローカル推奨アルゴリズムのコンテナ実行をオーケストレーションするワークフローエンジン。 |
+| [apps/desktop](https://github.com/beclab/olares/tree/main/apps/desktop) | <https://github.com/beclab/desktop> | システムの内蔵デスクトップアプリケーション。 |
+| [apps/devbox](https://github.com/beclab/olares/tree/main/apps/devbox) | <https://github.com/beclab/devbox> | Olaresアプリケーションの移植と開発のための開発者向けIDE。 |
+| [apps/vault](https://github.com/beclab/olares/tree/main/apps/vault) | <https://github.com/beclab/termipass> | [Padloc](https://github.com/padloc/padloc)に基づいて開発された、あらゆる規模のチームや企業向けの無料の1PasswordおよびBitwardenの代替品。DID、Olares ID、およびOlaresデバイスの管理を支援するクライアントとして機能します。 |
+| [apps/files](https://github.com/beclab/olares/tree/main/apps/files) | <https://github.com/beclab/files> | [Filebrowser](https://github.com/filebrowser/filebrowser)から変更された内蔵ファイルマネージャーで、Drive、Sync、およびさまざまなOlares物理ノード上のファイルの管理を提供します。 |
+| [apps/notifications](https://github.com/beclab/olares/tree/main/apps/notifications) | <https://github.com/beclab/notifications> | Olaresの通知システム |
+| [apps/profile](https://github.com/beclab/olares/tree/main/apps/profile) | <https://github.com/beclab/profile> | OlaresのLinktree代替品 |
+| [apps/rsshub](https://github.com/beclab/olares/tree/main/apps/rsshub) | <https://github.com/beclab/rsshub> | [RssHub](https://github.com/DIYgod/RSSHub)に基づいたRSS購読管理ツール。 |
+| [apps/settings](https://github.com/beclab/olares/tree/main/apps/settings) | <https://github.com/beclab/settings> | 内蔵システム設定。 |
+| [apps/system-apps](https://github.com/beclab/olares/tree/main/apps/system-apps) | <https://github.com/beclab/system-apps> | _kubesphere/console_プロジェクトに基づいて構築されたsystem-serviceは、視覚的なダッシュボードと機能豊富なControlHubを通じて、システムの実行状態とリソース使用状況を理解し、制御するためのセルフホストクラウドプラットフォームを提供します。 |
+| [apps/wizard](https://github.com/beclab/olares/tree/main/apps/wizard) | <https://github.com/beclab/wizard> | ユーザーにシステムのアクティベーションプロセスを案内するウィザードアプリケーション。 |
+</details>
+
+<details>
+<summary><b>サードパーティコンポーネントとサービス</b></summary>
+
+| ディレクトリ | リポジトリ | 説明 |
+| --- | --- | --- |
+| [third-party/authelia](https://github.com/beclab/olares/tree/main/third-party/authelia) | <https://github.com/beclab/authelia> | Webポータルを介してアプリケーションに二要素認証とシングルサインオン（SSO）を提供するオープンソースの認証および認可サーバー。 |
+| [third-party/headscale](https://github.com/beclab/olares/tree/main/third-party/headscale) | <https://github.com/beclab/headscale> | OlaresでのTailscaleコントロールサーバーのオープンソース自ホスト実装で、LarePassで異なるデバイス間でTailscaleを管理します。 |
+| [third-party/infisical](https://github.com/beclab/olares/tree/main/third-party/infisical) | <https://github.com/beclab/infisical> | チーム/インフラストラクチャ間でシークレットを同期し、シークレットの漏洩を防ぐオープンソースのシーク<E383BC><E382AF>ッ<EFBFBD><E38383>管理プラットフォーム。 |
+| [third-party/juicefs](https://github.com/beclab/olares/tree/main/third-party/juicefs) | <https://github.com/beclab/juicefs-ext> | RedisとS3の上に構築された分散POSIXファイルシステムで、異なるノード上のアプリがPOSIXインターフェースを介して同じデータにアクセスできるようにします。 |
+| [third-party/ks-console](https://github.com/beclab/olares/tree/main/third-party/ks-console) | <https://github.com/kubesphere/console> | Web GUIを介してクラスター管理を可能にするKubesphereコンソール。 |
+| [third-party/ks-installer](https://github.com/beclab/olares/tree/main/third-party/ks-installer) | <https://github.com/beclab/ks-installer-ext> | クラスターリソース定義に基づいて自動的にKubesphereクラスターを作成するKubesphereインストーラーコンポーネント。 |
+| [third-party/kube-state-metrics](https://github.com/beclab/olares/tree/main/third-party/kube-state-metrics) | <https://github.com/beclab/kube-state-metrics> | kube-state-metrics（KSM）は、Kubernetes APIサーバーをリッスンし、オブジェクトの状態に関するメトリックを生成するシンプルなサービスです。 |
+| [third-party/notification-manager](https://github.com/beclab/olares/tree/main/third-party/notification-manager) | <https://github.com/beclab/notification-manager-ext> | 複数の通知チャネルの統一管理と通知内容のカスタム集約を提供するKubesphereの通知管<E79FA5><E7AEA1>コンポーネント。 |
+| [third-party/predixy](https://github.com/beclab/olares/tree/main/third-party/predixy) | <https://github.com/beclab/predixy> | 利用可能なノードを自動的に識別し、名前空間の分離を追加するRedisクラスターのプロキシサービス。 |
+| [third-party/redis-cluster-operator](https://github.com/beclab/olares/tree/main/third-party/redis-cluster-operator) | <https://github.com/beclab/redis-cluster-operator> | Kubernetesに基づいてRedisクラスターを作成および管理するためのクラウドネイティブツール。 |
+| [third-party/seafile-server](https://github.com/beclab/olares/tree/main/third-party/seafile-server) | <https://github.com/beclab/seafile-server> | データストレージを処理するSeafile（同期ドライブ）のバックエンドサービス。 |
+| [third-party/seahub](https://github.com/beclab/olares/tree/main/third-party/seahub) | <https://github.com/beclab/seahub> | ファイル共有、データ同期などを処理するSeafile（同期ドライブ）のフロントエンドおよびミドルウェアサービス。 |
+| [third-party/tailscale](https://github.com/beclab/olares/tree/main/third-party/tailscale) | <https://github.com/tailscale/tailscale> | TailscaleはすべてのプラットフォームのLarePassに統合されています。 |
+</details>
+
+<details>
+<summary><b>追加のライブラリとコンポーネント</b></summary>
+
+| ディレクトリ | リポジトリ | 説明 |
+| --- | --- | --- |
+| [build/installer](https://github.com/beclab/olares/tree/main/build/installer) |     | インストーラービルドを生成するためのテンプレート。 |
+| [build/manifest](https://github.com/beclab/olares/tree/main/build/manifest) |     | インストールビルドイメージリストテンプレート。 |
+| [libs/fs-lib](https://github.com/beclab/olares/tree/main/libs) | <https://github.com/beclab/fs-lib> | JuiceFSに基づいて実装されたiNotify互換インターフェースのSDKライブラリ。 |
+| [scripts](https://github.com/beclab/olares/tree/main/scripts) |     | インストーラービルドを生成するための補助スクリプト。 |
+</details>
+
+## Olaresへの貢献
+
+あらゆる形での貢献を歓迎します：
+
+- Olaresで独自のアプリケーションを開発したい場合は、以下を参照してください：<br>
+https://docs.olares.xyz/developer/develop/
+
+
+- Olaresの改善に協力したい場合は、以下を参照してください：<br>
+https://docs.olares.xyz/developer/contribute/olares.html
+
+## コミュニティと連絡先
+
+* [**GitHub Discussion**](https://github.com/beclab/olares/discussions). フィードバックの共有や質問に最適です。
+* [**GitHub Issues**](https://github.com/beclab/olares/issues). Olaresの使用中に遭遇したバグの報告や機能提案の提出に最適です。 
+* [**Discord**](https://discord.com/invite/BzfqrgQPDK). Olaresに関するあらゆることを共有するのに最適です。
+
+## 特別な感謝
+
+Olaresプロジェクトは、次のような多数のサードパーティオープンソースプロジェクトを統合しています：[Kubernetes](https://kubernetes.io/)、[Kubesphere](https://github.com/kubesphere/kubesphere)、[Padloc](https://padloc.app/)、[K3S](https://k3s.io/)、[JuiceFS](https://github.com/juicedata/juicefs)、[MinIO](https://github.com/minio/minio)、[Envoy](https://github.com/envoyproxy/envoy)、[Authelia](https://github.com/authelia/authelia)、[Infisical](https://github.com/Infisical/infisical)、[Dify](https://github.com/langgenius/dify)、[Seafile](https://github.com/haiwen/seafile)、[HeadScale](https://headscale.net/)、 [tailscale](https://tailscale.com/)、[Redis Operator](https://github.com/spotahome/redis-operator)、[Nitro](https://nitro.jan.ai/)、[RssHub](http://rsshub.app/)、[predixy](https://github.com/joyieldInc/predixy)、[nvshare](https://github.com/grgalex/nvshare)、[LangChain](https://www.langchain.com/)、[Quasar](https://quasar.dev/)、[TrustWallet](https://trustwallet.com/)、[Restic](https://restic.net/)、[ZincSearch](https://zincsearch-docs.zinc.dev/)、[filebrowser](https://filebrowser.org/)、[lego](https://go-acme.github.io/lego/)、[Velero](https://velero.io/)、[s3rver](https://github.com/jamhall/s3rver)、[Citusdata](https://www.citusdata.com/)。

apps/argo/config/cluster/deploy/argo-task.yaml

@@ -0,0 +1,67 @@
+{{- $namespace := printf "%s" "os-system" -}}
+{{- $rss_secret := (lookup "v1" "Secret" $namespace "rss-secrets") -}}
+{{- $password := "" -}}
+{{ if $rss_secret -}}
+{{ $password = (index $rss_secret "data" "pg_password") }}
+{{ else -}}
+{{ $password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
+{{- $redis_password := "" -}}
+{{ if $rss_secret -}}
+{{ $redis_password = (index $rss_secret "data" "redis_password") }}
+{{ else -}}
+{{ $redis_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
+
+{{- $redis_password_data := "" -}}
+{{ $redis_password_data = $redis_password | b64dec }}
+
+{{- $pg_password_data := "" -}}
+{{ $pg_password_data = $password | b64dec }}
+
+{{- $pg_user :=  printf "%s" "argo_os_system" -}}
+{{- $pg_user = $pg_user | b64enc -}}
+
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: rss-secrets
+  namespace: os-system
+type: Opaque
+data:
+  pg_user: {{ $pg_user }}
+  pg_password: {{ $password }}
+  redis_password: {{ $redis_password }}
+
+---
+
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: rss-pg
+  namespace: os-system
+spec:
+  app: rss
+  appNamespace: os-system
+  middleware: postgres
+  postgreSQL:
+    user: argo_os_system
+    password: 
+      valueFrom:
+        secretKeyRef:
+          key: pg_password
+          name: rss-secrets
+    databases:
+    - name: rss
+    - name: rss_v1
+    - name: argo
+
+
+
+
+
+    

apps/argo/config/cluster/deploy/server-crb.yaml

@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: os-system:argoworkflows
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: argoworkflows
+subjects:
+  - kind: ServiceAccount
+    name: argoworkflows
+    namespace: os-system
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: os-system:argoworkflows-cluster-template
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: argoworkflows-cluster-template
+subjects:
+  - kind: ServiceAccount
+    name: argoworkflows
+    namespace: os-system

apps/argo/config/cluster/deploy/server-deployment.yaml

@@ -0,0 +1,85 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: argoworkflows
+  namespace: os-system
+  labels:
+    app: argoworkflows
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    applications.app.bytetrade.io/icon: https://argoproj.github.io/argo-workflows/assets/logo.png
+    applications.app.bytetrade.io/title: argoworkflows
+    applications.app.bytetrade.io/version: '0.35.0'
+spec:
+  selector:
+    matchLabels:
+      app: argoworkflows
+  template:
+    metadata:
+      labels:
+        app: argoworkflows
+    spec:
+      serviceAccountName: argoworkflows
+      containers:
+        - name: argo-server
+          image: quay.io/argoproj/argocli:v3.5.0
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+          args:
+            - server
+            - --configmap=argoworkflow-workflow-controller-configmap
+            - "--auth-mode=server"
+            - "--secure=false"
+            - "--x-frame-options="
+            - "--loglevel"
+            - "debug"
+            - "--gloglevel"
+            - "0"
+            - "--log-format"
+            - "text"
+          ports:
+            - name: web
+              containerPort: 2746
+          readinessProbe:
+            httpGet:
+              path: /
+              port: 2746
+              scheme: HTTP
+            initialDelaySeconds: 10
+            periodSeconds: 20
+          env:
+            - name: IN_CLUSTER
+              value: "true"
+            - name: ARGO_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: metadata.namespace
+            - name: BASE_HREF
+              value: /
+          volumeMounts:
+            - name: tmp
+              mountPath: /tmp
+        
+      volumes:
+        - name: tmp
+          emptyDir: {}
+      nodeSelector:
+        kubernetes.io/os: linux
+      tolerations:
+        - key: node.kubernetes.io/not-ready
+          operator: Exists
+          effect: NoExecute
+          tolerationSeconds: 300
+        - key: node.kubernetes.io/unreachable
+          operator: Exists
+          effect: NoExecute
+          tolerationSeconds: 300
+      
+

apps/argo/config/cluster/deploy/server-sa.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: argoworkflows
+  namespace: os-system
+  

apps/argo/config/cluster/deploy/server-service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: argoworkflows-svc
+  namespace: os-system
+spec:
+  ports:
+  - port: 2746
+    name: http
+    protocol: TCP
+    targetPort: 2746
+  selector:
+    app: argoworkflows
+  sessionAffinity: None
+  type: ClusterIP
+  

apps/argo/config/cluster/deploy/workflow-controller-config-map.yaml

@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argoworkflow-workflow-controller-configmap
+  namespace: os-system
+data:
+  config: |
+    instanceID: os-system
+    artifactRepository:
+      archiveLogs: true
+      s3:
+        accessKeySecret:
+          key: AWS_ACCESS_KEY_ID
+          name: argo-workflow-log-fakes3
+        secretKeySecret:
+          key: AWS_SECRET_ACCESS_KEY
+          name: argo-workflow-log-fakes3
+        bucket: mongo-backup
+        endpoint: tapr-s3-svc:4568
+        insecure: true
+    persistence:
+      connectionPool:
+        maxIdleConns: 5
+        maxOpenConns: 0
+      archive: true
+      archiveTTL: 5d
+      postgresql:
+        host: citus-headless.os-system
+        port: 5432
+        database: os_system_argo
+        tableName: argo_workflows
+        userNameSecret:
+          name: rss-secrets
+          key: pg_user
+        passwordSecret:
+          name: rss-secrets
+          key: pg_password
+    nodeEvents:
+      enabled: true
+

apps/argo/config/cluster/deploy/workflow-controller-crb.yaml

@@ -0,0 +1,27 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: os-system:argoworkflow-workflow-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: argoworkflow-workflow-controller
+subjects:
+  - kind: ServiceAccount
+    name: argoworkflow-workflow-controller
+    namespace: os-system
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: os-system:argoworkflow-workflow-controller-cluster-template
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: argoworkflow-workflow-controller-cluster-template
+subjects:
+  - kind: ServiceAccount
+    name: argoworkflow-workflow-controller
+    namespace: os-system
+

apps/argo/config/cluster/deploy/workflow-controller-deployment.yaml

@@ -0,0 +1,89 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: argoworkflow-workflow-controller
+  namespace: os-system
+  labels:
+    app.kubernetes.io/component: workflow-controller
+    app.kubernetes.io/instance: argo
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: argoworkflows-workflow-controller
+    app.kubernetes.io/part-of: argo-workflows
+    app.kubernetes.io/version: v3.5.0
+    helm.sh/chart: argoworkflows-0.35.0
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: argo
+      app.kubernetes.io/name: argoworkflows-workflow-controller
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: workflow-controller
+        app.kubernetes.io/instance: argo
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: argoworkflows-workflow-controller
+        app.kubernetes.io/part-of: argo-workflows
+        app.kubernetes.io/version: v3.5.0
+        helm.sh/chart: argoworkflows-0.35.0
+    spec:
+      serviceAccountName: argoworkflow-workflow-controller
+      serviceAccount: argoworkflow-workflow-controller
+      schedulerName: default-scheduler
+      containers:
+        - name: controller
+          image: quay.io/argoproj/workflow-controller:v3.5.0
+          imagePullPolicy: IfNotPresent
+          command: [ "workflow-controller" ]
+          args:
+          - "--configmap"
+          - "argoworkflow-workflow-controller-configmap"
+          - "--executor-image"
+          - "quay.io/argoproj/argoexec:v3.5.0"
+          - "--loglevel"
+          - "debug"
+          - "--gloglevel"
+          - "0"
+          - "--log-format"
+          - "text"
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+            runAsNonRoot: true
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+          env:
+            - name: ARGO_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: metadata.namespace
+            - name: LEADER_ELECTION_IDENTITY
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: metadata.name
+          
+          ports:
+            - name: metrics
+              containerPort: 9090
+              protocol: TCP
+            - containerPort: 6060
+              protocol: TCP
+          livenessProbe: 
+            httpGet:
+              path: /healthz
+              port: 6060
+              scheme: HTTP
+            initialDelaySeconds: 90
+            timeoutSeconds: 30
+            periodSeconds: 60
+            successThreshold: 1
+            failureThreshold: 3
+
+      nodeSelector:
+        kubernetes.io/os: linux
+      
+     

apps/argo/config/cluster/deploy/workflow-controller-sa.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: argoworkflow-workflow-controller
+  namespace: os-system

apps/argo/config/cluster/deploy/workflow-controller-secrets.yaml

@@ -5,7 +5,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: argo-workflow-log-fakes3
-  namespace: {{ .Release.Namespace }}
+  namespace: os-system
 type: Opaque
 stringData:
   AWS_ACCESS_KEY_ID: S3RVER
@@ -16,7 +16,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: workflow-role
-  namespace: {{ .Release.Namespace }}
+  namespace: os-system
 rules:
 - apiGroups:
   - "*"
@@ -30,10 +30,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: workflow-rolebinding
-  namespace: {{ .Release.Namespace }}
+  namespace: os-system
 subjects:
   - kind: ServiceAccount
-    namespace: {{ .Release.Namespace }}
+    namespace: os-system
     name: default
 roleRef:
   kind: Role

apps/argo/config/cluster/deploy/workflow-rb.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: argoworkflow-workflow
+  namespace: os-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: argoworkflow-workflow
+subjects:
+  - kind: ServiceAccount
+    name: argo-workflow
+    namespace: os-system

apps/argo/config/cluster/deploy/workflow-role.yaml

@@ -1,10 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: {{ template "argo-workflows.fullname" $ }}-workflow
-  labels:
-    {{- include "argo-workflows.labels" (dict "context" $ "component" $.Values.controller.name "name" $.Values.controller.name) | nindent 4 }}
-  namespace: {{ $.Release.Namespace}}
+  name: argoworkflow-workflow
+  namespace: os-system
 rules:
   - apiGroups:
       - ""

apps/argo/config/user/helm-charts/argo/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-name: rss
+name: argo
 description: A Helm chart for Kubernetes
 maintainers:
 - name: bytetrade

apps/argo/config/user/helm-charts/argo/charts/argoworkflows/Chart.yaml

@@ -1,39 +0,0 @@
-apiVersion: v2
-name: argoworkflows
-description: A Helm chart for Argo Workflows
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.35.0
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "v3.5.0"
-
-icon: https://argoproj.github.io/argo-workflows/assets/logo.png
-home: https://github.com/argoproj/argo-helm
-sources:
-  - https://github.com/argoproj/argo-workflows
-maintainers:
-  - name: argoproj
-    url: https://argoproj.github.io/
-annotations:
-  artifacthub.io/signKey: |
-    fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252
-    url: https://argoproj.github.io/argo-helm/pgp_keys.asc
-  artifacthub.io/changes: |
-    - kind: changed
-      description: Upgrade to Argo Workflows v3.4.10

apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/NOTES.txt

@@ -1,7 +0,0 @@
-1. Get Argo Server external IP/domain by running:
-
-kubectl --namespace {{ .Release.Namespace }} get services -o wide | grep {{ template "argo-workflows.server.fullname" . }}
-
-2. Submit the hello-world workflow by running:
-
-argo submit https://raw.githubusercontent.com/argoproj/argo-workflows/master/examples/hello-world.yaml --watch

apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/_helpers.tpl

@@ -1,189 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-
-{{/*
-Create argo workflows server name and version as used by the chart label.
-*/}}
-{{- define "argo-workflows.server.fullname-bak" -}}
-{{- printf "%s-%s" (include "argo-workflows.fullname" .) .Values.server.name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{- define "argo-workflows.server.fullname" -}}
-argoworkflows
-{{- end -}}
-
-{{/*
-Create controller name and version as used by the chart label.
-*/}}
-{{- define "argo-workflows.controller.fullname" -}}
-{{- printf "%s-%s" (include "argo-workflows.fullname" .) .Values.controller.name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "argo-workflows.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-*/}}
-{{/*{{- define "argo-workflows.fullname" -}}*/}}
-{{/*{{- if .Values.fullnameOverride -}}*/}}
-{{/*{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}*/}}
-{{/*{{- else -}}*/}}
-{{/*{{- $name := default .Chart.Name .Values.nameOverride -}}*/}}
-{{/*{{- if contains $name .Release.Name -}}*/}}
-{{/*{{- .Release.Name | trunc 63 | trimSuffix "-" -}}*/}}
-{{/*{{- else -}}*/}}
-{{/*{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}*/}}
-{{/*{{- end -}}*/}}
-{{/*{{- end -}}*/}}
-{{/*{{- end -}}*/}}
-
-{{- define "argo-workflows.fullname" -}}
-argoworkflow
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "argo-workflows.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create kubernetes friendly chart version label for the controller.
-Examples:
-image.tag = v3.4.4
-output    = v3.4.4
-
-image.tag = v3.4.4@sha256:d06860f1394a94ac3ff8401126ef32ba28915aa6c3c982c7e607ea0b4dadb696
-output    = v3.4.4
-*/}}
-{{- define "argo-workflows.controller_chart_version_label" -}}
-{{- regexReplaceAll "[^a-zA-Z0-9-_.]+" (regexReplaceAll "@sha256:[a-f0-9]+" (default (include "argo-workflows.defaultTag" .) .Values.controller.image.tag) "") "" | trunc 63 | quote -}}
-{{- end -}}
-
-{{/*
-Create kubernetes friendly chart version label for the server.
-Examples:
-image.tag = v3.4.4
-output    = v3.4.4
-
-image.tag = v3.4.4@sha256:d06860f1394a94ac3ff8401126ef32ba28915aa6c3c982c7e607ea0b4dadb696
-output    = v3.4.4
-*/}}
-{{- define "argo-workflows.server_chart_version_label" -}}
-{{- regexReplaceAll "[^a-zA-Z0-9-_.]+" (regexReplaceAll "@sha256:[a-f0-9]+" (default (include "argo-workflows.defaultTag" .) .Values.server.image.tag) "") "" | trunc 63 | quote -}}
-{{- end -}}
-
-{{/*
-Common labels
-*/}}
-{{- define "argo-workflows.labels" -}}
-helm.sh/chart: {{ include "argo-workflows.chart" .context }}
-{{ include "argo-workflows.selectorLabels" (dict "context" .context "component" .component "name" .name) }}
-app.kubernetes.io/managed-by: {{ .context.Release.Service }}
-app.kubernetes.io/part-of: argo-workflows
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "argo-workflows.selectorLabels" -}}
-{{- if .name -}}
-app.kubernetes.io/name: {{ include "argo-workflows.name" .context }}-{{ .name }}
-{{ end -}}
-app.kubernetes.io/instance: {{ .context.Release.Name }}
-{{- if .component }}
-app.kubernetes.io/component: {{ .component }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create the name of the server service account to use
-*/}}
-{{- define "argo-workflows.serverServiceAccountName" -}}
-{{- if .Values.server.serviceAccount.create -}}
-    {{ default (include "argo-workflows.server.fullname" .) .Values.server.serviceAccount.name }}
-{{- else -}}
-    {{ default "default" .Values.server.serviceAccount.name }}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create the name of the controller service account to use
-*/}}
-{{- define "argo-workflows.controllerServiceAccountName" -}}
-{{- if .Values.controller.serviceAccount.create -}}
-    {{ default (include "argo-workflows.controller.fullname" .) .Values.controller.serviceAccount.name }}
-{{- else -}}
-    {{ default "default" .Values.controller.serviceAccount.name }}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Return the appropriate apiVersion for ingress
-*/}}
-{{- define "argo-workflows.ingress.apiVersion" -}}
-{{- if semverCompare "<1.14-0" (include "argo-workflows.kubeVersion" $) -}}
-{{- print "extensions/v1beta1" -}}
-{{- else if semverCompare "<1.19-0" (include "argo-workflows.kubeVersion" $) -}}
-{{- print "networking.k8s.io/v1beta1" -}}
-{{- else -}}
-{{- print "networking.k8s.io/v1" -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Return the target Kubernetes version
-*/}}
-{{- define "argo-workflows.kubeVersion" -}}
-  {{- default .Capabilities.KubeVersion.Version .Values.kubeVersionOverride }}
-{{- end -}}
-
-{{/*
-Return the default Argo Workflows app version
-*/}}
-{{- define "argo-workflows.defaultTag" -}}
-  {{- default .Chart.AppVersion .Values.images.tag }}
-{{- end -}}
-
-{{/*
-Return full image name including or excluding registry based on existence
-*/}}
-{{- define "argo-workflows.image" -}}
-{{- if and .image.registry .image.repository -}}
-  {{ .image.registry }}/{{ .image.repository }}
-{{- else -}}
-  {{ .image.repository }}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Return the appropriate apiVersion for autoscaling
-*/}}
-{{- define "argo-workflows.apiVersion.autoscaling" -}}
-{{- if .Values.apiVersionOverrides.autoscaling -}}
-{{- print .Values.apiVersionOverrides.autoscaling -}}
-{{- else if semverCompare "<1.23-0" (include "argo-workflows.kubeVersion" .) -}}
-{{- print "autoscaling/v2beta1" -}}
-{{- else -}}
-{{- print "autoscaling/v2" -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Return the appropriate apiVersion for GKE resources
-*/}}
-{{- define "argo-workflows.apiVersions.cloudgoogle" -}}
-{{- if .Values.apiVersionOverrides.cloudgoogle -}}
-{{- print .Values.apiVersionOverrides.cloudgoogle -}}
-{{- else if .Capabilities.APIVersions.Has "cloud.google.com/v1" -}}
-{{- print "cloud.google.com/v1" -}}
-{{- else -}}
-{{- print "cloud.google.com/v1beta1" -}}
-{{- end -}}
-{{- end -}}

apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/controller/workflow-controller-config-map.yaml

@@ -1,208 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ template "argo-workflows.controller.fullname" . }}-configmap
-  namespace: {{ .Release.Namespace | quote }}
-  labels:
-    {{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" "cm") | nindent 4 }}
-data:
-  config: |
-    {{- if .Values.controller.instanceID.enabled }}
-      {{- if .Values.controller.instanceID.useReleaseName }}
-    instanceID: {{ .Release.Namespace }}
-      {{- else }}
-    instanceID: {{ .Values.controller.instanceID.explicitID }}
-      {{- end }}
-    {{- end }}
-    {{- if .Values.controller.parallelism }}
-    parallelism: {{ .Values.controller.parallelism }}
-    {{- end }}
-    {{- if .Values.controller.resourceRateLimit }}
-    resourceRateLimit: {{ toYaml .Values.controller.resourceRateLimit | nindent 6 }}
-    {{- end }}
-    {{- with .Values.controller.namespaceParallelism }}
-    namespaceParallelism: {{ . }}
-    {{- end }}
-    {{- with .Values.controller.initialDelay }}
-    initialDelay: {{ . }}
-    {{- end }}
-    {{- if or .Values.mainContainer.resources .Values.mainContainer.env .Values.mainContainer.envFrom .Values.mainContainer.securityContext}}
-    mainContainer:
-      imagePullPolicy: {{ default (.Values.images.pullPolicy) .Values.mainContainer.imagePullPolicy }}
-      {{- with .Values.mainContainer.resources }}
-      resources: {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.mainContainer.env }}
-      env: {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.mainContainer.envFrom }}
-      envFrom: {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.mainContainer.securityContext }}
-      securityContext: {{- toYaml . | nindent 8 }}
-      {{- end }}
-    {{- end }}
-    {{- if or .Values.executor.resources .Values.executor.env .Values.executor.args .Values.executor.securityContext}}
-    executor:
-      imagePullPolicy: {{ default (.Values.images.pullPolicy) .Values.executor.image.pullPolicy }}
-      {{- with .Values.executor.resources }}
-      resources: {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.executor.args }}
-      args: {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.executor.env }}
-      env: {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.executor.securityContext }}
-      securityContext: {{- toYaml . | nindent 8 }}
-      {{- end }}
-    {{- end }}
-    {{- if or .Values.artifactRepository.s3 .Values.artifactRepository.gcs .Values.artifactRepository.azure .Values.customArtifactRepository }}
-    artifactRepository:
-      {{- if .Values.artifactRepository.archiveLogs }}
-      archiveLogs: {{ .Values.artifactRepository.archiveLogs }}
-      {{- end }}
-      {{- with .Values.artifactRepository.gcs }}
-      gcs: {{- tpl (toYaml .) $ | nindent 8 }}
-      {{- end }}
-      {{- with .Values.artifactRepository.azure }}
-      azure: {{- tpl (toYaml .) $ | nindent 8 }}
-      {{- end }}
-      {{- if .Values.artifactRepository.s3 }}
-      s3:
-        {{- if .Values.useStaticCredentials }}
-        accessKeySecret:
-          key: {{ tpl .Values.artifactRepository.s3.accessKeySecret.key . }}
-          name: {{ tpl .Values.artifactRepository.s3.accessKeySecret.name . }}
-        secretKeySecret:
-          key: {{ tpl .Values.artifactRepository.s3.secretKeySecret.key . }}
-          name: {{ tpl .Values.artifactRepository.s3.secretKeySecret.name . }}
-        {{- end }}
-        bucket: {{ tpl (.Values.artifactRepository.s3.bucket | default "") . }}
-        endpoint: workflow-archivelog-s3.user-system-{{ .Values.global.bfl.username }}:4568
-        insecure: {{ .Values.artifactRepository.s3.insecure }}
-        {{- if .Values.artifactRepository.s3.keyFormat }}
-        keyFormat: {{ .Values.artifactRepository.s3.keyFormat | quote }}
-        {{- end }}
-        {{- if .Values.artifactRepository.s3.region }}
-        region: {{ tpl .Values.artifactRepository.s3.region $ }}
-        {{- end }}
-        {{- if .Values.artifactRepository.s3.roleARN }}
-        roleARN: {{ .Values.artifactRepository.s3.roleARN }}
-        {{- end }}
-        {{- if .Values.artifactRepository.s3.useSDKCreds }}
-        useSDKCreds: {{ .Values.artifactRepository.s3.useSDKCreds }}
-        {{- end }}
-        {{- with .Values.artifactRepository.s3.encryptionOptions }}
-        encryptionOptions:
-          {{- toYaml . | nindent 10 }}
-        {{- end }}
-      {{- end }}
-      {{- if .Values.customArtifactRepository }}
-      {{- toYaml .Values.customArtifactRepository | nindent 6 }}
-      {{- end }}
-    {{- end }}
-    {{- if .Values.controller.metricsConfig.enabled }}
-    metricsConfig:
-      enabled: {{ .Values.controller.metricsConfig.enabled }}
-      path: {{ .Values.controller.metricsConfig.path }}
-      port: {{ .Values.controller.metricsConfig.port }}
-      {{- if .Values.controller.metricsConfig.metricsTTL }}
-      metricsTTL: {{ .Values.controller.metricsConfig.metricsTTL }}
-      {{- end }}
-      ignoreErrors: {{ .Values.controller.metricsConfig.ignoreErrors }}
-      secure: {{ .Values.controller.metricsConfig.secure }}
-    {{- end }}
-    {{- if .Values.controller.telemetryConfig.enabled }}
-    telemetryConfig:
-      enabled: {{ .Values.controller.telemetryConfig.enabled }}
-      path: {{ .Values.controller.telemetryConfig.path }}
-      port: {{ .Values.controller.telemetryConfig.port }}
-      {{- if .Values.controller.telemetryConfig.metricsTTL }}
-      metricsTTL: {{ .Values.controller.telemetryConfig.metricsTTL }}
-      {{- end }}
-      ignoreErrors: {{ .Values.controller.telemetryConfig.ignoreErrors }}
-      secure: {{ .Values.controller.telemetryConfig.secure }}
-    {{- end }}
-    persistence:
-      connectionPool:
-        maxIdleConns: 5
-        maxOpenConns: 0
-      archive: true
-      archiveTTL: 5d
-      postgresql:
-        host: citus-master-svc.user-system-{{ .Values.global.bfl.username }}
-        port: 5432
-        database: user_space_{{ .Values.global.bfl.username }}_argo
-        tableName: argo_workflows
-        userNameSecret:
-          name: rss-secrets
-          key: pg_user
-        passwordSecret:
-          name: rss-secrets
-          key: pg_password
-
-    {{- if .Values.controller.workflowDefaults }}
-    workflowDefaults:
-{{ toYaml .Values.controller.workflowDefaults | indent 6 }}{{- end }}
-    {{- if .Values.server.sso.enabled }}
-    sso:
-      issuer: {{ .Values.server.sso.issuer }}
-      clientId:
-        name: {{ .Values.server.sso.clientId.name }}
-        key: {{ .Values.server.sso.clientId.key }}
-      clientSecret:
-        name: {{ .Values.server.sso.clientSecret.name }}
-        key: {{ .Values.server.sso.clientSecret.key }}
-      redirectUrl: {{ .Values.server.sso.redirectUrl }}
-      rbac:
-        enabled: {{ .Values.server.sso.rbac.enabled }}
-      {{- with .Values.server.sso.scopes }}
-      scopes: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.server.sso.issuerAlias }}
-      issuerAlias: {{ toYaml . }}
-      {{- end }}
-      {{- with .Values.server.sso.sessionExpiry }}
-      sessionExpiry: {{ toYaml . }}
-      {{- end }}
-      {{- with .Values.server.sso.customGroupClaimName }}
-      customGroupClaimName: {{ toYaml . }}
-      {{- end }}
-      {{- with .Values.server.sso.userInfoPath }}
-      userInfoPath: {{ toYaml . }}
-      {{- end }}
-      {{- with .Values.server.sso.insecureSkipVerify }}
-      insecureSkipVerify: {{ toYaml . }}
-      {{- end }}
-    {{- end }}
-    {{- with .Values.controller.workflowRestrictions }}
-    workflowRestrictions: {{- toYaml . | nindent 6 }}
-    {{- end }}
-    {{- with .Values.controller.links }}
-    links: {{- toYaml . | nindent 6 }}
-    {{- end }}
-    {{- with .Values.controller.columns }}
-    columns: {{- toYaml . | nindent 6 }}
-    {{- end }}
-    {{- with .Values.controller.navColor }}
-    navColor: {{ . }}
-    {{- end }}
-    {{- with .Values.controller.retentionPolicy }}
-    retentionPolicy: {{- toYaml . | nindent 6 }}
-    {{- end }}
-    {{- with .Values.emissary.images }}
-    images: {{- toYaml . | nindent 6 }}
-    {{- end }}
-    nodeEvents:
-      enabled: {{ .Values.controller.nodeEvents.enabled }}
-    {{- with .Values.controller.kubeConfig }}
-    kubeConfig: {{- toYaml . | nindent 6 }}
-    {{- end }}
-    {{- with .Values.controller.podGCGracePeriodSeconds }}
-    podGCGracePeriodSeconds: {{ . }}
-    {{- end }}
-    {{- with .Values.controller.podGCDeleteDelayDuration }}
-    podGCDeleteDelayDuration: {{ . }}
-    {{- end }}

apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/controller/workflow-controller-crb.yaml

