app-service: underlay namespace labels modified

fix(controlhub/studio): update dialog and fix studio deploy app

.github/PULL_REQUEST_TEMPLATE.md

@@ -7,7 +7,7 @@ Title: <subsystem>:  <what changed>
 * **Target Version for Merge**
 <!-- Specify the version to which these changes need to be merged -->
 
-* ***Related Issues**
+* **Related Issues**
 <!-- Reference any related issues here, if applicable -->
 
 * **PRs Involving Sub-Systems** 

.github/workflows/build-redis.yaml

@@ -20,7 +20,7 @@ jobs:
           bash scripts/build-redis.sh linux/amd64
 
   push-arm64:
-    runs-on: self-hosted
+    runs-on: [self-hosted, linux, ARM64]
 
     steps:
       - name: Clean

.github/workflows/build-wsl2326.yaml

@@ -0,0 +1,20 @@
+name: Build and Upload WSL MSI
+
+on:
+  workflow_dispatch:
+
+jobs:
+  push:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: "Checkout source code"
+        uses: actions/checkout@v3
+
+      # test
+      - env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: "us-east-1"
+        run: |
+          bash scripts/build-wsl-install-msi.sh

.github/workflows/check.yaml

@@ -68,22 +68,6 @@ jobs:
           ref: ${{ github.event.pull_request.head.ref }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
 
-      - name: Install coscmd
-        run: pip install coscmd        
-
-      - name: Configure coscmd
-        env:
-          TENCENT_SECRET_ID: ${{ secrets.TENCENT_SECRET_ID }}
-          TENCENT_SECRET_KEY: ${{ secrets.TENCENT_SECRET_KEY }}
-          COS_BUCKET: ${{ secrets.COS_BUCKET }}
-          COS_REGION: ${{ secrets.COS_REGION }}
-          END_POINT: ${{ secrets.END_POINT }}
-        run: |
-          coscmd config -a $TENCENT_SECRET_ID \
-                        -s $TENCENT_SECRET_KEY \
-                        -b $COS_BUCKET \
-                        -r $COS_REGION 
-
       # test
       - env:
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
@@ -93,7 +77,7 @@ jobs:
           bash scripts/image-manifest.sh && bash scripts/upload-images.sh .manifest/images.mf
 
   push-image-arm64:
-    runs-on: self-hosted
+    runs-on: [self-hosted, linux, ARM64]
 
     steps:
       - name: 'Checkout source code'
@@ -103,22 +87,6 @@ jobs:
           ref: ${{ github.event.pull_request.head.ref }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
 
-      - name: Install coscmd
-        run: pip install coscmd        
-
-      - name: Configure coscmd
-        env:
-          TENCENT_SECRET_ID: ${{ secrets.TENCENT_SECRET_ID }}
-          TENCENT_SECRET_KEY: ${{ secrets.TENCENT_SECRET_KEY }}
-          COS_BUCKET: ${{ secrets.COS_BUCKET }}
-          COS_REGION: ${{ secrets.COS_REGION }}
-          END_POINT: ${{ secrets.END_POINT }}
-        run: |
-          export PATH=$PATH:/usr/local/bin:/home/ubuntu/.local/bin
-          coscmd config -m 10 -p 10 -a $TENCENT_SECRET_ID \
-                        -s $TENCENT_SECRET_KEY \
-                        -b $COS_BUCKET \
-                        -r $COS_REGION 
 
       - env: 
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
@@ -140,22 +108,6 @@ jobs:
           ref: ${{ github.event.pull_request.head.ref }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
 
-      - name: Install coscmd
-        run: pip install coscmd        
-
-      - name: Configure coscmd
-        env:
-          TENCENT_SECRET_ID: ${{ secrets.TENCENT_SECRET_ID }}
-          TENCENT_SECRET_KEY: ${{ secrets.TENCENT_SECRET_KEY }}
-          COS_BUCKET: ${{ secrets.COS_BUCKET }}
-          COS_REGION: ${{ secrets.COS_REGION }}
-          END_POINT: ${{ secrets.END_POINT }}
-        run: |
-          coscmd config -a $TENCENT_SECRET_ID \
-                        -s $TENCENT_SECRET_KEY \
-                        -b $COS_BUCKET \
-                        -r $COS_REGION 
-
       # test
       - env:
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
@@ -165,7 +117,7 @@ jobs:
           bash scripts/deps-manifest.sh && bash scripts/upload-deps.sh
 
   push-deps-arm64:
-    runs-on: self-hosted
+    runs-on: [self-hosted, linux, ARM64]
 
     steps:
       - name: "Checkout source code"
@@ -178,20 +130,6 @@ jobs:
       - name: Install coscmd
         run: pip install coscmd        
 
-      - name: Configure coscmd
-        env:
-          TENCENT_SECRET_ID: ${{ secrets.TENCENT_SECRET_ID }}
-          TENCENT_SECRET_KEY: ${{ secrets.TENCENT_SECRET_KEY }}
-          COS_BUCKET: ${{ secrets.COS_BUCKET }}
-          COS_REGION: ${{ secrets.COS_REGION }}
-          END_POINT: ${{ secrets.END_POINT }}
-        run: |
-          export PATH=$PATH:/usr/local/bin:/home/ubuntu/.local/bin
-          coscmd config -m 10 -p 10 -a $TENCENT_SECRET_ID \
-                        -s $TENCENT_SECRET_KEY \
-                        -b $COS_BUCKET \
-                        -r $COS_REGION 
-
       # test
       - env:
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
@@ -217,7 +155,7 @@ jobs:
       - name: 'Test tag version'
         id: vars
         run: |
-          v=1.11.0-$(echo $RANDOM)
+          v=1.12.0-$(echo $RANDOM)
           echo "tag_version=$v" >> $GITHUB_OUTPUT
 
       - name: Package installer

.github/workflows/push-deps-to-s3.yml

@@ -5,7 +5,7 @@ on:
 
 jobs:
   push:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
 
     steps:
       - name: "Checkout source code"
@@ -36,7 +36,7 @@ jobs:
           bash scripts/deps-manifest.sh && bash scripts/upload-deps.sh
 
   push-arm64:
-    runs-on: self-hosted
+    runs-on: [self-hosted, linux, ARM64]
 
     steps:
       - name: "Checkout source code"

.github/workflows/push-to-s3.yaml

@@ -5,7 +5,7 @@ on:
 
 jobs:
   push:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
 
     steps:
       - name: "Checkout source code"
@@ -36,7 +36,7 @@ jobs:
           bash scripts/image-manifest.sh && bash scripts/upload-images.sh .manifest/images.mf
 
   push-arm64:
-    runs-on: self-hosted
+    runs-on: [self-hosted, linux, ARM64]
 
     steps:
       - name: "Checkout source code"

.github/workflows/release-daily.yaml

@@ -10,28 +10,12 @@ on:
 
 jobs:
   push-images:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
 
     steps:
       - name: 'Checkout source code'
         uses: actions/checkout@v3
 
-      - name: Install coscmd
-        run: pip install coscmd        
-
-      - name: Configure coscmd
-        env:
-          TENCENT_SECRET_ID: ${{ secrets.TENCENT_SECRET_ID }}
-          TENCENT_SECRET_KEY: ${{ secrets.TENCENT_SECRET_KEY }}
-          COS_BUCKET: ${{ secrets.COS_BUCKET }}
-          COS_REGION: ${{ secrets.COS_REGION }}
-          END_POINT: ${{ secrets.END_POINT }}
-        run: |
-          coscmd config -a $TENCENT_SECRET_ID \
-                        -s $TENCENT_SECRET_KEY \
-                        -b $COS_BUCKET \
-                        -r $COS_REGION 
-
       - env: 
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
@@ -40,29 +24,12 @@ jobs:
           bash scripts/image-manifest.sh && bash scripts/upload-images.sh .manifest/images.mf
 
   push-images-arm64:
-    runs-on: self-hosted
+    runs-on: [self-hosted, linux, ARM64]
 
     steps:
       - name: 'Checkout source code'
         uses: actions/checkout@v3
 
-      - name: Install coscmd
-        run: pip install coscmd        
-
-      - name: Configure coscmd
-        env:
-          TENCENT_SECRET_ID: ${{ secrets.TENCENT_SECRET_ID }}
-          TENCENT_SECRET_KEY: ${{ secrets.TENCENT_SECRET_KEY }}
-          COS_BUCKET: ${{ secrets.COS_BUCKET }}
-          COS_REGION: ${{ secrets.COS_REGION }}
-          END_POINT: ${{ secrets.END_POINT }}
-        run: |
-          export PATH=$PATH:/usr/local/bin:/home/ubuntu/.local/bin
-          coscmd config -m 10 -p 10 -a $TENCENT_SECRET_ID \
-                        -s $TENCENT_SECRET_KEY \
-                        -b $COS_BUCKET \
-                        -r $COS_REGION 
-
       - env: 
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
@@ -78,22 +45,6 @@ jobs:
       - name: "Checkout source code"
         uses: actions/checkout@v3
 
-      - name: Install coscmd
-        run: pip install coscmd        
-
-      - name: Configure coscmd
-        env:
-          TENCENT_SECRET_ID: ${{ secrets.TENCENT_SECRET_ID }}
-          TENCENT_SECRET_KEY: ${{ secrets.TENCENT_SECRET_KEY }}
-          COS_BUCKET: ${{ secrets.COS_BUCKET }}
-          COS_REGION: ${{ secrets.COS_REGION }}
-          END_POINT: ${{ secrets.END_POINT }}
-        run: |
-          coscmd config -a $TENCENT_SECRET_ID \
-                        -s $TENCENT_SECRET_KEY \
-                        -b $COS_BUCKET \
-                        -r $COS_REGION 
-
       # test
       - env:
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
@@ -103,29 +54,12 @@ jobs:
           bash scripts/deps-manifest.sh && bash scripts/upload-deps.sh
 
   push-deps-arm64:
-    runs-on: self-hosted
+    runs-on: [self-hosted, linux, ARM64]
 
     steps:
       - name: "Checkout source code"
         uses: actions/checkout@v3
 
-      - name: Install coscmd
-        run: pip install coscmd        
-
-      - name: Configure coscmd
-        env:
-          TENCENT_SECRET_ID: ${{ secrets.TENCENT_SECRET_ID }}
-          TENCENT_SECRET_KEY: ${{ secrets.TENCENT_SECRET_KEY }}
-          COS_BUCKET: ${{ secrets.COS_BUCKET }}
-          COS_REGION: ${{ secrets.COS_REGION }}
-          END_POINT: ${{ secrets.END_POINT }}
-        run: |
-          export PATH=$PATH:/usr/local/bin:/home/ubuntu/.local/bin
-          coscmd config -m 10 -p 10 -a $TENCENT_SECRET_ID \
-                        -s $TENCENT_SECRET_KEY \
-                        -b $COS_BUCKET \
-                        -r $COS_REGION 
-
       # test
       - env:
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
@@ -144,7 +78,7 @@ jobs:
       - name: 'Daily tag version'
         id: vars
         run: |
-          v=1.11.0-$(date +"%Y%m%d")
+          v=1.12.0-$(date +"%Y%m%d")
           echo "tag_version=$v" >> $GITHUB_OUTPUT
 
       - name: 'Checkout source code'
@@ -154,29 +88,6 @@ jobs:
         run: |
           bash scripts/build.sh ${{ steps.vars.outputs.tag_version }}
 