@@ -1,45 +0,0 @@
-{{- if .Values.controller.rbac.create }}
-apiVersion: rbac.authorization.k8s.io/v1
-{{- if .Values.singleNamespace }}
-kind: RoleBinding
-{{ else }}
-kind: ClusterRoleBinding
-{{- end }}
-metadata:
-  name: {{ .Release.Namespace }}:{{ template "argo-workflows.controller.fullname" . }}
-  {{- if .Values.singleNamespace }}
-  namespace: {{ .Release.Namespace | quote }}
-  {{- end }}
-  labels:
-    {{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  {{- if .Values.singleNamespace }}
-  kind: Role
-  {{ else }}
-  kind: ClusterRole
-  {{- end }}
-  name: {{ template "argo-workflows.controller.fullname" . }}
-subjects:
-  - kind: ServiceAccount
-    name: {{ template "argo-workflows.controllerServiceAccountName" . }}
-    namespace: {{ .Release.Namespace | quote }}
-
-{{- if .Values.controller.clusterWorkflowTemplates.enabled }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: {{ .Release.Namespace }}:{{ template "argo-workflows.controller.fullname" . }}-cluster-template
-  labels:
-    {{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: {{ template "argo-workflows.controller.fullname" . }}-cluster-template
-subjects:
-  - kind: ServiceAccount
-    name: {{ template "argo-workflows.controllerServiceAccountName" . }}
-    namespace: {{ .Release.Namespace | quote }}
-{{- end }}
-{{- end }}

apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/controller/workflow-controller-deployment.yaml

@@ -1,129 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ template "argo-workflows.controller.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
-  labels:
-    {{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
-    app.kubernetes.io/version: {{ include "argo-workflows.controller_chart_version_label" . }}
-  {{- with .Values.controller.deploymentAnnotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  replicas: {{ .Values.controller.replicas }}
-  selector:
-    matchLabels:
-      {{- include "argo-workflows.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 6 }}
-  template:
-    metadata:
-      labels:
-        {{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 8 }}
-        app.kubernetes.io/version: {{ include "argo-workflows.controller_chart_version_label" . }}
-        {{- with.Values.controller.podLabels }}
-          {{- toYaml . | nindent 8 }}
-        {{- end }}
-      {{- with .Values.controller.podAnnotations }}
-      annotations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-    spec:
-      serviceAccountName: {{ template "argo-workflows.controllerServiceAccountName" . }}
-      {{- with .Values.controller.podSecurityContext }}
-      securityContext:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.controller.extraInitContainers }}
-      initContainers:
-        {{- tpl (toYaml .) $ | nindent 8 }}
-      {{- end }}
-      containers:
-        - name: controller
-          image: "{{- include "argo-workflows.image" (dict "context" . "image" .Values.controller.image) }}:{{ default (include "argo-workflows.defaultTag" .) .Values.controller.image.tag }}"
-          imagePullPolicy: {{ .Values.images.pullPolicy }}
-          command: [ "workflow-controller" ]
-          args:
-          - "--configmap"
-          - "{{ template "argo-workflows.controller.fullname" . }}-configmap"
-          - "--executor-image"
-          - "{{- include "argo-workflows.image" (dict "context" . "image" .Values.executor.image) }}:{{ default (include "argo-workflows.defaultTag" .) .Values.executor.image.tag }}"
-          - "--loglevel"
-          - "{{ .Values.controller.logging.level }}"
-          - "--gloglevel"
-          - "{{ .Values.controller.logging.globallevel }}"
-          - "--log-format"
-          - "{{ .Values.controller.logging.format }}"
-          {{- if .Values.singleNamespace }}
-          - "--namespaced"
-          {{- end }}
-          {{- with .Values.controller.workflowWorkers }}
-          - "--workflow-workers"
-          - {{ . | quote }}
-          {{- end }}
-          {{- with .Values.controller.extraArgs }}
-            {{- toYaml . | nindent 10 }}
-          {{- end }}
-          securityContext:
-            {{- toYaml .Values.controller.securityContext | nindent 12 }}
-          env:
-            - name: ARGO_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  apiVersion: v1
-                  fieldPath: metadata.namespace
-            - name: LEADER_ELECTION_IDENTITY
-              valueFrom:
-                fieldRef:
-                  apiVersion: v1
-                  fieldPath: metadata.name
-          {{- with .Values.controller.extraEnv }}
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-          resources:
-            {{- toYaml .Values.controller.resources | nindent 12 }}
-          {{- with .Values.controller.volumeMounts }}
-          volumeMounts:
-            {{- toYaml . | nindent 10 }}
-          {{- end }}
-          ports:
-            - name: {{ .Values.controller.metricsConfig.portName }}
-              containerPort: {{ .Values.controller.metricsConfig.port }}
-            - containerPort: 6060
-          livenessProbe: {{ .Values.controller.livenessProbe | toYaml | nindent 12 }}
-        {{- with .Values.controller.extraContainers }}
-          {{- toYaml . | nindent 8 }}
-        {{- end }}
-      {{- with .Values.images.pullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.controller.volumes }}
-      volumes:
-        {{- toYaml . | nindent 6 }}
-      {{- end }}
-      {{- with .Values.controller.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.controller.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.controller.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.controller.topologySpreadConstraints }}
-      topologySpreadConstraints:
-        {{- range $constraint := . }}
-      - {{ toYaml $constraint | nindent 8 | trim }}
-        {{- if not $constraint.labelSelector }}
-        labelSelector:
-          matchLabels:
-            {{- include "argo-workflows.selectorLabels" (dict "context" $ "name" $.Values.controller.name) | nindent 12 }}
-        {{- end }}
-        {{- end }}
-      {{- end }}
-      {{- with .Values.controller.priorityClassName }}
-      priorityClassName: {{ . }}
-      {{- end }}

apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/controller/workflow-controller-sa.yaml

@@ -1,16 +0,0 @@
-{{- if .Values.controller.serviceAccount.create }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ template "argo-workflows.controllerServiceAccountName" . }}
-  namespace: {{ .Release.Namespace | quote }}
-  labels:
-    {{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
-  {{- with .Values.controller.serviceAccount.labels  }}
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-  {{ with .Values.controller.serviceAccount.annotations }}
-  annotations:
-    {{- toYaml .| nindent 4 }}
-  {{- end }}
-{{- end }}

apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/controller/workflow-rb.yaml

@@ -1,15 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ template "argo-workflows.fullname" $ }}-workflow
-  labels:
-    {{- include "argo-workflows.labels" (dict "context" $ "component" $.Values.controller.name "name" $.Values.controller.name) | nindent 4 }}
-  namespace: {{ $.Release.Namespace}}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ template "argo-workflows.fullname" $ }}-workflow
-subjects:
-  - kind: ServiceAccount
-    name: {{ $.Values.workflow.serviceAccount.name }}
-    namespace: {{ $.Release.Namespace}}

apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/extra-manifests.yaml

@@ -1,8 +0,0 @@
-{{ range .Values.extraObjects }}
----
-{{- if typeIs "string" . }}
-    {{- tpl . $ }}
-{{- else }}
-    {{- tpl (toYaml .) $ }}
-{{- end }}
-{{ end }}

apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/server/server-crb.yaml

@@ -1,45 +0,0 @@
-{{- if and .Values.server.enabled .Values.server.rbac.create -}}
-apiVersion: rbac.authorization.k8s.io/v1
-{{- if .Values.singleNamespace }}
-kind: RoleBinding
-{{ else }}
-kind: ClusterRoleBinding
-{{- end }}
-metadata:
-  name: {{ .Release.Namespace }}:{{ template "argo-workflows.server.fullname" . }}
-  {{- if .Values.singleNamespace }}
-  namespace: {{ .Release.Namespace | quote }}
-  {{- end }}
-  labels:
-    {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  {{- if .Values.singleNamespace }}
-  kind: Role
-  {{ else }}
-  kind: ClusterRole
-  {{- end }}
-  name: {{ template "argo-workflows.server.fullname" . }}
-subjects:
-- kind: ServiceAccount
-  name: {{ template "argo-workflows.serverServiceAccountName" . }}
-  namespace: {{ .Release.Namespace | quote }}
-
-{{- if .Values.server.clusterWorkflowTemplates.enabled }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: {{ .Release.Namespace }}:{{ template "argo-workflows.server.fullname" . }}-cluster-template
-  labels:
-    {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: {{ template "argo-workflows.server.fullname" . }}-cluster-template
-subjects:
-- kind: ServiceAccount
-  name: {{ template "argo-workflows.serverServiceAccountName" . }}
-  namespace: {{ .Release.Namespace | quote }}
-{{- end -}}
-{{- end -}}

apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/server/server-deployment.yaml

@@ -1,142 +0,0 @@
-{{- if .Values.server.enabled -}}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ template "argo-workflows.server.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
-  labels:
-    app: argoworkflows
-    app.kubernetes.io/managed-by: Helm
-    {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
-    app.kubernetes.io/version: {{ include "argo-workflows.server_chart_version_label" . }}
-  {{- with .Values.server.deploymentAnnotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-    applications.app.bytetrade.io/icon: https://argoproj.github.io/argo-workflows/assets/logo.png
-    applications.app.bytetrade.io/title: argoworkflows
-    applications.app.bytetrade.io/version: '0.35.0'
-  {{- end }}
-spec:
-  {{- if not .Values.server.autoscaling.enabled }}
-  replicas: {{ .Values.server.replicas }}
-  {{- end }}
-  selector:
-    matchLabels:
-      {{- include "argo-workflows.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 6 }}
-      app: argoworkflows
-  template:
-    metadata:
-      labels:
-        app: argoworkflows
-        {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 8 }}
-        app.kubernetes.io/version: {{ include "argo-workflows.server_chart_version_label" . }}
-        {{- with .Values.server.podLabels }}
-          {{- toYaml . | nindent 8 }}
-        {{- end }}
-      {{- with .Values.server.podAnnotations }}
-      annotations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-    spec:
-      serviceAccountName: {{ template "argo-workflows.serverServiceAccountName" . }}
-      {{- with .Values.server.podSecurityContext }}
-      securityContext:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.server.extraInitContainers }}
-      initContainers:
-        {{- tpl (toYaml .) $ | nindent 8 }}
-      {{- end }}
-      containers:
-        - name: argo-server
-          image: "{{- include "argo-workflows.image" (dict "context" . "image" .Values.server.image) }}:{{ default (include "argo-workflows.defaultTag" .) .Values.server.image.tag }}"
-          imagePullPolicy: {{ .Values.images.pullPolicy }}
-          securityContext:
-            {{- toYaml .Values.server.securityContext | nindent 12 }}
-          args:
-            - server
-            - --configmap={{ template "argo-workflows.controller.fullname" . }}-configmap
-          {{- with .Values.server.extraArgs }}
-            {{- toYaml . | nindent 10 }}
-          {{- end }}
-          {{- if .Values.server.authMode }}
-            - "--auth-mode={{ .Values.server.authMode }}"
-          {{- end }}
-            - "--secure={{ .Values.server.secure }}"
-            - "--x-frame-options="
-          {{- if .Values.singleNamespace }}
-            - "--namespaced"
-          {{- end }}
-            - "--loglevel"
-            - "{{ .Values.server.logging.level }}"
-            - "--gloglevel"
-            - "{{ .Values.server.logging.globallevel }}"
-            - "--log-format"
-            - "{{ .Values.server.logging.format }}"
-          ports:
-            - name: web
-              containerPort: 2746
-          readinessProbe:
-            httpGet:
-              path: /
-              port: 2746
-              {{- if .Values.server.secure }}
-              scheme: HTTPS
-              {{- else }}
-              scheme: HTTP
-              {{- end }}
-            initialDelaySeconds: 10
-            periodSeconds: 20
-          env:
-            - name: IN_CLUSTER
-              value: "true"
-            - name: ARGO_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  apiVersion: v1
-                  fieldPath: metadata.namespace
-            - name: BASE_HREF
-              value: {{ .Values.server.baseHref | quote }}
-          {{- with .Values.server.extraEnv }}
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-          resources:
-            {{- toYaml .Values.server.resources | nindent 12 }}
-          volumeMounts:
-            - name: tmp
-              mountPath: /tmp
-        
-      volumes:
-        - name: tmp
-          emptyDir: {}
-      {{- with .Values.server.volumes }}
-        {{- toYaml . | nindent 6}}
-      {{- end }}
-      {{- with .Values.server.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.server.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.server.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.server.topologySpreadConstraints }}
-      topologySpreadConstraints:
-        {{- range $constraint := . }}
-        - {{ toYaml $constraint | nindent 8 | trim }}
-        {{- if not $constraint.labelSelector }}
-          labelSelector:
-            matchLabels:
-            {{- include "argo-workflows.selectorLabels" (dict "context" $ "name" $.Values.server.name) | nindent 12 }}
-        {{- end }}
-        {{- end }}
-      {{- end }}
-      {{- with .Values.server.priorityClassName }}
-      priorityClassName: {{ . }}
-      {{- end }}
-
-{{- end -}}

apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/server/server-sa.yaml

@@ -1,16 +0,0 @@
-{{- if and .Values.server.enabled .Values.server.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ template "argo-workflows.serverServiceAccountName" . }}
-  namespace: {{ .Release.Namespace | quote }}
-  labels:
-    {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
-  {{- with .Values.server.serviceAccount.labels  }}
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-  {{- with .Values.server.serviceAccount.annotations  }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-{{- end -}}

apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/server/server-service.yaml

@@ -1,36 +0,0 @@
-{{- if .Values.server.enabled -}}
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ template "argo-workflows.server.fullname" . }}-svc
-  namespace: {{ .Release.Namespace | quote }}
-  labels:
-    {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
-    app.kubernetes.io/version: {{ include "argo-workflows.server_chart_version_label" . }}
-  {{- with .Values.server.serviceAnnotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  ports:
-  - port: {{ .Values.server.servicePort }}
-    {{- with .Values.server.servicePortName }}
-    name: {{ . }}
-    {{- end }}
-    targetPort: 2746
-    {{- if and (eq .Values.server.serviceType "NodePort") .Values.server.serviceNodePort }}
-    nodePort: {{ .Values.server.serviceNodePort }}
-    {{- end }}
-  selector:
-    app: {{ template "argo-workflows.server.fullname" . }}
-    {{- include "argo-workflows.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 4 }}
-  sessionAffinity: None
-  type: {{ .Values.server.serviceType }}
-  {{- if and (eq .Values.server.serviceType "LoadBalancer") .Values.server.loadBalancerIP }}
-  loadBalancerIP: {{ .Values.server.loadBalancerIP | quote }}
-  {{- end }}
-  {{- if and (eq .Values.server.serviceType "LoadBalancer") .Values.server.loadBalancerSourceRanges }}
-  loadBalancerSourceRanges:
-    {{- toYaml .Values.server.loadBalancerSourceRanges | nindent 4 }}
-  {{- end }}
-{{- end -}}

apps/argo/config/user/helm-charts/argo/charts/argoworkflows/values.yaml

@@ -1,840 +0,0 @@
-images:
-  # -- Common tag for Argo Workflows images. Defaults to `.Chart.AppVersion`.
-  tag: ""
-  # -- imagePullPolicy to apply to all containers
-  pullPolicy: IfNotPresent
-  # -- Secrets with credentials to pull images from a private registry
-  pullSecrets: []
-  # - name: argo-pull-secret
-
-## Custom resource configuration
-crds:
-  # -- Install and upgrade CRDs
-  install: true
-  # -- Keep CRDs on chart uninstall
-  keep: true
-  # -- Annotations to be added to all CRDs
-  annotations: {}
-
-# -- Create clusterroles that extend existing clusterroles to interact with argo-cd crds
-## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
-createAggregateRoles: true
-
-# -- String to partially override "argo-workflows.fullname" template
-nameOverride:
-
-# -- String to fully override "argo-workflows.fullname" template
-fullnameOverride:
-
-# -- Override the Kubernetes version, which is used to evaluate certain manifests
-kubeVersionOverride: ""
-
-# Override APIVersions
-apiVersionOverrides:
-  # -- String to override apiVersion of autoscaling rendered by this helm chart
-  autoscaling: "" # autoscaling/v2
-  # -- String to override apiVersion of GKE resources rendered by this helm chart
-  cloudgoogle: "" # cloud.google.com/v1
-
-# -- Restrict Argo to operate only in a single namespace (the namespace of the
-# Helm release) by apply Roles and RoleBindings instead of the Cluster
-# equivalents, and start workflow-controller with the --namespaced flag. Use it
-# in clusters with strict access policy.
-singleNamespace: false
-
-workflow:
-  # -- Deprecated; use controller.workflowNamespaces instead.
-  namespace:
-  serviceAccount:
-    # -- Specifies whether a service account should be created
-    create: false
-    # -- Labels applied to created service account
-    labels: {}
-    # -- Annotations applied to created service account
-    annotations: {}
-    # -- Service account which is used to run workflows
-    name: "argo-workflow"
-    # -- Secrets with credentials to pull images from a private registry. Same format as `.Values.images.pullSecrets`
-    pullSecrets: []
-  rbac:
-    # -- Adds Role and RoleBinding for the above specified service account to be able to run workflows.
-    # A Role and Rolebinding pair is also created for each namespace in controller.workflowNamespaces (see below)
-    create: true
-
-controller:
-  image:
-    # -- Registry to use for the controller
-    registry: quay.io
-    # -- Registry to use for the controller
-    repository: argoproj/workflow-controller
-    # -- Image tag for the workflow controller. Defaults to `.Values.images.tag`.
-    tag: ""
-  # -- parallelism dictates how many workflows can be running at the same time
-  parallelism:
-  # -- Globally limits the rate at which pods are created.
-  # This is intended to mitigate flooding of the Kubernetes API server by workflows with a large amount of
-  # parallel nodes.
-  resourceRateLimit: {}
-    # limit: 10
-  # burst: 1
-
-  rbac:
-    # -- Adds Role and RoleBinding for the controller.
-    create: true
-    # -- Allows controller to get, list, and watch certain k8s secrets
-    secretWhitelist: []
-    # -- Allows controller to get, list and watch all k8s secrets. Can only be used if secretWhitelist is empty.
-    accessAllSecrets: false
-    # -- Allows controller to create and update ConfigMaps. Enables memoization feature
-    writeConfigMaps: false
-
-  # -- Limits the maximum number of incomplete workflows in a namespace
-  namespaceParallelism:
-  # -- Resolves ongoing, uncommon AWS EKS bug: https://github.com/argoproj/argo-workflows/pull/4224
-  initialDelay:
-  # -- deploymentAnnotations is an optional map of annotations to be applied to the controller Deployment
-  deploymentAnnotations: {}
-  # -- podAnnotations is an optional map of annotations to be applied to the controller Pods
-  podAnnotations: {}
-  # -- Optional labels to add to the controller pods
-  podLabels: {}
-  # -- SecurityContext to set on the controller pods
-  podSecurityContext: {}
-  # podPortName: http
-  metricsConfig:
-    # -- Enables prometheus metrics server
-    enabled: false
-    # -- Path is the path where metrics are emitted. Must start with a "/".
-    path: /metrics
-    # -- Port is the port where metrics are emitted
-    port: 9090
-    # -- How often custom metrics are cleared from memory
-    metricsTTL: ""
-    # -- Flag that instructs prometheus to ignore metric emission errors.
-    ignoreErrors: false
-    # --  Flag that use a self-signed cert for TLS
-    secure: false
-    # -- Container metrics port name
-    portName: metrics
-    # -- Service metrics port
-    servicePort: 8090
-    # -- Service metrics port name
-    servicePortName: metrics
-    # -- ServiceMonitor relabel configs to apply to samples before scraping
-    ## Ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
-    relabelings: []
-    # -- ServiceMonitor metric relabel configs to apply to samples before ingestion
-    ## Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#endpoint
-    metricRelabelings: []
-    # -- ServiceMonitor will add labels from the service to the Prometheus metric
-    ## Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitorspec
-    targetLabels: []
-  # -- the controller container's securityContext
-  securityContext:
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - ALL
-  # -- enable persistence using postgres
-  persistence: {}
-  # connectionPool:
-  #   maxIdleConns: 100
-  #   maxOpenConns: 0
-  # # save the entire workflow into etcd and DB
-  # nodeStatusOffLoad: false
-  # # enable archiving of old workflows
-  # archive: false
-  # postgresql:
-  #   host: localhost
-  #   port: 5432
-  #   database: postgres
-  #   tableName: argo_workflows
-  #   # the database secrets must be in the same namespace of the controller
-  #   userNameSecret:
-  #     name: argo-postgres-config
-  #     key: username
-  #   passwordSecret:
-  #     name: argo-postgres-config
-  #     key: password
-
-  # -- Default values that will apply to all Workflows from this controller, unless overridden on the Workflow-level.
-  # Only valid for 2.7+
-  ## See more: https://argoproj.github.io/argo-workflows/default-workflow-specs/
-  workflowDefaults: {}
-  #   spec:
-  #     ttlStrategy:
-  #       secondsAfterCompletion: 84600
-  #     # Ref: https://argoproj.github.io/argo-workflows/artifact-repository-ref/
-  #     artifactRepositoryRef:
-  #       configMap: my-artifact-repository # default is "artifact-repositories"
-  #       key: v2-s3-artifact-repository # default can be set by the `workflows.argoproj.io/default-artifact-repository` annotation in config map.
-
-  # -- Number of workflow workers
-  workflowWorkers: # 32
-  # -- Restricts the Workflows that the controller will process.
-  # Only valid for 2.9+
-  workflowRestrictions: {}
-  # templateReferencing: Strict|Secure
-
-  # telemetryConfig controls the path and port for prometheus telemetry. Telemetry is enabled and emitted in the same endpoint
-  # as metrics by default, but can be overridden using this config.
-  telemetryConfig:
-    # -- Enables prometheus telemetry server
-    enabled: false
-    # -- telemetry path
-    path: /telemetry
-    # -- telemetry container port
-    port: 8081
-    # -- How often custom metrics are cleared from memory
-    metricsTTL: ""
-    # -- Flag that instructs prometheus to ignore metric emission errors.
-    ignoreErrors: false
-    # --  Flag that use a self-signed cert for TLS
-    secure: false
-    # -- telemetry service port
-    servicePort: 8081
-    # -- telemetry service port name
-    servicePortName: telemetry
-  serviceMonitor:
-    # -- Enable a prometheus ServiceMonitor
-    enabled: false
-    # -- Prometheus ServiceMonitor labels
-    additionalLabels: {}
-    # -- Prometheus ServiceMonitor namespace
-    namespace: "" # "monitoring"
-  serviceAccount:
-    # -- Create a service account for the controller
-    create: true
-    # -- Service account name
-    name: ""
-    # -- Labels applied to created service account
-    labels: {}
-    # -- Annotations applied to created service account
-    annotations: {}
-
-  # -- Workflow controller name string
-  name: workflow-controller
-
-  # -- Specify all namespaces where this workflow controller instance will manage
-  # workflows. This controls where the service account and RBAC resources will
-  # be created. Only valid when singleNamespace is false.
-  workflowNamespaces:
-    - default
-
-  instanceID:
-    # -- Configures the controller to filter workflow submissions
-    # to only those which have a matching instanceID attribute.
-    ## NOTE: If `instanceID.enabled` is set to `true` then either `instanceID.userReleaseName`
-    ## or `instanceID.explicitID` must be defined.
-    enabled: true
-    # -- Use ReleaseName as instanceID
-    useReleaseName: true
-    # useReleaseName: true
-
-    # -- Use a custom instanceID
-    explicitID: ""
-    # explicitID: unique-argo-controller-identifier
-
-  logging:
-    # -- Set the logging level (one of: `debug`, `info`, `warn`, `error`)
-    level: info
-    # -- Set the glog logging level
-    globallevel: "0"
-    # -- Set the logging format (one of: `text`, `json`)
-    format: "text"
-
-  # -- Service type of the controller Service
-  serviceType: ClusterIP
-  # -- Annotations to be applied to the controller Service
-  serviceAnnotations: {}
-  # -- Optional labels to add to the controller Service
-  serviceLabels: {}
-  # -- Source ranges to allow access to service from. Only applies to service type `LoadBalancer`
-  loadBalancerSourceRanges: []
-
-  # -- Resource limits and requests for the controller
-  resources: {}
-
-  # -- Configure liveness [probe] for the controller
-  # @default -- See [values.yaml]
-  livenessProbe:
-    httpGet:
-      port: 6060
-      path: /healthz
-    failureThreshold: 3
-    initialDelaySeconds: 90
-    periodSeconds: 60
-    timeoutSeconds: 30
-
-  # -- Extra environment variables to provide to the controller container
-  extraEnv: []
-    # - name: FOO
-  #   value: "bar"
-
-  # -- Extra arguments to be added to the controller
-  extraArgs: []
-  # -- Additional volume mounts to the controller main container
-  volumeMounts: []
-  # -- Additional volumes to the controller pod
-  volumes: []
-  # -- The number of controller pods to run
-  replicas: 1
-
-  pdb:
-    # -- Configure [Pod Disruption Budget] for the controller pods
-    enabled: false
-    # minAvailable: 1
-    # maxUnavailable: 1
-
-  # -- [Node selector]
-  nodeSelector:
-    kubernetes.io/os: linux
-  # -- [Tolerations] for use with node taints
-  tolerations: []
-  # -- Assign custom [affinity] rules
-  affinity: {}
-
-  # -- Assign custom [TopologySpreadConstraints] rules to the workflow controller
-  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
-  ## If labelSelector is left out, it will default to the labelSelector configuration of the deployment
-  topologySpreadConstraints: []
-  # - maxSkew: 1
-  #   topologyKey: topology.kubernetes.io/zone
-  #   whenUnsatisfiable: DoNotSchedule
-
-  # -- Leverage a PriorityClass to ensure your pods survive resource shortages.
-  ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
-  priorityClassName: ""
-
-  # -- Configure Argo Server to show custom [links]
-  ## Ref: https://argoproj.github.io/argo-workflows/links/
-  links: []
-  # -- Configure Argo Server to show custom [columns]
-  ## Ref: https://github.com/argoproj/argo-workflows/pull/10693
-  columns: []
-  # -- Set ui navigation bar background color
-  navColor: ""
-  clusterWorkflowTemplates:
-    # -- Create a ClusterRole and CRB for the controller to access ClusterWorkflowTemplates.
-    enabled: true
-  # -- Extra containers to be added to the controller deployment
-  extraContainers: []
-
-  # -- Enables init containers to be added to the controller deployment
-  extraInitContainers: []
-
-  # -- Workflow retention by number of workflows
-  retentionPolicy: {}
-  #  completed: 10
-  #  failed: 3
-  #  errored: 3
-
-  nodeEvents:
-    # -- Enable to emit events on node completion.
-    ## This can take up a lot of space in k8s (typically etcd) resulting in errors when trying to create new events:
-    ## "Unable to create audit event: etcdserver: mvcc: database space exceeded"
-    enabled: true
-
-  # -- Configure when workflow controller runs in a different k8s cluster with the workflow workloads,
-  # or needs to communicate with the k8s apiserver using an out-of-cluster kubeconfig secret.
-  # @default -- `{}` (See [values.yaml])
-  kubeConfig: {}
-    # # name of the kubeconfig secret, may not be empty when kubeConfig specified
-    # secretName: kubeconfig-secret
-    # # key of the kubeconfig secret, may not be empty when kubeConfig specified
-    # secretKey: kubeconfig
-    # # mounting path of the kubeconfig secret, default to /kube/config
-    # mountPath: /kubeconfig/mount/path
-    # # volume name when mounting the secret, default to kubeconfig
-  # volumeName: kube-config-volume
-
-  # -- Specifies the duration in seconds before a terminating pod is forcefully killed. A zero value indicates that the pod will be forcefully terminated immediately.
-  # @default -- `30` seconds (Kubernetes default)
-  podGCGracePeriodSeconds:
-
-  # -- The duration in seconds before the pods in the GC queue get deleted. A zero value indicates that the pods will be deleted immediately.
-  # @default -- `5s` (Argo Workflows default)
-  podGCDeleteDelayDuration: ""
-
-# mainContainer adds default config for main container that could be overriden in workflows template
-mainContainer:
-  # -- imagePullPolicy to apply to Workflow main container. Defaults to `.Values.images.pullPolicy`.
-  imagePullPolicy: ""
-  # -- Resource limits and requests for the Workflow main container
-  resources: {}
-  # -- Adds environment variables for the Workflow main container
-  env: []
-  # -- Adds reference environment variables for the Workflow main container
-  envFrom: []
-  # -- sets security context for the Workflow main container
-  securityContext: {}
-
-# executor controls how the init and wait container should be customized
-executor:
-  image:
-    # -- Registry to use for the Workflow Executors
-    registry: quay.io
-    # -- Repository to use for the Workflow Executors
-    repository: argoproj/argoexec
-    # -- Image tag for the workflow executor. Defaults to `.Values.images.tag`.
-    tag: ""
-    # -- Image PullPolicy to use for the Workflow Executors. Defaults to `.Values.images.pullPolicy`.
-    pullPolicy: ""
-  # -- Resource limits and requests for the Workflow Executors
-  resources: {}
-  # -- Passes arguments to the executor processes
-  args: []
-  # -- Adds environment variables for the executor.
-  env: []
-  # -- sets security context for the executor container
-  securityContext: {}
-
-server:
-  # -- Deploy the Argo Server
-  enabled: true
-  # -- Value for base href in index.html. Used if the server is running behind reverse proxy under subpath different from /.
-  ## only updates base url of resources on client side,
-  ## it's expected that a proxy server rewrites the request URL and gets rid of this prefix
-  ## https://github.com/argoproj/argo-workflows/issues/716#issuecomment-433213190
-  baseHref: /
-  image:
-    # -- Registry to use for the server
-    registry: quay.io
-    # -- Repository to use for the server
-    repository: argoproj/argocli
-    # -- Image tag for the Argo Workflows server. Defaults to `.Values.images.tag`.
-    tag: ""
-  # -- optional map of annotations to be applied to the ui Deployment
-  deploymentAnnotations: {}
-  # -- optional map of annotations to be applied to the ui Pods
-  podAnnotations: {}
-  # -- Optional labels to add to the UI pods
-  podLabels: {}
-  # -- SecurityContext to set on the server pods
-  podSecurityContext: {}
-  rbac:
-    # -- Adds Role and RoleBinding for the server.
-    create: true
-  # -- Servers container-level security context
-  securityContext:
-    readOnlyRootFilesystem: false
-    runAsNonRoot: true
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - ALL
-  # -- Server name string
-  name: server
-  # -- Service type for server pods
-  serviceType: ClusterIP
-  # -- Service port for server
-  servicePort: 2746
-  # -- Service node port
-  serviceNodePort: # 32746
-  # -- Service port name
-  servicePortName: "http" # http
-
-  serviceAccount:
-    # -- Create a service account for the server
-    create: true
-    # -- Service account name
-    name: ""
-    # -- Labels applied to created service account
-    labels: {}
-    # -- Annotations applied to created service account
-    annotations: {}
-
-  # -- Annotations to be applied to the UI Service
-  serviceAnnotations: {}
-  # -- Optional labels to add to the UI Service
-  serviceLabels: {}
-  # -- Static IP address to assign to loadBalancer service type `LoadBalancer`
-  loadBalancerIP: ""
-  # -- Source ranges to allow access to service from. Only applies to service type `LoadBalancer`
-  loadBalancerSourceRanges: []
-  # -- Resource limits and requests for the server
-  resources: {}
-  # -- The number of server pods to run
-  replicas: 1
-  ## Argo Server Horizontal Pod Autoscaler
-  autoscaling:
-    # -- Enable Horizontal Pod Autoscaler ([HPA]) for the Argo Server
-    enabled: false
-    # -- Minimum number of replicas for the Argo Server [HPA]
-    minReplicas: 1
-    # -- Maximum number of replicas for the Argo Server [HPA]
-    maxReplicas: 5
-    # -- Average CPU utilization percentage for the Argo Server [HPA]
-    targetCPUUtilizationPercentage: 50
-    # -- Average memory utilization percentage for the Argo Server [HPA]
-    targetMemoryUtilizationPercentage: 50
-    # -- Configures the scaling behavior of the target in both Up and Down directions.
-    # This is only available on HPA apiVersion `autoscaling/v2beta2` and newer
-    behavior: {}
-      # scaleDown:
-      #  stabilizationWindowSeconds: 300
-      #  policies:
-      #   - type: Pods
-      #     value: 1
-      #     periodSeconds: 180
-      # scaleUp:
-      #   stabilizationWindowSeconds: 300
-      #   policies:
-      #   - type: Pods
-    #     value: 2
-  pdb:
-    # -- Configure [Pod Disruption Budget] for the server pods
-    enabled: false
-    # minAvailable: 1
-    # maxUnavailable: 1
-
-  # -- [Node selector]
-  nodeSelector:
-    kubernetes.io/os: linux
-
-  # -- [Tolerations] for use with node taints
-  tolerations: []
-
-  # -- Assign custom [affinity] rules
-  affinity: {}
-
-  # -- Assign custom [TopologySpreadConstraints] rules to the argo server
-  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
-  ## If labelSelector is left out, it will default to the labelSelector configuration of the deployment
-  topologySpreadConstraints: []
-  # - maxSkew: 1
-  #   topologyKey: topology.kubernetes.io/zone
-  #   whenUnsatisfiable: DoNotSchedule
-
-  # -- Leverage a PriorityClass to ensure your pods survive resource shortages
-  ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
-  priorityClassName: ""
-
-  # -- Run the argo server in "secure" mode. Configure this value instead of `--secure` in extraArgs.
-  ## See the following documentation for more details on secure mode:
-  ## https://argoproj.github.io/argo-workflows/tls/
-  secure: false
-
-  # -- Extra environment variables to provide to the argo-server container
-  extraEnv: []
-    # - name: FOO
-  #   value: "bar"
-
-  # -- Auth Mode is available from `server` , `client` or `sso`. If you chose `sso` , please configure `.Values.server.sso` as well.
-  ## Ref: https://argoproj.github.io/argo-workflows/argo-server-auth-mode/
-  authMode: "server"
-
-  # -- Extra arguments to provide to the Argo server binary.
-  ## Ref: https://argoproj.github.io/argo-workflows/argo-server/#options
-  extraArgs: []
-
-  logging:
-    # -- Set the logging level (one of: `debug`, `info`, `warn`, `error`)
-    level: info
-    # -- Set the glog logging level
-    globallevel: "0"
-    # -- Set the logging format (one of: `text`, `json`)
-    format: "text"
-
-  # -- Additional volume mounts to the server main container.
-  volumeMounts: []
-  # -- Additional volumes to the server pod.
-  volumes: []
-
-  ## Ingress configuration.
-  # ref: https://kubernetes.io/docs/user-guide/ingress/
-  ingress:
-    # -- Enable an ingress resource
-    enabled: false
-    # -- Additional ingress annotations
-    annotations: {}
-    # -- Additional ingress labels
-    labels: {}
-    # -- Defines which ingress controller will implement the resource
-    ingressClassName: ""
-
-    # -- List of ingress hosts
-    ## Hostnames must be provided if Ingress is enabled.
-    ## Secrets must be manually created in the namespace
-    hosts: []
-    # - argoworkflows.example.com
-
-    # -- List of ingress paths
-    paths:
-      - /
-
-    # -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific`
-    pathType: Prefix
-    # -- Additional ingress paths
-    extraPaths: []
-      # - path: /*
-      #   backend:
-      #     serviceName: ssl-redirect
-      #     servicePort: use-annotation
-      ## for Kubernetes >=1.19 (when "networking.k8s.io/v1" is used)
-      # - path: /*
-      #   pathType: Prefix
-      #   backend:
-      #     service
-      #       name: ssl-redirect
-      #       port:
-    #         name: use-annotation
-
-    # -- Ingress TLS configuration
-    tls: []
-      # - secretName: argoworkflows-example-tls
-      #   hosts:
-    #     - argoworkflows.example.com
-
-  ## Create a Google Backendconfig  for use with the GKE Ingress Controller
-  ## https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#configuring_ingress_features_through_backendconfig_parameters
-  GKEbackendConfig:
-    # -- Enable BackendConfig custom resource for Google Kubernetes Engine
-    enabled: false
-    # -- [BackendConfigSpec]
-    spec: {}
-  #  spec:
-  #    iap:
-  #      enabled: true
-  #      oauthclientCredentials:
-  #        secretName: argoworkflows-secret
-
-  ## Create a Google Managed Certificate for use with the GKE Ingress Controller
-  ## https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs
-  GKEmanagedCertificate:
-    # -- Enable ManagedCertificate custom resource for Google Kubernetes Engine.
-    enabled: false
-    # -- Domains for the Google Managed Certificate
-    domains:
-      - argoworkflows.example.com
-
-  ## Create a Google FrontendConfig Custom Resource, for use with the GKE Ingress Controller
-  ## https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#configuring_ingress_features_through_frontendconfig_parameters
-  GKEfrontendConfig:
-    # -- Enable FrontConfig custom resource for Google Kubernetes Engine
-    enabled: false
-    # -- [FrontendConfigSpec]
-    spec: {}
-  # spec:
-  #   redirectToHttps:
-  #     enabled: true
-  #     responseCodeName: RESPONSE_CODE
-
-  clusterWorkflowTemplates:
-    # -- Create a ClusterRole and CRB for the server to access ClusterWorkflowTemplates.
-    enabled: true
-    # -- Give the server permissions to edit ClusterWorkflowTemplates.
-    enableEditing: true
-
-  # SSO configuration when SSO is specified as a server auth mode.
-  sso:
-    # -- Create SSO configuration. If you set `true` , please also set `.Values.server.authMode` as `sso`.
-    enabled: false
-    # -- The root URL of the OIDC identity provider
-    issuer: https://accounts.google.com
-    clientId:
-      # -- Name of secret to retrieve the app OIDC client ID
-      name: argo-server-sso
-      # -- Key of secret to retrieve the app OIDC client ID
-      key: client-id
-    clientSecret:
-      # -- Name of a secret to retrieve the app OIDC client secret
-      name: argo-server-sso
-      # -- Key of a secret to retrieve the app OIDC client secret
-      key: client-secret
-    # - The OIDC redirect URL. Should be in the form <argo-root-url>/oauth2/callback.
-    redirectUrl: https://argo/oauth2/callback
-    rbac:
-      # -- Adds ServiceAccount Policy to server (Cluster)Role.
-      enabled: true
-      # -- Whitelist to allow server to fetch Secrets
-      ## When present, restricts secrets the server can read to a given list.
-      ## You can use it to restrict the server to only be able to access the
-      ## service account token secrets that are associated with service accounts
-      ## used for authorization.
-      secretWhitelist: []
-    # -- Scopes requested from the SSO ID provider
-    ## The 'groups' scope requests group membership information, which is usually used for authorization decisions.
-    scopes: []
-    # - groups
-    # -- Define how long your login is valid for (in hours)
-    ## If omitted, defaults to 10h.
-    sessionExpiry: ""
-    # -- Alternate root URLs that can be included for some OIDC providers
-    issuerAlias: ""
-    # -- Override claim name for OIDC groups
-    customGroupClaimName: ""
-    # -- Specify the user info endpoint that contains the groups claim
-    ## Configure this if your OIDC provider provides groups information only using the user-info endpoint (e.g. Okta)
-    userInfoPath: ""
-    # -- Skip TLS verification for the HTTP client
-    insecureSkipVerify: false
-
-  # -- Extra containers to be added to the server deployment
-  extraContainers: []
-
-  # -- Enables init containers to be added to the server deployment
-  extraInitContainers: []
-
-# -- Array of extra K8s manifests to deploy
-extraObjects: []
-  # - apiVersion: secrets-store.csi.x-k8s.io/v1
-  #   kind: SecretProviderClass
-  #   metadata:
-  #     name: argo-server-sso
-  #   spec:
-  #     provider: aws
-  #     parameters:
-  #       objects: |
-  #         - objectName: "argo/server/sso"
-  #           objectType: "secretsmanager"
-  #           jmesPath:
-  #               - path: "client_id"
-  #                 objectAlias: "client_id"
-  #               - path: "client_secret"
-  #                 objectAlias: "client_secret"
-  #     secretObjects:
-  #     - data:
-  #       - key: client_id
-  #         objectName: client_id
-  #       - key: client_secret
-  #         objectName: client_secret
-  #       secretName: argo-server-sso-secrets-store
-#       type: Opaque
-
-# -- Use static credentials for S3 (eg. when not using AWS IRSA)
-useStaticCredentials: true
-artifactRepository:
-  # -- Archive the main container logs as an artifact
-  archiveLogs: true
-  # -- Store artifact in a S3-compliant object store
-  # @default -- See [values.yaml]
-  s3: 
-    # # Note the `key` attribute is not the actual secret, it's the PATH to
-    # # the contents in the associated secret, as defined by the `name` attribute.
-    accessKeySecret:
-      name: argo-workflow-log-fakes3
-      key: AWS_ACCESS_KEY_ID
-    secretKeySecret:
-      name: argo-workflow-log-fakes3
-      key: AWS_SECRET_ACCESS_KEY
-    # # insecure will disable TLS. Primarily used for minio installs not configured with TLS
-    insecure: true
-    keyFormat: "{{workflow.namespace}}/{{workflow.name}}/{{pod.name}}"
-    bucket: mongo-backup
-    # endpoint: workflow-archivelog-s3:4568
-    # region:
-    # roleARN:
-    # useSDKCreds: true
-    # encryptionOptions:
-  #    enableEncryption: true
-  # -- Store artifact in a GCS object store
-  # @default -- `{}` (See [values.yaml])
-  gcs: {}
-  # bucket: <project>-argo
-  # keyFormat: "{{ \"{{workflow.namespace}}/{{workflow.name}}/{{pod.name}}\" }}"
-  # serviceAccountKeySecret is a secret selector.
-  # It references the k8s secret named 'my-gcs-credentials'.
-  # This secret is expected to have have the key 'serviceAccountKey',
-  # containing the base64 encoded credentials
-  # to the bucket.
-  #
-  # If it's running on GKE and Workload Identity is used,
-  # serviceAccountKeySecret is not needed.
-  # serviceAccountKeySecret:
-  # name: my-gcs-credentials
-  # key: serviceAccountKey
-  # -- Store artifact in Azure Blob Storage
-  # @default -- `{}` (See [values.yaml])
-  azure: {}
-  # endpoint: https://mystorageaccountname.blob.core.windows.net
-  # container: my-container-name
-  # blobNameFormat: path/in/container
-  ## accountKeySecret is a secret selector.
-  ## It references the k8s secret named 'my-azure-storage-credentials'.
-  ## This secret is expected to have have the key 'account-access-key',
-  ## containing the base64 encoded credentials to the storage account.
-  ## If a managed identity has been assigned to the machines running the
-  ## workflow (e.g., https://docs.microsoft.com/en-us/azure/aks/use-managed-identity)
-  ## then accountKeySecret is not needed, and useSDKCreds should be
-  ## set to true instead:
-  # useSDKCreds: true
-  # accountKeySecret:
-  #  name: my-azure-storage-credentials
-  #  key: account-access-key
-
-# -- The section of custom artifact repository.
-# Utilize a custom artifact repository that is not one of the current base ones (s3, gcs, azure)
-customArtifactRepository: {}
-# artifactory:
-#   repoUrl: https://artifactory.example.com/raw
-#   usernameSecret:
-#     name: artifactory-creds
-#     key: username
-#   passwordSecret:
-#     name: artifactory-creds
-#     key: password
-
-# -- The section of [artifact repository ref](https://argoproj.github.io/argo-workflows/artifact-repository-ref/).
-# Each map key is the name of configmap
-# @default -- `{}` (See [values.yaml])
-artifactRepositoryRef: {}
-  # # -- 1st ConfigMap
-  # # If you want to use this config map by default, name it "artifact-repositories".
-  # # Otherwise, you can provide a reference to a
-  # # different config map in `artifactRepositoryRef.configMap`.
-  # artifact-repositories:
-  #   # -- v3.0 and after - if you want to use a specific key, put that key into this annotation.
-  #   annotations:
-  #     workflows.argoproj.io/default-artifact-repository: default-v1-s3-artifact-repository
-  #   # 1st data of configmap. See above artifactRepository or customArtifactRepository.
-  #   default-v1-s3-artifact-repository:
-  #     archiveLogs: false
-  #     s3:
-  #       bucket: my-bucket
-  #       endpoint: minio:9000
-  #       insecure: true
-  #       accessKeySecret:
-  #         name: my-minio-cred
-  #         key: accesskey
-  #       secretKeySecret:
-  #         name: my-minio-cred
-  #         key: secretkey
-  #    # 2nd data
-  #    oss-artifact-repository:
-  #      archiveLogs: false
-  #      oss:
-  #        endpoint: http://oss-cn-zhangjiakou-internal.aliyuncs.com
-  #        bucket: $mybucket
-  #        # accessKeySecret and secretKeySecret are secret selectors.
-  #        # It references the k8s secret named 'bucket-workflow-artifect-credentials'.
-  #        # This secret is expected to have have the keys 'accessKey'
-  #        # and 'secretKey', containing the base64 encoded credentials
-  #        # to the bucket.
-  #        accessKeySecret:
-  #          name: $mybucket-credentials
-  #          key: accessKey
-  #        secretKeySecret:
-  #          name: $mybucket-credentials
-  #          key: secretKey
-  # # 2nd ConfigMap
-  # another-artifact-repositories:
-  #   annotations:
-  #     workflows.argoproj.io/default-artifact-repository: gcs
-  #   gcs:
-  #     bucket: my-bucket
-  #     keyFormat: prefix/in/bucket/{{workflow.name}}/{{pod.name}}
-  #     serviceAccountKeySecret:
-  #       name: my-gcs-credentials
-#       key: serviceAccountKey
-
-emissary:
-  # -- The command/args for each image on workflow, needed when the command is not specified and the emissary executor is used.
-  ## See more: https://argoproj.github.io/argo-workflows/workflow-executors/#emissary-emissary
-  images: []
-  #  argoproj/argosay:v2:
-  #    cmd: [/argosay]
-  #  docker/whalesay:latest:
-  #    cmd: [/bin/bash]

apps/argo/config/user/helm-charts/argo/templates/argo_deployment.yaml

@@ -1,174 +1,4 @@
-{{- $namespace := printf "%s%s" "user-system-" .Values.bfl.username -}}
-{{- $rss_secret := (lookup "v1" "Secret" $namespace "rss-secrets") -}}
-{{- $password := "" -}}
-{{ if $rss_secret -}}
-{{ $password = (index $rss_secret "data" "pg_password") }}
-{{ else -}}
-{{ $password = randAlphaNum 16 | b64enc }}
-{{- end -}}
 
-{{- $redis_password := "" -}}
-{{ if $rss_secret -}}
-{{ $redis_password = (index $rss_secret "data" "redis_password") }}
-{{ else -}}
-{{ $redis_password = randAlphaNum 16 | b64enc }}
-{{- end -}}
-
-
-{{- $redis_password_data := "" -}}
-{{ $redis_password_data = $redis_password | b64dec }}
-
-{{- $pg_password_data := "" -}}
-{{ $pg_password_data = $password | b64dec }}
-
-{{- $mongo_secret := (lookup "v1" "Secret" .Release.Namespace "knowledge-mongodb") -}}
-{{- $mongo_password := randAlphaNum 16 | b64enc -}}
-
-{{- $mongo_password_data := "" -}}
-{{ if $mongo_secret -}}
-  {{ $mongo_password_data = (index $mongo_secret "data" "mongodb-passwords" ) | b64dec }}
-{{ else -}}
-  {{ $mongo_password_data = $mongo_password | b64dec }}
-{{- end -}}
-
-{{- $pg_user :=  printf "%s%s" "rss_" .Values.bfl.username -}}
-{{- $pg_user = $pg_user | b64enc -}}
-
----
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: rss-secrets
-  namespace: user-system-{{ .Values.bfl.username }}
-type: Opaque
-data:
-  pg_password: {{ $password }}
-  redis_password: {{ $redis_password }}
-
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: rss-secrets
-  namespace: {{ .Release.Namespace }}
-type: Opaque
-data:
-  pg_user: {{ $pg_user }}
-  pg_password: {{ $password }}
-  redis_password: {{ $redis_password }}
-
-
----
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: knowledge-mongodb
-  namespace: {{ .Release.Namespace }}
-type: Opaque
-
-{{ if $mongo_secret -}}
-data:
-  mongodb-passwords: {{ index $mongo_secret "data" "mongodb-passwords" }}
-{{ else -}}
-data:
-  mongodb-passwords: {{ $mongo_password }}
-{{ end }}
-
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: knowledge-mongodb
-  namespace: user-system-{{ .Values.bfl.username }}
-type: Opaque
-
-{{ if $mongo_secret -}}
-data:
-  mongodb-passwords: {{ index $mongo_secret "data" "mongodb-passwords" }}
-{{ else -}}
-data:
-  mongodb-passwords: {{ $mongo_password }}
-{{ end }}
-
----
-
-
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: rss-secrets-auth
-  namespace: {{ .Release.Namespace }}
-data:
-  redis_password: "{{ $redis_password_data }}"
-  redis_addr: redis-cluster-proxy.user-system-{{ .Values.bfl.username }}:6379
-  redis_host: redis-cluster-proxy.user-system-{{ .Values.bfl.username }}
-  redis_port: '6379'
-  pg_url: postgres://rss_{{ .Values.bfl.username }}:{{ $pg_password_data }}@citus-master-svc.user-system-{{ .Values.bfl.username }}/user_space_{{ .Values.bfl.username }}_rss_v1?sslmode=disable
-  mongo_url: mongodb://knowledge-{{ .Values.bfl.username }}:{{ $mongo_password_data }}@mongo-cluster-mongos.user-system-{{ .Values.bfl.username }}:27017/{{ .Release.Namespace }}_knowledge
-  mongo_db: {{ .Release.Namespace }}_knowledge
-  postgres_host: citus-master-svc.user-system-{{ .Values.bfl.username }}
-  postgres_user: knowledge_{{ .Values.bfl.username }}
-  postgres_password: "{{ $pg_password_data }}"
-  postgres_db: user_space_{{ .Values.bfl.username }}_knowledge
-  postgres_port: '5432'
-
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: rss-userspace-data
-  namespace: {{ .Release.Namespace }}
-data:
-  appData: "{{ .Values.userspace.appData }}"
-  appCache: "{{ .Values.userspace.appCache }}"
-  username: "{{ .Values.bfl.username }}"
-
-
-
----
-apiVersion: apr.bytetrade.io/v1alpha1
-kind: MiddlewareRequest
-metadata:
-  name: rss-pg
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  app: rss
-  appNamespace: {{ .Release.Namespace }}
-  middleware: postgres
-  postgreSQL:
-    user: rss_{{ .Values.bfl.username }}
-    password: 
-      valueFrom:
-        secretKeyRef:
-          key: pg_password
-          name: rss-secrets
-    databases:
-    - name: rss
-    - name: rss_v1
-    - name: argo
-
----
-apiVersion: apr.bytetrade.io/v1alpha1
-kind: MiddlewareRequest
-metadata:
-  name: knowledge-redis
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  app: rss
-  appNamespace: {{ .Release.Namespace }}
-  middleware: redis
-  redis:
-    password:
-      valueFrom:
-        secretKeyRef:
-          key: redis_password
-          name: rss-secrets
-    namespace: knowledge
-
----
-    
 apiVersion: v1
 kind: Service
 metadata:
@@ -183,3 +13,22 @@ spec:
       name: fakes3
       port: 4568
       targetPort: 4568
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: knowledge-base-api
+  namespace: user-system-{{ .Values.bfl.username }}
+spec:
+  type: ClusterIP
+  selector:
+    app: systemserver
+  ports:
+    - protocol: TCP
+      name: knowledge-api
+      port: 3010
+      targetPort: 3010  
+
+
+

apps/argo/config/user/helm-charts/argo/values.yaml

@@ -1,4 +1,3 @@
-
 bfl:
   nodeport: 30883
   nodeport_ingress_http: 30083
@@ -40,4 +39,4 @@ os:
     appKey: '${ks[0]}'
     appSecret: test
 kubesphere:
-  redis_password: ""
+  redis_password: ""

apps/argo/config/user/helm-charts/recommend/.helmignore

@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/

apps/argo/config/user/helm-charts/recommend/Chart.yaml

@@ -1,24 +0,0 @@
-apiVersion: v2
-name: recommend
-description: A Helm chart for Kubernetes
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.1
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "1.16.0"

apps/argo/config/user/helm-charts/recommend/templates/_helpers.tpl

@@ -1,62 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "recommend.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "recommend.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "recommend.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "recommend.labels" -}}
-helm.sh/chart: {{ include "recommend.chart" . }}
-{{ include "recommend.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "recommend.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "recommend.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "recommend.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "recommend.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}

apps/argo/config/user/helm-charts/recommend/templates/argo_fe_deploy.yaml

@@ -1,117 +0,0 @@
-
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: recommend
-  namespace: {{ .Release.Namespace }}
-spec:
-  type: ExternalName
-  externalName: argoworkflows-svc.{{ .Release.Namespace }}.svc.cluster.local
-  ports:
-    - name: http
-      port: 2746
-      protocol: TCP
-      targetPort: 2746
-
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: argoworkflows-ui
-  namespace: {{ .Release.Namespace }}
-spec:
-  ports:
-    - port: 80
-      protocol: TCP
-      targetPort: 8080
-  selector:
-    app: recommend
-  type: ClusterIP
-
----
-{{ if (eq .Values.debugVersion true) }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: recommend
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app: recommend
-    applications.app.bytetrade.io/author: bytetrade.io
-
-    applications.app.bytetrade.io/name: recommend
-    applications.app.bytetrade.io/owner: '{{ .Values.bfl.username }}'
-  annotations:
-    applications.app.bytetrade.io/icon: https://file.bttcdn.com/appstore/recommend/icon.png
-    applications.app.bytetrade.io/title: recommend
-    applications.app.bytetrade.io/version: '0.0.1'
-    applications.app.bytetrade.io/entrances: '[{"name":"recommend", "host":"argoworkflows-ui", "port":80,"title":"recommend"}]'
-
-spec:
-  replicas: 1
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app: recommend
-  template:
-    metadata:
-      labels:
-        app: recommend
-        io.bytetrade.app: "true"
-    spec:
-      containers:
-        - name: recommend-proxy
-          image: nginx:stable-alpine3.17-slim
-          imagePullPolicy: IfNotPresent
-          ports:
-            - name: proxy
-              containerPort: 8080
-          volumeMounts:
-            - name: nginx-config
-              readOnly: true
-              mountPath: /etc/nginx/nginx.conf
-              subPath: nginx.conf
-      volumes:
-        - name: nginx-config
-          configMap:
-            name: recommend-nginx-configs
-            items:
-              - key: nginx.conf
-                path: nginx.conf
-{{ end }}
-
-
-
----
-apiVersion: v1
-data:
-  nginx.conf: |
-    # Configuration checksum:
-
-    pid /var/run/nginx.pid;
-
-    worker_processes auto;
-
-    events {
-      worker_connections 1024;
-    }
-
-    http {
-      server {
-        listen 8080;
-
-        location / {
-          proxy_pass http://recommend:2746;
-          proxy_set_header Host $host;
-          proxy_set_header X-Real-IP $remote_addr;
-          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        }
-      }
-    }
-kind: ConfigMap
-metadata:
-  name: recommend-nginx-configs
-  namespace: {{ .Release.Namespace }}
-

apps/desktop/config/user/helm-charts/desktop/templates/desktop_deploy.yaml

@@ -23,6 +23,7 @@ spec:
         runAsUser: 1000
         runAsGroup: 1000
         fsGroup: 1000
+      priorityClassName: "system-cluster-critical"
       initContainers:
       - args:
         - -it
@@ -65,7 +66,7 @@ spec:
 
       containers:
       - name: edge-desktop
-        image: beclab/desktop:v0.2.45
+        image: beclab/desktop:v0.2.59
         imagePullPolicy: IfNotPresent
         securityContext:
           runAsNonRoot: false
@@ -77,7 +78,7 @@ spec:
             value: http://bfl.{{ .Release.Namespace }}:8080
 
       - name: desktop-server
-        image: beclab/desktop-server:v0.2.45
+        image: beclab/desktop-server:v0.2.59
         imagePullPolicy: IfNotPresent
         securityContext:
           allowPrivilegeEscalation: false
@@ -139,7 +140,7 @@ spec:
             fieldRef:
               fieldPath: status.podIP
       - name: terminus-ws-sidecar
-        image: 'beclab/ws-gateway:v1.0.3'
+        image: 'beclab/ws-gateway:v1.0.5'
         imagePullPolicy: IfNotPresent
         command:
           - /ws-gateway
@@ -155,7 +156,7 @@ spec:
       - name: userspace-dir
         hostPath:
           type: Directory
-          path: {{ .Values.userspace.userData }}
+          path: '{{ .Values.userspace.userData }}'
       - name: terminus-sidecar-config
         configMap:
           name: sidecar-ws-configs
@@ -449,6 +450,7 @@ data:
                               - prefix: x-unauth-
                               - exact: x-authorization
                               - exact: x-bfl-user
+                              - exact: x-real-ip
                               - exact: terminus-nonce
                           headers_to_add:
                             - key: X-Forwarded-Method
@@ -516,9 +518,11 @@ data:
         
       clusters:
       - name: original_dst
-        connect_timeout: 5000s
+        connect_timeout: 120s
         type: ORIGINAL_DST
         lb_policy: CLUSTER_PROVIDED
+        common_http_protocol_options:
+          idle_timeout: 10s
       - name: authelia
         connect_timeout: 2s
         type: LOGICAL_DNS
@@ -623,6 +627,7 @@ data:
                               - prefix: x-unauth-
                               - exact: x-authorization
                               - exact: x-bfl-user
+                              - exact: x-real-ip
                               - exact: terminus-nonce
                           headers_to_add:
                             - key: X-Forwarded-Method
@@ -691,6 +696,8 @@ data:
         connect_timeout: 5000s
         type: ORIGINAL_DST
         lb_policy: CLUSTER_PROVIDED
+        common_http_protocol_options:
+          idle_timeout: 10s
       - name: ws_original_dst
         connect_timeout: 5000s
         type: LOGICAL_DNS

apps/desktop/config/user/helm-charts/desktop/values.yaml

@@ -1,4 +1,3 @@
-
 bfl:
   username: 'test'
   url: 'test'

apps/download/README.md

@@ -1,3 +0,0 @@
-# vault
-
-https://github.com/beclab/analytic

apps/download/config/user/helm-charts/download/.helmignore

@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/

apps/download/config/user/helm-charts/download/Chart.yaml

@@ -1,26 +0,0 @@
-apiVersion: v2
-name: download
-description: A Helm chart for Kubernetes
-maintainers:
-- name: bytetrade
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.1
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "1.16.0"