-      - name: Install coscmd
-        run: pip install coscmd        
-
-      - name: Configure coscmd
-        env:
-          TENCENT_SECRET_ID: ${{ secrets.TENCENT_SECRET_ID }}
-          TENCENT_SECRET_KEY: ${{ secrets.TENCENT_SECRET_KEY }}
-          COS_BUCKET: ${{ secrets.COS_BUCKET }}
-          COS_REGION: ${{ secrets.COS_REGION }}
-          END_POINT: ${{ secrets.END_POINT }}
-        run: |
-          export PATH=$PATH:/usr/local/bin:/home/ubuntu/.local/bin
-          coscmd config -m 10 -p 10 -a $TENCENT_SECRET_ID \
-                        -s $TENCENT_SECRET_KEY \
-                        -b $COS_BUCKET \
-                        -r $COS_REGION 
-          
-      # - name: Upload to COS
-      #   run: |
-      #     md5sum install-wizard-v${{ steps.vars.outputs.tag_version }}.tar.gz > install-wizard-v${{ steps.vars.outputs.tag_version }}.md5sum.txt && \
-      #     coscmd upload ./install-wizard-v${{ steps.vars.outputs.tag_version }}.md5sum.txt /install-wizard-v${{ steps.vars.outputs.tag_version }}.md5sum.txt
-      #     coscmd upload ./install-wizard-v${{ steps.vars.outputs.tag_version }}.tar.gz /install-wizard-v${{ steps.vars.outputs.tag_version }}.tar.gz
-
       - name: Upload to S3
         env: 
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
@@ -199,7 +110,7 @@ jobs:
       - name: 'Daily tag version'
         id: vars
         run: |
-          v=1.11.0-$(date +"%Y%m%d")
+          v=1.12.0-$(date +"%Y%m%d")
           echo "tag_version=$v" >> $GITHUB_OUTPUT
           echo "version_md5sum=$(curl -sSfL https://dc3p1870nn3cj.cloudfront.net/install-wizard-v${v}.md5sum.txt|awk '{print $1}')" >> $GITHUB_OUTPUT
 
@@ -230,6 +141,7 @@ jobs:
             build/installer/publicInstaller.sh
             build/installer/install.sh
             build/installer/install.ps1
+            build/installer/joincluster.sh
             build/installer/publicAddnode.sh
             build/installer/version.hint
             build/installer/publicRestoreInstaller.sh

.github/workflows/release.yaml

@@ -10,7 +10,7 @@ on:
 
 jobs:
   push:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
 
     steps:
       - name: 'Checkout source code'
@@ -18,22 +18,6 @@ jobs:
         with:
           ref: ${{ github.event.inputs.tags }}
 
-      - name: Install coscmd
-        run: pip install coscmd        
-
-      - name: Configure coscmd
-        env:
-          TENCENT_SECRET_ID: ${{ secrets.TENCENT_SECRET_ID }}
-          TENCENT_SECRET_KEY: ${{ secrets.TENCENT_SECRET_KEY }}
-          COS_BUCKET: ${{ secrets.COS_BUCKET }}
-          COS_REGION: ${{ secrets.COS_REGION }}
-          END_POINT: ${{ secrets.END_POINT }}
-        run: |
-          coscmd config -a $TENCENT_SECRET_ID \
-                        -s $TENCENT_SECRET_KEY \
-                        -b $COS_BUCKET \
-                        -r $COS_REGION 
-
       - env: 
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
@@ -42,7 +26,7 @@ jobs:
           bash scripts/image-manifest.sh && bash scripts/upload-images.sh .manifest/images.mf
 
   push-arm64:
-    runs-on: self-hosted
+    runs-on: [self-hosted, linux, ARM64]
 
     steps:
       - name: 'Checkout source code'
@@ -50,23 +34,6 @@ jobs:
         with:
           ref: ${{ github.event.inputs.tags }}
 
-      - name: Install coscmd
-        run: pip install coscmd        
-
-      - name: Configure coscmd
-        env:
-          TENCENT_SECRET_ID: ${{ secrets.TENCENT_SECRET_ID }}
-          TENCENT_SECRET_KEY: ${{ secrets.TENCENT_SECRET_KEY }}
-          COS_BUCKET: ${{ secrets.COS_BUCKET }}
-          COS_REGION: ${{ secrets.COS_REGION }}
-          END_POINT: ${{ secrets.END_POINT }}
-        run: |
-          export PATH=$PATH:/usr/local/bin:/home/ubuntu/.local/bin
-          coscmd config -m 10 -p 10 -a $TENCENT_SECRET_ID \
-                        -s $TENCENT_SECRET_KEY \
-                        -b $COS_BUCKET \
-                        -r $COS_REGION 
-
       - env: 
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
@@ -89,29 +56,6 @@ jobs:
         run: |
           bash scripts/build.sh ${{ github.event.inputs.tags }}
 
-      - name: Install coscmd
-        run: pip install coscmd        
-
-      - name: Configure coscmd
-        env:
-          TENCENT_SECRET_ID: ${{ secrets.TENCENT_SECRET_ID }}
-          TENCENT_SECRET_KEY: ${{ secrets.TENCENT_SECRET_KEY }}
-          COS_BUCKET: ${{ secrets.COS_BUCKET }}
-          COS_REGION: ${{ secrets.COS_REGION }}
-          END_POINT: ${{ secrets.END_POINT }}
-        run: |
-          export PATH=$PATH:/usr/local/bin:/home/ubuntu/.local/bin
-          coscmd config -m 10 -p 10 -a $TENCENT_SECRET_ID \
-                        -s $TENCENT_SECRET_KEY \
-                        -b $COS_BUCKET \
-                        -r $COS_REGION 
-          
-      # - name: Upload to COS
-      #   run: |
-      #     md5sum install-wizard-v${{ github.event.inputs.tags }}.tar.gz > install-wizard-v${{ github.event.inputs.tags }}.md5sum.txt && \
-      #     coscmd upload ./install-wizard-v${{ github.event.inputs.tags }}.md5sum.txt /install-wizard-v${{ github.event.inputs.tags }}.md5sum.txt
-      #     coscmd upload ./install-wizard-v${{ github.event.inputs.tags }}.tar.gz /install-wizard-v${{ github.event.inputs.tags }}.tar.gz
-
       - name: Upload to S3
         env: 
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
@@ -174,6 +118,7 @@ jobs:
             build/installer/publicInstaller.latest.ps1
             build/installer/install.ps1
             build/installer/publicAddnode.sh
+            build/installer/joincluster.sh
             build/installer/version.hint
             build/installer/publicRestoreInstaller.sh
           prerelease: true

.gitignore

@@ -27,3 +27,4 @@ install-wizard-*.tar.gz
 olares-cli-*.tar.gz
 !ks-console-*.tgz
 .vscode
+.DS_Store

README.md

@@ -1,6 +1,6 @@
 <div align="center">
 
-# Olares - Your Sovereign Cloud, an Open-Source Self-Hosted Alternative to Public Clouds <!-- omit in toc -->
+# Olares: An Open-Source Sovereign Cloud OS for Local AI<!-- omit in toc -->
 
 [![Mission](https://img.shields.io/badge/Mission-Let%20people%20own%20their%20data%20again-purple)](#)<br/>
 [![Last Commit](https://img.shields.io/github/last-commit/beclab/olares)](https://github.com/beclab/olares/commits/main)
@@ -13,11 +13,12 @@
 <p>
   <a href="./README.md"><img alt="Readme in English" src="https://img.shields.io/badge/English-FFFFFF"></a>
   <a href="./README_CN.md"><img alt="Readme in Chinese" src="https://img.shields.io/badge/简体中文-FFFFFF"></a>
+  <a href="./README_JP.md"><img alt="Readme in Japanese" src="https://img.shields.io/badge/日本語-FFFFFF"></a>
 </p>
 
 </div>
 
-https://github.com/user-attachments/assets/5ea2fe30-7bd2-49ed-be26-e12f1d5d8cb1
+https://github.com/user-attachments/assets/3089a524-c135-4f96-ad2b-c66bf4ee7471
 
 *Build your local AI assistants, sync data across places, self-host your workspace, stream your own media, and more—all in your sovereign cloud made possible by Olares.*
 
@@ -30,32 +31,28 @@ https://github.com/user-attachments/assets/5ea2fe30-7bd2-49ed-be26-e12f1d5d8cb1
 </p>
 
 > [!IMPORTANT]  
-> We just finished our rebranding from Terminus to Olares recently. For more information, refer to our [rebranding blog](https://olares.medium.com/terminus-is-now-olares-2c3bf782f9d1). 
-
-## Table of Contents <!-- omit in toc -->
-- [Introduction](#introduction)
-- [Motivation and design](#motivation-and-design)
-- [Tech stacks](#tech-stacks)
-- [Features](#features)
-- [Feature comparison](#feature-comparison)
-- [Getting started](#getting-started)
-- [Project navigation](#project-navigation)
-- [Contributing to Olares](#contributing-to-olares)
-- [Community \& contact](#community--contact)
-- [Staying ahead](#staying-ahead)
-- [Special thanks](#special-thanks)
+> We just finished our rebranding from Terminus to Olares recently. For more information, refer to our [rebranding blog](https://blog.olares.xyz/terminus-is-now-olares/). 
   
-## Introduction
 
-Olares is the sovereign cloud that puts you in control. It's an open-source, self-hosted alternative to public clouds like AWS, built to reclaim your data ownership and privacy. By combining the power of Kubernetes with a streamlined interface, Olares enables you to take full control of your data and computing resources. Whether you're managing a homelab, hosting applications, or safeguarding your privacy, Olares delivers the flexibility and capabilities of public clouds, without compromising privacy or security.
+Convert your hardware into an AI home server with Olares, an open-source sovereign cloud OS built for local AI. 
 
-Typical use cases of Olares include:
+- **Run leading AI models on your term**s: Effortlessly host powerful open AI models like LLaMA, Stable Diffusion, Whisper, and Flux.1 directly on your hardware, giving you full control over your AI environment.
+- **Deploy with ease**: Discover and install a wide range of open-source AI apps from Olares Market in a few clicks. No more complicated configuration or setup.
+- **Access anytime, anywhere**: Access your AI apps and models through a browser whenever and wherever you need them.
+- **Integrated AI for smarter AI experience**: Using a [Model Context Protocol](https://spec.modelcontextprotocol.io/specification/) (MCP)-like mechanism, Olares seamlessly connects AI models with AI apps and your private data sets. This creates highly personalized, context-aware AI interactions that adapt to your needs.
 
-🤖 **Local AI**: Host and run world-class open-source AI models locally, including large language models, image generation, and speech recognition. Create custom AI assistants that integrate seamlessly with your personal data and applications, all while ensuring enhanced privacy and control. <br>
 
-💻**Personal data repository**: Securely store, sync, and manage your photos, documents, and important files in a unified storage and access anywhere. <br>
+> 🌟 *Star us to receive instant notifications about new releases and updates.* 
 
-🛠️ **Self-hosted workspace**: Create a free, powerful workspace for your team or family with open source self-hosted alternatives. <br>
+## Why Olares?
+
+Here is why and where you can count on Olares for private, powerful, and secure sovereign cloud experience:
+
+🤖 **Edge AI**: Run cutting-edge open AI models locally, including large language models, computer vision, and speech recognition. Create private AI services tailored to your data for enhanced functionality and privacy. <br>
+
+📊 **Personal data repository**: Securely store, sync, and manage your important files, photos, and documents across devices and locations.<br>
+
+🚀 **Self-hosted workspace**: Build a free collaborative workspace for your team using secure, open-source SaaS alternatives.<br>
 
 🎥 **Private media server**: Host your own streaming services with your personal media collections. <br>
 
@@ -65,21 +62,35 @@ Typical use cases of Olares include:
 
 📚 **Learning platform**: Explore self-hosting, container orchestration, and cloud technologies hands-on.
 
-## Motivation and design
+## Getting started
 
-We believe the current state of the internet, where user data is centralized and exploited by monopolistic corporations, is deeply flawed. Our goal is to empower individuals with true data ownership and control.
+### System compatibility
+Olares has been tested and verified on the following platforms:
 
-Olares provides a next-generation decentralized Internet framework consisting of the following three integral components:  
+| Platform            | Operating system                     | Notes                                                 |
+|---------------------|--------------------------------------|-------------------------------------------------------|
+| Linux               | Ubuntu 20.04 LTS or later <br/> Debian 11 or later |                                          |
+| Raspberry Pi        | RaspbianOS                           | Verified on Raspberry Pi 4 Model B and Raspberry Pi 5 |
+| Windows             | Windows 11 23H2 or later <br/>Windows 10 22H2 or later<br/> WSL2 |                                     |
+| Mac                 | Monterey (12) or later              |                                                        |
+| Proxmox VE (PVE)    | Proxmox Virtual Environment 8.0      |                                                       |
 
-- **Snowinning Protocol**: A decentralized identity and reputation system that integrates decentralized identifiers (DIDs), verifiable credentials (VCs), and reputation data. 
-- **Olares OS**: An one-stop self-hosted operating system running on edge devices, allowing users to host their own data and applications.  
-- **LarePass**: A comprehensive client software that securely bridges users to their Olares systems. It offers remote access, identity and device management, data storage, and productivity tools, providing a seamless interface for all Olares interactions.  
+> **Note**
+> 
+> If you successfully install Olares on an operating system that is not listed in the compatibility table, please let us know! You can [open an issue](https://github.com/beclab/Olares/issues/new) or submit a pull request on our GitHub repository.
 