apps/download/config/user/helm-charts/download/templates/download_deploy.yaml

@@ -1,319 +0,0 @@
-{{- $namespace := printf "%s%s" "user-system-" .Values.bfl.username -}}
-{{- $download_secret := (lookup "v1" "Secret" $namespace "rss-secrets") -}}
-
-{{- $pg_password := "" -}}
-{{ if $download_secret -}}
-{{ $pg_password = (index $download_secret "data" "pg_password") }}
-{{ else -}}
-{{ $pg_password = randAlphaNum 16 | b64enc }}
-{{- end -}}
-
-{{- $redis_password := "" -}}
-{{ if $download_secret -}}
-{{ $redis_password = (index $download_secret "data" "redis_password") }}
-{{ else -}}
-{{ $redis_password = randAlphaNum 16 | b64enc }}
-{{- end -}}
-
-{{- $download_nats_secret := (lookup "v1" "Secret" $namespace "download-secrets") -}}
-{{- $nat_password := "" -}}
-{{ if $download_nats_secret -}}
-{{ $nat_password = (index $download_nats_secret "data" "nat_password") }}
-{{ else -}}
-{{ $nat_password = randAlphaNum 16 | b64enc }}
-{{- end -}}
-
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: download-secrets
-  namespace: user-system-{{ .Values.bfl.username }}
-type: Opaque
-data:
-  pg_password: {{ $pg_password }}
-  redis_password: {{ $redis_password }}
-  nat_password: {{ $nat_password }}
----
-apiVersion: apr.bytetrade.io/v1alpha1
-kind: MiddlewareRequest
-metadata:
-  name: download-pg
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  app: download
-  appNamespace: {{ .Release.Namespace }}
-  middleware: postgres
-  postgreSQL:
-    user: knowledge_{{ .Values.bfl.username }}
-    password:
-      valueFrom:
-        secretKeyRef:
-          key: pg_password
-          name: download-secrets
-    databases:
-    - name: knowledge
----
-apiVersion: apr.bytetrade.io/v1alpha1
-kind: MiddlewareRequest
-metadata:
-  name: download-nat
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  app: download
-  appNamespace: {{ .Release.Namespace }}
-  middleware: nats
-  nats:
-    password:
-      valueFrom:
-        secretKeyRef:
-          key: nat_password
-          name: download-secrets
-    refs: []
-    subjects:
-    - name: download_status
-      permission:
-        pub: allow
-        sub: allow
-      export:
-      - appName: knowledge
-        sub: allow
-        pub: allow
-    user: user-system-{{ .Values.bfl.username }}-download
----
-
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: download
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app: download
-    applications.app.bytetrade.io/author: bytetrade.io
-spec:
-  replicas: 1
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app: download
-  template:
-    metadata:
-      labels:
-        app: download
-    spec:
-      securityContext:
-        runAsUser: 1000
-        runAsGroup: 1000
-        fsGroup: 1000
-
-      initContainers:
-      - name: init-data
-        image: busybox:1.28
-        securityContext:
-          privileged: true
-          runAsNonRoot: false
-          runAsUser: 0
-        volumeMounts:
-        - name: config-dir
-          mountPath: /config
-        - name: download-dir
-          mountPath: /downloads
-        command:
-        - sh
-        - -c
-        - |
-          chown -R 1000:1000 /config && \
-          chown -R 1000:1000 /downloads
-      - name: init-container
-        image: 'postgres:16.0-alpine3.18'
-        command:
-          - sh
-          - '-c'
-          - >-
-            echo -e "Checking for the availability of PostgreSQL Server deployment"; until psql -h $PGHOST -p $PGPORT -U $PGUSER -d $PGDB -c "SELECT 1"; do sleep 1; printf "-"; done; sleep 5; echo -e " >> PostgreSQL DB Server has started";
-        env:
-          - name: PGHOST
-            value: citus-master-svc.user-system-{{ .Values.bfl.username }}
-          - name: PGPORT
-            value: "5432"
-          - name: PGUSER
-            value: knowledge_{{ .Values.bfl.username }}
-          - name: PGPASSWORD
-            value: {{ $pg_password | b64dec }}
-          - name: PGDB
-            value: user_space_{{ .Values.bfl.username }}_knowledge
-      containers:
-      - name: aria2
-        image: "beclab/aria2:v0.0.3"
-        imagePullPolicy: IfNotPresent
-        securityContext:
-          runAsNonRoot: false
-          runAsUser: 0
-        ports:
-        - containerPort: 6800
-        - containerPort: 6888
-        env:
-        - name: RPC_SECRET
-          value: kubespider
-        - name: PUID
-          value: "1000"
-        - name: PGID
-          value: "1000"
-        volumeMounts:
-        - name: download-dir
-          mountPath: /downloads
-        resources:
-          requests:
-            cpu: 20m
-            memory: 50Mi
-          limits:
-            cpu: "1"
-            memory: 300Mi
-      - name: yt-dlp
-        image: "beclab/yt-dlp:v0.0.16"
-        imagePullPolicy: IfNotPresent
-        securityContext:
-          allowPrivilegeEscalation: false
-          runAsUser: 1000
-
-        ports:
-        - containerPort: 3082
-        env:
-        - name: PG_USERNAME
-          value: knowledge_{{ .Values.bfl.username }}
-        - name: PG_PASSWORD
-          value: {{ $pg_password | b64dec }}
-        - name: PG_HOST
-          value: citus-master-svc.user-system-{{ .Values.bfl.username }}
-        - name: PG_PORT
-          value: "5432"
-        - name: PG_DATABASE
-          value: user_space_{{ .Values.bfl.username }}_knowledge
-        - name: SETTING_URL
-          value: http://system-server.user-system-{{ .Values.bfl.username }}/legacy/v1alpha1/service.settings/v1/api/cookie/retrieve
-        - name: REDIS_HOST
-          value: redis-cluster-proxy.user-system-{{ .Values.bfl.username }}
-        - name: REDIS_PASSWORD
-          value: {{ $redis_password | b64dec }}
-        - name: NATS_HOST
-          value: nats.user-system-{{ .Values.bfl.username }}
-        - name: NATS_PORT
-          value: "4222"
-        - name: NATS_USERNAME
-          value: user-system-{{ .Values.bfl.username }}-download
-        - name: NATS_PASSWORD
-          value: {{ $nat_password | b64dec }}
-        - name: NATS_SUBJECT
-          value: "terminus.{{ .Release.Namespace }}.download_status"
-        volumeMounts:
-        - name: config-dir
-          mountPath: /app/config
-        - name: download-dir
-          mountPath: /app/downloads
-        resources:
-          requests:
-            cpu: 20m
-            memory: 50Mi
-          limits:
-            cpu: "1"
-            memory: 300Mi
-      - name: download-spider
-        image: "beclab/download-spider:v0.0.15"
-        imagePullPolicy: IfNotPresent
-        securityContext:
-          allowPrivilegeEscalation: false
-          runAsUser: 1000
-
-        env:
-        - name: PG_USERNAME
-          value: knowledge_{{ .Values.bfl.username }}
-        - name: PG_PASSWORD
-          value: {{ $pg_password | b64dec }}
-        - name: PG_HOST
-          value: citus-master-svc.user-system-{{ .Values.bfl.username }}
-        - name: PG_PORT
-          value: "5432"
-        - name: PG_DATABASE
-          value: user_space_{{ .Values.bfl.username }}_knowledge
-        - name: REDIS_HOST
-          value: redis-cluster-proxy.user-system-{{ .Values.bfl.username }}
-        - name: REDIS_PASSWORD
-          value: {{ $redis_password | b64dec }}
-        - name: NATS_HOST
-          value: nats.user-system-{{ .Values.bfl.username }}
-        - name: NATS_PORT
-          value: "4222"
-        - name: NATS_USERNAME
-          value: user-system-{{ .Values.bfl.username }}-download
-        - name: NATS_PASSWORD
-          value: {{ $nat_password | b64dec }}
-        - name: NATS_SUBJECT
-          value: "terminus.{{ .Release.Namespace }}.download_status"
-        volumeMounts:
-        - name: download-dir
-          mountPath: /downloads
-        
-        ports:
-        - containerPort: 3080
-        resources:
-          requests:
-            cpu: 20m
-            memory: 50Mi
-          limits:
-            cpu: "1"
-            memory: 300Mi
-
-      volumes:
-      - name: config-dir
-        hostPath: 
-          type: DirectoryOrCreate
-          path: {{ .Values.userspace.appData}}/Downloads/config
-      - name: download-dir
-        hostPath:
-          type: DirectoryOrCreate
-          path: {{ .Values.userspace.userData }}
-
-
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: download-svc
-  namespace: {{ .Release.Namespace }}
-spec:
-  type: ClusterIP
-  selector:
-    app: download
-  ports:
-    - name: "download-spider"
-      protocol: TCP
-      port: 3080
-      targetPort: 3080
-    - name: "aria2-server"
-      protocol: TCP
-      port: 6800
-      targetPort: 6800
-    - name: ytdlp-server
-      protocol: TCP
-      port: 3082
-      targetPort: 3082
-
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: download-api
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  type: ClusterIP
-  selector:
-    app: systemserver
-  ports:
-    - protocol: TCP
-      name: download-api
-      port: 3080
-      targetPort: 3080  
-
-

apps/files/config/cluster/deploy/files_deploy.yaml

@@ -1,11 +1,12 @@
 
 {{- $namespace := printf "%s" "os-system" -}}
 {{- $files_secret := (lookup "v1" "Secret" $namespace "files-secrets") -}}
-{{- $password := "" -}}
+
+{{- $files_postgres_password := "" -}}
 {{ if $files_secret -}}
-{{ $password = (index $files_secret "data" "password") }}
+{{ $files_postgres_password = (index $files_secret "data" "files_postgres_password") }}
 {{ else -}}
-{{ $password = randAlphaNum 16 | b64enc }}
+{{ $files_postgres_password = randAlphaNum 16 | b64enc }}
 {{- end -}}
 
 {{- $files_redis_password := "" -}}
@@ -15,6 +16,14 @@
 {{ $files_redis_password = randAlphaNum 16 | b64enc }}
 {{- end -}}
 
+{{- $files_nats_secret := (lookup "v1" "Secret" "os-system" "files-nats-secrets") -}}
+{{- $files_nats_password := "" -}}
+{{ if $files_nats_secret -}}
+{{ $files_nats_password = (index $files_nats_secret "data" "files_nats_password") }}
+{{ else -}}
+{{ $files_nats_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -33,13 +42,18 @@ spec:
     metadata:
       labels:
         app: files
+      annotations:
+        instrumentation.opentelemetry.io/inject-nginx: "olares-instrumentation"
+        instrumentation.opentelemetry.io/inject-nginx-container-names: "nginx"    
+        instrumentation.opentelemetry.io/inject-go: "olares-instrumentation"
+        instrumentation.opentelemetry.io/go-container-names: "gateway,files,uploader"    
+        instrumentation.opentelemetry.io/otel-go-auto-target-exe: "/filebrowser"
     spec:
       serviceAccount: os-internal
       serviceAccountName: os-internal
       securityContext:
-        runAsUser: 1000
-        runAsGroup: 1000
-        fsGroup: 1000
+        runAsUser: 0
+        runAsNonRoot: false
       initContainers:
         - name: init-data
           image: busybox:1.28
@@ -59,18 +73,40 @@ spec:
           - -c
           - |
             chown -R 1000:1000 /appdata; chown -R 1000:1000 /appcache; chown -R 1000:1000 /data
+        - name: init-container
+          image: 'postgres:16.0-alpine3.18'
+          command:
+            - sh
+            - '-c'
+            - >-
+              echo -e "Checking for the availability of PostgreSQL Server
+              deployment"; until psql -h $PGHOST -p $PGPORT -U $PGUSER -d $PGDB1
+              -c "SELECT 1"; do sleep 1; printf "-"; done; sleep 5; echo -e " >>
+              PostgreSQL DB Server has started";
+          env:
+            - name: PGHOST
+              value: citus-headless.os-system
+            - name: PGPORT
+              value: '5432'
+            - name: PGUSER
+              value: files_os_system
+            - name: PGPASSWORD
+              value: {{ $files_postgres_password | b64dec }}
+            - name: PGDB1
+              value: os_system_files
+
       containers:
         - name: gateway
-          image: beclab/appdata-gateway:0.1.15
+          image: beclab/appdata-gateway:0.1.18
           imagePullPolicy: IfNotPresent
           securityContext:
             allowPrivilegeEscalation: false
-            runAsUser: 1000
+            runAsUser: 0
           ports:
             - containerPort: 8080
           env:
             - name: FILES_SERVER_TAG
-              value: 'beclab/files-server:v0.2.45'
+              value: 'beclab/files-server:v0.2.69'
             - name: NAMESPACE
               valueFrom:
                 fieldRef:
@@ -88,6 +124,10 @@ spec:
             value: seafile
           image: beclab/media-server:v0.1.10
           imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: true
+            runAsUser: 0
+            privileged: true
           ports:
           - containerPort: 9090
           volumeMounts:
@@ -98,14 +138,15 @@ spec:
 {{ if .Values.sharedlib }}
           - name: shared-lib
             mountPath: /data/External
+            mountPropagation: Bidirectional
 {{ end }}
 
         - name: files
-          image: beclab/files-server:v0.2.45
+          image: beclab/files-server:v0.2.69
           imagePullPolicy: IfNotPresent
           securityContext:
             allowPrivilegeEscalation: true
-            runAsUser: 1000
+            runAsUser: 0
             privileged: true
           volumeMounts:
             - name: fb-data
@@ -157,7 +198,7 @@ spec:
 #            - name: ZINC_USER
 #              value: zincuser-files-os-system
 #            - name: ZINC_PASSWORD
-#              value: {{ $password | b64dec }}
+#              value: {{ $files_postgres_password | b64dec }}
 #            - name: ZINC_HOST
 #              value: zinc-server-svc.os-system
 #            - name: ZINC_PORT
@@ -191,6 +232,32 @@ spec:
               # use redis db 0 for redis cache
             - name: REDIS_DB
               value: '0'
+            - name: NATS_HOST
+              value: nats
+            - name: NATS_PORT
+              value: '4222'
+            - name: NATS_USERNAME
+              value: os-system-files-server
+            - name: NATS_PASSWORD
+              value: {{ $files_nats_password | b64dec }}
+            - name: NATS_SUBJECT
+              value: terminus.os-system.files-notify
+            - name: RESERVED_SPACE
+              value: '1000'
+            - name: OLARES_VERSION
+              value: '1.12'
+            - name: FILE_CACHE_DIR
+              value: '/data/file_cache'
+            - name: PGHOST
+              value: citus-headless.os-system
+            - name: PGPORT
+              value: '5432'
+            - name: PGUSER
+              value: files_os_system
+            - name: PGPASSWORD
+              value: {{ $files_postgres_password | b64dec }}
+            - name: PGDB1
+              value: os_system_files
             - name: POD_NAME
               valueFrom:
                 fieldRef:
@@ -207,12 +274,14 @@ spec:
             - /filebrowser
             - --noauth
         - name: uploader
-          image: beclab/upload:v1.0.7
+          image: beclab/upload:v1.0.14
           env:
             - name: UPLOAD_FILE_TYPE
               value: '*'
             - name: UPLOAD_LIMITED_SIZE
-              value: '21474836481'
+              value: '118111600640'
+            - name: RESERVED_SPACE
+              value: '1000'
           volumeMounts:
             - name: fb-data
               mountPath: /appdata
@@ -223,13 +292,18 @@ spec:
 {{ if .Values.sharedlib }}
             - name: shared-lib
               mountPath: /data/External
+              mountPropagation: Bidirectional
 {{ end }}
           resources: { }
           terminationMessagePath: /dev/termination-log
           terminationMessagePolicy: File
           imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: true
+            runAsUser: 0
+            privileged: true
         - name: nginx
-          image: 'beclab/nginx-lua:n0.0.4'
+          image: 'beclab/docker-nginx-headers-more:ubuntu-v0.1.0'
           securityContext:
             runAsNonRoot: false
             runAsUser: 0
@@ -237,6 +311,10 @@ spec:
             - containerPort: 80
               protocol: TCP
           volumeMounts:
+            - name: files-nginx-config
+              readOnly: true
+              mountPath: /etc/nginx/nginx.conf
+              subPath: nginx.conf
             - name: files-nginx-config
               mountPath: /etc/nginx/conf.d/default.conf
               subPath: default.conf
@@ -248,31 +326,33 @@ spec:
         - name: userspace-dir
           hostPath:
             type: Directory
-            path: {{ .Values.rootPath }}/rootfs/userspace
+            path: '{{ .Values.rootPath }}/rootfs/userspace'
         - name: fb-data
           hostPath:
             type: DirectoryOrCreate
-            path: {{ .Values.rootPath }}/userdata/Cache/files
+            path: '{{ .Values.rootPath }}/userdata/Cache/files'
         - name: upload-appdata
           hostPath:
-            path: {{ .Values.rootPath }}/userdata/Cache
+            path: '{{ .Values.rootPath }}/userdata/Cache'
             type: DirectoryOrCreate
         - name: files-nginx-config
           configMap:
             name: files-nginx-config
             items:
+              - key: nginx.conf
+                path: nginx.conf
               - key: default.conf
                 path: default.conf
             defaultMode: 420
         - name: user-appdata-dir
           hostPath:
-            path: {{ .Values.rootPath }}/userdata/Cache
+            path: '{{ .Values.rootPath }}/userdata/Cache'
             type: Directory
         
 {{ if .Values.sharedlib }}        
         - name: shared-lib
           hostPath:
-            path: {{ .Values.sharedlib }}
+            path: "{{ .Values.sharedlib }}"
             type: Directory
 {{ end }}            
 
@@ -345,14 +425,21 @@ spec:
           - sh
           - -c
           - |
-            chown -R 1000:1000 /appdata 
+            chown -R 1000:1000 /appdata
+        - args:
+          - -it
+          - nats.os-system:4222
+          image: owncloudci/wait-for:latest
+          imagePullPolicy: IfNotPresent
+          name: check-nats
       containers:
         - name: files
-          image: beclab/files-server:v0.2.45
+          image: beclab/files-server:v0.2.69
           imagePullPolicy: IfNotPresent
           securityContext:
-            allowPrivilegeEscalation: false
-            runAsUser: 1000
+            allowPrivilegeEscalation: true
+            runAsUser: 0
+            runAsNonRoot: false
           volumeMounts:
             - name: fb-data
               mountPath: /appdata
@@ -361,12 +448,16 @@ spec:
           ports:
             - containerPort: 8110
           env:
-            - name: FB_DATABASE
-              value: /appdata/database/filebrowser.db
-            - name: FB_CONFIG
-              value: /appdata/config/settings.json
-            - name: FB_ROOT
+            - name: ROOT_PREFIX
               value: /data
+#            - name: FB_DATABASE
+#              value: /appdata/database/filebrowser.db
+#            - name: FB_CONFIG
+#              value: /appdata/config/settings.json
+#            - name: FB_ROOT
+#              value: /data
+            - name: OLARES_VERSION
+              value: '1.12'
             - name: NODE_NAME
               valueFrom:
                 fieldRef:
@@ -378,11 +469,11 @@ spec:
         - name: user-appdata-dir
           hostPath:
             type: Directory
-            path: {{ .Values.rootPath }}/userdata/Cache
+            path: '{{ .Values.rootPath }}/userdata/Cache'
         - name: fb-data
           hostPath:
             type: DirectoryOrCreate
-            path: {{ .Values.rootPath }}/userdata/Cache/files-appdata
+            path: '{{ .Values.rootPath }}/userdata/Cache/files-appdata'
 
 ---
 apiVersion: v1
@@ -409,9 +500,39 @@ metadata:
   namespace: os-system
 type: Opaque
 data:
-  password: {{ $password }}
+  files_postgres_password: {{ $files_postgres_password }}
   files_redis_password: {{ $files_redis_password }}
 
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: files-nats-secrets
+  namespace: os-system
+data:
+  files_nats_password: {{ $files_nats_password }}
+type: Opaque
+
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: files-pg
+  namespace: os-system
+spec:
+  app: files
+  appNamespace: os-system
+  middleware: postgres
+  postgreSQL:
+    user: files_os_system
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: files_postgres_password
+          name: files-secrets
+    databases:
+      - name: files
+
 ---
 apiVersion: apr.bytetrade.io/v1alpha1
 kind: MiddlewareRequest
@@ -430,6 +551,37 @@ spec:
           name: files-secrets
     namespace: files-redis
 
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: files-server-nat
+  namespace: os-system
+spec:
+  app: files-server
+  appNamespace: os-system
+  middleware: nats
+  nats:
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: files_nats_password
+          name: files-nats-secrets
+    refs: []
+    subjects:
+      - export:
+          - appName: files-frontend
+            pub: allow
+            sub: allow
+          - appName: vault
+            pub: allow
+            sub: allow
+        name: files-notify
+        permission:
+          pub: allow
+          sub: allow
+    user: os-system-files-server
+
 ---
 kind: ConfigMap
 apiVersion: v1
@@ -439,6 +591,37 @@ metadata:
   annotations:
     kubesphere.io/creator: bytetrade.io
 data:
+  nginx.conf: |-
+    user  nginx;
+    worker_processes  auto;
+
+    error_log  /var/log/nginx/error.log notice;
+    pid        /var/run/nginx.pid;
+
+    events {
+        worker_connections  1024;
+    }
+
+    http {
+        include       /etc/nginx/mime.types;
+        default_type  application/octet-stream;
+
+        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                          '$status $body_bytes_sent "$http_referer" '
+                          '"$http_user_agent" "$http_x_forwarded_for"';
+
+        access_log  /var/log/nginx/access.log  main;
+
+        sendfile        on;
+        #tcp_nopush     on;
+
+        keepalive_timeout  2700;
+
+        #gzip  on;
+        client_max_body_size 4000M;
+
+        include /etc/nginx/conf.d/*.conf;
+    }
   default.conf: |-
     server {
     	listen 80 default_server;
@@ -488,12 +671,12 @@ data:
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Host $host;
 
-            client_body_timeout 60s;
+            client_body_timeout 600s;
             client_max_body_size 2000M;
             proxy_request_buffering off;
-            keepalive_timeout 75s;
-            proxy_read_timeout 60s;
-            proxy_send_timeout 60s;
+            keepalive_timeout 750s;
+            proxy_read_timeout 600s;
+            proxy_send_timeout 600s;
         }
 
         location /api/raw/AppData {
@@ -505,12 +688,77 @@ data:
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Host $host;
 
-            client_body_timeout 60s;
-            client_max_body_size 2000M;
+            client_body_timeout 1800s;
+            client_max_body_size 4000M;
             proxy_request_buffering off;
-            keepalive_timeout 75s;
-            proxy_read_timeout 60s;
-            proxy_send_timeout 60s;
+            keepalive_timeout 2700s;
+            proxy_read_timeout 1800s;
+            proxy_send_timeout 1800s;
+        }
+
+        location /api/raw {
+            proxy_pass http://127.0.0.1:8080;
+            # rewrite ^/server(.*)$ $1 break;
+
+            # Add original-request-related headers
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Host $host;
+
+            client_body_timeout 1800s;
+            client_max_body_size 4000M;
+            proxy_request_buffering off;
+            keepalive_timeout 2700s;
+            proxy_read_timeout 1800s;
+            proxy_send_timeout 1800s;
+        }
+
+        location /api/md5 {
+            proxy_pass http://127.0.0.1:8080;
+            # rewrite ^/server(.*)$ $1 break;
+            # Add original-request-related headers
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Host $host;
+            add_header Accept-Ranges bytes;
+            client_body_timeout 1800s;
+            client_max_body_size 4000M;
+            proxy_request_buffering off;
+            keepalive_timeout 2700s;
+            proxy_read_timeout 1800s;
+            proxy_send_timeout 1800s;
+        }
+
+        location /api/paste {
+            proxy_pass http://127.0.0.1:8080;
+            # rewrite ^/server(.*)$ $1 break;
+            # Add original-request-related headers
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Host $host;
+            add_header Accept-Ranges bytes;
+            client_body_timeout 1800s;
+            client_max_body_size 4000M;
+            proxy_request_buffering off;
+            keepalive_timeout 2700s;
+            proxy_read_timeout 1800s;
+            proxy_send_timeout 1800s;
+        }
+
+        location /api/cache {
+            proxy_pass http://127.0.0.1:8080;
+            # rewrite ^/server(.*)$ $1 break;
+            # Add original-request-related headers
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Host $host;
+            add_header Accept-Ranges bytes;
+            client_body_timeout 1800s;
+            client_max_body_size 4000M;
+            proxy_request_buffering off;
+            keepalive_timeout 2700s;
+            proxy_read_timeout 1800s;
+            proxy_send_timeout 1800s;
         }
 
         location /provider {
@@ -562,7 +810,7 @@ data:
 
             client_body_timeout 600s;
             client_max_body_size 4000M;
-            proxy_request_buffering off;
+            proxy_request_buffering on;
             keepalive_timeout 750s;
             proxy_read_timeout 600s;
             proxy_send_timeout 600s;
@@ -598,12 +846,12 @@ data:
 
             add_header Accept-Ranges bytes;
 
-            client_body_timeout 60s;
+            client_body_timeout 600s;
             client_max_body_size 2000M;
             proxy_request_buffering off;
-            keepalive_timeout 75s;
-            proxy_read_timeout 60s;
-            proxy_send_timeout 60s;
+            keepalive_timeout 750s;
+            proxy_read_timeout 600s;
+            proxy_send_timeout 600s;
         }
 
         location /seafhttp/ {
@@ -617,12 +865,12 @@ data:
 
             add_header Accept-Ranges bytes;
 
-            client_body_timeout 60s;
+            client_body_timeout 600s;
             client_max_body_size 2000M;
             proxy_request_buffering off;
-            keepalive_timeout 75s;
-            proxy_read_timeout 60s;
-            proxy_send_timeout 60s;
+            keepalive_timeout 750s;
+            proxy_read_timeout 600s;
+            proxy_send_timeout 600s;
         }
     	# files
     	# for all routes matching a dot, check for files and return 404 if not found

apps/files/config/user/helm-charts/files/templates/files_fe_deploy.yaml

@@ -27,6 +27,14 @@
 {{ $pg_password = randAlphaNum 16 | b64enc }}
 {{- end -}}
 
+{{- $files_frontend_nats_secret := (lookup "v1" "Secret" $namespace "files-frontend-nats-secrets") -}}
+{{- $files_frontend_nats_password := "" -}}
+{{ if $files_frontend_nats_secret -}}
+{{ $files_frontend_nats_password = (index $files_frontend_nats_secret "data" "files_frontend_nats_password") }}
+{{ else -}}
+{{ $files_frontend_nats_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
 
 ---
 apiVersion: v1
@@ -104,6 +112,13 @@ spec:
       labels:
         app: files
         io.bytetrade.app: "true"
+      annotations:
+        # support nginx 1.24.3 1.25.3
+        instrumentation.opentelemetry.io/inject-nginx: "olares-instrumentation"
+        instrumentation.opentelemetry.io/inject-nginx-container-names: "files-frontend"    
+        instrumentation.opentelemetry.io/inject-go: "olares-instrumentation"
+        instrumentation.opentelemetry.io/go-container-names: "driver-server"    
+        instrumentation.opentelemetry.io/otel-go-auto-target-exe: "drive"
     spec:
       serviceAccountName: bytetrade-controller
       securityContext:
@@ -134,6 +149,12 @@ spec:
         image: owncloudci/wait-for:latest
         imagePullPolicy: IfNotPresent
         name: check-auth
+      - args:
+        - -it
+        - nats.user-system-{{ .Values.bfl.username }}:4222
+        image: owncloudci/wait-for:latest
+        imagePullPolicy: IfNotPresent
+        name: check-nats
       - name: terminus-sidecar-init
         image: openservicemesh/init:v1.2.3
         imagePullPolicy: IfNotPresent
@@ -185,6 +206,20 @@ spec:
             value: "{{ $pg_password | b64dec }}"
           - name: PGDB
             value: user_space_{{ .Values.bfl.username }}_cloud_drive_integration
+      - name: files-frontend-init
+        image: beclab/files-frontend:v1.3.61
+        imagePullPolicy: IfNotPresent
+        volumeMounts:
+          - name: app
+            mountPath: /cp_app
+          - name: nginx-confd
+            mountPath: /confd
+        command:
+        - sh
+        - -c
+        - |
+          cp -rf /app/* /cp_app/. && cp -rf /etc/nginx/conf.d/* /confd/.
+
       containers:
 #      - name: gateway
 #        image: beclab/appdata-gateway:0.1.12
@@ -283,18 +318,33 @@ spec:
 #        - /filebrowser
 #        - --noauth
       - name: files-frontend
-        image: beclab/files-frontend:v1.2.69
+        image: beclab/docker-nginx-headers-more:ubuntu-v0.1.0
         imagePullPolicy: IfNotPresent
         securityContext:
           runAsNonRoot: false
           runAsUser: 0
         ports:
         - containerPort: 80
+        env:
+          - name: NATS_HOST
+            value: nats.user-system-{{ .Values.bfl.username }}
+          - name: NATS_PORT
+            value: '4222'
+          - name: NATS_USERNAME
+            value: user-system-{{ .Values.bfl.username }}-files-frontend
+          - name: NATS_PASSWORD
+            value: {{ $files_frontend_nats_password | b64dec }}
+          - name: NATS_SUBJECT
+            value: terminus.os-system.files-notify
         volumeMounts:
         - name: userspace-dir
           mountPath: /data
+        - name: app
+          mountPath: /app
+        - name: nginx-confd
+          mountPath: /etc/nginx/conf.d
       - name: drive-server
-        image: beclab/drive:v0.0.29
+        image: beclab/drive:v0.0.72
         imagePullPolicy: IfNotPresent
         env:
         - name: OS_SYSTEM_SERVER
@@ -314,8 +364,10 @@ spec:
           mountPath: /appdata/
         - name: userspace-app-dir
           mountPath: /data/Application
+        - name: data-dir
+          mountPath: /data
       - name: task-executor
-        image: beclab/driveexecutor:v0.0.29
+        image: beclab/driveexecutor:v0.0.72
         imagePullPolicy: IfNotPresent
         env:
         - name: OS_SYSTEM_SERVER
@@ -335,6 +387,8 @@ spec:
           mountPath: /appdata/
         - name: userspace-app-dir
           mountPath: /data/Application
+        - name: data-dir
+          mountPath: /data
 #      - name: terminus-upload-sidecar
 #        image: beclab/upload:v1.0.3
 #        env:
@@ -397,40 +451,48 @@ spec:
               fieldPath: status.podIP
 
       volumes:
+      - name: data-dir
+        hostPath:
+          path: '{{ .Values.rootPath }}/rootfs/userspace'
+          type: Directory
       - name: watch-dir
         hostPath:
           type: Directory
-          path: {{ .Values.userspace.userData }}/Documents
+          path: '{{ .Values.userspace.userData }}/Documents'
       - name: userspace-dir
         hostPath:
           type: Directory
-          path: {{ .Values.userspace.userData }}
+          path: '{{ .Values.userspace.userData }}'
       - name: userspace-app-dir
         hostPath:
           type: Directory
-          path: {{ .Values.userspace.appData }}
+          path: '{{ .Values.userspace.appData }}'
       - name: fb-data
         hostPath:
           type: DirectoryOrCreate
-          path: {{ .Values.userspace.appCache}}/files
+          path: '{{ .Values.userspace.appCache}}/files'
       - name: upload-data
         hostPath:
           type: Directory
-          path: {{ .Values.userspace.userData }}
+          path: '{{ .Values.userspace.userData }}'
       - name: upload-appdata
         hostPath:
           type: Directory
-          path: {{ .Values.userspace.appCache}}
+          path: '{{ .Values.userspace.appCache}}'
       - name: uploads-temp
         hostPath:
           type: DirectoryOrCreate
-          path: {{ .Values.userspace.appCache }}/files/uploadstemp
+          path: '{{ .Values.userspace.appCache }}/files/uploadstemp'
       - name: terminus-sidecar-config
         configMap:
           name: sidecar-upload-configs
           items:
           - key: envoy.yaml
             path: envoy.yaml
+      - name: app
+        emptyDir: {}
+      - name: nginx-confd
+        emptyDir: {}
 
    
 
@@ -606,6 +668,16 @@ data:
   redis_password: {{ $redis_password }}
   pg_password: {{ $pg_password }}
 
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: files-frontend-nats-secrets
+  namespace: user-system-{{ .Values.bfl.username }}
+data:
+  files_frontend_nats_password: {{ $files_frontend_nats_password }}
+type: Opaque
+
 #---
 #apiVersion: apr.bytetrade.io/v1alpha1
 #kind: MiddlewareRequest
@@ -646,6 +718,31 @@ spec:
           name: zinc-files-secrets
     namespace: zinc-files
 
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: files-frontend-nat
+  namespace: user-system-{{ .Values.bfl.username }}
+spec:
+  app: files-frontend
+  appNamespace: user-space-{{ .Values.bfl.username }}
+  middleware: nats
+  nats:
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: files_frontend_nats_password
+          name: files-frontend-nats-secrets
+    refs:
+      - appName: files-server
+        appNamespace: os-system
+        subjects:
+          - name: files-notify
+            perm:
+              - pub
+              - sub
+    user: user-system-{{ .Values.bfl.username }}-files-frontend
 
 ---
 apiVersion: v1
@@ -690,11 +787,14 @@ data:
                                 prefix: "/upload"
                               route:
                                 cluster: upload_original_dst
+                                timeout: 1800s
+                                idle_timeout: 1800s
                             - match:
                                 prefix: "/"
                               route:
                                 cluster: original_dst
-                                timeout: 600s
+                                timeout: 1800s
+                                idle_timeout: 1800s
                     http_protocol_options:
                       accept_http_10: true
                     http_filters:
@@ -716,6 +816,7 @@ data:
                                   - prefix: x-unauth-
                                   - exact: x-authorization
                                   - exact: x-bfl-user
+                                  - exact: x-real-ip
                                   - exact: terminus-nonce
                               headers_to_add:
                                 - key: X-Forwarded-Method
@@ -781,9 +882,11 @@ data:
 
       clusters:
         - name: original_dst
-          connect_timeout: 5000s
+          connect_timeout: 120s
           type: ORIGINAL_DST
           lb_policy: CLUSTER_PROVIDED
+          common_http_protocol_options:
+            idle_timeout: 10s
         - name: upload_original_dst
           connect_timeout: 5000s
           type: LOGICAL_DNS

apps/files/config/user/helm-charts/files/values.yaml

@@ -1,4 +1,3 @@
-
 bfl:
   nodeport: 30883
   nodeport_ingress_http: 30083
@@ -46,4 +45,4 @@ os:
     appKey: '${ks[0]}'
     appSecret: test
 kubesphere:
-  redis_password: ""
+  redis_password: ""

apps/knowledge/config/cluster/deploy/knowledge_deployment.yaml

@@ -0,0 +1,646 @@
+{{- $share_secret := (lookup "v1" "Secret" "os-system" "knowledge-share-secrets") -}}
+
+{{- $redis_password := "" -}}
+{{ if $share_secret -}}
+{{ $redis_password = (index $share_secret "data" "redis_password") }}
+{{ else -}}
+{{ $redis_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
+{{- $redis_password_data := "" -}}
+{{ $redis_password_data = $redis_password | b64dec }}
+
+
+{{- $pg_password := "" -}}
+{{ if $share_secret -}}
+{{ $pg_password = (index $share_secret "data" "pg_password") }}
+{{ else -}}
+{{ $pg_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
+{{- $knowledge_nats_secret := (lookup "v1" "Secret" "os-system" "knowledge-secrets") -}}
+{{- $nat_password := "" -}}
+{{ if $knowledge_nats_secret -}}
+{{ $nat_password = (index $knowledge_nats_secret "data" "nat_password") }}
+{{ else -}}
+{{ $nat_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: knowledge-secrets
+  namespace: os-system
+type: Opaque
+data:
+  nat_password: {{ $nat_password }}
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: knowledge-share-secrets
+  namespace: os-system
+type: Opaque
+data:
+  pg_password: {{ $pg_password }}
+  redis_password: {{ $redis_password }}
+---  
+
+
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: knowledge-pg
+  namespace: os-system
+spec:
+  app: knowledge
+  appNamespace: os-system
+  middleware: postgres
+  postgreSQL:
+    user: knowledge_os_system
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: pg_password
+          name: knowledge-share-secrets
+    databases:
+    - name: knowledge
+      extensions:
+      - pg_trgm
+      - btree_gin
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: knowledge-redis
+  namespace: os-system
+spec:
+  app: rss
+  appNamespace: os-system
+  middleware: redis
+  redis:
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: redis_password
+          name: knowledge-share-secrets
+    namespace: knowledge
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: knowledge-nat
+  namespace: os-system
+spec:
+  app: knowledge
+  appNamespace: os-system
+  middleware: nats
+  nats:
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: nat_password
+          name: knowledge-secrets
+    refs:
+    - appName: download
+      appNamespace: os-system
+      subjects:
+      - name: download_status
+        perm:
+        - pub
+        - sub
+    user: os-system-knowledge
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: knowledge
+  namespace: os-system
+  labels:
+    app: knowledge
+    applications.app.bytetrade.io/author: bytetrade.io
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: knowledge
+  template:
+    metadata:
+      labels:
+        app: knowledge
+    spec:
+      serviceAccount: os-internal
+      serviceAccountName: os-internal
+      securityContext:
+        runAsUser: 0
+        runAsNonRoot: false
+      initContainers:
+      - name: init-data
+        image: busybox:1.28
+        securityContext:
+          privileged: true
+          runAsNonRoot: false
+          runAsUser: 0
+        volumeMounts:
+        - name: userspace-dir
+          mountPath: /data
+        - name: cache-dir
+          mountPath: /appCache
+        command:
+        - sh
+        - -c
+        - |
+          chown -R 1000:1000 /data && \
+          chown -R 1000:1000 /appCache
+      - name: init-container
+        image: 'postgres:16.0-alpine3.18'
+        command:
+          - sh
+          - '-c'
+          - >-
+            echo -e "Checking for the availability of PostgreSQL Server deployment"; until psql -h $PGHOST -p $PGPORT -U $PGUSER -d $PGDB -c "SELECT 1"; do sleep 1; printf "-"; done; sleep 5; echo -e " >> PostgreSQL DB Server has started";
+        env:
+          - name: PGHOST
+            value: citus-headless.os-system
+          - name: PGPORT
+            value: "5432"
+          - name: PGUSER
+            value: knowledge_os_system
+          - name: PGPASSWORD
+            value: {{ $pg_password | b64dec }}
+          - name: PGDB
+            value: os_system_knowledge
+      containers:
+      - name: knowledge
+        image: "beclab/knowledge-base-api:v0.12.5"
+        imagePullPolicy: IfNotPresent
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsUser: 1000
+        ports:
+        - containerPort: 3010
+        env:
+        - name: BACKEND_URL
+          value: http://127.0.0.1:8080
+        - name: RSSHUB_URL
+          value: 'http://rss-server.os-system:1200'
+        - name: UPLOAD_SAVE_PATH
+          value: '/data/'
+        - name: SEARCH_URL
+          value: 'http://search3.os-system:80'
+        - name: REDIS_PASSWORD
+          value: {{ $redis_password_data }}
+        - name: REDIS_ADDR
+          value: redis-cluster-proxy.os-system
+        - name: PG_USERNAME
+          value: knowledge_os_system
+        - name: PG_PASSWORD
+          value: {{ $pg_password | b64dec }}
+        - name: PG_HOST
+          value: citus-headless.os-system
+        - name: PG_PORT
+          value: "5432"
+        - name: PG_DATABASE
+          value: os_system_knowledge
+        - name: DOWNLOAD_URL
+          value: http://download-svc.os-system:3080
+        - name: YTDLP_DOWNLOAD_URL
+          value: http://download-svc.os-system:3082
+        - name: NATS_HOST
+          value: nats
+        - name: NATS_PORT
+          value: "4222"
+        - name: NATS_USERNAME
+          value: os-system-knowledge
+        - name: NATS_PASSWORD
+          value: {{ $nat_password | b64dec }}
+        - name: NATS_SUBJECT
+          value: terminus.os-system.download_status
+        - name: SOCKET_URL
+          value: 'http://localhost:40010'
+        volumeMounts:
+          - name: userspace-dir
+            mountPath: /data
+        resources:
+          requests:
+            cpu: 20m
+            memory: 50Mi
+          limits:
+            cpu: "1"
+            memory: 1Gi
+
+      - name: backend-server
+        image: "beclab/recommend-backend:v0.12.0"
+        imagePullPolicy: IfNotPresent
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsUser: 1000
+        env:
+        - name: LISTEN_ADDR
+          value: 127.0.0.1:8080
+        - name: REDIS_PASSWORD
+          value: {{ $redis_password_data }}
+        - name: REDIS_ADDR
+          value: redis-cluster-proxy.os-system:6379
+        - name: RSS_HUB_URL
+          value: 'http://rss-server.os-system:1200/'
+        - name: WE_CHAT_REFRESH_FEED_URL
+          value: https://recommend-wechat-prd.bttcdn.com/api/wechat/entries
+        - name: WECHAT_ENTRY_CONTENT_GET_API_URL
+          value: https://recommend-wechat-prd.bttcdn.com/api/wechat/entry/content
+        - name: PG_USERNAME
+          value: knowledge_os_system
+        - name: PG_PASSWORD
+          value: {{ $pg_password | b64dec }}
+        - name: PG_HOST
+          value: citus-headless.os-system
+        - name: PG_PORT
+          value: "5432"
+        - name: PG_DATABASE
+          value: os_system_knowledge
+        - name: WATCH_DIR
+          value: /data/
+        - name: YT_DLP_API_URL
+          value: http://download-svc.os-system:3082/api/v1/get_metadata
+        - name: DOWNLOAD_API_URL
+          value: http://download-svc.os-system:3080/api
+        volumeMounts:
+          - name: userspace-dir
+            mountPath: /data
+        ports:
+        - containerPort: 8080
+        resources:
+          requests:
+            cpu: 20m
+            memory: 50Mi
+          limits:
+            cpu: "800m"
+            memory: 400Mi
+
+      - name: sync
+        image: "beclab/recommend-sync:v0.12.0"
+        securityContext:
+          runAsUser: 0
+          runAsNonRoot: false
+        env:
+        - name: USERSPACE_DIRECTORY
+          value: /data
+        - name: KNOWLEDGE_BASE_API_URL
+          value: http://127.0.0.1:3010
+        - name: PG_HOST
+          value: citus-headless.os-system
+        - name: PG_USERNAME
+          value: knowledge_os_system
+        - name: PG_PASSWORD
+          value: {{ $pg_password | b64dec }}
+        - name: PG_DATABASE
+          value: os_system_knowledge
+        - name: PG_PORT
+          value: "5432"
+        - name: TERMINUS_RECOMMEND_REDIS_ADDR
+          value: redis-cluster-proxy.os-system:6379
+        - name: TERMINUS_RECOMMEND_REDIS_PASSOWRD
+          value: {{ $redis_password_data }}
+        volumeMounts:
+          - name: userspace-dir
+            mountPath: /data
+       
+      - name: crawler
+        image: "beclab/recommend-crawler:v0.12.1"
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsUser: 1000
+        env:
+        - name: KNOWLEDGE_BASE_API_URL
+          value: http://127.0.0.1:3010
+        resources:
+          requests:
+            cpu: 20m
+            memory: 50Mi
+          limits:
+            cpu: "800m"
+            memory: 800Mi
+        volumeMounts:
+          - name: cache-dir
+            mountPath: /appCache
+
+      - name: terminus-ws-sidecar
+        image: 'beclab/ws-gateway:v1.0.4'
+        imagePullPolicy: IfNotPresent
+        command:
+          - /ws-gateway
+        env:
+          - name: WS_PORT
+            value: '3010'
+          - name: WS_URL
+            value: /knowledge/websocket/message
+        resources: {}
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+
+      
+      volumes:
+      - name: userspace-dir
+        hostPath:
+          type: Directory
+          path: '{{ .Values.rootPath }}/rootfs/userspace'
+      - name: cache-dir
+        hostPath:
+          path: '{{ .Values.rootPath }}/userdata/Cache/rss'
+          type: DirectoryOrCreate
+      - name: terminus-sidecar-config
+        configMap:
+          name: sidecar-ws-configs
+          items:
+          - key: envoy.yaml
+            path: envoy.yaml
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: rss-svc
+  namespace: os-system
+spec:
+  type: ClusterIP
+  selector:
+    app: knowledge
+  ports:
+    - name: "backend-server"
+      protocol: TCP
+      port: 8080
+      targetPort: 8080
+    - name: "knowledge-base-api"
+      protocol: TCP
+      port: 3010
+      targetPort: 3010
+    - name: "knowledge-websocket"
+      protocol: TCP
+      port: 40010
+      targetPort: 40010
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: knowledge-base-api
+  namespace: os-system
+spec:
+  type: ClusterIP
+  selector:
+    app: systemserver
+  ports:
+    - protocol: TCP
+      name: knowledge-api
+      port: 3010
+      targetPort: 3010  
+
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: download-nat
+  namespace: os-system
+spec:
+  app: download
+  appNamespace: os-system
+  middleware: nats
+  nats:
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: nat_password
+          name: knowledge-secrets
+    refs: []
+    subjects:
+    - name: download_status
+      permission:
+        pub: allow
+        sub: allow
+      export:
+      - appName: knowledge
+        sub: allow
+        pub: allow
+    user: os-system-download
+---
+
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: download
+  namespace: os-system
+  labels:
+    app: download
+    applications.app.bytetrade.io/author: bytetrade.io
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: download
+  template:
+    metadata:
+      labels:
+        app: download
+    spec:
+      serviceAccount: os-internal
+      serviceAccountName: os-internal
+      securityContext:
+        runAsUser: 0
+        runAsNonRoot: false
+
+      initContainers:
+      - name: init-data
+        image: busybox:1.28
+        securityContext:
+          privileged: true
+          runAsNonRoot: false
+          runAsUser: 0
+        volumeMounts:
+        - name: config-dir
+          mountPath: /config
+        - name: download-dir
+          mountPath: /downloads
+        command:
+        - sh
+        - -c
+        - |
+          chown -R 1000:1000 /config && \
+          chown -R 1000:1000 /downloads
+      - name: init-container
+        image: 'postgres:16.0-alpine3.18'
+        command:
+          - sh
+          - '-c'
+          - >-
+            echo -e "Checking for the availability of PostgreSQL Server deployment"; until psql -h $PGHOST -p $PGPORT -U $PGUSER -d $PGDB -c "SELECT 1"; do sleep 1; printf "-"; done; sleep 5; echo -e " >> PostgreSQL DB Server has started";
+        env:
+          - name: PGHOST
+            value: citus-headless.os-system
+          - name: PGPORT
+            value: "5432"
+          - name: PGUSER
+            value: knowledge_os_system
+          - name: PGPASSWORD
+            value: {{ $pg_password | b64dec }}
+          - name: PGDB
+            value: os_system_knowledge
+      containers:
+      - name: aria2
+        image: "beclab/aria2:v0.0.4"
+        imagePullPolicy: IfNotPresent
+        securityContext:
+          runAsNonRoot: false
+          runAsUser: 0
+        ports:
+        - containerPort: 6800
+        - containerPort: 6888
+        env:
+        - name: RPC_SECRET
+          value: kubespider
+        - name: PUID
+          value: "1000"
+        - name: PGID
+          value: "1000"
+        volumeMounts:
+        - name: download-dir
+          mountPath: /downloads
+        resources:
+          requests:
+            cpu: 20m
+            memory: 50Mi
+          limits:
+            cpu: "1"
+            memory: 300Mi
+      - name: yt-dlp
+        image: "beclab/yt-dlp:v0.12.2"
+        imagePullPolicy: IfNotPresent
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsUser: 1000
+
+        ports:
+        - containerPort: 3082
+        env:
+        - name: PG_USERNAME
+          value: knowledge_os_system
+        - name: PG_PASSWORD
+          value: {{ $pg_password | b64dec }}
+        - name: PG_HOST
+          value: citus-headless.os-system
+        - name: PG_PORT
+          value: "5432"
+        - name: PG_DATABASE
+          value: os_system_knowledge
+        - name: REDIS_HOST
+          value: redis-cluster-proxy.os-system
+        - name: REDIS_PASSWORD
+          value: {{ $redis_password | b64dec }}
+        - name: NATS_HOST
+          value: nats
+        - name: NATS_PORT
+          value: "4222"
+        - name: NATS_USERNAME
+          value: os-system-download
+        - name: NATS_PASSWORD
+          value: {{ $nat_password | b64dec }}
+        - name: NATS_SUBJECT
+          value: terminus.os-system.download_status
+        volumeMounts:
+        - name: config-dir
+          mountPath: /app/config
+        - name: download-dir
+          mountPath: /app/downloads
+        resources:
+          requests:
+            cpu: 20m
+            memory: 50Mi
+          limits:
+            cpu: "1"
+            memory: 300Mi
+      - name: download-spider
+        image: "beclab/download-spider:v0.12.2"
+        imagePullPolicy: IfNotPresent
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsUser: 1000
+
+        env:
+        - name: PG_USERNAME
+          value: knowledge_os_system
+        - name: PG_PASSWORD
+          value: {{ $pg_password | b64dec }}
+        - name: PG_HOST
+          value: citus-headless.os-system
+        - name: PG_PORT
+          value: "5432"
+        - name: PG_DATABASE
+          value: os_system_knowledge
+        - name: REDIS_HOST
+          value: redis-cluster-proxy.os-system
+        - name: REDIS_PASSWORD
+          value: {{ $redis_password | b64dec }}
+        - name: NATS_HOST
+          value: nats
+        - name: NATS_PORT
+          value: "4222"
+        - name: NATS_USERNAME
+          value: os-system-download
+        - name: NATS_PASSWORD
+          value: {{ $nat_password | b64dec }}
+        - name: NATS_SUBJECT
+          value: terminus.os-system.download_status
+        volumeMounts:
+        - name: download-dir
+          mountPath: /downloads
+        
+        ports:
+        - containerPort: 3080
+        resources:
+          requests:
+            cpu: 20m
+            memory: 50Mi
+          limits:
+            cpu: "1"
+            memory: 300Mi
+
+      volumes:
+      - name: config-dir
+        hostPath: 
+          type: DirectoryOrCreate
+          path: '{{ .Values.rootPath }}/userdata/Cache/download'
+      - name: download-dir
+        hostPath:
+          type: DirectoryOrCreate
+          path: '{{ .Values.rootPath }}/rootfs/userspace'
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: download-svc
+  namespace: os-system
+spec:
+  type: ClusterIP
+  selector:
+    app: download
+  ports:
+    - name: "download-spider"
+      protocol: TCP
+      port: 3080
+      targetPort: 3080
+    - name: "aria2-server"
+      protocol: TCP
+      port: 6800
+      targetPort: 6800
+    - name: ytdlp-server
+      protocol: TCP
+      port: 3082
+      targetPort: 3082

apps/knowledge/config/user/helm-charts/knowledge/.helmignore

@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/

apps/knowledge/config/user/helm-charts/knowledge/Chart.yaml

@@ -1,26 +0,0 @@
-apiVersion: v2
-name: knowledge
-description: A Helm chart for Kubernetes
-maintainers:
-- name: bytetrade
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.1
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "1.16.0"

apps/knowledge/config/user/helm-charts/knowledge/templates/_helpers.tpl

@@ -1,62 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "knowledge.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "knowledge.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "knowledge.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "knowledge.labels" -}}
-helm.sh/chart: {{ include "knowledge.chart" . }}
-{{ include "knowledge.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "knowledge.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "knowledge.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "knowledge.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "knowledge.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}

apps/knowledge/config/user/helm-charts/knowledge/templates/knowledge_deployment.yaml

@@ -1,548 +0,0 @@
-{{- $namespace := printf "%s%s" "user-system-" .Values.bfl.username -}}
-{{- $knowledge_secret := (lookup "v1" "Secret" $namespace "rss-secrets") -}}
-
-{{- $redis_password := "" -}}
-{{ if $knowledge_secret -}}
-{{ $redis_password = (index $knowledge_secret "data" "redis_password") }}
-{{ else -}}
-{{ $redis_password = randAlphaNum 16 | b64enc }}
-{{- end -}}
-
-{{- $redis_password_data := "" -}}
-{{ $redis_password_data = $redis_password | b64dec }}
-
-
-{{- $pg_password := "" -}}
-{{ if $knowledge_secret -}}
-{{ $pg_password = (index $knowledge_secret "data" "pg_password") }}
-{{ else -}}
-{{ $pg_password = randAlphaNum 16 | b64enc }}
-{{- end -}}
-
-{{- $knowledge_nats_secret := (lookup "v1" "Secret" $namespace "knowledge-secrets") -}}
-{{- $nat_password := "" -}}
-{{ if $knowledge_nats_secret -}}
-{{ $nat_password = (index $knowledge_nats_secret "data" "nat_password") }}
-{{ else -}}
-{{ $nat_password = randAlphaNum 16 | b64enc }}
-{{- end -}}
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: knowledge-secrets
-  namespace: user-system-{{ .Values.bfl.username }}
-type: Opaque
-data:
-  pg_password: {{ $pg_password }}
-  nat_password: {{ $nat_password }}
----
-apiVersion: apr.bytetrade.io/v1alpha1
-kind: MiddlewareRequest
-metadata:
-  name: knowledge-pg
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  app: knowledge
-  appNamespace: {{ .Release.Namespace }}
-  middleware: postgres
-  postgreSQL:
-    user: knowledge_{{ .Values.bfl.username }}
-    password:
-      valueFrom:
-        secretKeyRef:
-          key: pg_password
-          name: knowledge-secrets
-    databases:
-    - name: knowledge
-      extensions:
-      - pg_trgm
-      - btree_gin
----
-apiVersion: apr.bytetrade.io/v1alpha1
-kind: MiddlewareRequest
-metadata:
-  name: knowledge-nat
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  app: knowledge
-  appNamespace: {{ .Release.Namespace }}
-  middleware: nats
-  nats:
-    password:
-      valueFrom:
-        secretKeyRef:
-          key: nat_password
-          name: knowledge-secrets
-    refs:
-    - appName: download
-      appNamespace: {{ .Release.Namespace }}
-      subjects:
-      - name: download_status
-        perm:
-        - pub
-        - sub
-    user: user-system-{{ .Values.bfl.username }}-knowledge
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: knowledge-secrets-auth
-  namespace: {{ .Release.Namespace }}
-data:
-  redis_password: {{ $redis_password_data }}
-  redis_addr: redis-cluster-proxy.user-system-{{ .Values.bfl.username }}:6379
-  redis_host: redis-cluster-proxy.user-system-{{ .Values.bfl.username }}
-  redis_port: '6379'
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: knowledge-userspace-data
-  namespace: {{ .Release.Namespace }}
-data:
-  appData: "{{ .Values.userspace.appData }}"
-  appCache: "{{ .Values.userspace.appCache }}"
-  username: "{{ .Values.bfl.username }}"
-
----
-
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: knowledge
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app: knowledge
-    applications.app.bytetrade.io/author: bytetrade.io
-spec:
-  replicas: 1
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app: knowledge
-  template:
-    metadata:
-      labels:
-        app: knowledge
-    spec:
-      securityContext:
-        runAsUser: 1000
-        runAsGroup: 1000
-        fsGroup: 1000
-
-      initContainers:
-      - name: init-data
-        image: busybox:1.28
-        securityContext:
-          privileged: true
-          runAsNonRoot: false
-          runAsUser: 0
-        volumeMounts:
-        - name: juicefs
-          mountPath: /juicefs
-        command:
-        - sh
-        - -c
-        - |
-          chown -R 1000:1000 /juicefs
-      - name: init-container
-        image: 'postgres:16.0-alpine3.18'
-        command:
-          - sh
-          - '-c'
-          - >-
-            echo -e "Checking for the availability of PostgreSQL Server deployment"; until psql -h $PGHOST -p $PGPORT -U $PGUSER -d $PGDB -c "SELECT 1"; do sleep 1; printf "-"; done; sleep 5; echo -e " >> PostgreSQL DB Server has started";
-        env:
-          - name: PGHOST
-            value: citus-master-svc.user-system-{{ .Values.bfl.username }}
-          - name: PGPORT
-            value: "5432"
-          - name: PGUSER
-            value: knowledge_{{ .Values.bfl.username }}
-          - name: PGPASSWORD
-            value: {{ $pg_password | b64dec }}
-          - name: PGDB
-            value: user_space_{{ .Values.bfl.username }}_knowledge
-      containers:
-      - name: knowledge
-        image: "beclab/knowledge-base-api:v0.1.56"
-        imagePullPolicy: IfNotPresent
-        securityContext:
-          allowPrivilegeEscalation: false
-          runAsUser: 1000
-
-        ports:
-        - containerPort: 3010
-        env:
-        - name: BACKEND_URL
-          value: http://127.0.0.1:8080
-        - name: RSSHUB_URL
-          value: 'http://rss-server.os-system:1200'
-        - name: SEARCH_URL
-          value: 'http://search3.os-system:80'
-        - name: REDIS_PASSWORD
-          valueFrom:
-            configMapKeyRef:
-              name: knowledge-secrets-auth
-              key: redis_password
-        - name: REDIS_ADDR
-          valueFrom:
-            configMapKeyRef:
-              name: knowledge-secrets-auth
-              key: redis_addr
-        - name: PDF_SAVE_PATH
-          value: /data/Home/Documents/Pdf/
-        - name: PG_USERNAME
-          value: knowledge_{{ .Values.bfl.username }}
-        - name: PG_PASSWORD
-          value: {{ $pg_password | b64dec }}
-        - name: PG_HOST
-          value: citus-master-svc.user-system-{{ .Values.bfl.username }}
-        - name: PG_PORT
-          value: "5432"
-        - name: PG_DATABASE
-          value: user_space_{{ .Values.bfl.username }}_knowledge
-        - name: DOWNLOAD_URL
-          value: http://download-svc.user-space-{{ .Values.bfl.username }}:3080
-        - name: BFL_USER_NAME
-          value: "{{ .Values.bfl.username }}"
-        - name: SETTING_URL
-          value: http://system-server.user-system-{{ .Values.bfl.username }}
-        - name: NATS_HOST
-          value: nats.user-system-{{ .Values.bfl.username }}
-        - name: NATS_PORT
-          value: "4222"
-        - name: NATS_USERNAME
-          value: user-system-{{ .Values.bfl.username }}-knowledge
-        - name: NATS_PASSWORD
-          value: {{ $nat_password | b64dec }}
-        - name: NATS_SUBJECT
-          value: "terminus.{{ .Release.Namespace }}.download_status"
-        - name: SOCKET_URL
-          value: 'http://localhost:40010'
-        volumeMounts:
-        - name: watch-dir
-          mountPath: /data/Home/Documents
-
-        resources:
-          requests:
-            cpu: 20m
-            memory: 50Mi
-          limits:
-            cpu: "1"
-            memory: 1Gi
-
-      - name: backend-server
-        image: "beclab/recommend-backend:v0.0.24"
-        imagePullPolicy: IfNotPresent
-        securityContext:
-          allowPrivilegeEscalation: false
-          runAsUser: 1000
-
-        env:
-        - name: LISTEN_ADDR
-          value: 127.0.0.1:8080
-        - name: REDIS_PASSWORD
-          valueFrom:
-            configMapKeyRef:
-              name: knowledge-secrets-auth
-              key: redis_password
-        - name: REDIS_ADDR
-          valueFrom:
-            configMapKeyRef:
-              name: knowledge-secrets-auth
-              key: redis_addr
-        - name: OS_SYSTEM_SERVER
-          value: system-server.user-system-{{ .Values.bfl.username }}
-        - name: OS_APP_SECRET
-          value: '{{ .Values.os.wise.appSecret }}'
-        - name: OS_APP_KEY
-          value: {{ .Values.os.wise.appKey }}
-        - name: RSS_HUB_URL
-          value: 'http://rss-server.os-system:1200/'
-        - name: WE_CHAT_REFRESH_FEED_URL
-          value: https://recommend-wechat-prd.bttcdn.com/api/wechat/entries
-        - name: WECHAT_ENTRY_CONTENT_GET_API_URL
-          value: https://recommend-wechat-prd.bttcdn.com/api/wechat/entry/content
-        - name: PG_USERNAME
-          value: knowledge_{{ .Values.bfl.username }}
-        - name: PG_PASSWORD
-          value: {{ $pg_password | b64dec }}
-        - name: PG_HOST
-          value: citus-master-svc.user-system-{{ .Values.bfl.username }}
-        - name: PG_PORT
-          value: "5432"
-        - name: PG_DATABASE
-          value: user_space_{{ .Values.bfl.username }}_knowledge
-        - name: WATCH_DIR
-          value: /data/Home/Downloads
-        - name: NOTIFY_SERVER
-          value: fsnotify-svc.user-system-{{ .Values.bfl.username }}:5079
-        - name: POD_NAME
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: metadata.name
-        - name: NAMESPACE
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: metadata.namespace
-        - name: CONTAINER_NAME
-          value: backend-server
-        - name: YT_DLP_API_URL
-          value: http://download-svc.user-space-{{ .Values.bfl.username }}:3082/api/v1/get_metadata
-        - name: DOWNLOAD_API_URL
-          value: http://download-svc.user-space-{{ .Values.bfl.username }}:3080/api/termius/download
-        - name: SETTING_API_URL
-          value: http://system-server.user-system-{{ .Values.bfl.username }}/legacy/v1alpha1/service.settings/v1/api/cookie/retrieve
-        volumeMounts:
-          - name: watch-dir
-            mountPath: /data/Home/Downloads
-        ports:
-        - containerPort: 8080
-        resources:
-          requests:
-            cpu: 20m
-            memory: 50Mi
-          limits:
-            cpu: "800m"
-            memory: 400Mi
-
-      - name: sync
-        image: "beclab/recommend-sync:v0.0.15"
-        securityContext:
-          allowPrivilegeEscalation: false
-          runAsUser: 1000
-        env:
-        - name: TERMIUS_USER_NAME
-          value: "{{ .Values.bfl.username }}"
-        - name: JUICEFS_ROOT_DIRECTORY
-          value: /juicefs
-        - name: KNOWLEDGE_BASE_API_URL
-          value: http://127.0.0.1:3010
-        - name: PG_HOST
-          value: citus-master-svc.user-system-{{ .Values.bfl.username }}
-        - name: PG_USERNAME
-          value: knowledge_{{ .Values.bfl.username }}
-        - name: PG_PASSWORD
-          value: {{ $pg_password | b64dec }}
-        - name: PG_DATABASE
-          value: user_space_{{ .Values.bfl.username }}_knowledge
-        - name: PG_PORT
-          value: "5432"
-        - name: TERMINUS_RECOMMEND_REDIS_ADDR
-          valueFrom:
-            configMapKeyRef:
-              name: knowledge-secrets-auth
-              key: redis_addr
-        - name: TERMINUS_RECOMMEND_REDIS_PASSOWRD
-          valueFrom:
-            configMapKeyRef:
-              name: knowledge-secrets-auth
-              key: redis_password
-        volumeMounts:
-        - name: juicefs
-          mountPath: /juicefs
-       
-      - name: crawler
-        image: "beclab/recommend-crawler:v0.0.14"
-        securityContext:
-          allowPrivilegeEscalation: false
-          runAsUser: 1000
-        env:
-        - name: TERMIUS_USER_NAME
-          value: "{{ .Values.bfl.username }}"
-        - name: KNOWLEDGE_BASE_API_URL
-          value: http://127.0.0.1:3010
-        resources:
-          requests:
-            cpu: 20m
-            memory: 50Mi
-          limits:
-            cpu: "800m"
-            memory: 800Mi
-
-      - name: terminus-ws-sidecar
-        image: 'beclab/ws-gateway:v1.0.3'
-        imagePullPolicy: IfNotPresent
-        command:
-          - /ws-gateway
-        env:
-          - name: WS_PORT
-            value: '3010'
-          - name: WS_URL
-            value: /knowledge/websocket/message
-        resources: {}
-        terminationMessagePath: /dev/termination-log
-        terminationMessagePolicy: File
-
-      volumes:
-      - name: watch-dir
-        hostPath:
-          type: Directory
-          path: {{ .Values.userspace.userData }}
-      - name: juicefs
-        hostPath:
-          type: DirectoryOrCreate
-          path: {{ .Values.userspace.appData }}/rss/data
-          
-      - name: terminus-sidecar-config
-        configMap:
-          name: sidecar-ws-configs
-          items:
-          - key: envoy.yaml
-            path: envoy.yaml
-      
-
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: rss-svc
-  namespace: {{ .Release.Namespace }}
-spec:
-  type: ClusterIP
-  selector:
-    app: knowledge
-  ports:
-    - name: "backend-server"
-      protocol: TCP
-      port: 8080
-      targetPort: 8080
-    # - name: "rss-sdk"
-    #   protocol: TCP
-    #   port: 3000
-    #   targetPort: 3000
-    - name: "knowledge-base-api"
-      protocol: TCP
-      port: 3010
-      targetPort: 3010
-
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: knowledge-base-api
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  type: ClusterIP
-  selector:
-    app: systemserver
-  ports:
-    - protocol: TCP
-      name: knowledge-api
-      port: 3010
-      targetPort: 3010  
----
-#apiVersion: v1
-#data:
-#  mappings: |
-#    {
-#      "properties": {
-#        "@timestamp": {
-#          "type": "date",
-#          "index": true,
-#          "store": false,
-#          "sortable": true,
-#          "aggregatable": true,
-#          "highlightable": false
-#        },
-#        "_id": {
-#          "type": "keyword",
-#          "index": true,
-#          "store": false,
-#          "sortable": true,
-#          "aggregatable": true,
-#          "highlightable": false
-#        },
-#        "content": {
-#          "type": "text",
-#          "index": true,
-#          "store": true,
-#          "sortable": false,
-#          "aggregatable": false,
-#          "highlightable": true
-#        },
-#        "created": {
-#          "type": "numeric",
-#          "index": true,
-#          "store": false,
-#          "sortable": true,
-#          "aggregatable": true,
-#          "highlightable": false
-#        },
-#        "format_name": {
-#          "type": "text",
-#          "index": true,
-#          "store": false,
-#          "sortable": false,
-#          "aggregatable": false,
-#          "highlightable": false
-#        },
-#        "md5": {
-#          "type": "text",
-#          "analyzer": "keyword",
-#          "index": true,
-#          "store": false,
-#          "sortable": false,
-#          "aggregatable": false,
-#          "highlightable": false
-#        },
-#        "meta": {
-#          "type": "text",
-#          "index": true,
-#          "store": false,
-#          "sortable": false,
-#          "aggregatable": false,
-#          "highlightable": false
-#        },
-#        "name": {
-#          "type": "text",
-#          "index": true,
-#          "store": false,
-#          "sortable": false,
-#          "aggregatable": false,
-#          "highlightable": false
-#        },
-#        "where": {
-#          "type": "text",
-#          "analyzer": "keyword",
-#          "index": true,
-#          "store": false,
-#          "sortable": false,
-#          "aggregatable": false,
-#          "highlightable": false
-#        }
-#      }
-#    }
-#kind: ConfigMap
-#metadata:
-#  name: zinc-knowledge
-#  namespace: user-system-{{ .Values.bfl.username }}
-#---
-
-
-apiVersion: apr.bytetrade.io/v1alpha1
-kind: SysEventRegistry
-metadata:
-  name: konwledgebase-recommend-install-cb
-  namespace: {{ .Release.Namespace }}
-spec:
-  type: subscriber
-  event: recommend.install
-  callback: http://rss-svc.{{ .Release.Namespace }}:3010/knowledge/algorithm/recommend/install
-  
----
-apiVersion: apr.bytetrade.io/v1alpha1
-kind: SysEventRegistry
-metadata:
-  name: konwledgebase-recommend-uninstall-cb
-  namespace: {{ .Release.Namespace }}
-spec:
-  type: subscriber
-  event: recommend.uninstall
-  callback: http://rss-svc.{{ .Release.Namespace }}:3010/knowledge/algorithm/recommend/uninstall