-## Tech stacks
+### Set up Olares
+To get started with Olares on your own device, follow the [Getting Started Guide](https://docs.olares.xyz/manual/get-started/) for step-by-step instructions.
 
- Public clouds have IaaS, PaaS, and SaaS layers. Olares provides open-source alternatives to these layers.
+## Architecture 
 
-  ![Tech Stacks](https://file.bttcdn.com/github/terminus/v2/tech-stack-olares.jpeg)
+Olares' architecture is based on two core principles:
+- Adopts an Android-like approach to control software permissions and interactivity, ensuring smooth and secure system operations.
+- Leverages cloud-native technologies to manage hardware and middleware services efficiently.
+
+  ![Olares Architecture](https://file.bttcdn.com/github/terminus/v2/olares-arch-3.png)
+
+ For detailed description of each component, refer to [Olares architecture](https://docs.olares.xyz/manual/system-architecture.html).
 
 ## Features
 
@@ -94,62 +105,6 @@ Olares offers a wide array of features designed to enhance security, ease of use
 - **Seamless anywhere access**: Access your devices from anywhere using dedicated clients for mobile, desktop, and browsers.
 - **Development tools**: Comprehensive development tools for effortless application development and porting.
 
-## Feature comparison
-
-To help you understand how Olares stands out in the landscape, we've created a comparison table that highlights its features alongside those of other leading solutions in the market.
-
-**Legend:** 
-
-- 🚀: **Auto**, indicates that the system completes the task automatically.
-- ✅: **Yes**, indicates that users without a developer background can complete the setup through the product's UI prompts.
-- 🛠️: **Manual Configuration**, indicates that even users with an engineering background need to refer to tutorials to complete the setup.
-- ❌:  **No**, indicates that the feature is not supported.
-
-| | Olares | Synology | TrueNAS | CasaOS | Unraid |
-| --- | --- | --- | --- | --- | --- |
-| Source Code License | Olares License | Closed | GPL 3.0 | Apache 2.0 | Closed |
-| Built On | Kubernetes | Linux | Kubernetes | Docker | Docker |
-| Multi-Node | ✅   | ❌   | ✅   | ❌   | ❌   |
-| Build-in Apps | ✅ (Rich desktop apps) | ✅ (Rich desktop apps) | ❌ (CLI) | ✅ (Simple desktop apps) | ✅ (Dashboard) |
-| Free Domain Name | ✅   | ✅   | ❌   | ❌   | ❌   |
-| Auto SSL Certificate | 🚀  | ✅   | 🛠️ | 🛠️ | 🛠️ |
-| Reverse Proxy | 🚀  | ✅   | 🛠️ | 🛠️ | 🛠️ |
-| VPN Management | 🚀  | 🛠️ | 🛠️ | 🛠️ | 🛠️ |
-| Graded App Entrance | 🚀  | 🛠️ | 🛠️ | 🛠️ | 🛠️ |
-| Multi-User Management | ✅ User management <br>🚀 Resource isolation | ✅ User management<br>🛠️ Resource isolation | ✅ User management<br>🛠️ Resource isolation | ❌   | ✅ User management  <br>🛠️ Resource isolation |
-| Single Login for All Apps | 🚀  | ❌   | ❌   | ❌   |  ❌   |
-| Cross-Node Storage | 🚀 (Juicefs+<br>MinIO) | ❌   | ❌   | ❌   | ❌   |
-| Database Solution | 🚀 (Built-in cloud-native solution) | 🛠️ | 🛠️ | 🛠️ | 🛠️ |
-| Disaster Recovery | 🚀 (MinIO's [**Erasure Coding**](https://min.io/docs/minio/linux/operations/concepts/erasure-coding.html)**)** | ✅ RAID | ✅ RAID | ✅ RAID | ✅ Unraid Storage |
-| Backup | ✅ App Data  <br>✅ User Data | ✅ User Data | ✅ User Data | ✅ User Data | ✅ User Data |
-| App Sandboxing | ✅   | ❌   | ❌ (K8S's namespace) | ❌   | ❌   |
-| App Ecosystem | ✅ (Official + third-party) | ✅ (Majorly official apps) | ✅ (Official + third-party submissions) | ✅ Majorly official apps | ✅ (Community app market) |
-| Developer Friendly | ✅ IDE  <br>✅ CLI  <br>✅ SDK  <br>✅ Doc | ✅ CLI  <br>✅ SDK  <br>✅ Doc | ✅ CLI  <br>✅ Doc | ✅ CLI  <br>✅ Doc | ✅ Doc |
-| Local LLM Hosting | 🚀  | 🛠️ | 🛠️ | 🛠️ | 🛠️ |
-| Local LLM app development | 🚀 | 🛠️ | 🛠️ | 🛠️ | 🛠️ |
-| Client Platforms | ✅ Android  <br>✅ iOS  <br>✅ Windows  <br>✅ Mac  <br>✅ Chrome Plugin | ✅ Android  <br>✅ iOS | ❌   | ❌   | ❌   |
-| Client Functionality | ✅ (All-in-one client app) | ✅ (14 separate client apps) | ❌   | ❌   |  ❌   |
-
-## Getting started
-
-### System compatibility
-Olares is available for Linux, Raspberry Pi, Mac, and Windows. It has been tested and verified on the following systems:
-
-| Platform            | Operating system                     | Notes                                                 |
-|---------------------|--------------------------------------|-------------------------------------------------------|
-| Linux               | Ubuntu 24.04 <br/> Debian 12.8       |                                                       |
-| Raspberry Pi        | RaspbianOS                           | Verified on Raspberry Pi 4 Model B and Raspberry Pi 5 |
-| Windows             | Windows 11 23H2 <br/>Windows 10 22H2 |                                                       |
-| Mac (Apple silicon) | macOS Ventura 13.3.1               |                                                       |
-| Proxmox VE (PVE)    | Proxmox Virtual Environment 8.0      |                                                       |
-
-> **Note**
-> 
-> If you successfully install Olares on an operating system that is not listed in the compatibility table, please let us know! You can [open an issue](https://github.com/beclab/Olares/issues/new) or submit a pull request on our GitHub repository.
-
-### Set up Olares
-To get started with Olares on your own device, follow the [Getting Started Guide](https://docs.olares.xyz/manual/get-started/) for step-by-step instructions.
-
 ## Project navigation
 
 Olares consists of numerous code repositories publicly available on GitHub. The current repository is responsible for the final compilation, packaging, installation, and upgrade of the operating system, while specific changes mostly take place in their corresponding repositories.
@@ -240,14 +195,6 @@ https://docs.olares.xyz/developer/contribute/olares.html
 * [**GitHub Issues**](https://github.com/beclab/olares/issues). Best for filing bugs you encounter using Olares and submitting feature proposals. 
 * [**Discord**](https://discord.com/invite/BzfqrgQPDK). Best for sharing anything Olares.
 
-## Staying ahead
-
-Star the Olares project to receive instant notifications about new releases and updates.
-
- 
-![star us](https://file.bttcdn.com/github/terminus/terminus.git.v2.gif)
- 
-
 ## Special thanks
 
 The Olares project has incorporated numerous third-party open source projects, including: [Kubernetes](https://kubernetes.io/), [Kubesphere](https://github.com/kubesphere/kubesphere), [Padloc](https://padloc.app/), [K3S](https://k3s.io/), [JuiceFS](https://github.com/juicedata/juicefs), [MinIO](https://github.com/minio/minio), [Envoy](https://github.com/envoyproxy/envoy), [Authelia](https://github.com/authelia/authelia), [Infisical](https://github.com/Infisical/infisical), [Dify](https://github.com/langgenius/dify), [Seafile](https://github.com/haiwen/seafile),[HeadScale](https://headscale.net/), [tailscale](https://tailscale.com/), [Redis Operator](https://github.com/spotahome/redis-operator), [Nitro](https://nitro.jan.ai/), [RssHub](http://rsshub.app/), [predixy](https://github.com/joyieldInc/predixy), [nvshare](https://github.com/grgalex/nvshare), [LangChain](https://www.langchain.com/), [Quasar](https://quasar.dev/), [TrustWallet](https://trustwallet.com/), [Restic](https://restic.net/), [ZincSearch](https://zincsearch-docs.zinc.dev/), [filebrowser](https://filebrowser.org/), [lego](https://go-acme.github.io/lego/), [Velero](https://velero.io/), [s3rver](https://github.com/jamhall/s3rver), [Citusdata](https://www.citusdata.com/).

README_CN.md

@@ -1,6 +1,6 @@
 <div align="center">
 
-# Olares - 您的主权云，一个开源自托管的公有云替代方案<!-- omit in toc -->
+# Olares - 为本地 AI 打造的开源私有云操作系统<!-- omit in toc -->
 
 [![Mission](https://img.shields.io/badge/Mission-Let%20people%20own%20their%20data%20again-purple)](#)<br/>
 [![Last Commit](https://img.shields.io/github/last-commit/beclab/terminus)](https://github.com/beclab/olares/commits/main)
@@ -13,12 +13,13 @@
 <p>
   <a href="./README.md"><img alt="Readme in English" src="https://img.shields.io/badge/English-FFFFFF"></a>
   <a href="./README_CN.md"><img alt="Readme in Chinese" src="https://img.shields.io/badge/简体中文-FFFFFF"></a>
+  <a href="./README_JP.md"><img alt="Readme in Japanese" src="https://img.shields.io/badge/日本語-FFFFFF"></a>
 </p>
 
 </div>
 
 
-[![cover](https://file.bttcdn.com/github/terminus/desktop-dark.jpeg)](https://github.com/user-attachments/assets/5ea2fe30-7bd2-49ed-be26-e12f1d5d8cb1)
+https://github.com/user-attachments/assets/3089a524-c135-4f96-ad2b-c66bf4ee7471
 
 *Olares 让你体验更多可能：构建个人 AI 助理、随时随地同步数据、自托管团队协作空间、打造私人影视厅——无缝整合你的数字生活。*
 
@@ -30,31 +31,25 @@
   <a href="https://space.olares.xyz">Olares Space</a>
 </p>
 
-## 目录 <!-- omit in toc -->
-
-- [介绍](#介绍)
-- [动机与设计](#动机与设计)
-- [技术栈](#技术栈)
-- [功能](#功能)
-- [功能对比](#功能对比)
-- [快速开始](#快速开始)
-- [项目目录](#项目目录)
-- [社区贡献](#社区贡献)
-- [社区支持](#社区支持)
-- [持续关注](#持续关注)
-- [特别感谢](#特别感谢)
-  
 ## 介绍
 
-Olares 是一个让您完全掌控的主权云平台。它是一个开源的、自托管的公有云替代方案，旨在帮助您重获数据所有权和隐私控制权。通过将Kubernetes的强大功能与简化的用户界面相结合，Olares使您能够完全掌控自己的数据和计算资源。无论您是在管理家庭实验环境、部署应用程序，还是保护个人隐私，Olares都能提供与公有云同等的灵活性和功能，同时确保您的隐私和安全不受损害。
+Olares 是为本地端侧 AI 打造的开源私有云操作系统，可轻松将您的硬件转变为 AI 家庭服务器。
+- 运行领先 AI 模型：在您的硬件上轻松部署并掌控 LLaMA、Stable Diffusion、Whisper 和 Flux.1 等顶尖开源 AI 模型。
+- 轻松部署 AI 应用：通过 Olares 应用市场，轻松部署丰富多样的开源 AI 应用。无需复杂繁琐的配置。
+- 随心访问：通过浏览器随时随地访问你的 AI 应用。
+- 更智能的专属 AI 体验：通过类似[模型上下文协议](https://spec.modelcontextprotocol.io/specification/)（Model Context Protocol, MCP）的机制，Olares 可让 AI 模型无缝连接 AI 应用与您的私人数据集，提供基于任务场景的个性化 AI 体验。
 
-Olares 支持以下应用场景：
+> 为 Olares 点亮 🌟 以及时获取新版本和更新的通知。
+
+## 为什么选择 Olares?
+
+在以下场景中，Olares 为您带来私密、强大且安全的私有云体验：
 
 🤖**本地 AI 助手**：在本地部署运行顶级开源 AI 模型，涵盖语言处理、图像生成和语音识别等领域。根据个人需求定制 AI 助手，确保数据隐私和控制权均处于自己手中。<br>
 
 💻**个人数据仓库**：所有个人文件，包括照片、文档和重要资料，都可以在这个安全的统一平台上存储和同步，随时随地都能方便地访问。<br>
 
-🛠️**自托管工作空间**：利用开源解决方案，无需成本即可为家庭或工作团队搭建一个功能强大的工作空间。<br>
+🛠️**自托管工作空间**：利用开源 SaaS 平替方案，无需成本即可为家庭或工作团队搭建一个功能强大的工作空间。<br>
 
 🎥**私人媒体服务器**：用自己的视频和音乐库搭建一个私人流媒体服务，随时享受个性化的娱乐体验。<br>
 
@@ -64,22 +59,39 @@ Olares 支持以下应用场景：
 
 📚**学习探索**：深入学习自托管服务、容器技术和云计算，并上手实践。<br>
 
-## 动机与设计
+## 快速开始
 
-我们深知当前互联网的局限性——用户的数据被主流互联网或云服务公司掌控，并用于其商业利益。我们致力于改变这一现状，希望通过 Olares 赋予用户真正的数据所有权和控制权。
+### 系统兼容性
+Olares 已在以下平台完成测试验证：
 
-Olares 为此提供了一套全新的去中心化互联网框架，主要包括以下三个部分：
+| 平台            | 操作系统                     | 备注                                                 |
+|---------------------|--------------------------------------|-------------------------------------------------------|
+| Linux               | Ubuntu 20.04 LTS 及以上 <br/> Debian 11 及以上  |                                               |
+| Raspberry Pi        | RaspbianOS                           | 已在 Raspberry Pi 4 Model B 和 Raspberry Pi 5 上验证    |
+| Windows             | Windows 11 23H2 及以上 <br/>Windows 10 22H2 及以上 <br/>WSL2 |                                           |
+| Mac                  | macOS Monterey (12) 及以上             |                                                         |
+| Proxmox VE (PVE)    | Proxmox Virtual Environment 8.0      |                                                         |
 
-- **Snowinning Protocol**：一个去中心化的身份和声誉系统，融合了去中心化标识符（DIDs）、可验证凭证（VCs）以及声誉数据，帮助用户在网络世界中安全地管理自己的身份。
-- **Olares**：一个专为边缘设备设计的自托管操作系统，用户可以在此系统上自主托管自己的数据和应用，确保数据的私密性和安全性。
-- **LarePass**：一款功能全面的客户端软件，通过安全的方式将用户与其 Olares 系统连接起来。它不仅支持远程访问、身份和设备管理，还提供数据存储和各种办公工具，让用户高效管理其日常工作和个人数据。
+> **注意**
+> 
+> 如果你在未列出的系统版本上成功安装了 Olares，请告诉我们！你可以在 GitHub 仓库中[提交 Issue](https://github.com/beclab/Olares/issues/new) 或发起 Pull Request。
 
-## 技术栈
-公有云具有基础设施即服务（IaaS）、平台即服务（PaaS）和软件即服务（SaaS）等层级。Olares 为这些层级提供了开源替代方案。
+### 安装 Olares
 
-  ![技术栈](https://file.bttcdn.com/github/terminus/v2/tech-stack-olares.jpeg)
+> 当前文档仅有英文版本。
+ 
+参考[快速上手指南](https://docs.olares.xyz/manual/get-started/)安装并激活 Olares。
 
-## 功能
+## 系统架构
+Olares 的架构设计遵循两个核心原则：
+- 参考 Android 模式，控制软件权限和交互性，确保系统的流畅性和安全性。
+- 借鉴云原生技术，高效管理硬件和中间件服务。
+
+  ![架构](https://file.bttcdn.com/github/terminus/v2/olares-arch-3.png)
+
+详细描述请参考 [Olares 架构](https://docs.joinolares.cn/zh/manual/system-architecture.html)文档。
+
+## 功能特性
 
 Olares 提供了一系列功能，旨在提升安全性、使用便捷性以及开发的灵活性：
 
@@ -92,65 +104,6 @@ Olares 提供了一系列功能，旨在提升安全性、使用便捷性以及
 - **无缝访问**：通过移动端、桌面端和网页浏览器客户端，从全球任何地方访问设备。
 - **开发工具**：提供全面的工具支持，便于开发和移植应用，加速开发进程。
 
-## 功能对比
-
-为了帮您快速了解 Olares 在市场中的独特优势，我们制作了一张功能比较表，详细展示了 Olares 的功能以及与市场上其他主流解决方案的对比。
-
-**图例：** 
-
-- 🚀: **自动** - 表示系统自动完成任务。
-- ✅: **支持** - 表示无开发背景的用户可以通过产品的 UI 提示完成设置。
-- 🛠️: **手动配置** - 表示即使是有工程背景的用户也需要参考教程来完成设置。
-- ❌: **不支持** - 表示不支持该功能。
-
-| | Olares | 群晖 | TrueNAS | CasaOS | Unraid |
-| --- | --- | --- | --- | --- | --- |
-| 源代码许可证 | Olares 许可证 | 闭源 | GPL 3.0 | Apache 2.0 | 闭源 |
-| 开发 | Kubernetes | Linux | Kubernetes | Docker | Docker |
-| 多节点支持 | ✅   | ❌   | ✅   | ❌   | ❌   |
-| 内置应用 | ✅（桌面应用丰富）| ✅（桌面应用丰富） | ❌ (CLI) | ✅ （桌面应用较少） | ✅（面板） |
-| 免费域名 | ✅   | ✅   | ❌   | ❌   | ❌   |
-| 自动 SSL 证书 | 🚀  | ✅   | 🛠️ | 🛠️ | 🛠️ |
-| 反向代理 | 🚀  | ✅   | 🛠️ | 🛠️ | 🛠️ |
-| VPN 管理 | 🚀  | 🛠️ | 🛠️ | 🛠️ | 🛠️ |
-| 分级应用入口 | 🚀  | 🛠️ | 🛠️ | 🛠️ | 🛠️ |
-| 多用户管理 | ✅ 用户管理 <br>🚀 资源隔离 | ✅ 用户管理 <br>🛠️ 资源隔离 | ✅ 用户管理<br>🛠️ 资源隔离 | ❌   | ✅ 用户管理  <br>🛠️ 资源隔离 |
-| 单一登录 | 🚀  | ❌   | ❌   | ❌   |  ❌   |
-| 跨节点存储 | 🚀 (Juicefs+<br>MinIO) | ❌   | ❌   | ❌   | ❌   |
-| 数据库解决方案 | 🚀 (内置云原生解决方案) | 🛠️ | 🛠️ | 🛠️ | 🛠️ |
-| 灾难恢复 | 🚀 (MinIO的[**纠错码**](https://min.io/docs/minio/linux/operations/concepts/erasure-coding.html)**)** | ✅ RAID | ✅ RAID | ✅ RAID | ✅ Unraid Storage |
-| 备份 | ✅ 应用数据  <br>✅ 用户数据 | ✅ 用户数据 | ✅ 用户数据 | ✅ 用户数据 | ✅ 用户数据 |
-| 应用沙盒 | ✅   | ❌   | ❌ （K8S的命名空间） | ❌   | ❌   |
-| 应用生态系统 | ✅ （官方 + 第三方应用） | ✅ （官方应用为主） | ✅ （官方应用 + 第三方提交）| ✅ （官方应用为主） | ✅ （社区应用市场） |
-| 开发者友好 | ✅ IDE  <br>✅ CLI  <br>✅ SDK  <br>✅ 文档| ✅ CLI  <br>✅ SDK  <br>✅ 文档 | ✅ CLI  <br>✅ 文档 | ✅ CLI  <br>✅ 文档 | ✅ 文档 |
-| 本地 LLM 部署 | 🚀  | 🛠️ | 🛠️ | 🛠️ | 🛠️ |
-| 本地 LLM 应用开发 | 🚀  | 🛠️ | 🛠️ | 🛠️ | 🛠️ |
-| 客户端 | ✅ Android  <br>✅ iOS  <br>✅ Windows  <br>✅ Mac  <br>✅ Chrome 插件 | ✅ Android  <br>✅ iOS | ❌   | ❌   | ❌   |
-| 客户端功能 | ✅ （一体化客户端应用） | ✅ （14个分散的客户端应用）| ❌   | ❌   |  ❌   |
-
-## 快速开始
-
-### 系统兼容性
-你可以在 Linux、Raspberry Pi、Mac 和 Windows 上安装 Olares。目前已验证支持的系统环境如下：
-
-| 平台            | 操作系统                     | 备注                                                 |
-|---------------------|--------------------------------------|-------------------------------------------------------|
-| Linux               | Ubuntu 24.04 <br/> Debian 12.8       |                                                       |
-| Raspberry Pi        | RaspbianOS                           | 已在 Raspberry Pi 4 Model B 和 Raspberry Pi 5 上验证|
-| Windows             | Windows 11 23H2 <br/>Windows 10 22H2 |                                                       |
-| Mac (Apple Silicon) | macOS Ventura 13.3.1               |                                                       |
-| Proxmox VE (PVE)    | Proxmox Virtual Environment 8.0      |                                                       |
-
-> **注意**
-> 
-> 如果你在未列出的系统版本上成功安装了 Olares，请告诉我们！你可以在 GitHub 仓库中[提交 Issue](https://github.com/beclab/Olares/issues/new) 或发起 Pull Request。
-
-### 安装 Olares
-
-> 当前文档仅有英文版本。
- 
-参考[快速上手指南](https://docs.olares.xyz/manual/get-started/)安装并激活 Olares。
-
 ## 项目目录
 
 Olares 包含多个在 GitHub 上公开可用的代码仓库。当前仓库负责操作系统的最终编译、打包、安装和升级，而特定的更改主要在各自对应的仓库中进行。
@@ -241,14 +194,6 @@ https://docs.olares.xyz/developer/contribute/olares.html
 * [**GitHub Discussion**](https://github.com/beclab/olares/discussions) - 讨论 Olares 使用过程中的疑问。
 * [**GitHub Issues**](https://github.com/beclab/olares/issues) - 报告 Olares 的遇到的问题或提出功能改进建议。
 * [**Discord**](https://discord.com/invite/BzfqrgQPDK) - 日常交流，分享经验，或讨论与 Olares 相关的任何主题。
- 
-## 持续关注
-
-关注 Olares 项目，及时获取新版本和更新的通知。
-
- 
-![点亮星标](https://file.bttcdn.com/github/terminus/terminus.git.v2.gif)
- 
 