apps/knowledge/config/user/helm-charts/knowledge/values.yaml

@@ -1,43 +0,0 @@
-
-bfl:
-  nodeport: 30883
-  nodeport_ingress_http: 30083
-  nodeport_ingress_https: 30082
-  username: 'test'
-  url: 'test'
-  nodeName: test
-pvc:
-  userspace: test
-userspace:
-  userData: test/Home
-  appData: test/Data
-  appCache: test
-  dbdata: test
-docs:
-  nodeport: 30881
-desktop:
-  nodeport: 30180
-os:
-  portfolio:
-    appKey: '${ks[0]}'
-    appSecret: test
-  vault:
-    appKey: '${ks[0]}'
-    appSecret: test
-  desktop:
-    appKey: '${ks[0]}'
-    appSecret: test
-  message:
-    appKey: '${ks[0]}'
-    appSecret: test
-  wise:
-    appKey: '${ks[0]}'
-    appSecret: test
-  search:
-    appKey: '${ks[0]}'
-    appSecret: test
-  search2:
-    appKey: '${ks[0]}'
-    appSecret: test
-kubesphere:
-  redis_password: ""

apps/market/config/user/helm-charts/market/templates/market_deploy.yaml

@@ -3,7 +3,7 @@
 
 {{- $redis_password := "" -}}
 {{ if $market_secret -}}
-{{ $redis_password = (index $market_secret "data" "redis_password") }}
+{{ $redis_password = (index $market_secret "data" "redis-passwords") }}
 {{ else -}}
 {{ $redis_password = randAlphaNum 16 | b64enc }}
 {{- end -}}
@@ -43,7 +43,14 @@ spec:
       labels:
         app: appstore
         io.bytetrade.app: "true"
+      annotations:
+        instrumentation.opentelemetry.io/inject-go: "olares-instrumentation"
+        instrumentation.opentelemetry.io/go-container-names: "appstore-backend"    
+        instrumentation.opentelemetry.io/otel-go-auto-target-exe: "/opt/app/market"
+        instrumentation.opentelemetry.io/inject-nginx: "olares-instrumentation"
+        instrumentation.opentelemetry.io/inject-nginx-container-names: "appstore"    
     spec:
+      priorityClassName: "system-cluster-critical"
       initContainers:
         - args:
           - -it
@@ -83,14 +90,33 @@ spec:
               fieldRef:
                 apiVersion: v1
                 fieldPath: status.podIP
+        - name: nginx-init
+          image: beclab/market-frontend:v0.3.11
+          imagePullPolicy: IfNotPresent
+          volumeMounts:
+            - name: app
+              mountPath: /cp_app
+            - name: nginx-confd
+              mountPath: /confd
+          command:
+          - sh
+          - -c
+          - |
+            cp -rf /app/* /cp_app/. && cp -rf /etc/nginx/conf.d/* /confd/.            
       containers:
       - name: appstore
-        image: beclab/market-frontend:v0.2.30
+        image: beclab/docker-nginx-headers-more:ubuntu-v0.1.0
         imagePullPolicy: IfNotPresent
         ports:
         - containerPort: 80
+        volumeMounts:
+        - name: app
+          mountPath: /app
+        - name: nginx-confd
+          mountPath: /etc/nginx/conf.d
+        
       - name: appstore-backend
-        image: beclab/market-backend:v0.2.30
+        image: beclab/market-backend:v0.3.11
         imagePullPolicy: IfNotPresent
         ports:
           - containerPort: 81
@@ -170,7 +196,7 @@ spec:
             fieldRef:
               fieldPath: status.podIP
       - name: terminus-ws-sidecar
-        image: 'beclab/ws-gateway:v1.0.3'
+        image: 'beclab/ws-gateway:v1.0.5'
         command:
           - /ws-gateway
         env:
@@ -191,8 +217,12 @@ spec:
             path: envoy.yaml
       - name: opt-data
         hostPath:
-          path: {{ .Values.userspace.appData}}/appstore/data
+          path: '{{ .Values.userspace.appData}}/appstore/data'
           type: DirectoryOrCreate
+      - name: app
+        emptyDir: {}
+      - name: nginx-confd
+        emptyDir: {}
 
 ---
 apiVersion: v1

apps/market/config/user/helm-charts/market/values.yaml

@@ -1,4 +1,3 @@
-
 bfl:
   nodeport: 30883
   nodeport_ingress_http: 30083
@@ -42,4 +41,4 @@ os:
   appstore:
     marketProvider: ''
 kubesphere:
-  redis_password: ""
+  redis_password: ""

apps/notifications/config/cluster/deploy/notification_deploy.yaml

@@ -0,0 +1,230 @@
+
+
+{{- $namespace := printf "%s" "os-system" -}}
+{{- $notifications_secret := (lookup "v1" "Secret" $namespace "notifications-secrets") -}}
+
+{{- $pg_password := "" -}}
+{{ if $notifications_secret -}}
+{{ $pg_password = (index $notifications_secret "data" "pg_password") }}
+{{ else -}}
+{{ $pg_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
+{{- $nats_password := "" -}}
+{{ if $notifications_secret -}}
+{{ $nats_password = (index $notifications_secret "data" "nats_password") }}
+{{ else -}}
+{{ $nats_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: notifications-secrets
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+  pg_password: {{ $pg_password }}
+  nats_password: {{ $nats_password }}
+
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: notifications-pg
+  namespace: {{ .Release.Namespace }}
+spec:
+  app: notifications
+  appNamespace: {{ .Release.Namespace }}
+  middleware: postgres
+  postgreSQL:
+    user: notifications_os_system
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: pg_password
+          name: notifications-secrets
+    databases:
+    - name: notifications   
+
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: notifications-nats
+  namespace: {{ .Release.Namespace }}
+spec:
+  app: notifications
+  appNamespace: {{ .Release.Namespace }}
+  middleware: nats
+  nats:
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: nats_password
+          name: notifications-secrets
+    refs: []   # TODO: refs to notifications-proxy's subject
+    subjects:
+      - export:
+          - appName: notifications-proxy
+            pub: allow
+            sub: allow
+          - appName: lldap
+            pub: allow
+            sub: allow
+          - appName: ks-component
+            pub: allow
+            sub: allow
+          - appName: authelia
+            pub: allow
+            sub: allow
+        name: system.notification
+        permission:
+          pub: allow
+          sub: allow
+      - export:
+          - appName: lldap
+            pub: allow
+            sub: allow
+          - appName: vault-server
+            pub: deny
+            sub: allow
+          - appName: seahub
+            pub: deny
+            sub: allow
+          - appName: knowledge
+            pub: deny
+            sub: allow
+        name: system.users
+        permission:
+          pub: allow
+          sub: allow
+    user: os-system-notifications
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: notifications-server
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: notifications-server
+    applications.app.bytetrade.io/author: bytetrade.io
+  annotations:
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: notifications-server
+  template:
+    metadata:
+      labels:
+        app: notifications-server
+    spec:
+      initContainers:
+      - name: init-container
+        image: 'postgres:16.0-alpine3.18'
+        command:
+          - sh
+          - '-c'
+          - >-
+            echo -e "Checking for the availability of PostgreSQL Server deployment"; until psql -h $PGHOST -p $PGPORT -U $PGUSER -d $PGDB -c "SELECT 1"; do sleep 1; printf "-"; done; sleep 5; echo -e " >> PostgreSQL DB Server has started";
+        env:
+          - name: PGHOST
+            value: citus-headless.os-system
+          - name: PGPORT
+            value: "5432"
+          - name: PGUSER
+            value: notifications_os_system
+          - name: PGPASSWORD
+            valueFrom:
+              secretKeyRef:
+                key: pg_password
+                name: notifications-secrets
+          - name: PGDB
+            value: os_system_notifications
+      containers:
+      - name: notifications-api
+        image: beclab/notifications-api:v1.12.3
+        imagePullPolicy: IfNotPresent
+        ports:
+        - containerPort: 3010
+          protocol: TCP
+        env:
+        - name: DATABASE_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: pg_password
+              name: notifications-secrets
+
+        - name: PRISMA_ENGINES_CHECKSUM_IGNORE_MISSING
+          value: '1'
+        - name: DATABASE_URL
+          value: postgres://notifications_os_system:$(DATABASE_PASSWORD)@citus-headless.os-system/os_system_notifications?sslmode=disable
+        - name: NATS_HOST
+          value: nats
+        - name: NATS_PORT
+          value: "4222"
+        - name: NATS_USERNAME
+          value: os-system-notifications
+        - name: NATS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: nats_password
+              name: notifications-secrets
+        - name: NATS_SUBJECT
+          value: "terminus.{{ .Release.Namespace }}.system.notification"
+        - name: NATS_SUBJECT_SYSTEM_USERS
+          value: "terminus.{{ .Release.Namespace }}.system.users"
+
+        livenessProbe:
+          tcpSocket:
+            port: 3010
+          initialDelaySeconds: 25
+          timeoutSeconds: 15
+          periodSeconds: 10
+          successThreshold: 1
+          failureThreshold: 8
+        readinessProbe:
+          tcpSocket:
+            port: 3010
+          initialDelaySeconds: 25
+          periodSeconds: 10
+
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: notifications-service
+  namespace: {{ .Release.Namespace }}
+spec:
+  type: ClusterIP
+  selector:
+    app: notifications-server
+  ports:
+  - name: "notifications-server"
+    protocol: TCP
+    port: 80
+    targetPort: 3010
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: notifications-server
+  namespace: {{ .Release.Namespace }}
+spec:
+  type: ClusterIP
+  selector:
+    app: notifications-server
+  ports:
+  - name: "server"
+    protocol: TCP
+    port: 80
+    targetPort: 3010
+

apps/notifications/config/user/helm-charts/notification/templates/notification_deploy.yaml

@@ -1,413 +1 @@
-
-
-{{- $namespace := printf "%s%s" "user-system-" .Values.bfl.username -}}
-{{- $notifications_secret := (lookup "v1" "Secret" $namespace "notifications-secrets") -}}
-{{- $password := "" -}}
-{{ if $notifications_secret -}}
-{{ $password = (index $notifications_secret "data" "pg_password") }}
-{{ else -}}
-{{ $password = randAlphaNum 16 | b64enc }}
-{{- end -}}
-
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: notifications-secrets
-  namespace: user-system-{{ .Values.bfl.username }}
-type: Opaque
-data:
-  pg_password: {{ $password }}
----
-apiVersion: apr.bytetrade.io/v1alpha1
-kind: MiddlewareRequest
-metadata:
-  name: notifications-pg
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  app: notifications
-  appNamespace: {{ .Release.Namespace }}
-  middleware: postgres
-  postgreSQL:
-    user: notifications_{{ .Values.bfl.username }}
-    password:
-      valueFrom:
-        secretKeyRef:
-          key: pg_password
-          name: notifications-secrets
-    databases:
-    - name: notifications   
-
-{{ if (eq .Values.debugVersion true) }}
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: notifications-deployment
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app: notifications
-    applications.app.bytetrade.io/author: bytetrade.io
-
-    applications.app.bytetrade.io/name: notifications
-    applications.app.bytetrade.io/owner: '{{ .Values.bfl.username }}'
-  annotations:
-    applications.app.bytetrade.io/icon: https://file.bttcdn.com/appstore/notifications/icon.png
-    applications.app.bytetrade.io/title: Notifications
-    applications.app.bytetrade.io/version: '0.0.1'
-    applications.app.bytetrade.io/entrances: '[{"name":"notifications", "host":"notifications-service", "port":80,"title":"Notifications"}]'
-spec:
-  replicas: 1
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app: notifications
-  template:
-    metadata:
-      labels:
-        app: notifications
-        io.bytetrade.app: "true"
-    spec:
-      initContainers:
-      - args:
-        - -it
-        - authelia-backend.os-system:9091
-        image: owncloudci/wait-for:latest
-        imagePullPolicy: IfNotPresent
-        name: check-auth
-      - name: terminus-sidecar-init
-        image: openservicemesh/init:v1.2.3
-        imagePullPolicy: IfNotPresent
-        securityContext:
-          privileged: true
-          capabilities: 
-            add:
-            - NET_ADMIN
-          runAsNonRoot: false
-          runAsUser: 0
-        command:
-        - /bin/sh
-        - -c
-        - |
-          iptables-restore --noflush <<EOF
-          # sidecar interception rules
-          *nat
-          :PROXY_IN_REDIRECT - [0:0]
-          :PROXY_INBOUND - [0:0]
-          -A PROXY_IN_REDIRECT -p tcp -j REDIRECT --to-port 15003
-          -A PROXY_INBOUND -p tcp --dport 15000 -j RETURN
-          -A PROXY_INBOUND -p tcp -j PROXY_IN_REDIRECT
-          -A PREROUTING -p tcp -j PROXY_INBOUND
-          COMMIT
-          EOF
-        
-        env:
-        - name: POD_IP
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: status.podIP
-      containers:
-      - name: notifications-frontend
-        image: beclab/notifications-frontend:v0.1.22
-        imagePullPolicy: IfNotPresent
-        ports:
-        - containerPort: 80
-      - name: terminus-envoy-sidecar
-        image: bytetrade/envoy:v1.25.11
-        imagePullPolicy: IfNotPresent
-        securityContext:
-          allowPrivilegeEscalation: false
-          runAsUser: 1000
-        ports:
-        - name: proxy-admin
-          containerPort: 15000
-        - name: proxy-inbound
-          containerPort: 15003
-        volumeMounts:
-        - name: terminus-sidecar-config
-          readOnly: true
-          mountPath: /etc/envoy/envoy.yaml
-          subPath: envoy.yaml
-        command:
-        - /usr/local/bin/envoy
-        - --log-level
-        - debug
-        - -c
-        - /etc/envoy/envoy.yaml
-        env:
-        - name: POD_UID
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.uid
-        - name: POD_NAME
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.name
-        - name: POD_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        - name: POD_IP
-          valueFrom:
-            fieldRef:
-              fieldPath: status.podIP
-      volumes:
-      - name: terminus-sidecar-config
-        configMap:
-          name: sidecar-configs
-          items:
-          - key: envoy.yaml
-            path: envoy.yaml
-        # - name: REDIS_HOST
-        #   value: localhost
-        # - name: REDIS_PORT
-        #   value: "6379"
-      # - name: notifications-worker
-      #   image: aboveos/notifications-worker:v0.1.2
-      #   imagePullPolicy: IfNotPresent
-      #   env:
-      #   - name: MONGO_URL
-      #     value: mongodb://admin:123456@localhost:27017
-      #   - name: REDIS_HOST
-      #     value: localhost
-      #   - name: REDIS_CACHE_SERVICE_HOST
-      #     value: localhost
-      #   - name: REDIS_PORT
-      #     value: "6379"
-      # - name: mongodb
-      #   image: mongo:4.4.5
-      #   env:
-      #   - name: MONGO_INITDB_ROOT_USERNAME
-      #     value: admin
-      #   - name: MONGO_INITDB_ROOT_PASSWORD
-      #     value: '123456'
-      #   imagePullPolicy: IfNotPresent
-      #   ports:
-      #   - containerPort: 27017
-      #   volumeMounts:
-      #   - name: mongo-data
-      #     mountPath: /data/db
-      # - name: redis
-      #   image: redis:7.0.5-alpine3.16
-      #   imagePullPolicy: IfNotPresent
-      #   volumeMounts:
-      #   - name: redis-data
-      #     mountPath: /data
-      # volumes:
-      # - name: mongo-data
-      #   hostPath:
-      #     type: DirectoryOrCreate
-      #     path: {{ .Values.userspace.appCache}}/notification/db
-      # - name: redis-data
-      #   hostPath:
-      #     type: DirectoryOrCreate
-      #     path: {{ .Values.userspace.appCache}}/notification/redisdata
-{{ end }}
-
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: notifications-server
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app: notifications-server
-    applications.app.bytetrade.io/author: bytetrade.io
-  annotations:
-spec:
-  replicas: 1
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app: notifications-server
-  template:
-    metadata:
-      labels:
-        app: notifications-server
-    spec:
-      initContainers:
-      - name: init-container
-        image: 'postgres:16.0-alpine3.18'
-        command:
-          - sh
-          - '-c'
-          - >-
-            echo -e "Checking for the availability of PostgreSQL Server deployment"; until psql -h $PGHOST -p $PGPORT -U $PGUSER -d $PGDB -c "SELECT 1"; do sleep 1; printf "-"; done; sleep 5; echo -e " >> PostgreSQL DB Server has started";
-        env:
-          - name: PGHOST
-            value: citus-master-svc.user-system-{{ .Values.bfl.username }}
-          - name: PGPORT
-            value: "5432"
-          - name: PGUSER
-            value: notifications_{{ .Values.bfl.username }}
-          - name: PGPASSWORD
-            value: {{ $password | b64dec }}
-          - name: PGDB
-            value: user_space_{{ .Values.bfl.username }}_notifications
-      containers:
-      - name: notifications-api
-        image: beclab/notifications-api:v0.1.25
-        imagePullPolicy: IfNotPresent
-        ports:
-        - containerPort: 3010
-          protocol: TCP
-        env:
-        - name: OS_SYSTEM_SERVER
-          value: system-server.user-system-{{ .Values.bfl.username }}
-        - name: OS_APP_SECRET
-          value: '{{ .Values.os.notification.appSecret }}'
-        - name: OS_APP_KEY
-          value: {{ .Values.os.notification.appKey }}
-        - name: DATABASE_PASSWORD
-          value: {{ $password | b64dec }}
-        - name: PRISMA_ENGINES_CHECKSUM_IGNORE_MISSING
-          value: '1'
-        - name: DATABASE_URL
-          value: postgres://notifications_{{ .Values.bfl.username }}:$(DATABASE_PASSWORD)@citus-master-svc.user-system-{{ .Values.bfl.username }}/user_space_{{ .Values.bfl.username }}_notifications?sslmode=disable
-        livenessProbe:
-          tcpSocket:
-            port: 3010
-          initialDelaySeconds: 25
-          timeoutSeconds: 15
-          periodSeconds: 10
-          successThreshold: 1
-          failureThreshold: 8
-        readinessProbe:
-          tcpSocket:
-            port: 3010
-          initialDelaySeconds: 25
-          periodSeconds: 10
-
-
-
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: notifications-service
-  namespace: {{ .Release.Namespace }}
-{{ if (eq .Values.debugVersion true) }}
-spec:
-  type: ClusterIP
-  selector:
-    app: notifications
-  ports:
-  - name: "notifications-frontend"
-    protocol: TCP
-    port: 80
-    targetPort: 80
-{{ else }}    
-spec:
-  type: ClusterIP
-  selector:
-    app: notifications-server
-  ports:
-  - name: "notifications-server"
-    protocol: TCP
-    port: 80
-    targetPort: 3010
-{{ end }}
-
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: notifications-server
-  namespace: {{ .Release.Namespace }}
-spec:
-  type: ClusterIP
-  selector:
-    app: notifications-server
-  ports:
-  - name: "server"
-    protocol: TCP
-    port: 80
-    targetPort: 3010
-
----
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ProviderRegistry
-metadata:
-  name: notifications-token-provider
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  dataType: token
-  deployment: notifications-server
-  description: notifications provider
-  endpoint: notifications-server.{{ .Release.Namespace }}
-  group: service.notification
-  kind: provider
-  namespace: {{ .Release.Namespace }}
-  opApis:
-  - name: Create
-    uri: /termipass/create_token
-  version: v1
-status:
-  state: active
- 
----
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ProviderRegistry
-metadata:
-  name: notifications-message-provider
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  dataType: message
-  deployment: notifications-server
-  description: notifications provider
-  endpoint: notifications-server.{{ .Release.Namespace }}
-  group: service.notification
-  kind: provider
-  namespace: {{ .Release.Namespace }}
-  opApis:
-  - name: SendMassage
-    uri: /notification/create_job
-  - name: SystemMessage
-    uri: /notification/system/push
-  version: v1
-status:
-  state: active
-
----
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ApplicationPermission
-metadata:
-  name: notification-call-vault
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  app: notifications
-  appid: notifications
-  key: {{ .Values.os.notification.appKey }}
-  secret: {{ .Values.os.notification.appSecret }}
-  permissions:
-  - dataType: notification
-    group: service.vault
-    ops:
-    - Create
-    - Query
-    version: v1
-  - dataType: notification
-    group: service.desktop
-    ops:
-    - Create
-    - Query
-    version: v1
-  - dataType: secret
-    group: secret.infisical
-    ops:
-    - RetrieveSecret?workspace=notification
-    - CreateSecret?workspace=notification
-    - DeleteSecret?workspace=notification
-    - UpdateSecret?workspace=notification
-    - ListSecret?workspace=notification
-    version: v1
-  - dataType: app
-    group: service.bfl
-    ops:
-    - UserApps
-    version: v1
-status:
-  state: active
+# TODO: deploy a notification proxy

apps/notifications/config/user/helm-charts/notification/values.yaml

@@ -1,4 +1,3 @@
-
 bfl:
   nodeport: 30883
   nodeport_ingress_http: 30083
@@ -40,4 +39,4 @@ os:
     appKey: '${ks[0]}'
     appSecret: test
 kubesphere:
-  redis_password: ""
+  redis_password: ""

apps/rss/config/cluster/deploy/rss_deploy.yaml

@@ -24,7 +24,7 @@ spec:
     spec:
       containers:
         - name: rss-server
-          image: beclab/rsshub-server:v0.0.2
+          image: beclab/rsshub-server:v0.0.5
           imagePullPolicy: IfNotPresent
           ports:
           - containerPort: 1200

apps/search3/config/cluster/deploy/search3_server_deploy.yaml

@@ -199,7 +199,7 @@ spec:
             value: os_system_search3
       containers:
       - name: search3
-        image: beclab/search3:v0.0.24
+        image: beclab/search3:v0.0.30
         imagePullPolicy: IfNotPresent
         ports:
         - containerPort: 8080

apps/studio/README.md

@@ -0,0 +1,4 @@
+# devbox
+Terminus App development management tools
+
+https://github.com/beclab/devbox

apps/studio/config/user/helm-charts/studio/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
-name: gpu
-description: A Helm chart for Kubernetes
+name: studio
+description: A Terminus app development tool
 maintainers:
 - name: bytetrade
 
@@ -17,10 +17,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.1.3
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.1.12"
+appVersion: "4.9.1"

apps/studio/config/user/helm-charts/studio/templates/deployment.yaml

@@ -0,0 +1,549 @@
+{{- $namespace := printf "%s%s" "user-system-" .Values.bfl.username -}}
+{{- $studio_secret := (lookup "v1" "Secret" $namespace "studio-secrets") -}}
+
+{{- $pg_password := "" -}}
+{{ if $studio_secret -}}
+{{ $pg_password = (index $studio_secret "data" "pg_password") }}
+{{ else -}}
+{{ $pg_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: studio-secrets
+  namespace: user-system-{{ .Values.bfl.username }}
+type: Opaque
+data:
+  pg_password: {{ $pg_password }}
+
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: studio-pg
+  namespace: user-system-{{ .Values.bfl.username }}
+spec:
+  app: studio
+  appNamespace: {{ .Release.Namespace }}
+  middleware: postgres
+  postgreSQL:
+    user: studio_{{ .Values.bfl.username }}
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: pg_password
+          name: studio-secrets
+    databases:
+      - name: studio
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: studio-server
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    app: studio-server
+  ports:
+    - protocol: TCP
+      port: 8080
+      targetPort: 8088
+      name: http
+    - protocol: TCP
+      port: 8083
+      targetPort: 8083
+      name: https
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: chartmuseum-studio
+  namespace: {{ .Release.Namespace }}
+spec:
+  ports:
+    - name: http
+      protocol: TCP
+      port: 8080
+      targetPort: 8888
+  selector:
+    app: studio-server
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: studio-san-cnf
+  namespace: {{ .Release.Namespace }}
+data:
+  san.cnf: |
+    [req]
+    distinguished_name = req_distinguished_name
+    req_extensions = v3_req
+    prompt = no
+
+    [req_distinguished_name]
+    countryName = CN
+    stateOrProvinceName = Beijing
+    localityName = Beijing
+    0.organizationName = bytetrade
+    commonName = studio-server.{{ .Release.Namespace }}.svc
+
+    [v3_req]
+    basicConstraints = CA:FALSE
+    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+    subjectAltName = @bytetrade
+
+    [bytetrade]
+    DNS.1 = studio-server.{{ .Release.Namespace }}.svc
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: studio-server
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: studio-server
+    applications.app.bytetrade.io/author: bytetrade.io
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: studio-server
+  template:
+    metadata:
+      labels:
+        app: studio-server
+    spec:
+      serviceAccountName: bytetrade-controller
+      volumes:
+        - name: chart
+          hostPath:
+            type: DirectoryOrCreate
+            path: '{{ .Values.userspace.appData}}/studio/Chart'
+        - name: data
+          hostPath:
+            type: DirectoryOrCreate
+            path: '{{ .Values.userspace.appData }}/studio/Data'
+        - name: storage-volume
+          hostPath:
+            path: '{{ .Values.userspace.appData }}/studio/helm-repo-dev'
+            type: DirectoryOrCreate
+        - name: config-san
+          configMap:
+            name: studio-san-cnf
+            items:
+              - key: san.cnf
+                path: san.cnf
+        - name: sidecar-configs-studio
+          configMap:
+            name: sidecar-configs-studio
+            items:
+              - key: envoy.yaml
+                path: envoy.yaml
+        - name: certs
+          emptyDir: {}
+      initContainers:
+        - name: init-chmod-data
+          image: busybox:1.28
+          imagePullPolicy: IfNotPresent
+          command:
+            - sh
+            - '-c'
+            - |
+              chown -R 1000:1000 /home/coder
+              chown -R 65532:65532 /charts
+              chown -R 65532:65532 /data
+          securityContext:
+            runAsUser: 0
+          resources: { }
+          volumeMounts:
+            - name: storage-volume
+              mountPath: /home/coder
+            - name: chart
+              mountPath: /charts
+            - name: data
+              mountPath: /data
+        - name: terminus-sidecar-init
+          image: aboveos/openservicemesh-init:v1.2.3
+          imagePullPolicy: IfNotPresent
+          command:
+            - /bin/sh
+            - -c
+            - |
+              iptables-restore --noflush <<EOF
+              # sidecar interception rules
+              *nat
+              :PROXY_IN_REDIRECT - [0:0]
+              :PROXY_INBOUND - [0:0]
+              :PROXY_OUTBOUND - [0:0]
+              :PROXY_OUT_REDIRECT - [0:0]
+
+              -A PREROUTING -p tcp -j PROXY_INBOUND
+              -A OUTPUT -p tcp -j PROXY_OUTBOUND
+              -A PROXY_INBOUND -p tcp --dport 15000 -j RETURN
+              -A PROXY_INBOUND -p tcp --dport 8083 -j RETURN
+              -A PROXY_INBOUND -p tcp -j PROXY_IN_REDIRECT
+              -A PROXY_IN_REDIRECT -p tcp -j REDIRECT --to-port 15003
+
+
+              -A PROXY_OUTBOUND -p tcp --dport 5432 -j RETURN
+              -A PROXY_OUTBOUND -p tcp --dport 6379 -j RETURN
+              -A PROXY_OUTBOUND -p tcp --dport 27017 -j RETURN
+              -A PROXY_OUTBOUND -p tcp --dport 443 -j RETURN
+              -A PROXY_OUTBOUND -p tcp --dport 8080 -j RETURN
+
+              -A PROXY_OUTBOUND -d ${POD_IP}/32 -j RETURN
+
+              -A PROXY_OUTBOUND -o lo ! -d 127.0.0.1/32 -m owner --uid-owner 1555 -j PROXY_IN_REDIRECT
+              -A PROXY_OUTBOUND -o lo -m owner ! --uid-owner 1555 -j RETURN
+              -A PROXY_OUTBOUND -m owner --uid-owner 1555 -j RETURN
+              -A PROXY_OUTBOUND -d 127.0.0.1/32 -j RETURN
+
+              -A PROXY_OUTBOUND -j PROXY_OUT_REDIRECT
+              -A PROXY_OUT_REDIRECT -p tcp -j REDIRECT --to-port 15001
+
+              COMMIT
+              EOF
+          env:
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: status.podIP
+          securityContext:
+            privileged: true
+            capabilities:
+              add:
+                - NET_ADMIN
+            runAsNonRoot: false
+            runAsUser: 0
+
+        - name: generate-certs
+          image: beclab/openssl:v3
+          imagePullPolicy: IfNotPresent
+          command: [ "/bin/sh", "-c" ]
+          args:
+            - |
+              openssl genrsa -out /etc/certs/ca.key 2048
+              openssl req -new -x509 -days 3650 -key /etc/certs/ca.key -out /etc/certs/ca.crt \
+                -subj "/CN=bytetrade CA/O=bytetrade/C=CN"
+              openssl req -new -newkey rsa:2048 -nodes \
+                -keyout /etc/certs/server.key -out /etc/certs/server.csr \
+                -config /etc/san/san.cnf
+              openssl x509 -req -days 3650 -in /etc/certs/server.csr \
+                -CA /etc/certs/ca.crt -CAkey /etc/certs/ca.key \
+                -CAcreateserial -out /etc/certs/server.crt \
+                -extensions v3_req -extfile /etc/san/san.cnf
+              chown -R 65532 /etc/certs/*
+          volumeMounts:
+            - name: config-san
+              mountPath: /etc/san
+            - name: certs
+              mountPath: /etc/certs
+
+      containers:
+        - name: studio
+          image: beclab/studio-server:v0.1.50
+          imagePullPolicy: IfNotPresent
+          args:
+            - server
+          ports:
+            - name: port
+              containerPort: 8088
+              protocol: TCP
+            - name: ssl-port
+              containerPort: 8083
+              protocol: TCP
+          volumeMounts:
+            - name: chart
+              mountPath: /charts
+            - name: data
+              mountPath: /data
+            - mountPath: /etc/certs
+              name: certs
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - "/studio"
+                  - "clean"
+          env:
+            - name: BASE_DIR
+              value: /charts
+            - name: OS_API_KEY
+              value: {{ .Values.os.studio.appKey }}
+            - name: OS_API_SECRET
+              value: {{ .Values.os.studio.appSecret }}
+            - name: OS_SYSTEM_SERVER
+              value: system-server.user-system-{{ .Values.bfl.username }}
+            - name: NAME_SPACE
+              value: {{ .Release.Namespace }}
+            - name: OWNER
+              value: '{{ .Values.bfl.username }}'
+            - name: DB_HOST
+              value: citus-master-svc.user-system-{{ .Values.bfl.username }}
+            - name: DB_USERNAME
+              value: studio_{{ .Values.bfl.username }}
+            - name: DB_PASSWORD
+              value: "{{ $pg_password | b64dec }}"
+            - name: DB_NAME
+              value: user_space_{{ .Values.bfl.username }}_studio
+            - name: DB_PORT
+              value: "5432"
+          resources:
+            requests:
+              cpu: "50m"
+              memory: 100Mi
+            limits:
+              cpu: "0.5"
+              memory: 1000Mi
+        - name: terminus-envoy-sidecar
+          image: bytetrade/envoy:v1.25.11.1
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsUser: 1555
+          ports:
+            - name: proxy-admin
+              containerPort: 15000
+            - name: proxy-inbound
+              containerPort: 15003
+            - name: proxy-outbound
+              containerPort: 15001
+          resources:
+            requests:
+              cpu: "50m"
+              memory: 100Mi
+            limits:
+              cpu: "0.5"
+              memory: 200Mi
+          volumeMounts:
+            - name: sidecar-configs-studio
+              readOnly: true
+              mountPath: /etc/envoy/envoy.yaml
+              subPath: envoy.yaml
+          command:
+            - /usr/local/bin/envoy
+            - --log-level
+            - debug
+            - -c
+            - /etc/envoy/envoy.yaml
+          env:
+            - name: POD_UID
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.uid
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+            - name: APP_KEY
+              value: {{ .Values.os.studio.appKey }}
+            - name: APP_SECRET
+              value: {{ .Values.os.studio.appSecret }}
+        - name: chartmuseum
+          image: aboveos/helm-chartmuseum:v0.15.0
+          args:
+            - '--port=8888'
+            - '--storage-local-rootdir=/storage'
+          ports:
+            - name: http
+              containerPort: 8888
+              protocol: TCP
+          env:
+            - name: CHART_POST_FORM_FIELD_NAME
+              value: chart
+            - name: DISABLE_API
+              value: 'false'
+            - name: LOG_JSON
+              value: 'true'
+            - name: PROV_POST_FORM_FIELD_NAME
+              value: prov
+            - name: STORAGE
+              value: local
+          resources:
+            requests:
+              cpu: "50m"
+              memory: 100Mi
+            limits:
+              cpu: 1000m
+              memory: 512Mi
+          volumeMounts:
+            - name: storage-volume
+              mountPath: /storage
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: http
+              scheme: HTTP
+            initialDelaySeconds: 5
+            timeoutSeconds: 1
+            periodSeconds: 10
+            successThreshold: 1
+            failureThreshold: 3
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: http
+              scheme: HTTP
+            initialDelaySeconds: 5
+            timeoutSeconds: 1
+            periodSeconds: 10
+            successThreshold: 1
+            failureThreshold: 3
+
+---
+apiVersion: v1
+data:
+  envoy.yaml: |
+    admin:
+      access_log_path: "/dev/stdout"
+      address:
+        socket_address:
+          address: 0.0.0.0
+          port_value: 15000
+    static_resources:
+      listeners:
+        - name: listener_0
+          address:
+            socket_address:
+              address: 0.0.0.0
+              port_value: 15003
+          listener_filters:
+            - name: envoy.filters.listener.original_dst
+              typed_config:
+                "@type": type.googleapis.com/envoy.extensions.filters.listener.original_dst.v3.OriginalDst
+          filter_chains:
+            - filters:
+                - name: envoy.filters.network.http_connection_manager
+                  typed_config:
+                    "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+                    stat_prefix: desktop_http
+                    upgrade_configs:
+                      - upgrade_type: websocket
+                      - upgrade_type: tailscale-control-protocol
+                    skip_xff_append: false
+                    codec_type: AUTO
+                    route_config:
+                      name: local_route
+                      virtual_hosts:
+                        - name: service
+                          domains: ["*"]
+                          routes:
+                            - match:
+                                prefix: "/"
+                              route:
+                                cluster: original_dst
+                                timeout: 1800s
+                    http_protocol_options:
+                      accept_http_10: true
+                    http_filters:
+                      - name: envoy.filters.http.router
+                        typed_config:
+                          "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+        - name: listener_1
+          address:
+            socket_address:
+              address: 0.0.0.0
+              port_value: 15001
+          listener_filters:
+            - name: envoy.filters.listener.original_dst
+              typed_config:
+                "@type": type.googleapis.com/envoy.extensions.filters.listener.original_dst.v3.OriginalDst
+          filter_chains:
+            - filters:
+                - name: envoy.filters.network.http_connection_manager
+                  typed_config:
+                    "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+                    stat_prefix: studio_out_http
+                    skip_xff_append: false
+                    codec_type: AUTO
+                    route_config:
+                      name: local_route
+                      virtual_hosts:
+                        - name: service
+                          domains: ["*"]
+                          routes:
+                            - match:
+                                prefix: "/server/intent/send"
+                              request_headers_to_add:
+                                - header:
+                                    key: X-App-Key
+                                    value: {{ .Values.os.studio.appKey }}
+                              route:
+                                cluster: system-server
+                                prefix_rewrite: /system-server/v2/legacy_api/api.intent/v2/server/intent/send
+                            - match:
+                                prefix: "/"
+                              route:
+                                cluster: original_dst
+                                timeout: 1800s
+                              typed_per_filter_config:
+                                envoy.filters.http.lua:
+                                  "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.LuaPerRoute
+                                  disabled: true
+
+                    http_protocol_options:
+                      accept_http_10: true
+                    http_filters:
+                      - name: envoy.filters.http.lua
+                        typed_config:
+                          "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
+                          inline_code:
+                            local sha = require("lib.sha2")
+                            function envoy_on_request(request_handle)
+                            local app_key = os.getenv("APP_KEY")
+                            local app_secret = os.getenv("APP_SECRET")
+                            local current_time = os.time()
+                            local minute_level_time = current_time - (current_time % 60)
+                            local time_string = tostring(minute_level_time)
+                            local s = app_key .. app_secret .. time_string
+                            request_handle:logInfo("originstring:" .. s)
+                            local hash = sha.sha256(s)
+                            request_handle:logInfo("Hello World.")
+                            request_handle:logInfo(hash)
+                            request_handle:headers():add("X-Auth-Signature",hash)
+                            end
+                      - name: envoy.filters.http.router
+                        typed_config:
+                          "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+
+
+      clusters:
+        - name: original_dst
+          connect_timeout: 5000s
+          type: ORIGINAL_DST
+          lb_policy: CLUSTER_PROVIDED
+        - name: system-server
+          connect_timeout: 2s
+          type: LOGICAL_DNS
+          dns_lookup_family: V4_ONLY
+          dns_refresh_rate: 600s
+          lb_policy: ROUND_ROBIN
+          load_assignment:
+            cluster_name: system-server
+            endpoints:
+              - lb_endpoints:
+                  - endpoint:
+                      address:
+                        socket_address:
+                          address: system-server.user-system-{{ .Values.bfl.username }}
+                          port_value: 80
+kind: ConfigMap
+metadata:
+  name: sidecar-configs-studio
+  namespace: {{ .Release.Namespace }}