 ## 特别感谢
 

README_JP.md

@@ -0,0 +1,198 @@
+<div align="center">
+
+# Olares: ローカルAIのためのオープンソース主権クラウドOS<!-- omit in toc -->
+
+[![Mission](https://img.shields.io/badge/Mission-Let%20people%20own%20their%20data%20again-purple)](#)<br/>
+[![Last Commit](https://img.shields.io/github/last-commit/beclab/olares)](https://github.com/beclab/olares/commits/main)
+![Build Status](https://github.com/beclab/olares/actions/workflows/release-daily.yaml/badge.svg)
+[![GitHub release (latest by date)](https://img.shields.io/github/v/release/beclab/olares)](https://github.com/beclab/olares/releases)
+[![GitHub Repo stars](https://img.shields.io/github/stars/beclab/olares?style=social)](https://github.com/beclab/olares/stargazers)
+[![Discord](https://img.shields.io/badge/Discord-7289DA?logo=discord&logoColor=white)](https://discord.com/invite/BzfqrgQPDK)
+[![License](https://img.shields.io/badge/License-Olares-darkblue)](https://github.com/beclab/olares/blob/main/LICENSE.md)
+
+<p>
+  <a href="./README.md"><img alt="Readme in English" src="https://img.shields.io/badge/English-FFFFFF"></a>
+  <a href="./README_CN.md"><img alt="Readme in Chinese" src="https://img.shields.io/badge/简体中文-FFFFFF"></a>
+  <a href="./README_JP.md"><img alt="Readme in Japanese" src="https://img.shields.io/badge/日本語-FFFFFF"></a>
+</p>
+
+</div>
+
+https://github.com/user-attachments/assets/3089a524-c135-4f96-ad2b-c66bf4ee7471
+
+*Olaresを使って、ローカルAIアシスタントを構築し、データを場所を問わず同期し、ワークスペースをセルフホストし、独自のメディアをストリーミングし、その他多くのことを実現できます。*
+
+<p align="center">
+  <a href="https://olares.xyz">ウェブサイト</a> ·
+  <a href="https://docs.olares.xyz">ドキュメント</a> ·
+  <a href="https://olares.xyz/larepass">LarePassをダウンロード</a> ·
+  <a href="https://github.com/beclab/apps">Olaresアプリ</a> ·
+  <a href="https://space.olares.xyz">Olares Space</a>
+</p>
+
+> [!IMPORTANT]  
+> 最近、TerminusからOlaresへのリブランディングを完了しました。詳細については、[リブランディングブログ](https://blog.olares.xyz/terminus-is-now-olares/)をご覧ください。
+
+Olaresを使用して、ハードウェアをAIホームサーバーに変換します。Olaresは、ローカルAIのためのオープンソース主権クラウドOSです。
+
+- **最先端のAIモデルを自分の条件で実行**: LLaMA、Stable Diffusion、Whisper、Flux.1などの強力なオープンAIモデルをハードウェア上で簡単にホストし、AI環境を完全に制御します。
+- **簡単にデプロイ**: Olares Marketから幅広いオープンソースAIアプリを数クリックで発見してインストールします。複雑な設定やセットアップは不要です。
+- **いつでもどこでもアクセス**: ブラウザを通じて、必要なときにAIアプリやモデルにアクセスします。
+- **統合されたAIでスマートなAI体験**: [Model Context Protocol](https://spec.modelcontextprotocol.io/specification/)（MCP）に似たメカニズムを使用して、OlaresはAIモデルとAIアプリ、およびプライベートデータセットをシームレスに接続します。これにより、ニーズに応じて適応する高度にパーソナライズされたコンテキスト対応のAIインタラクションが実現します。
+
+> 🌟 *新しいリリースや更新についての通知を受け取るために、スターを付けてください。*
+
+## なぜOlaresなのか？
+
+以下の理由とシナリオで、Olaresはプライベートで強力かつ安全な主権クラウド体験を提供します：
+
+🤖 **エッジAI**: 最先端のオープンAIモデルをローカルで実行し、大規模言語モデル、コンピュータビジョン、音声認識などを含みます。データに合わせてプライベートAIサービスを作成し、機能性とプライバシーを向上させます。<br>
+
+📊 **個人データリポジトリ**: 重要なファイル、写真、ドキュメントを安全に保存し、デバイスや場所を問わず同期および管理します。<br>
+
+🚀 **セルフホストワークスペース**: 安全なオープンソースSaaS代替品を使用して、チームのための無料のコラボレーションワークスペースを構築します。<br>
+
+🎥 **プライベートメディアサーバー**: 個人のメディアコレクションをホストし、独自のストリーミングサービスを提供します。<br>
+
+🏡 **スマートホームハブ**: IoTデバイスやホームオートメーションの中央制御ポイントを作成します。<br>
+
+🤝 **ユーザー所有の分散型ソーシャルメディア**: Mastodon、Ghost、WordPressなどの分散型ソーシャルメディアアプリをOlaresに簡単にインストールし、プラットフォームの手数料やアカウント停止のリスクなしに個人ブランドを構築します。<br>
+
+📚 **学習プラットフォーム**: セルフホスティング、コンテナオーケストレーション、クラウド技術を実践的に学びます。
+
+## はじめに
+
+### システム互換性
+Olaresは以下のプラットフォームでテストおよび検証されています：
+
+| プラットフォーム            | オペレーティングシステム                     | 備考                                                 |
+|---------------------|--------------------------------------|-------------------------------------------------------|
+| Linux               | Ubuntu 20.04 LTS以降 <br/> Debian 11以降 |                                          |
+| Raspberry Pi        | RaspbianOS                           | Raspberry Pi 4 Model BおよびRaspberry Pi 5で検証済み |
+| Windows             | Windows 11 23H2以降 <br/>Windows 10 22H2以降<br/> WSL2 |                                     |
+| Mac                 | Monterey (12)以降              |                                                        |
+| Proxmox VE (PVE)    | Proxmox Virtual Environment 8.0      |                                                       |
+
+> **注意**
+> 
+> 互換性テーブルに記載されていないオペレーティングシステムでOlaresを正常にインストールした場合は、お知らせください！GitHubリポジトリで[問題を開く](https://github.com/beclab/Olares/issues/new)か、プルリクエストを送信できます。
+
+### Olaresのセットアップ
+自分のデバイスでOlaresを始めるには、[はじめにガイド](https://docs.olares.xyz/manual/get-started/)に従ってステップバイステップの手順を確認してください。
+
+## アーキテクチャ
+
+Olaresのアーキテクチャは、次の2つの基本原則に基づいています：
+- Androidの設計思想を取り入れ、ソフトウェアの権限と対話性を制御することで、システムの安全かつ円滑な運用を実現します。
+- クラウドネイティブ技術を活用し、ハードウェアとミドルウェアサービスを効率的に管理します。
+
+  ![Olaresのアーキテクチ](https://file.bttcdn.com/github/terminus/v2/olares-arch-3.png)
+
+各コンポーネントの詳細については、[Olares アーキテクチャ](https://docs.olares.xyz/manual/system-architecture.html)（英語版）をご参照ください。
+
+## 機能
+
+Olaresは、セキュリティ、使いやすさ、開発の柔軟性を向上させるための幅広い機能を提供します：
+
+- **エンタープライズグレードのセキュリティ**: Tailscale、Headscale、Cloudflare Tunnel、FRPを使用してネットワーク構成を簡素化します。
+- **安全で許可のないアプリケーションエコシステム**: サンドボックス化によりアプリケーションの分離とセキュリティを確保します。
+- **統一ファイルシステムとデータベース**: 自動スケーリング、バックアップ、高可用性を提供します。
+- **シングルサインオン**: 一度ログインするだけで、Olares内のすべてのアプリケーションに共有認証サービスを使用してアクセスできます。
+- **AI機能**: GPU管理、ローカルAIモデルホスティング、プライベートナレッジベースの包括的なソリューションを提供し、データプライバシーを維持します。
+- **内蔵アプリケーション**: ファイルマネージャー、同期ドライブ、ボールト、リーダー、アプリマーケット、設定、ダッシュボードを含みます。
+- **どこからでもシームレスにアクセス**: モバイル、デスクトップ、ブラウザ用の専用クライアントを使用して、どこからでもデバイスにアクセスできます。
+- **開発ツール**: アプリケーションの開発と移植を容易にする包括的な開発ツールを提供します。
+
+## プロジェクトナビゲーション
+
+Olaresは、GitHubで公開されている多数のコードリポジトリで構成されています。現在のリポジトリは、オペレーティングシステムの最終コンパイル、パッケージング、インストール、およびアップグレードを担当しており、特定の変更は主に対応するリポジトリで行われます。
+
+以下の表は、Olaresのプロジェクトディレクトリと対応するリポジトリを一覧にしたものです。興味のあるものを見つけてください：
+
+<details>
+<summary><b>フレームワークコンポーネント</b></summary>
+  
+| ディレクトリ | リポジトリ | 説明 |
+| --- | --- | --- |
+| [frameworks/app-service](https://github.com/beclab/olares/tree/main/frameworks/app-service) | <https://github.com/beclab/app-service> | システムフレームワークコンポーネントで、システム内のすべてのアプリのライフサイクル管理とさまざまなセキュリティ制御を提供します。 |
+| [frameworks/backup-server](https://github.com/beclab/olares/tree/main/frameworks/backup-server) | <https://github.com/beclab/backup-server> | システムフレームワークコンポーネントで、定期的なフルまたは増分クラスターのバックアップサービスを提供します。 |
+| [frameworks/bfl](https://github.com/beclab/olares/tree/main/frameworks/bfl) | <https://github.com/beclab/bfl> | ランチャーのバックエンド（BFL）、ユーザーアクセスポイントとして機能し、さまざまなバックエンドサービスのインターフェースを集約およびプロキシします。 |
+| [frameworks/GPU](https://github.com/beclab/olares/tree/main/frameworks/GPU) | <https://github.com/grgalex/nvshare> | 複数のプロセス（またはKubernetes上で実行されるコンテナ）が同じ物理GPU上で同時に安全に実行できるようにするGPU共有メカニズムで、各プロセスが全GPUメモリを利用できます。 |
+| [frameworks/l4-bfl-proxy](https://github.com/beclab/olares/tree/main/frameworks/l4-bfl-proxy) | <https://github.com/beclab/l4-bfl-proxy> | BFLの第4層ネットワークプロキシ。SNIを事前に読み取ることで、ユーザーのIngressに通過する動的ルートを提供します。 |
+| [frameworks/osnode-init](https://github.com/beclab/olares/tree/main/frameworks/osnode-init) | <https://github.com/beclab/osnode-init> | 新しいノードがクラスターに参加する際にノードデータを初期化するシステムフレームワークコンポーネント。 |
+| [frameworks/system-server](https://github.com/beclab/olares/tree/main/frameworks/system-server) | <https://github.com/beclab/system-server> | システムランタイムフレームワークの一部として、アプリ間のセキュリティコールのメカニズムを提供します。 |
+| [frameworks/tapr](https://github.com/beclab/olares/tree/main/frameworks/tapr) | <https://github.com/beclab/tapr> | Olaresアプリケーションランタイムコンポーネント。 |
+</details>
+
+<details>
+<summary><b>システムレベルのアプリケーションとサービス</b></summary>
+  
+| ディレクトリ | リポジトリ | 説明 |
+| --- | --- | --- |
+| [apps/analytic](https://github.com/beclab/olares/tree/main/apps/analytic) | <https://github.com/beclab/analytic> | [Umami](https://github.com/umami-software/umami)に基づいて開発されたAnalyticは、Google Analyticsのシンプルで高速、プライバシー重視の代替品です。 |
+| [apps/market](https://github.com/beclab/olares/tree/main/apps/market) | <https://github.com/beclab/market> | このリポジトリは、Olaresのアプリケーションマーケットのフロントエンド部分をデプロイします。 |
+| [apps/market-server](https://github.com/beclab/olares/tree/main/apps/market-server) | <https://github.com/beclab/market> | このリポジトリは、Olaresのアプリケーションマーケットのバックエンド部分をデプロイします。 |
+| [apps/argo](https://github.com/beclab/olares/tree/main/apps/argo) | <https://github.com/argoproj/argo-workflows> | ローカル推奨アルゴリズムのコンテナ実行をオーケストレーションするワークフローエンジン。 |
+| [apps/desktop](https://github.com/beclab/olares/tree/main/apps/desktop) | <https://github.com/beclab/desktop> | システムの内蔵デスクトップアプリケーション。 |
+| [apps/devbox](https://github.com/beclab/olares/tree/main/apps/devbox) | <https://github.com/beclab/devbox> | Olaresアプリケーションの移植と開発のための開発者向けIDE。 |
+| [apps/vault](https://github.com/beclab/olares/tree/main/apps/vault) | <https://github.com/beclab/termipass> | [Padloc](https://github.com/padloc/padloc)に基づいて開発された、あらゆる規模のチームや企業向けの無料の1PasswordおよびBitwardenの代替品。DID、Olares ID、およびOlaresデバイスの管理を支援するクライアントとして機能します。 |
+| [apps/files](https://github.com/beclab/olares/tree/main/apps/files) | <https://github.com/beclab/files> | [Filebrowser](https://github.com/filebrowser/filebrowser)から変更された内蔵ファイルマネージャーで、Drive、Sync、およびさまざまなOlares物理ノード上のファイルの管理を提供します。 |
+| [apps/notifications](https://github.com/beclab/olares/tree/main/apps/notifications) | <https://github.com/beclab/notifications> | Olaresの通知システム |
+| [apps/profile](https://github.com/beclab/olares/tree/main/apps/profile) | <https://github.com/beclab/profile> | OlaresのLinktree代替品 |
+| [apps/rsshub](https://github.com/beclab/olares/tree/main/apps/rsshub) | <https://github.com/beclab/rsshub> | [RssHub](https://github.com/DIYgod/RSSHub)に基づいたRSS購読管理ツール。 |
+| [apps/settings](https://github.com/beclab/olares/tree/main/apps/settings) | <https://github.com/beclab/settings> | 内蔵システム設定。 |
+| [apps/system-apps](https://github.com/beclab/olares/tree/main/apps/system-apps) | <https://github.com/beclab/system-apps> | _kubesphere/console_プロジェクトに基づいて構築されたsystem-serviceは、視覚的なダッシュボードと機能豊富なControlHubを通じて、システムの実行状態とリソース使用状況を理解し、制御するためのセルフホストクラウドプラットフォームを提供します。 |
+| [apps/wizard](https://github.com/beclab/olares/tree/main/apps/wizard) | <https://github.com/beclab/wizard> | ユーザーにシステムのアクティベーションプロセスを案内するウィザードアプリケーション。 |
+</details>
+
+<details>
+<summary><b>サードパーティコンポーネントとサービス</b></summary>
+
+| ディレクトリ | リポジトリ | 説明 |
+| --- | --- | --- |
+| [third-party/authelia](https://github.com/beclab/olares/tree/main/third-party/authelia) | <https://github.com/beclab/authelia> | Webポータルを介してアプリケーションに二要素認証とシングルサインオン（SSO）を提供するオープンソースの認証および認可サーバー。 |
+| [third-party/headscale](https://github.com/beclab/olares/tree/main/third-party/headscale) | <https://github.com/beclab/headscale> | OlaresでのTailscaleコントロールサーバーのオープンソース自ホスト実装で、LarePassで異なるデバイス間でTailscaleを管理します。 |
+| [third-party/infisical](https://github.com/beclab/olares/tree/main/third-party/infisical) | <https://github.com/beclab/infisical> | チーム/インフラストラクチャ間でシークレットを同期し、シークレットの漏洩を防ぐオープンソースのシーク<E383BC><E382AF>ッ<EFBFBD><E38383>管理プラットフォーム。 |
+| [third-party/juicefs](https://github.com/beclab/olares/tree/main/third-party/juicefs) | <https://github.com/beclab/juicefs-ext> | RedisとS3の上に構築された分散POSIXファイルシステムで、異なるノード上のアプリがPOSIXインターフェースを介して同じデータにアクセスできるようにします。 |
+| [third-party/ks-console](https://github.com/beclab/olares/tree/main/third-party/ks-console) | <https://github.com/kubesphere/console> | Web GUIを介してクラスター管理を可能にするKubesphereコンソール。 |
+| [third-party/ks-installer](https://github.com/beclab/olares/tree/main/third-party/ks-installer) | <https://github.com/beclab/ks-installer-ext> | クラスターリソース定義に基づいて自動的にKubesphereクラスターを作成するKubesphereインストーラーコンポーネント。 |
+| [third-party/kube-state-metrics](https://github.com/beclab/olares/tree/main/third-party/kube-state-metrics) | <https://github.com/beclab/kube-state-metrics> | kube-state-metrics（KSM）は、Kubernetes APIサーバーをリッスンし、オブジェクトの状態に関するメトリックを生成するシンプルなサービスです。 |
+| [third-party/notification-manager](https://github.com/beclab/olares/tree/main/third-party/notification-manager) | <https://github.com/beclab/notification-manager-ext> | 複数の通知チャネルの統一管理と通知内容のカスタム集約を提供するKubesphereの通知管<E79FA5><E7AEA1>コンポーネント。 |
+| [third-party/predixy](https://github.com/beclab/olares/tree/main/third-party/predixy) | <https://github.com/beclab/predixy> | 利用可能なノードを自動的に識別し、名前空間の分離を追加するRedisクラスターのプロキシサービス。 |
+| [third-party/redis-cluster-operator](https://github.com/beclab/olares/tree/main/third-party/redis-cluster-operator) | <https://github.com/beclab/redis-cluster-operator> | Kubernetesに基づいてRedisクラスターを作成および管理するためのクラウドネイティブツール。 |
+| [third-party/seafile-server](https://github.com/beclab/olares/tree/main/third-party/seafile-server) | <https://github.com/beclab/seafile-server> | データストレージを処理するSeafile（同期ドライブ）のバックエンドサービス。 |
+| [third-party/seahub](https://github.com/beclab/olares/tree/main/third-party/seahub) | <https://github.com/beclab/seahub> | ファイル共有、データ同期などを処理するSeafile（同期ドライブ）のフロントエンドおよびミドルウェアサービス。 |
+| [third-party/tailscale](https://github.com/beclab/olares/tree/main/third-party/tailscale) | <https://github.com/tailscale/tailscale> | TailscaleはすべてのプラットフォームのLarePassに統合されています。 |
+</details>
+
+<details>
+<summary><b>追加のライブラリとコンポーネント</b></summary>
+
+| ディレクトリ | リポジトリ | 説明 |
+| --- | --- | --- |
+| [build/installer](https://github.com/beclab/olares/tree/main/build/installer) |     | インストーラービルドを生成するためのテンプレート。 |
+| [build/manifest](https://github.com/beclab/olares/tree/main/build/manifest) |     | インストールビルドイメージリストテンプレート。 |
+| [libs/fs-lib](https://github.com/beclab/olares/tree/main/libs) | <https://github.com/beclab/fs-lib> | JuiceFSに基づいて実装されたiNotify互換インターフェースのSDKライブラリ。 |
+| [scripts](https://github.com/beclab/olares/tree/main/scripts) |     | インストーラービルドを生成するための補助スクリプト。 |
+</details>
+
+## Olaresへの貢献
+
+あらゆる形での貢献を歓迎します：
+
+- Olaresで独自のアプリケーションを開発したい場合は、以下を参照してください：<br>
+https://docs.olares.xyz/developer/develop/
+
+
+- Olaresの改善に協力したい場合は、以下を参照してください：<br>
+https://docs.olares.xyz/developer/contribute/olares.html
+
+## コミュニティと連絡先
+
+* [**GitHub Discussion**](https://github.com/beclab/olares/discussions). フィードバックの共有や質問に最適です。
+* [**GitHub Issues**](https://github.com/beclab/olares/issues). Olaresの使用中に遭遇したバグの報告や機能提案の提出に最適です。 
+* [**Discord**](https://discord.com/invite/BzfqrgQPDK). Olaresに関するあらゆることを共有するのに最適です。
+
+## 特別な感謝
+
+Olaresプロジェクトは、次のような多数のサードパーティオープンソースプロジェクトを統合しています：[Kubernetes](https://kubernetes.io/)、[Kubesphere](https://github.com/kubesphere/kubesphere)、[Padloc](https://padloc.app/)、[K3S](https://k3s.io/)、[JuiceFS](https://github.com/juicedata/juicefs)、[MinIO](https://github.com/minio/minio)、[Envoy](https://github.com/envoyproxy/envoy)、[Authelia](https://github.com/authelia/authelia)、[Infisical](https://github.com/Infisical/infisical)、[Dify](https://github.com/langgenius/dify)、[Seafile](https://github.com/haiwen/seafile)、[HeadScale](https://headscale.net/)、 [tailscale](https://tailscale.com/)、[Redis Operator](https://github.com/spotahome/redis-operator)、[Nitro](https://nitro.jan.ai/)、[RssHub](http://rsshub.app/)、[predixy](https://github.com/joyieldInc/predixy)、[nvshare](https://github.com/grgalex/nvshare)、[LangChain](https://www.langchain.com/)、[Quasar](https://quasar.dev/)、[TrustWallet](https://trustwallet.com/)、[Restic](https://restic.net/)、[ZincSearch](https://zincsearch-docs.zinc.dev/)、[filebrowser](https://filebrowser.org/)、[lego](https://go-acme.github.io/lego/)、[Velero](https://velero.io/)、[s3rver](https://github.com/jamhall/s3rver)、[Citusdata](https://www.citusdata.com/)。

apps/argo/config/user/helm-charts/recommend/templates/argo_fe_deploy.yaml

@@ -29,59 +29,6 @@ spec:
     app: recommend
   type: ClusterIP
 
----
-{{ if (eq .Values.debugVersion true) }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: recommend
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app: recommend
-    applications.app.bytetrade.io/author: bytetrade.io
-
-    applications.app.bytetrade.io/name: recommend
-    applications.app.bytetrade.io/owner: '{{ .Values.bfl.username }}'
-  annotations:
-    applications.app.bytetrade.io/icon: https://file.bttcdn.com/appstore/recommend/icon.png
-    applications.app.bytetrade.io/title: recommend
-    applications.app.bytetrade.io/version: '0.0.1'
-    applications.app.bytetrade.io/entrances: '[{"name":"recommend", "host":"argoworkflows-ui", "port":80,"title":"recommend"}]'
-
-spec:
-  replicas: 1
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app: recommend
-  template:
-    metadata:
-      labels:
-        app: recommend
-        io.bytetrade.app: "true"
-    spec:
-      containers:
-        - name: recommend-proxy
-          image: nginx:stable-alpine3.17-slim
-          imagePullPolicy: IfNotPresent
-          ports:
-            - name: proxy
-              containerPort: 8080
-          volumeMounts:
-            - name: nginx-config
-              readOnly: true
-              mountPath: /etc/nginx/nginx.conf
-              subPath: nginx.conf
-      volumes:
-        - name: nginx-config
-          configMap:
-            name: recommend-nginx-configs
-            items:
-              - key: nginx.conf
-                path: nginx.conf
-{{ end }}
-
 
 
 ---

apps/desktop/config/user/helm-charts/desktop/templates/desktop_deploy.yaml

@@ -23,6 +23,7 @@ spec:
         runAsUser: 1000
         runAsGroup: 1000
         fsGroup: 1000
+      priorityClassName: "system-cluster-critical"
       initContainers:
       - args:
         - -it
@@ -65,7 +66,7 @@ spec:
 
       containers:
       - name: edge-desktop
-        image: beclab/desktop:v0.2.45
+        image: beclab/desktop:v0.2.57
         imagePullPolicy: IfNotPresent
         securityContext:
           runAsNonRoot: false
@@ -77,7 +78,7 @@ spec:
             value: http://bfl.{{ .Release.Namespace }}:8080
 