apps/studio/config/user/helm-charts/studio/values.yaml

@@ -1,4 +1,3 @@
-
 bfl:
   nodeport: 30883
   nodeport_ingress_http: 30083
@@ -30,14 +29,14 @@ os:
   message:
     appKey: '${ks[0]}'
     appSecret: test
-  wise:
+  rss:
     appKey: '${ks[0]}'
     appSecret: test
   search:
     appKey: '${ks[0]}'
     appSecret: test
-  search2:
+  studio:
     appKey: '${ks[0]}'
     appSecret: test
 kubesphere:
-  redis_password: ""
+  redis_password: ""

apps/system-apps/config/cluster/deploy/ks_server_deploy.yaml

@@ -22,7 +22,7 @@ spec:
     spec:
       containers:
       - name: monitoring-server
-        image: beclab/monitoring-server-v1:v0.2.3
+        image: beclab/monitoring-server-v1:v0.2.5
         imagePullPolicy: IfNotPresent
         ports:
         - containerPort: 8000

apps/system-apps/config/user/helm-charts/monitoring/templates/system-frontend.yaml

@@ -109,6 +109,19 @@ spec:
       port: 3010
       targetPort: 3010
 ---
+apiVersion: v1
+kind: Service
+metadata:
+  name: studio-svc
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    app: system-frontend
+  ports:
+    - protocol: TCP
+      port: 8080
+      targetPort: 87
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -121,11 +134,11 @@ metadata:
     applications.app.bytetrade.io/group: 'true'
     applications.app.bytetrade.io/author: bytetrade.io
   annotations:
-    applications.app.bytetrade.io/icon: '{"dashboard":"https://file.bttcdn.com/appstore/dashboard/icon.png","control-hub":"https://file.bttcdn.com/appstore/control-hub/icon.png","profile":"https://file.bttcdn.com/appstore/profile/icon.png","wise":"https://file.bttcdn.com/appstore/rss/icon.png","headscale": "https://file.bttcdn.com/appstore/headscale/icon.png","settings": "https://file.bttcdn.com/appstore/settings/icon.png"}'
-    applications.app.bytetrade.io/title: '{"dashboard": "Dashboard","control-hub":"Control Hub","profile":"Profile","wise":"Wise","headscale":"Headscale","settings":"Settings"}'
-    applications.app.bytetrade.io/version: '{"dashboard": "0.0.1","control-hub":"0.0.1","profile":"0.0.1","wise":"0.0.1","headscale":"0.0.1","settings":"0.0.1"}'
+    applications.app.bytetrade.io/icon: '{"dashboard":"https://file.bttcdn.com/appstore/dashboard/icon.png","control-hub":"https://file.bttcdn.com/appstore/control-hub/icon.png","profile":"https://file.bttcdn.com/appstore/profile/icon.png","wise":"https://file.bttcdn.com/appstore/rss/icon.png","headscale": "https://file.bttcdn.com/appstore/headscale/icon.png","settings": "https://file.bttcdn.com/appstore/settings/icon.png","studio":"https://file.bttcdn.com/appstore/devbox/icon.png"}'
+    applications.app.bytetrade.io/title: '{"dashboard": "Dashboard","control-hub":"Control Hub","profile":"Profile","wise":"Wise","headscale":"Headscale","settings":"Settings","studio":"Studio"}'
+    applications.app.bytetrade.io/version: '{"dashboard": "0.0.1","control-hub":"0.0.1","profile":"0.0.1","wise":"0.0.1","headscale":"0.0.1","settings":"0.0.1","studio":"0.0.1"}'
     applications.app.bytetrade.io/policies: '{"dashboard":{"policies":[{"entranceName":"dashboard","uriRegex":"/js/script.js", "level":"public"},{"entranceName":"dashboard","uriRegex":"/js/api/send", "level":"public"}]}}'
-    applications.app.bytetrade.io/entrances: '{"dashboard":[{"name":"dashboard","host":"dashboard-service","port":80,"title":"Dashboard","windowPushState":true}],"control-hub":[{"name":"control-hub","host":"control-hub-service","port":80,"title":"Control Hub","windowPushState":true}],"profile":[{"name":"profile", "host":"profile-service", "port":80,"title":"Profile","windowPushState":true}],"wise":[{"name":"wise", "host":"wise-svc", "port":80,"title":"Wise","windowPushState":true}],"headscale":[{"name":"headscale", "host":"headscale-svc", "port":80,"title":"Headscale","invisible": true}],"settings":[{"name":"settings", "host":"settings-service", "port":80,"title":"Settings"}]}'
+    applications.app.bytetrade.io/entrances: '{"dashboard":[{"name":"dashboard","host":"dashboard-service","port":80,"title":"Dashboard","windowPushState":true}],"control-hub":[{"name":"control-hub","host":"control-hub-service","port":80,"title":"Control Hub","windowPushState":true}],"profile":[{"name":"profile", "host":"profile-service", "port":80,"title":"Profile","windowPushState":true}],"wise":[{"name":"wise", "host":"wise-svc", "port":80,"title":"Wise","windowPushState":true}],"headscale":[{"name":"headscale", "host":"headscale-svc", "port":80,"title":"Headscale","invisible": true}],"settings":[{"name":"settings", "host":"settings-service", "port":80,"title":"Settings"}],"studio":[{"name":"studio","host":"studio-svc","port":8080,"title":"Studio","openMethod":"window"}]}'
 spec:
   replicas: 1
   selector:
@@ -136,7 +149,13 @@ spec:
       labels:
         app: system-frontend
         io.bytetrade.app: "true"
+      annotations:
+        instrumentation.opentelemetry.io/inject-nodejs: "olares-instrumentation"
+        instrumentation.opentelemetry.io/nodejs-container-names: "settings-server"    
+        instrumentation.opentelemetry.io/inject-nginx: "olares-instrumentation"
+        instrumentation.opentelemetry.io/inject-nginx-container-names: "system-frontend"    
     spec:
+      priorityClassName: "system-cluster-critical"
       initContainers:
         - args:
             - -it
@@ -177,7 +196,7 @@ spec:
                   apiVersion: v1
                   fieldPath: status.podIP
         - name: dashboard-init
-          image: beclab/dashboard-frontend-v1:v0.4.4
+          image: beclab/dashboard-frontend-v1:v0.4.9
           imagePullPolicy: IfNotPresent
           command:
             - /bin/sh
@@ -189,7 +208,7 @@ spec:
             - mountPath: /www
               name: www-dir
         - name: control-hub-init
-          image: beclab/admin-console-frontend-v1:v0.4.8
+          image: beclab/admin-console-frontend-v1:v0.5.8
           imagePullPolicy: IfNotPresent
           command:
             - /bin/sh
@@ -201,7 +220,7 @@ spec:
             - mountPath: /www
               name: www-dir
         - name: profile-editor-init
-          image: beclab/profile-editor:v0.2.0
+          image: beclab/profile-editor:v0.2.21
           imagePullPolicy: IfNotPresent
           command:
             - /bin/sh
@@ -213,7 +232,7 @@ spec:
             - mountPath: /www
               name: www-dir
         - name: profile-preview-init
-          image: beclab/profile-preview:v0.2.0
+          image: beclab/profile-preview:v0.2.21
           imagePullPolicy: IfNotPresent
           command:
             - /bin/sh
@@ -225,7 +244,7 @@ spec:
             - mountPath: /www
               name: www-dir
         - name: wise-init
-          image: beclab/wise:v1.2.69
+          image: beclab/wise:v1.3.55
           imagePullPolicy: IfNotPresent
           command:
             - /bin/sh
@@ -237,7 +256,7 @@ spec:
             - mountPath: /www
               name: www-dir
         - name: settings-init
-          image: beclab/settings:v0.2.0
+          image: beclab/settings:v1.3.62
           imagePullPolicy: IfNotPresent
           command:
             - /bin/sh
@@ -248,6 +267,18 @@ spec:
           volumeMounts:
             - mountPath: /www
               name: www-dir
+        - name: studio-init
+          image: beclab/studio:v0.2.16
+          imagePullPolicy: IfNotPresent
+          command:
+            - /bin/sh
+            - -c
+            - |
+              mkdir -p /www/studio
+              cp -r /app/* /www/studio
+          volumeMounts:
+            - mountPath: /www
+              name: www-dir
       containers:
         - name: terminus-envoy-sidecar
           image: bytetrade/envoy:v1.25.11
@@ -274,7 +305,7 @@ spec:
             - -c
             - /etc/envoy/envoy.yaml
         - name: system-frontend
-          image: beclab/docker-nginx-headers-more:v0.1.0
+          image: beclab/docker-nginx-headers-more:ubuntu-v0.1.0
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 81
@@ -298,7 +329,7 @@ spec:
             - name: www-dir
               mountPath: /www
             - name: wise-download-dir
-              mountPath: /data/Home/Downloads
+              mountPath: /data/Home
             - name: system-frontend-nginx-config
               mountPath: /etc/nginx/nginx.conf
               subPath: nginx.conf
@@ -320,6 +351,9 @@ spec:
             - name: system-frontend-nginx-config
               mountPath: /etc/nginx/conf.d/settings.conf
               subPath: settings.conf
+            - name: system-frontend-nginx-config
+              mountPath: /etc/nginx/conf.d/studio.conf
+              subPath: studio.conf
           env:
             - name: POD_UID
               valueFrom:
@@ -338,7 +372,7 @@ spec:
                 fieldRef:
                   fieldPath: status.podIP
         - name: terminus-ws-sidecar
-          image: 'beclab/ws-gateway:v1.0.3'
+          image: 'beclab/ws-gateway:v1.0.5'
           imagePullPolicy: IfNotPresent
           command:
             - /ws-gateway
@@ -351,7 +385,7 @@ spec:
           terminationMessagePath: /dev/termination-log
           terminationMessagePolicy: File
         - name: settings-server
-          image: beclab/settings-server:v0.2.0
+          image: beclab/settings-server:v0.2.23
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 3000
@@ -391,10 +425,10 @@ spec:
         - name: userspace-dir
           hostPath:
             type: Directory
-            path: {{ .Values.userspace.userData }}
+            path: '{{ .Values.userspace.userData }}'
         - name: terminus-sidecar-config
           configMap:
-            name: sidecar-ws-configs
+            name: sidecar-configs
             items:
               - key: envoy.yaml
                 path: envoy.yaml
@@ -403,7 +437,7 @@ spec:
         - name: wise-download-dir
           hostPath:
             type: Directory
-            path: {{ .Values.userspace.userData }}/Downloads
+            path: '{{ .Values.userspace.userData }}'
         - name: system-frontend-nginx-config
           configMap:
             name: system-frontend-nginx-config
@@ -422,6 +456,8 @@ spec:
                 path: headscale.conf
               - key: settings.conf
                 path: settings.conf
+              - key: studio.conf
+                path: studio.conf
 
 
 ---
@@ -477,6 +513,31 @@ status:
 ---
 apiVersion: sys.bytetrade.io/v1alpha1
 kind: ApplicationPermission
+metadata:
+  name: studio
+  namespace: user-system-{{ .Values.bfl.username }}
+spec:
+  app: studio
+  appid: studio
+  key: {{ .Values.os.studio.appKey }}
+  secret: {{ .Values.os.studio.appSecret }}
+  permissions:
+    - dataType: app
+      group: service.appstore
+      ops:
+        - InstallDevApp
+        - UninstallDevApp
+      version: v1
+    - dataType: legacy_api
+      group: api.intent
+      ops:
+        - POST
+      version: v2
+status:
+  state: active
+---
+apiVersion: sys.bytetrade.io/v1alpha1
+kind: ApplicationPermission
 metadata:
   name: settings
   namespace: user-system-{{ .Values.bfl.username }}
@@ -612,6 +673,16 @@ metadata:
   namespace: user-system-{{ .Values.bfl.username }}
 spec:
   callbacks:
+    - filters:
+        type:
+          - backup-state-event
+      op: Create
+      uri: /api/event/backup_state_event
+    - filters:
+        type:
+          - restore-state-event
+      op: Create
+      uri: /api/event/restore_state_event
     - filters:
         type:
           - app-installation-event
@@ -622,6 +693,11 @@ spec:
           - settings-event
       op: Create
       uri: /api/event/app_installation_event
+    - filters:
+        type:
+          - entrance-state-event
+      op: Create
+      uri: /api/event/entrance_state_event
     - filters:
         type:
           - system-upgrade-event
@@ -748,6 +824,10 @@ data:
         server anayltic2-server.os-system:3010;
     }
 
+    upstream HamiServer {
+        server hami-webui.kube-system:3000;
+    }
+
     server {
       listen 81;
       gzip off;
@@ -766,6 +846,14 @@ data:
         expires 0;
       }
 
+      location /ws {
+        proxy_pass http://127.0.0.1:40010;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+      }
+
       location /bfl {
         add_header 'Access-Control-Allow-Headers' 'x-api-nonce,x-api-ts,x-api-ver,x-api-source';
         proxy_pass http://bfl;
@@ -780,6 +868,18 @@ data:
         proxy_pass http://SettingsServer;
       }
 
+      location /hami/ {
+        proxy_pass http://HamiServer/;
+      }
+
+    
+      location /api/profile/init {
+        proxy_pass http://127.0.0.1:3010;
+        proxy_set_header            Host $host;
+        proxy_set_header            X-real-ip $remote_addr;
+        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
+      }
+
       location /api {
         proxy_pass http://SettingsServer;
       }
@@ -1013,7 +1113,7 @@ data:
     }
   wise.conf: |-
     upstream KnowledgeServer {
-        server rss-svc:3010;
+        server rss-svc.os-system:3010;
     }
 
     upstream RSSServer {
@@ -1021,7 +1121,7 @@ data:
     }
 
     upstream ArgoworkflowsSever {
-        server argoworkflows-svc:2746;
+        server argoworkflows-svc.os-system:2746;
     }
 
     server {
@@ -1048,6 +1148,15 @@ data:
         expires 0;
       }
 
+      location /ws {
+        proxy_pass http://rss-svc.os-system:40010;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+      }
+
+
         location /knowledge {
           proxy_pass http://KnowledgeServer;
 
@@ -1079,9 +1188,9 @@ data:
             proxy_pass http://ArgoworkflowsSever;
         }
 
-        location ~ ^/download/preview/Downloads/(.*)$
+        location ~ ^/download/preview/(.*)$
         {
-          alias /data/Home/Downloads/$1;
+          alias /data/Home/$1;
         }
 
         location /videos/ {
@@ -1102,6 +1211,44 @@ data:
             proxy_pass http://media-server-service.os-system:9090;
         }
 
+        location /api {
+            proxy_pass http://files-service.os-system:80;
+            # rewrite ^/server(.*)$ $1 break;
+
+            # Add original-request-related headers
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Host $host;
+
+            add_header Accept-Ranges bytes;
+
+            client_body_timeout 600s;
+            client_max_body_size 4000M;
+            proxy_request_buffering off;
+            keepalive_timeout 750s;
+            proxy_read_timeout 600s;
+            proxy_send_timeout 600s;
+        }
+
+        location /upload {
+            proxy_pass http://files-service.os-system:80;
+            # rewrite ^/server(.*)$ $1 break;
+
+            # Add original-request-related headers
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Host $host;
+
+            add_header Accept-Ranges bytes;
+
+            client_body_timeout 600s;
+            client_max_body_size 4000M;
+            proxy_request_buffering off;
+            keepalive_timeout 750s;
+            proxy_read_timeout 600s;
+            proxy_send_timeout 600s;
+        }
+
         # # files
         # # for all routes matching a dot, check for files and return 404 if not found
         # # e.g. /file.js returns a 404 if not found
@@ -1146,8 +1293,8 @@ data:
         server infisical-service:8080;
     }
 
-    upstream NotificationServer {
-        server notifications-server;
+    upstream BackupServer {
+        server backup-server.os-system:8082;
     }
 
     server {
@@ -1173,6 +1320,15 @@ data:
             expires 0;
         }
 
+        location /ws {
+          proxy_pass http://127.0.0.1:40010;
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection "upgrade";
+          proxy_set_header Host $host;
+        }
+
+
         location /kapis {
             proxy_pass http://SettingsServer_Monitoring;
             # rewrite ^/server(.*)$ $1 break;
@@ -1198,6 +1354,31 @@ data:
             proxy_set_header X-Forwarded-Host $host;
         }
 
+        location /apis/backup {
+            proxy_pass http://backup-server.os-system:8082;
+           add_header Accept "application/json, text/plain, */*";
+           add_header Content-Type "application/json; charset=utf-8";
+        }
+
+        location /api/resources {
+           proxy_pass http://files-service.os-system:80;
+           # rewrite ^/server(.*)$ $1 break;
+
+           # Add original-request-related headers
+           proxy_set_header X-Real-IP $remote_addr;
+           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+           proxy_set_header X-Forwarded-Host $host;
+
+           add_header Accept-Ranges bytes;
+
+           client_body_timeout 600s;
+           client_max_body_size 4000M;
+           proxy_request_buffering off;
+           keepalive_timeout 750s;
+           proxy_read_timeout 600s;
+           proxy_send_timeout 600s;
+        }
+
         location /drive {
             proxy_pass http://127.0.0.1:8080;
 
@@ -1236,11 +1417,193 @@ data:
             proxy_set_header X-Forwarded-Host $host;
         }
 
-        location /notification {
-            proxy_pass http://NotificationServer;
-        }
-
         location ~.*\.(js|css|png|jpg|svg|woff|woff2)$ {
             add_header Cache-Control "public, max-age=2678400";
         }
     }
+  studio.conf: |-
+    upstream SettingsServerStudio {
+        server monitoring-server.os-system;
+    }
+
+    upstream MiddlewareStudio {
+        server middleware-service.os-system;
+    }
+
+    upstream AnalyticsStudio {
+      server anayltic2-server.os-system:3010;
+    }
+
+    server {
+        listen 87;
+        # Gzip Settings
+        gzip off;
+        gzip_disable "msie6";
+        gzip_min_length 1k;
+        gzip_buffers 16 64k;
+        gzip_http_version 1.1;
+        gzip_comp_level 6;
+        gzip_types *;
+        root /www/studio;
+
+        location / {
+          try_files $uri $uri/index.html /index.html;
+          add_header Cache-Control "private,no-cache";
+          add_header Last-Modified "Oct, 03 Jan 2022 13:46:41 GMT";
+          expires 0;
+        }
+
+       location /api/command {
+          proxy_pass http://studio-server:8080;
+          proxy_set_header            Host $http_host;
+          proxy_set_header            X-real-ip $remote_addr;
+          proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection $http_connection;
+          proxy_set_header Accept-Encoding gzip;
+          proxy_read_timeout 180;
+      }
+      location /api/apps {
+          proxy_pass http://studio-server:8080;
+          proxy_set_header            Host $http_host;
+          proxy_set_header            X-real-ip $remote_addr;
+          proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection $http_connection;
+          proxy_set_header Accept-Encoding gzip;
+          proxy_read_timeout 180;
+      }
+      location /api/app-cfg {
+        proxy_pass http://studio-server:8080;
+        proxy_set_header            Host $http_host;
+        proxy_set_header            X-real-ip $remote_addr;
+        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $http_connection;
+        proxy_set_header Accept-Encoding gzip;
+        proxy_read_timeout 180;
+      }
+      location /api/app-state {
+        proxy_pass http://studio-server:8080;
+        proxy_set_header            Host $http_host;
+        proxy_set_header            X-real-ip $remote_addr;
+        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $http_connection;
+        proxy_set_header Accept-Encoding gzip;
+        proxy_read_timeout 180;
+      }
+      location /api/app-status {
+        proxy_pass http://studio-server:8080;
+        proxy_set_header            Host $http_host;
+        proxy_set_header            X-real-ip $remote_addr;
+        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $http_connection;
+        proxy_set_header Accept-Encoding gzip;
+        proxy_read_timeout 180;
+      }
+      location /api/list-my-containers {
+        proxy_pass http://studio-server:8080;
+        proxy_set_header            Host $http_host;
+        proxy_set_header            X-real-ip $remote_addr;
+        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $http_connection;
+        proxy_set_header Accept-Encoding gzip;
+        proxy_read_timeout 180;
+      }
+      location /api/files {
+        proxy_pass http://studio-server:8080;
+        proxy_set_header            Host $http_host;
+        proxy_set_header            X-real-ip $remote_addr;
+        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $http_connection;
+        proxy_set_header Accept-Encoding gzip;
+        proxy_read_timeout 180;
+      }
+
+      location /ws {
+        proxy_pass http://127.0.0.1:40010;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+      }
+
+      location /bfl {
+        add_header 'Access-Control-Allow-Headers' 'x-api-nonce,x-api-ts,x-api-ver,x-api-source';
+        proxy_pass http://bfl;
+        proxy_set_header            Host $host;
+        proxy_set_header            X-real-ip $remote_addr;
+        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
+
+        add_header X-Frame-Options SAMEORIGIN;
+      }
+
+      location /kapis {
+        proxy_pass http://SettingsServerStudio;
+      }
+
+      location /api/profile/init {
+        proxy_pass http://127.0.0.1:3010;
+        proxy_set_header            Host $host;
+        proxy_set_header            X-real-ip $remote_addr;
+        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
+      }
+
+      location /api {
+        proxy_pass http://SettingsServerStudio;
+      }
+
+      location /capi {
+        proxy_pass http://SettingsServerStudio;
+        proxy_set_header            Host $host;
+        proxy_set_header            X-real-ip $remote_addr;
+        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
+      }
+
+      location = /js/api/send {
+        proxy_pass http://AnalyticsStudio;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        rewrite ^/js(.*)$ $1 break;
+      }
+
+      location /analytics_service {
+        proxy_pass http://AnalyticsStudio;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        proxy_set_header Host $host;
+        rewrite ^/analytics_service(.*)$ $1 break;
+      }
+
+      location ~ /(kapis/terminal|api/v1/watch|apis/apps/v1/watch) {
+        proxy_pass http://SettingsServerStudio;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        proxy_set_header Host $host;
+      }
+
+
+      location = /js/script.js {
+        add_header Access-Control-Allow-Origin "*";
+      }
+
+      location ~.*\.(js|css|png|jpg|svg|woff|woff2)$ {
+        add_header Cache-Control "public, max-age=2678400";
+      }
+    }

apps/system-apps/config/user/helm-charts/monitoring/values.yaml

@@ -1,4 +1,3 @@
-
 bfl:
   nodeport: 30883
   nodeport_ingress_http: 30083
@@ -18,10 +17,10 @@ docs:
 desktop:
   nodeport: 30180
 os:
-  portfolio:
+  profile:
     appKey: '${ks[0]}'
     appSecret: test
-  vault:
+  studio:
     appKey: '${ks[0]}'
     appSecret: test
   desktop:
@@ -39,5 +38,11 @@ os:
   search2:
     appKey: '${ks[0]}'
     appSecret: test
+  settings:
+    appKey: '${ks[0]}'
+    appSecret: test
+  dashboard:
+    appKey: '${ks[0]}'
+    appSecret: test
 kubesphere:
-  redis_password: ""
+  redis_password: ""

apps/vault/config/cluster/deploy/vault_server_deploy.yaml

@@ -83,7 +83,7 @@ spec:
             value: os_system_vault
       containers:
       - name: vault-server
-        image: beclab/vault-server:v1.2.69
+        image: beclab/vault-server:v1.3.55
         imagePullPolicy: IfNotPresent
         ports:
         - containerPort: 3000
@@ -114,7 +114,7 @@ spec:
         - name: vault-attach
           mountPath: /padloc/packages/server/attachments
       - name: vault-admin
-        image: beclab/vault-admin:v1.2.69
+        image: beclab/vault-admin:v1.3.55
         imagePullPolicy: IfNotPresent
         ports:
         - containerPort: 3010
@@ -135,11 +135,11 @@ spec:
       - name: vault-data
         hostPath:
           type: DirectoryOrCreate
-          path: {{ $vault_rootpath }}/data
+          path: '{{ $vault_rootpath }}/data'
       - name: vault-attach
         hostPath:
           type: DirectoryOrCreate
-          path: {{ $vault_rootpath }}/attachments
+          path: '{{ $vault_rootpath }}/attachments'
 ---
 apiVersion: v1
 kind: Service

apps/vault/config/user/helm-charts/vault/templates/vault_deploy.yaml

@@ -1,3 +1,13 @@
+{{- $namespace := printf "%s%s" "user-system-" .Values.bfl.username -}}
+
+{{- $vault_nats_secret := (lookup "v1" "Secret" $namespace "vault-nats-secrets") -}}
+{{- $vault_nats_password := "" -}}
+{{ if $vault_nats_secret -}}
+{{ $vault_nats_password = (index $vault_nats_secret "data" "vault_nats_password") }}
+{{ else -}}
+{{ $vault_nats_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
 
 
 ---
@@ -36,6 +46,12 @@ spec:
         image: owncloudci/wait-for:latest
         imagePullPolicy: IfNotPresent
         name: check-auth
+      - args:
+        - -it
+        - nats.user-system-{{ .Values.bfl.username }}:4222
+        image: owncloudci/wait-for:latest
+        imagePullPolicy: IfNotPresent
+        name: check-nats
       - name: terminus-sidecar-init
         image: openservicemesh/init:v1.2.3
         imagePullPolicy: IfNotPresent
@@ -72,13 +88,13 @@ spec:
 
       containers:
       - name: vault-frontend
-        image: beclab/vault-frontend:v1.2.69
+        image: beclab/vault-frontend:v1.3.55
         imagePullPolicy: IfNotPresent
         ports:
         - containerPort: 80
       
       - name: notification-server
-        image: beclab/vault-notification:v1.2.69
+        image: beclab/vault-notification:v1.3.55
         imagePullPolicy: IfNotPresent
         ports:
         - containerPort: 3010
@@ -93,6 +109,17 @@ spec:
             value: '{{ .Values.os.vault.appSecret }}'
           - name: OS_APP_KEY
             value: {{ .Values.os.vault.appKey }}
+          - name: NATS_HOST
+            value: nats.user-system-{{ .Values.bfl.username }}
+          - name: NATS_PORT
+            value: '4222'
+          - name: NATS_USERNAME
+            value: user-system-{{ .Values.bfl.username }}-vault
+          - name: NATS_PASSWORD
+            value: {{ $vault_nats_password | b64dec }}
+          - name: NATS_SUBJECT
+            value: terminus.os-system.files-notify
+          
 