       - name: desktop-server
-        image: beclab/desktop-server:v0.2.45
+        image: beclab/desktop-server:v0.2.57
         imagePullPolicy: IfNotPresent
         securityContext:
           allowPrivilegeEscalation: false
@@ -139,7 +140,7 @@ spec:
             fieldRef:
               fieldPath: status.podIP
       - name: terminus-ws-sidecar
-        image: 'beclab/ws-gateway:v1.0.3'
+        image: 'beclab/ws-gateway:v1.0.5'
         imagePullPolicy: IfNotPresent
         command:
           - /ws-gateway
@@ -449,6 +450,7 @@ data:
                               - prefix: x-unauth-
                               - exact: x-authorization
                               - exact: x-bfl-user
+                              - exact: x-real-ip
                               - exact: terminus-nonce
                           headers_to_add:
                             - key: X-Forwarded-Method
@@ -516,9 +518,11 @@ data:
         
       clusters:
       - name: original_dst
-        connect_timeout: 5000s
+        connect_timeout: 120s
         type: ORIGINAL_DST
         lb_policy: CLUSTER_PROVIDED
+        common_http_protocol_options:
+          idle_timeout: 10s
       - name: authelia
         connect_timeout: 2s
         type: LOGICAL_DNS
@@ -623,6 +627,7 @@ data:
                               - prefix: x-unauth-
                               - exact: x-authorization
                               - exact: x-bfl-user
+                              - exact: x-real-ip
                               - exact: terminus-nonce
                           headers_to_add:
                             - key: X-Forwarded-Method
@@ -691,6 +696,8 @@ data:
         connect_timeout: 5000s
         type: ORIGINAL_DST
         lb_policy: CLUSTER_PROVIDED
+        common_http_protocol_options:
+          idle_timeout: 10s
       - name: ws_original_dst
         connect_timeout: 5000s
         type: LOGICAL_DNS

apps/download/config/user/helm-charts/download/templates/download_deploy.yaml

@@ -146,7 +146,7 @@ spec:
             value: user_space_{{ .Values.bfl.username }}_knowledge
       containers:
       - name: aria2
-        image: "beclab/aria2:v0.0.3"
+        image: "beclab/aria2:v0.0.4"
         imagePullPolicy: IfNotPresent
         securityContext:
           runAsNonRoot: false
@@ -172,7 +172,7 @@ spec:
             cpu: "1"
             memory: 300Mi
       - name: yt-dlp
-        image: "beclab/yt-dlp:v0.0.16"
+        image: "beclab/yt-dlp:v0.0.21"
         imagePullPolicy: IfNotPresent
         securityContext:
           allowPrivilegeEscalation: false
@@ -220,7 +220,7 @@ spec:
             cpu: "1"
             memory: 300Mi
       - name: download-spider
-        image: "beclab/download-spider:v0.0.15"
+        image: "beclab/download-spider:v0.0.21"
         imagePullPolicy: IfNotPresent
         securityContext:
           allowPrivilegeEscalation: false
@@ -251,6 +251,8 @@ spec:
           value: {{ $nat_password | b64dec }}
         - name: NATS_SUBJECT
           value: "terminus.{{ .Release.Namespace }}.download_status"
+        - name: SETTING_URL
+          value: http://system-server.user-system-{{ .Values.bfl.username }}/legacy/v1alpha1/service.settings/v1/api/cookie/retrieve
         volumeMounts:
         - name: download-dir
           mountPath: /downloads

apps/files/config/cluster/deploy/files_deploy.yaml

@@ -1,11 +1,12 @@
 
 {{- $namespace := printf "%s" "os-system" -}}
 {{- $files_secret := (lookup "v1" "Secret" $namespace "files-secrets") -}}
-{{- $password := "" -}}
+
+{{- $files_postgres_password := "" -}}
 {{ if $files_secret -}}
-{{ $password = (index $files_secret "data" "password") }}
+{{ $files_postgres_password = (index $files_secret "data" "files_postgres_password") }}
 {{ else -}}
-{{ $password = randAlphaNum 16 | b64enc }}
+{{ $files_postgres_password = randAlphaNum 16 | b64enc }}
 {{- end -}}
 
 {{- $files_redis_password := "" -}}
@@ -15,6 +16,14 @@
 {{ $files_redis_password = randAlphaNum 16 | b64enc }}
 {{- end -}}
 
+{{- $files_nats_secret := (lookup "v1" "Secret" "os-system" "files-nats-secrets") -}}
+{{- $files_nats_password := "" -}}
+{{ if $files_nats_secret -}}
+{{ $files_nats_password = (index $files_nats_secret "data" "files_nats_password") }}
+{{ else -}}
+{{ $files_nats_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -33,13 +42,18 @@ spec:
     metadata:
       labels:
         app: files
+      annotations:
+        # instrumentation.opentelemetry.io/inject-nginx: "olares-instrumentation"
+        # instrumentation.opentelemetry.io/inject-nginx-container-names: "nginx"    
+        instrumentation.opentelemetry.io/inject-go: "olares-instrumentation"
+        instrumentation.opentelemetry.io/go-container-names: "gateway,files,uploader"    
+        instrumentation.opentelemetry.io/otel-go-auto-target-exe: "/filebrowser"
     spec:
       serviceAccount: os-internal
       serviceAccountName: os-internal
       securityContext:
-        runAsUser: 1000
-        runAsGroup: 1000
-        fsGroup: 1000
+        runAsUser: 0
+        runAsNonRoot: false
       initContainers:
         - name: init-data
           image: busybox:1.28
@@ -61,16 +75,16 @@ spec:
             chown -R 1000:1000 /appdata; chown -R 1000:1000 /appcache; chown -R 1000:1000 /data
       containers:
         - name: gateway
-          image: beclab/appdata-gateway:0.1.15
+          image: beclab/appdata-gateway:0.1.18
           imagePullPolicy: IfNotPresent
           securityContext:
             allowPrivilegeEscalation: false
-            runAsUser: 1000
+            runAsUser: 0
           ports:
             - containerPort: 8080
           env:
             - name: FILES_SERVER_TAG
-              value: 'beclab/files-server:v0.2.45'
+              value: 'beclab/files-server:v0.2.67'
             - name: NAMESPACE
               valueFrom:
                 fieldRef:
@@ -88,6 +102,10 @@ spec:
             value: seafile
           image: beclab/media-server:v0.1.10
           imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: true
+            runAsUser: 0
+            privileged: true
           ports:
           - containerPort: 9090
           volumeMounts:
@@ -98,14 +116,15 @@ spec:
 {{ if .Values.sharedlib }}
           - name: shared-lib
             mountPath: /data/External
+            mountPropagation: Bidirectional
 {{ end }}
 
         - name: files
-          image: beclab/files-server:v0.2.45
+          image: beclab/files-server:v0.2.67
           imagePullPolicy: IfNotPresent
           securityContext:
             allowPrivilegeEscalation: true
-            runAsUser: 1000
+            runAsUser: 0
             privileged: true
           volumeMounts:
             - name: fb-data
@@ -157,7 +176,7 @@ spec:
 #            - name: ZINC_USER
 #              value: zincuser-files-os-system
 #            - name: ZINC_PASSWORD
-#              value: {{ $password | b64dec }}
+#              value: {{ $files_postgres_password | b64dec }}
 #            - name: ZINC_HOST
 #              value: zinc-server-svc.os-system
 #            - name: ZINC_PORT
@@ -191,6 +210,32 @@ spec:
               # use redis db 0 for redis cache
             - name: REDIS_DB
               value: '0'
+            - name: NATS_HOST
+              value: nats
+            - name: NATS_PORT
+              value: '4222'
+            - name: NATS_USERNAME
+              value: os-system-files-server
+            - name: NATS_PASSWORD
+              value: {{ $files_nats_password | b64dec }}
+            - name: NATS_SUBJECT
+              value: terminus.os-system.files-notify
+            - name: RESERVED_SPACE
+              value: '1000'
+            - name: OLARES_VERSION
+              value: '1.12'
+            - name: FILE_CACHE_DIR
+              value: '/data/file_cache'
+            - name: PGHOST
+              value: citus-headless.os-system
+            - name: PGPORT
+              value: '5432'
+            - name: PGUSER
+              value: files_os_system
+            - name: PGPASSWORD
+              value: {{ $files_postgres_password | b64dec }}
+            - name: PGDB1
+              value: os_system_files
             - name: POD_NAME
               valueFrom:
                 fieldRef:
@@ -207,12 +252,14 @@ spec:
             - /filebrowser
             - --noauth
         - name: uploader
-          image: beclab/upload:v1.0.7
+          image: beclab/upload:v1.0.14
           env:
             - name: UPLOAD_FILE_TYPE
               value: '*'
             - name: UPLOAD_LIMITED_SIZE
-              value: '21474836481'
+              value: '118111600640'
+            - name: RESERVED_SPACE
+              value: '1000'
           volumeMounts:
             - name: fb-data
               mountPath: /appdata
@@ -223,13 +270,18 @@ spec:
 {{ if .Values.sharedlib }}
             - name: shared-lib
               mountPath: /data/External
+              mountPropagation: Bidirectional
 {{ end }}
           resources: { }
           terminationMessagePath: /dev/termination-log
           terminationMessagePolicy: File
           imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: true
+            runAsUser: 0
+            privileged: true
         - name: nginx
-          image: 'beclab/nginx-lua:n0.0.4'
+          image: 'nginx:stable-alpine3.17-slim'
           securityContext:
             runAsNonRoot: false
             runAsUser: 0
@@ -237,6 +289,10 @@ spec:
             - containerPort: 80
               protocol: TCP
           volumeMounts:
+            - name: files-nginx-config
+              readOnly: true
+              mountPath: /etc/nginx/nginx.conf
+              subPath: nginx.conf
             - name: files-nginx-config
               mountPath: /etc/nginx/conf.d/default.conf
               subPath: default.conf
@@ -261,6 +317,8 @@ spec:
           configMap:
             name: files-nginx-config
             items:
+              - key: nginx.conf
+                path: nginx.conf
               - key: default.conf
                 path: default.conf
             defaultMode: 420
@@ -345,14 +403,21 @@ spec:
           - sh
           - -c
           - |
-            chown -R 1000:1000 /appdata 
+            chown -R 1000:1000 /appdata
+        - args:
+          - -it
+          - nats.os-system:4222
+          image: owncloudci/wait-for:latest
+          imagePullPolicy: IfNotPresent
+          name: check-nats
       containers:
         - name: files
-          image: beclab/files-server:v0.2.45
+          image: beclab/files-server:v0.2.67
           imagePullPolicy: IfNotPresent
           securityContext:
-            allowPrivilegeEscalation: false
-            runAsUser: 1000
+            allowPrivilegeEscalation: true
+            runAsUser: 0
+            runAsNonRoot: false
           volumeMounts:
             - name: fb-data
               mountPath: /appdata
@@ -361,12 +426,16 @@ spec:
           ports:
             - containerPort: 8110
           env:
-            - name: FB_DATABASE
-              value: /appdata/database/filebrowser.db
-            - name: FB_CONFIG
-              value: /appdata/config/settings.json
-            - name: FB_ROOT
+            - name: ROOT_PREFIX
               value: /data
+#            - name: FB_DATABASE
+#              value: /appdata/database/filebrowser.db
+#            - name: FB_CONFIG
+#              value: /appdata/config/settings.json
+#            - name: FB_ROOT
+#              value: /data
+            - name: OLARES_VERSION
+              value: '1.12'
             - name: NODE_NAME
               valueFrom:
                 fieldRef:
@@ -409,9 +478,39 @@ metadata:
   namespace: os-system
 type: Opaque
 data:
-  password: {{ $password }}
+  files_postgres_password: {{ $files_postgres_password }}
   files_redis_password: {{ $files_redis_password }}
 
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: files-nats-secrets
+  namespace: os-system
+data:
+  files_nats_password: {{ $files_nats_password }}
+type: Opaque
+
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: files-pg
+  namespace: os-system
+spec:
+  app: files
+  appNamespace: os-system
+  middleware: postgres
+  postgreSQL:
+    user: files_os_system
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: files_postgres_password
+          name: files-secrets
+    databases:
+      - name: files
+
 ---
 apiVersion: apr.bytetrade.io/v1alpha1
 kind: MiddlewareRequest
@@ -430,6 +529,37 @@ spec:
           name: files-secrets
     namespace: files-redis
 
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: files-server-nat
+  namespace: os-system
+spec:
+  app: files-server
+  appNamespace: os-system
+  middleware: nats
+  nats:
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: files_nats_password
+          name: files-nats-secrets
+    refs: []
+    subjects:
+      - export:
+          - appName: files-frontend
+            pub: allow
+            sub: allow
+          - appName: vault
+            pub: allow
+            sub: allow
+        name: files-notify
+        permission:
+          pub: allow
+          sub: allow
+    user: os-system-files-server
+
 ---
 kind: ConfigMap
 apiVersion: v1
@@ -439,6 +569,37 @@ metadata:
   annotations:
     kubesphere.io/creator: bytetrade.io
 data:
+  nginx.conf: |-
+    user  nginx;
+    worker_processes  auto;
+
+    error_log  /var/log/nginx/error.log notice;
+    pid        /var/run/nginx.pid;
+
+    events {
+        worker_connections  1024;
+    }
+
+    http {
+        include       /etc/nginx/mime.types;
+        default_type  application/octet-stream;
+
+        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                          '$status $body_bytes_sent "$http_referer" '
+                          '"$http_user_agent" "$http_x_forwarded_for"';
+
+        access_log  /var/log/nginx/access.log  main;
+
+        sendfile        on;
+        #tcp_nopush     on;
+
+        keepalive_timeout  2700;
+
+        #gzip  on;
+        client_max_body_size 4000M;
+
+        include /etc/nginx/conf.d/*.conf;
+    }
   default.conf: |-
     server {
     	listen 80 default_server;
@@ -488,12 +649,12 @@ data:
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Host $host;
 