       - name: terminus-envoy-sidecar
         image: bytetrade/envoy:v1.25.11
@@ -238,3 +265,38 @@ spec:
     version: v1
 status:
   state: active
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: vault-nats-secrets
+  namespace: user-system-{{ .Values.bfl.username }}
+data:
+  vault_nats_password: {{ $vault_nats_password }}
+type: Opaque
+
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: vault-nat
+  namespace: user-system-{{ .Values.bfl.username }}
+spec:
+  app: vault
+  appNamespace: user-space-{{ .Values.bfl.username }}
+  middleware: nats
+  nats:
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: vault_nats_password
+          name: vault-nats-secrets
+    refs:
+      - appName: files-server
+        appNamespace: os-system
+        subjects:
+          - name: files-notify
+            perm:
+              - pub
+              - sub
+    user: user-system-{{ .Values.bfl.username }}-vault

apps/vault/config/user/helm-charts/vault/values.yaml

@@ -1,4 +1,3 @@
-
 bfl:
   nodeport: 30883
   nodeport_ingress_http: 30083
@@ -40,4 +39,4 @@ os:
     appKey: '${ks[0]}'
     appSecret: test
 kubesphere:
-  redis_password: ""
+  redis_password: ""

apps/wizard/config/user/helm-charts/wizard/templates/wizard_deploy.yaml

@@ -61,7 +61,7 @@ spec:
 
       containers:
       - name: wizard
-        image: beclab/wizard:v0.5.11
+        image: beclab/wizard:v1.3.57
         imagePullPolicy: IfNotPresent
         ports:
         - containerPort: 80
@@ -132,7 +132,7 @@ spec:
       - name: userspace-dir
         hostPath:
           type: Directory
-          path: {{ .Values.userspace.userData }}
+          path: "{{ .Values.userspace.userData }}"
       # - name: terminus-sidecar-config
       #   configMap:
       #     name: sidecar-configs

apps/wizard/config/user/helm-charts/wizard/values.yaml

@@ -1,4 +1,3 @@
-
 bfl:
   username: 'test'
   url: 'test'

build/installer/deploy/device-plugin.yaml

@@ -28,6 +28,8 @@ spec:
     spec:
       runtimeClassName: nvidia # Explicitly request the runtime
       priorityClassName: system-node-critical
+      nodeSelector:
+        gpu.bytetrade.io/cuda-supported: 'true'
       initContainers:
       - name: init-dir
         image: busybox:1.28
@@ -40,7 +42,7 @@ spec:
         - "[ -d /var/run/nvshare/libnvshare.so ] && rm -rf /var/run/nvshare/libnvshare.so || true"
       containers:
       - name: nvshare-lib
-        image: beclab/nvshare:libnvshare-v0.0.2
+        image: beclab/nvshare:libnvshare-v0.0.1
         command:
         - sleep
         - infinity
@@ -50,7 +52,7 @@ spec:
               command:
               - "/bin/sh"
               - "-c"
-              - "test -f /host-var-run-nvshare/libnvshare.so || touch /host-var-run-nvshare/libnvshare.so && mount -v --bind /libnvshare.so /host-var-run-nvshare/libnvshare.so"
+              - "test -f /host-var-run-nvshare/libnvshare.so || ( test -d /host-var-run-nvshare/libnvshare.so && rm -rf /host-var-run-nvshare/libnvshare.so && false ) || touch /host-var-run-nvshare/libnvshare.so && mount -v --bind /libnvshare.so /host-var-run-nvshare/libnvshare.so"
           preStop:
             exec:
               command:

build/installer/deploy/nvidia-device-plugin.yml

@@ -44,6 +44,8 @@ spec:
       # be rescheduled after a failure.
       # See https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/
       priorityClassName: "system-node-critical"
+      nodeSelector:
+        gpu.bytetrade.io/cuda-supported: 'true'
       containers:
       - image: nvcr.io/nvidia/k8s-device-plugin:v0.16.1
         name: nvidia-device-plugin-ctr

build/installer/deploy/scheduler.yaml

@@ -26,8 +26,9 @@ spec:
       labels:
         name: nvshare-scheduler
     spec:
-      runtimeClassName: nvidia # Explicitly request the runtime
       priorityClassName: system-node-critical
+      nodeSelector:
+        gpu.bytetrade.io/cuda-supported: 'true'
       initContainers:
       - name: init-dir
         image: busybox:1.28
@@ -46,6 +47,10 @@ spec:
           allowPrivilegeEscalation: false
           capabilities:
             drop: ["ALL"]
+        command:
+        - sh
+        - -c
+        - "test -f /var/run/nvshare/scheduler.sock && rm -rf /var/run/nvshare/scheduler.sock; pid1 nvshare-scheduler"
         volumeMounts:
           - name: nvshare-socket-directory
             mountPath: /var/run/nvshare

build/installer/install.ps1

@@ -1,6 +1,8 @@
 $currentPath = Get-Location
 $architecture = $env:PROCESSOR_ARCHITECTURE
+$downloadCdnUrlFromEnv = $env:DOWNLOAD_CDN_URL
 $version = "#__VERSION__"
+$downloadUrl = "https://dc3p1870nn3cj.cloudfront.net"
 
 function Test-Wait {
   while ($true) {
@@ -8,42 +10,78 @@ function Test-Wait {
   }
 }
 
+$runAsAdmin = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
+if (-not $runAsAdmin.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
+    Write-Host "`n`nThe installation script needs to be run as an administrator.`n"
+    Write-Host "Please try the following methods:`n"
+    Write-Host "1. Search for 'PowerShell' in the Start menu, right-click it, and select 'Run as administrator'. "
+    Write-Host "   Navigate to the directory where the installation script is located and run the installation script.`n"
+    Write-Host "2. Press Win + R, type 'powershell', and then press Ctrl + Shift + Enter. "
+    Write-Host "   Navigate to the directory where the installation script is located and run the installation script.`n"
+    Write-Host "`nPress Ctrl+C to exit.`n"
+    Test-Wait
+}
+
 $process = Get-Process -Name olares-cli -ErrorAction SilentlyContinue
 if ($process) {
   Write-Host "olares-cli.exe is running, Press Ctrl+C to exit."
   Test-Wait
 }
 
+$distro = wsl --list | Select-String -Pattern "^Ubuntu$"
+if (-not $distro -eq "") {
+  Write-Host "Distro Olares exists, please unregister it first."
+  exit 1
+}
+
 $arch = "amd64"
 if ($architecture -like "ARM") {
   $arch = "arm64"
 }
 
-$CLI_VERSION = "0.1.75"
+if (-Not $downloadCdnUrlFromEnv -eq "") {
+  $downloadUrl = $downloadCdnUrlFromEnv
+}
+
+$CLI_PROGRAM_PATH = "{0}\" -f $currentPath
+if (-Not (Test-Path $CLI_PROGRAM_PATH)) {
+  New-Item -Path $CLI_PROGRAM_PATH -ItemType Directory
+}
+
+$CLI_VERSION = "0.2.35"
 $CLI_FILE = "olares-cli-v{0}_windows_{1}.tar.gz" -f $CLI_VERSION, $arch
-$CLI_URL = "https://dc3p1870nn3cj.cloudfront.net/{0}" -f $CLI_FILE
-$CLI_PATH = "{0}\{1}"  -f $currentPath, $CLI_FILE
-if (-Not (Test-Path $CLI_FILE)) {
+$CLI_URL = "{0}/{1}" -f $downloadUrl, $CLI_FILE
+$CLI_PATH = "{0}{1}" -f $CLI_PROGRAM_PATH, $CLI_FILE
+
+$download = 0
+if (Test-Path $CLI_PATH) {
+  tar -xzf $CLI_PATH -C $CLI_PROGRAM_PATH *> $null
+  if (-Not ($LASTEXITCODE -eq 0)) {
+    Remove-Item -Path $CLI_PATH
+    $download = 1
+  }
+} else {
+  $download = 1
+}
+
+if ($download -eq 1) {
   curl -Uri $CLI_URL -OutFile $CLI_PATH
+  Write-Host "Downloading olares-cli.exe..."
+  if (-Not (Test-Path $CLI_PATH)) {
+    Write-Host "Download olares-cli.exe failed."
+    exit 1
+  }
+  tar -xzf $CLI_PATH -C $CLI_PROGRAM_PATH *> $null
+  $cliPath = "{0}\olares-cli.exe" -f $CLI_PROGRAM_PATH
+  if ( -Not (Test-Path $cliPath)) {
+    Write-Host "olares-cli.exe not found."
+    exit 1
+  }
 }
 
-if (-Not (Test-Path $CLI_PATH)) {
-  Write-Host "Download olares-cli.exe failed."
-  exit 1
-}
-
-tar -xf $CLI_PATH
-$cliPath = "{0}\olares-cli.exe" -f $currentPath
-if ( -Not (Test-Path $cliPath)) {
-  Write-Host "olares-cli.exe not found."
-  exit 1
-}
-
-wsl --unregister Ubuntu *> $null
-
 Start-Sleep -Seconds 3
 Write-Host ("Preparing to start the installation of Olares {0}. Depending on your network conditions, this process may take several minutes." -f $version)
 
-$command = "{0} olares install --version {1}" -f $cliPath, $version
+$command = "{0}\olares-cli.exe install --version {1}" -f $CLI_PROGRAM_PATH, $version
 Start-Process cmd -ArgumentList '/k',$command -Wait -Verb RunAs
 

build/installer/install.sh

@@ -20,7 +20,7 @@ fi
 
 if [[ "x${VERSION}" == "x" || "x${VERSION:3}" == "xVERSION__" ]]; then
     echo "error: Olares version is unspecified, please set the VERSION env var and rerun this script."
-    echo "for example: VERSION=1.11.0-20241124 bash $0"
+    echo "for example: VERSION=1.12.0-20241124 bash $0"
     exit 1
 fi
 
@@ -28,16 +28,16 @@ fi
 os_type=$(uname -s)
 os_arch=$(uname -m)
 
-case "$os_arch" in 
-    arm64) ARCH=arm64; ;; 
-    x86_64) ARCH=amd64; ;; 
-    armv7l) ARCH=arm; ;; 
-    aarch64) ARCH=arm64; ;; 
-    ppc64le) ARCH=ppc64le; ;; 
-    s390x) ARCH=s390x; ;; 
+case "$os_arch" in
+    arm64) ARCH=arm64; ;;
+    x86_64) ARCH=amd64; ;;
+    armv7l) ARCH=arm; ;;
+    aarch64) ARCH=arm64; ;;
+    ppc64le) ARCH=ppc64le; ;;
+    s390x) ARCH=s390x; ;;
     *) echo "error: unsupported arch \"$os_arch\"";
     exit 1; ;;
-esac 
+esac
 
 # set shell execute command
 user="$(id -un 2>/dev/null || true)"
@@ -74,13 +74,14 @@ if [ -z ${cdn_url} ]; then
     cdn_url="https://dc3p1870nn3cj.cloudfront.net"
 fi
 
-CLI_VERSION="0.1.75"
+CLI_VERSION="0.2.35"
 CLI_FILE="olares-cli-v${CLI_VERSION}_linux_${ARCH}.tar.gz"
 if [[ x"$os_type" == x"Darwin" ]]; then
     CLI_FILE="olares-cli-v${CLI_VERSION}_darwin_${ARCH}.tar.gz"
 fi
 
 if command_exists olares-cli && [[ "$(olares-cli -v | awk '{print $3}')" == "$CLI_VERSION" ]]; then
+    INSTALL_OLARES_CLI=$(which olares-cli)
     echo "olares-cli already installed and is the expected version"
     echo ""
 else
@@ -136,16 +137,22 @@ else
             echo ""
         else
             echo "building local release ..."
-            $sh_c "olares-cli olares release $PARAMS $CDN"
+            $sh_c "$INSTALL_OLARES_CLI release $PARAMS $CDN"
             if [[ $? -ne 0 ]]; then
                 echo "error: failed to build local release"
                 exit 1
             fi
         fi
     else
+        echo "running system prechecks ..."
+        echo ""
+        $sh_c "$INSTALL_OLARES_CLI precheck $PARAMS"
+        if [[ $? -ne 0 ]]; then
+            exit 1
+        fi
         echo "downloading installation wizard..."
         echo ""
-        $sh_c "olares-cli olares download wizard $PARAMS $KUBE_PARAM $CDN"
+        $sh_c "$INSTALL_OLARES_CLI download wizard $PARAMS $KUBE_PARAM $CDN"
         if [[ $? -ne 0 ]]; then
             echo "error: failed to download installation wizard"
             exit 1
@@ -154,7 +161,7 @@ else
 
     echo "downloading installation packages..."
     echo ""
-    $sh_c "olares-cli olares download component $PARAMS $KUBE_PARAM $CDN"
+    $sh_c "$INSTALL_OLARES_CLI download component $PARAMS $KUBE_PARAM $CDN"
     if [[ $? -ne 0 ]]; then
         echo "error: failed to download installation packages"
         exit 1
@@ -166,10 +173,7 @@ else
     if [ x"$REGISTRY_MIRRORS" != x"" ]; then
         extra="--registry-mirrors $REGISTRY_MIRRORS"
     fi
-    if [[ "$JUICEFS" == "1" ]]; then
-        extra="$extra --with-juicefs=true"
-    fi
-    $sh_c "olares-cli olares prepare $PARAMS $KUBE_PARAM $extra"
+    $sh_c "$INSTALL_OLARES_CLI prepare $PARAMS $KUBE_PARAM $extra"
     if [[ $? -ne 0 ]]; then
         echo "error: failed to prepare installation environment"
         exit 1
@@ -185,9 +189,39 @@ if [ "$PREINSTALL" == "1" ]; then
     echo "Pre Install mode is specified by the \"PREINSTALL\" env var, skip installing"
     exit 0
 fi
+
+if [[ "$JUICEFS" == "1" ]]; then
+    echo "JuiceFS is enabled"
+    fsflag="--with-juicefs=true"
+    if [[ "$STORAGE" == "" ]]; then
+        echo "installing MinIO ..."
+    else
+        echo "checking storage config ..."
+    fi
+    $sh_c "$INSTALL_OLARES_CLI install storage $PARAMS"
+    if [[ $? -ne 0 ]]; then
+      exit 1
+    fi
+fi
+
+if [[ -n "$SWAPPINESS" ]]; then
+    swapflag="$swapflag --swappiness $SWAPPINESS"
+fi
+if [[ "$ENABLE_POD_SWAP" == "1" ]]; then
+    swapflag="$swapflag --enable-pod-swap"
+fi
+if [[ "$ENABLE_ZRAM" == "1" ]]; then
+    swapflag="$swapflag --enable-zram"
+fi
+if [[ -n "$ZRAM_SIZE" ]]; then
+    swapflag="$swapflag --zram-size $ZRAM_SIZE"
+fi
+if [[ -n "$ZRAM_SWAP_PRIORITY" ]]; then
+    swapflag="$swapflag --zram-swap-priority $ZRAM_SWAP_PRIORITY"
+fi
 echo "installing Olares..."
 echo ""
-$sh_c "olares-cli olares install $PARAMS $KUBE_PARAM"
+$sh_c "$INSTALL_OLARES_CLI install $PARAMS $KUBE_PARAM $fsflag $swapflag"
 
 if [[ $? -ne 0 ]]; then
     echo "error: failed to install Olares"

build/installer/joincluster.sh

@@ -0,0 +1,261 @@
+#!/usr/bin/env bash
+
+set -o pipefail
+set -e
+
+function command_exists() {
+	  command -v "$@" > /dev/null 2>&1
+}
+
+function read_tty() {
+    echo -n $1
+    read $2 < /dev/tty
+}
+
+function confirm() {
+    if [[ "$QUIET" == "1" ]]; then
+        return 0
+    fi
+    answer=""
+    while :; do
+        read_tty "Do you confirm to continue? (y/n): " answer
+        if [[ "$answer" != "y" && "$answer" != "n" ]]; then
+            echo "Please input the letter y or n"
+            continue
+        fi
+        if [[ "$answer" == "y" ]]; then
+            return 0
+        fi
+        if [[ "$answer" == "n" ]]; then
+            exit 0
+        fi
+    done
+}
+
+function validate_ip() {
+    if [[ ! "$1" ]]; then
+        echo "invalid IP: empty address"
+        return 1
+    elif [[ ! $1 =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+        echo "invalid IP: illegal format"
+        return 1
+    elif [[ $1 =~ ^127 ]]; then
+        echo "invalid IP: loopback address"
+        return 1
+    else
+        return 0
+    fi
+}
+
+MASTER_SSH_OPTIONS=""
+
+function add_master_host_ssh_options() {
+    MASTER_SSH_OPTIONS="$MASTER_SSH_OPTIONS --$1 $2"
+}
+
+function set_master_host_ssh_options() {
+    master_host="$MASTER_HOST"
+    if [[ ! "$master_host" ]]; then
+        read_tty "Enter the master node's IP: " master_host
+    fi
+
+    while :; do
+        if ! validate_ip "$master_host"; then
+            read_tty "Enter the master node's IP: " master_host
+        else
+            break
+        fi
+    done
+
+    add_master_host_ssh_options master-host "$master_host"
+
+    if [[ "$MASTER_NODE_NAME" ]]; then
+        add_master_host_ssh_options master-node-name "$MASTER_NODE_NAME"
+    fi
+
+    if [[ "$MASTER_SSH_USER" ]]; then
+        add_master_host_ssh_options master-ssh-user "$MASTER_SSH_USER"
+    else
+        echo "the environment variable \$MASTER_SSH_USER is not set"
+        echo "the default remote user \"root\" on the master node will be used to authenticate"
+        echo "if this is unexpected, please set it explicitly"
+        confirm
+    fi
+
+    if [[ "$MASTER_SSH_PASSWORD" ]]; then
+        add_master_host_ssh_options master-ssh-password "$MASTER_SSH_PASSWORD"
+    fi
+
+    if [[ "$MASTER_SSH_PRIVATE_KEY_PATH" ]]; then
+        add_master_host_ssh_options master-ssh-private-key-path "$MASTER_SSH_PRIVATE_KEY_PATH"
+    elif [[ ! "$MASTER_SSH_PASSWORD" ]]; then
+        echo "the environment variable \$MASTER_SSH_PRIVATE_KEY_PATH is not set"
+        echo "the default key in the local path /root/.ssh/id_rsa will be used to authenticate to the master"
+        echo "please make sure the key exists and the public key has already been added to the master node"
+        echo "if this is unexpected, please set it explicitly"
+        confirm
+    fi
+
+    if [[ "$MASTER_SSH_PORT" ]]; then
+        add_master_host_ssh_options master-ssh-port "$MASTER_SSH_PORT"
+    fi
+}
+
+function getmasterinfo() {
+    $sh_c "$INSTALL_OLARES_CLI node masterinfo $MASTER_SSH_OPTIONS" | tee /proc/$$/fd/1
+    if [[ $? -ne 0 ]]; then
+        exit 1
+    fi
+    echo "" > /proc/$$/fd/1
+}
+
+# check os type and arch
+os_type=$(uname -s)
+os_arch=$(uname -m)
+
+case "$os_arch" in
+    arm64) ARCH=arm64; ;;
+    x86_64) ARCH=amd64; ;;
+    armv7l) ARCH=arm; ;;
+    aarch64) ARCH=arm64; ;;
+    ppc64le) ARCH=ppc64le; ;;
+    s390x) ARCH=s390x; ;;
+    *) echo "error: unsupported arch \"$os_arch\"";
+    exit 1; ;;
+esac
+
+if [[ "$os_type" != "Linux" ]]; then
+    echo "error: only Linux machine can be added to the cluster"
+    exit 1
+fi
+
+# set shell execute command
+user="$(id -un 2>/dev/null || true)"
+sh_c='sh -c'
+if [ "$user" != 'root' ]; then
+    if ! command_exists sudo; then
+        echo "error: the ability to run as root is needed, but the command \"sudo\" can not be found"
+        exit 1
+    fi
+    sh_c='sudo -E sh -c'
+fi
+
+if ! command_exists tar; then
+    echo "error: the \"tar\" command is needed to unpack installation files, but can not be found"
+    exit 1
+fi
+
+BASE_DIR="$HOME/.olares"
+if [ ! -d $BASE_DIR ]; then
+    mkdir -p $BASE_DIR
+fi
+
+cdn_url=${DOWNLOAD_CDN_URL}
+if [[ -z "${cdn_url}" ]]; then
+    cdn_url="https://dc3p1870nn3cj.cloudfront.net"
+fi
+
+set_master_host_ssh_options
+
+CLI_VERSION="0.2.35"
+CLI_FILE="olares-cli-v${CLI_VERSION}_linux_${ARCH}.tar.gz"
+
+if command_exists olares-cli && [[ "$(olares-cli -v | awk '{print $3}')" == "$CLI_VERSION" ]]; then
+    INSTALL_OLARES_CLI=$(which olares-cli)
+    echo "olares-cli already installed and is the expected version"
+    echo ""
+else
+    if [[ ! -f ${CLI_FILE} ]]; then
+        CLI_URL="${cdn_url}/${CLI_FILE}"
+
+        echo "downloading Olares installer from ${CLI_URL} ..."
+        echo ""
+
+        curl -Lo ${CLI_FILE} ${CLI_URL}
+
+        if [[ $? -ne 0 ]]; then
+            echo "error: failed to download Olares installer"
+            exit 1
+        else
+            echo "Olares installer ${CLI_VERSION} download complete!"
+            echo ""
+        fi
+    fi
+    INSTALL_OLARES_CLI="/usr/local/bin/olares-cli"
+    echo "unpacking Olares installer to $INSTALL_OLARES_CLI..."
+    echo ""
+    tar -zxf ${CLI_FILE} olares-cli && chmod +x olares-cli
+    $sh_c "mv olares-cli $INSTALL_OLARES_CLI"
+
+    if [[ $? -ne 0 ]]; then
+        echo "error: failed to unpack Olares installer"
+        exit 1
+    fi
+fi
+
+echo "getting master info and checking current machine's eligibility to join the cluster"
+echo ""
+master_olares_version="$( getmasterinfo | grep OlaresVersion | awk '{print $2}' )"
+if [[ ! "$master_olares_version" ]]; then
+    echo "failed to fetch the version of Olares installed on master node"
+    exit 1
+fi
+PARAMS="--version $master_olares_version --base-dir $BASE_DIR"
+CDN="--download-cdn-url ${cdn_url}"
+
+if [[ -f $BASE_DIR/.prepared ]]; then
+    echo "file $BASE_DIR/.prepared detected, skip preparing phase"
+    echo ""
+    echo "please make sure the prepared Olares version is the same as the master, or there might be compatibility issues"
+    echo ""
+else
+    echo "running system prechecks ..."
+    echo ""
+    $sh_c "$INSTALL_OLARES_CLI precheck $PARAMS"
+    if [[ $? -ne 0 ]]; then
+        exit 1
+    fi
+
+    echo "downloading installation wizard..."
+    echo ""
+    $sh_c "$INSTALL_OLARES_CLI download wizard $PARAMS $CDN"
+    if [[ $? -ne 0 ]]; then
+        echo "error: failed to download installation wizard"
+        exit 1
+    fi
+
+    echo "downloading installation packages..."
+    echo ""
+    $sh_c "$INSTALL_OLARES_CLI download component $PARAMS $CDN"
+    if [[ $? -ne 0 ]]; then
+        echo "error: failed to download installation packages"
+        exit 1
+    fi
+
+    echo "preparing installation environment..."
+    echo ""
+    # env 'REGISTRY_MIRRORS' is a docker image cache mirrors, separated by commas
+    if [ x"$REGISTRY_MIRRORS" != x"" ]; then
+        extra="--registry-mirrors $REGISTRY_MIRRORS"
+    fi
+    $sh_c "$INSTALL_OLARES_CLI prepare $PARAMS $extra"
+    if [[ $? -ne 0 ]]; then
+        echo "error: failed to prepare installation environment"
+        exit 1
+    fi
+fi
+
+if [ -f $BASE_DIR/.installed ]; then
+    echo "file $BASE_DIR/.installed detected, skip installing"
+    echo "if it is left by an unclean uninstallation, please manually remove it and invoke the installer again"
+    exit 0
+fi
+
+echo "installing Kubernetes and joining Olares cluster..."
+echo ""
+$sh_c "$INSTALL_OLARES_CLI node add $PARAMS $MASTER_SSH_OPTIONS"
+
+if [[ $? -ne 0 ]]; then
+    echo "error: failed to install Olares"
+    exit 1
+fi

build/installer/upgrade_cmd.sh

@@ -146,7 +146,7 @@ function get_app_key_secret(){
 
 function get_app_settings(){
     local username=$1
-    local apps=("vault" "desktop" "message" "wise" "search" "appstore" "notification" "dashboard" "settings" "devbox" "profile" "agent" "files")
+    local apps=("vault" "desktop" "message" "wise" "search" "appstore" "notification" "dashboard" "settings" "studio" "profile" "agent" "files")
     for a in ${apps[@]};do
         ks=($(get_app_key_secret "$username" "$a"))
         echo '
@@ -282,6 +282,33 @@ function get_bfl_status(){
     $sh_c "${KUBECTL} get pod  -n user-space-${username} -l 'tier=bfl' -o jsonpath='{.items[*].status.phase}'"
 }
 
+function get_fileserver_status(){
+    $sh_c "${KUBECTL} get pod  -n os-system -l 'app=files' -o jsonpath='{.items[*].status.phase}'"
+}
+
+function get_filefe_status(){
+    local username=$1
+    $sh_c "${KUBECTL} get pod  -n user-space-${username} -l 'app=files' -o jsonpath='{.items[*].status.phase}'"
+}
+
+function check_fileserver(){
+    local status=$(get_fileserver_status)
+    local n=0
+    while [ "x${status}" != "xRunning" ]; do
+        n=$(expr $n + 1)
+        local dotn=$(($n % 10))
+        local dot=$(repeat $dotn '>')
+
+        echo -ne "\rWaiting for file-server starting ${dot}"
+        sleep 0.5
+
+        status=$(get_fileserver_status)
+        echo -ne "\rWaiting for file-server starting          "
+
+    done
+    echo
+}
+
 function check_appservice(){
     local status=$(get_appservice_status)
     local n=0
@@ -300,6 +327,25 @@ function check_appservice(){
     echo
 }
 
+function check_filesfe(){
+    local username=$1
+    local status=$(get_filefe_status ${username})
+    local n=0
+    while [ "x${status}" != "xRunning" ]; do
+        n=$(expr $n + 1)
+        local dotn=$(($n % 10))
+        local dot=$(repeat $dotn '>')
+
+        echo -ne "\rPlease waiting ${dot}"
+        sleep 0.5
+
+        status=$(get_filefe_status ${username})
+        echo -ne "\rPlease waiting          "
+
+    done
+    echo
+}
+
 function check_bfl(){
     local username=$1
     local status=$(get_bfl_status ${username})
@@ -482,7 +528,7 @@ function upgrade_terminus(){
 
     # patch
     ensure_success $sh_c "${KUBECTL} apply -f ${BASE_DIR}/deploy/patch-globalrole-workspace-manager.yaml"
-    ensure_success $sh_c "$KUBECTL apply -f ${BASE_DIR}/deploy/patch-notification-manager.yaml"
+    # ensure_success $sh_c "$KUBECTL apply -f ${BASE_DIR}/deploy/patch-notification-manager.yaml"
 
     # clear apps values.yaml
     cat /dev/null > ${BASE_DIR}/wizard/config/apps/values.yaml
@@ -510,6 +556,13 @@ function upgrade_terminus(){
         for appdir in "${BASE_DIR}/wizard/config/apps"/*/; do
           if [ -d "$appdir" ]; then
             releasename=$(basename "$appdir")
+
+            # ignore wizard
+            # FIXME: unintitialized user's wizard should be upgrade
+            if [ x"${releasename}" == x"wizard" ]; then 
+                continue
+            fi
+
             if [ "$user" != "$admin_user" ];then
                 releasename=${releasename}-${user}
             fi
@@ -519,18 +572,6 @@ function upgrade_terminus(){
 
     done
 
-    echo 'Waiting for Vault ...'
-    check_vault ${admin_user}
-    echo
-
-    echo 'Starting BFL ...'
-    check_bfl ${admin_user}
-    echo
-
-    echo 'Starting Desktop ...'
-    check_desktop ${admin_user}
-    echo
-
     # upgrade app service in the last. keep app service online longer
     local terminus_is_cloud_version=$($sh_c "${KUBECTL} get cm -n os-system backup-config -o jsonpath='{.data.terminus-is-cloud-version}'")
     local backup_cluster_bucket=$($sh_c "${KUBECTL} get cm -n os-system backup-config -o jsonpath='{.data.backup-cluster-bucket}'")
@@ -544,18 +585,27 @@ function upgrade_terminus(){
         --set backup.sync_secret=\"${backup_secret}\""
 
     echo 'Waiting for App-Service ...'
+    sleep 2 # wait for controller reconiling
     check_appservice
     echo
 
-    # upgrade_ksapi ${users[@]}
-    # echo
+    echo 'Waiting for Vault ...'
+    check_vault ${admin_user}
+    echo
+
+    echo 'Starting BFL ...'
+    check_bfl ${admin_user}
+    echo
+
+    echo 'Starting files ...'
+    check_fileserver
+    check_filesfe ${admin_user}
+    echo
+
+    echo 'Starting Desktop ...'
+    check_desktop ${admin_user}
+    echo
 
-    local gpu=$($sh_c "${KUBECTL} get ds -n gpu-system orionx-server -o jsonpath='{.meta.name}'")
-    if [ "x$gpu" != "x" ]; then
-        echo "upgrade"
-        local GPU_DOMAIN=$($sh_c "${KUBECTL} get ds -n gpu-system orionx-server -o jsonpath='{.meta.annotations.gpu-server}'")
-        ensure_success $sh_c "${HELM} upgrade -i gpu ${BASE_DIR}/wizard/config/gpu -n gpu-system --set gpu.server=${GPU_DOMAIN} --reuse-values"
-    fi
 }
 
 

build/installer/version.hint

@@ -1,2 +1,2 @@
 upgrade:
-  minVersion: 1.11.0-0000000
+  minVersion: 1.12.0-1

build/installer/wizard/config/account/templates/account.yaml

@@ -7,14 +7,20 @@ metadata:
     iam.kubesphere.io/uninitialized: "true"
     helm.sh/resource-policy: keep
     bytetrade.io/owner-role: platform-admin
-    bytetrade.io/terminus-name: {{.Values.user.terminus_name}}
+    bytetrade.io/terminus-name: "{{.Values.user.terminus_name}}"
     bytetrade.io/launcher-auth-policy: two_factor
     bytetrade.io/launcher-access-level: "1"
+    iam.kubesphere.io/sync-to-lldap: "true"
+    iam.kubesphere.io/synced-to-lldap: "false"
+    iam.kubesphere.io/user-provider: lldap
+    iam.kubesphere.io/globalrole: platform-admin
 {{ if .Values.nat_gateway_ip }}
     bytetrade.io/nat-gateway-ip: {{ .Values.nat_gateway_ip }}
 {{ end }}            
 spec:
-  email: {{.Values.user.email}}
-  password: {{.Values.user.password}}
+  email: "{{.Values.user.email}}"
+  initialPassword: "{{ .Values.user.password }}"
+  groups:
+  - lldap_admin
 status:
   state: Active

build/installer/wizard/config/account/templates/sync.yaml

@@ -0,0 +1,18 @@
+apiVersion: iam.kubesphere.io/v1alpha2
+kind: Sync
+metadata:
+  name: lldap
+spec:
+  lldap:
+    name: ldap
+    url: "http://lldap-service.os-system:17170"
+    userBlacklist:
+      - admin
+      - terminus
+    groupWhitelist:
+      - lldap_admin
+      - lldap_regular
+    credentialsSecret:
+      kind: Secret
+      name: lldap-credentials
+      namespace: os-system

build/installer/wizard/config/settings/templates/system-serviceaccount.yaml

@@ -33,6 +33,7 @@ rules:
   resources:
   - users
   - configmaps
+  - secrets
   verbs:
   - get
 
@@ -61,6 +62,7 @@ rules:
   - pods
   - users
   - configmaps
+  - secrets
   verbs:
   - get
   - list

build/installer/wizard/config/settings/templates/workspacerole-binding.yaml

@@ -1,18 +0,0 @@
-
-
-apiVersion: iam.kubesphere.io/v1alpha2
-kind: WorkspaceRoleBinding
-metadata:
-  generation: 1
-  labels:
-    iam.kubesphere.io/user-ref: '{{.Values.user.name}}'
-    kubesphere.io/workspace: system-workspace
-  name: '{{.Values.user.name}}'
-roleRef:
-  apiGroup: iam.kubesphere.io
-  kind: WorkspaceRole
-  name: system-workspace-admin
-subjects:
-- apiGroup: rbac.authorization.k8s.io
-  kind: User
-  name: '{{.Values.user.name}}'