-            client_body_timeout 60s;
+            client_body_timeout 600s;
             client_max_body_size 2000M;
             proxy_request_buffering off;
-            keepalive_timeout 75s;
-            proxy_read_timeout 60s;
-            proxy_send_timeout 60s;
+            keepalive_timeout 750s;
+            proxy_read_timeout 600s;
+            proxy_send_timeout 600s;
         }
 
         location /api/raw/AppData {
@@ -505,12 +666,77 @@ data:
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Host $host;
 
-            client_body_timeout 60s;
-            client_max_body_size 2000M;
+            client_body_timeout 1800s;
+            client_max_body_size 4000M;
             proxy_request_buffering off;
-            keepalive_timeout 75s;
-            proxy_read_timeout 60s;
-            proxy_send_timeout 60s;
+            keepalive_timeout 2700s;
+            proxy_read_timeout 1800s;
+            proxy_send_timeout 1800s;
+        }
+
+        location /api/raw {
+            proxy_pass http://127.0.0.1:8080;
+            # rewrite ^/server(.*)$ $1 break;
+
+            # Add original-request-related headers
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Host $host;
+
+            client_body_timeout 1800s;
+            client_max_body_size 4000M;
+            proxy_request_buffering off;
+            keepalive_timeout 2700s;
+            proxy_read_timeout 1800s;
+            proxy_send_timeout 1800s;
+        }
+
+        location /api/md5 {
+            proxy_pass http://127.0.0.1:8080;
+            # rewrite ^/server(.*)$ $1 break;
+            # Add original-request-related headers
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Host $host;
+            add_header Accept-Ranges bytes;
+            client_body_timeout 1800s;
+            client_max_body_size 4000M;
+            proxy_request_buffering off;
+            keepalive_timeout 2700s;
+            proxy_read_timeout 1800s;
+            proxy_send_timeout 1800s;
+        }
+
+        location /api/paste {
+            proxy_pass http://127.0.0.1:8080;
+            # rewrite ^/server(.*)$ $1 break;
+            # Add original-request-related headers
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Host $host;
+            add_header Accept-Ranges bytes;
+            client_body_timeout 1800s;
+            client_max_body_size 4000M;
+            proxy_request_buffering off;
+            keepalive_timeout 2700s;
+            proxy_read_timeout 1800s;
+            proxy_send_timeout 1800s;
+        }
+
+        location /api/cache {
+            proxy_pass http://127.0.0.1:8080;
+            # rewrite ^/server(.*)$ $1 break;
+            # Add original-request-related headers
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Host $host;
+            add_header Accept-Ranges bytes;
+            client_body_timeout 1800s;
+            client_max_body_size 4000M;
+            proxy_request_buffering off;
+            keepalive_timeout 2700s;
+            proxy_read_timeout 1800s;
+            proxy_send_timeout 1800s;
         }
 
         location /provider {
@@ -562,7 +788,7 @@ data:
 
             client_body_timeout 600s;
             client_max_body_size 4000M;
-            proxy_request_buffering off;
+            proxy_request_buffering on;
             keepalive_timeout 750s;
             proxy_read_timeout 600s;
             proxy_send_timeout 600s;
@@ -598,12 +824,12 @@ data:
 
             add_header Accept-Ranges bytes;
 
-            client_body_timeout 60s;
+            client_body_timeout 600s;
             client_max_body_size 2000M;
             proxy_request_buffering off;
-            keepalive_timeout 75s;
-            proxy_read_timeout 60s;
-            proxy_send_timeout 60s;
+            keepalive_timeout 750s;
+            proxy_read_timeout 600s;
+            proxy_send_timeout 600s;
         }
 
         location /seafhttp/ {
@@ -617,12 +843,12 @@ data:
 
             add_header Accept-Ranges bytes;
 
-            client_body_timeout 60s;
+            client_body_timeout 600s;
             client_max_body_size 2000M;
             proxy_request_buffering off;
-            keepalive_timeout 75s;
-            proxy_read_timeout 60s;
-            proxy_send_timeout 60s;
+            keepalive_timeout 750s;
+            proxy_read_timeout 600s;
+            proxy_send_timeout 600s;
         }
     	# files
     	# for all routes matching a dot, check for files and return 404 if not found

apps/files/config/user/helm-charts/files/templates/files_fe_deploy.yaml

@@ -27,6 +27,14 @@
 {{ $pg_password = randAlphaNum 16 | b64enc }}
 {{- end -}}
 
+{{- $files_frontend_nats_secret := (lookup "v1" "Secret" $namespace "files-frontend-nats-secrets") -}}
+{{- $files_frontend_nats_password := "" -}}
+{{ if $files_frontend_nats_secret -}}
+{{ $files_frontend_nats_password = (index $files_frontend_nats_secret "data" "files_frontend_nats_password") }}
+{{ else -}}
+{{ $files_frontend_nats_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
 
 ---
 apiVersion: v1
@@ -104,6 +112,11 @@ spec:
       labels:
         app: files
         io.bytetrade.app: "true"
+      annotations:
+        # support nginx 1.24.3 1.25.3
+        # instrumentation.opentelemetry.io/inject-nginx: "olares-instrumentation"
+        # instrumentation.opentelemetry.io/inject-nginx-container-names: "files-frontend"    
+        # instrumentation.opentelemetry.io/otel-go-auto-target-exe: "drive"
     spec:
       serviceAccountName: bytetrade-controller
       securityContext:
@@ -134,6 +147,12 @@ spec:
         image: owncloudci/wait-for:latest
         imagePullPolicy: IfNotPresent
         name: check-auth
+      - args:
+        - -it
+        - nats.user-system-{{ .Values.bfl.username }}:4222
+        image: owncloudci/wait-for:latest
+        imagePullPolicy: IfNotPresent
+        name: check-nats
       - name: terminus-sidecar-init
         image: openservicemesh/init:v1.2.3
         imagePullPolicy: IfNotPresent
@@ -283,18 +302,29 @@ spec:
 #        - /filebrowser
 #        - --noauth
       - name: files-frontend
-        image: beclab/files-frontend:v1.2.69
+        image: beclab/files-frontend:v1.3.46
         imagePullPolicy: IfNotPresent
         securityContext:
           runAsNonRoot: false
           runAsUser: 0
         ports:
         - containerPort: 80
+        env:
+          - name: NATS_HOST
+            value: nats.user-system-{{ .Values.bfl.username }}
+          - name: NATS_PORT
+            value: '4222'
+          - name: NATS_USERNAME
+            value: user-system-{{ .Values.bfl.username }}-files-frontend
+          - name: NATS_PASSWORD
+            value: {{ $files_frontend_nats_password | b64dec }}
+          - name: NATS_SUBJECT
+            value: terminus.os-system.files-notify
         volumeMounts:
         - name: userspace-dir
           mountPath: /data
       - name: drive-server
-        image: beclab/drive:v0.0.29
+        image: beclab/drive:v0.0.72
         imagePullPolicy: IfNotPresent
         env:
         - name: OS_SYSTEM_SERVER
@@ -314,8 +344,10 @@ spec:
           mountPath: /appdata/
         - name: userspace-app-dir
           mountPath: /data/Application
+        - name: data-dir
+          mountPath: /data
       - name: task-executor
-        image: beclab/driveexecutor:v0.0.29
+        image: beclab/driveexecutor:v0.0.72
         imagePullPolicy: IfNotPresent
         env:
         - name: OS_SYSTEM_SERVER
@@ -335,6 +367,8 @@ spec:
           mountPath: /appdata/
         - name: userspace-app-dir
           mountPath: /data/Application
+        - name: data-dir
+          mountPath: /data
 #      - name: terminus-upload-sidecar
 #        image: beclab/upload:v1.0.3
 #        env:
@@ -397,6 +431,10 @@ spec:
               fieldPath: status.podIP
 
       volumes:
+      - name: data-dir
+        hostPath:
+          path: {{ .Values.rootPath }}/rootfs/userspace
+          type: Directory
       - name: watch-dir
         hostPath:
           type: Directory
@@ -606,6 +644,16 @@ data:
   redis_password: {{ $redis_password }}
   pg_password: {{ $pg_password }}
 
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: files-frontend-nats-secrets
+  namespace: user-system-{{ .Values.bfl.username }}
+data:
+  files_frontend_nats_password: {{ $files_frontend_nats_password }}
+type: Opaque
+
 #---
 #apiVersion: apr.bytetrade.io/v1alpha1
 #kind: MiddlewareRequest
@@ -646,6 +694,31 @@ spec:
           name: zinc-files-secrets
     namespace: zinc-files
 
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: files-frontend-nat
+  namespace: user-system-{{ .Values.bfl.username }}
+spec:
+  app: files-frontend
+  appNamespace: user-space-{{ .Values.bfl.username }}
+  middleware: nats
+  nats:
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: files_frontend_nats_password
+          name: files-frontend-nats-secrets
+    refs:
+      - appName: files-server
+        appNamespace: os-system
+        subjects:
+          - name: files-notify
+            perm:
+              - pub
+              - sub
+    user: user-system-{{ .Values.bfl.username }}-files-frontend
 
 ---
 apiVersion: v1
@@ -690,11 +763,14 @@ data:
                                 prefix: "/upload"
                               route:
                                 cluster: upload_original_dst
+                                timeout: 1800s
+                                idle_timeout: 1800s
                             - match:
                                 prefix: "/"
                               route:
                                 cluster: original_dst
-                                timeout: 600s
+                                timeout: 1800s
+                                idle_timeout: 1800s
                     http_protocol_options:
                       accept_http_10: true
                     http_filters:
@@ -716,6 +792,7 @@ data:
                                   - prefix: x-unauth-
                                   - exact: x-authorization
                                   - exact: x-bfl-user
+                                  - exact: x-real-ip
                                   - exact: terminus-nonce
                               headers_to_add:
                                 - key: X-Forwarded-Method
@@ -781,9 +858,11 @@ data:
 
       clusters:
         - name: original_dst
-          connect_timeout: 5000s
+          connect_timeout: 120s
           type: ORIGINAL_DST
           lb_policy: CLUSTER_PROVIDED
+          common_http_protocol_options:
+            idle_timeout: 10s
         - name: upload_original_dst
           connect_timeout: 5000s
           type: LOGICAL_DNS

apps/knowledge/config/user/helm-charts/knowledge/templates/knowledge_deployment.yaml

@@ -168,7 +168,7 @@ spec:
             value: user_space_{{ .Values.bfl.username }}_knowledge
       containers:
       - name: knowledge
-        image: "beclab/knowledge-base-api:v0.1.56"
+        image: "beclab/knowledge-base-api:v0.1.68"
         imagePullPolicy: IfNotPresent
         securityContext:
           allowPrivilegeEscalation: false
@@ -181,6 +181,8 @@ spec:
           value: http://127.0.0.1:8080
         - name: RSSHUB_URL
           value: 'http://rss-server.os-system:1200'
+        - name: UPLOAD_SAVE_PATH
+          value: '/data/Home/Documents/'
         - name: SEARCH_URL
           value: 'http://search3.os-system:80'
         - name: REDIS_PASSWORD
@@ -236,7 +238,7 @@ spec:
             memory: 1Gi
 
       - name: backend-server
-        image: "beclab/recommend-backend:v0.0.24"
+        image: "beclab/recommend-backend:v0.0.30"
         imagePullPolicy: IfNotPresent
         securityContext:
           allowPrivilegeEscalation: false
@@ -296,7 +298,7 @@ spec:
         - name: YT_DLP_API_URL
           value: http://download-svc.user-space-{{ .Values.bfl.username }}:3082/api/v1/get_metadata
         - name: DOWNLOAD_API_URL
-          value: http://download-svc.user-space-{{ .Values.bfl.username }}:3080/api/termius/download
+          value: http://download-svc.user-space-{{ .Values.bfl.username }}:3080/api
         - name: SETTING_API_URL
           value: http://system-server.user-system-{{ .Values.bfl.username }}/legacy/v1alpha1/service.settings/v1/api/cookie/retrieve
         volumeMounts:
@@ -367,7 +369,7 @@ spec:
             memory: 800Mi
 
       - name: terminus-ws-sidecar
-        image: 'beclab/ws-gateway:v1.0.3'
+        image: 'beclab/ws-gateway:v1.0.4'
         imagePullPolicy: IfNotPresent
         command:
           - /ws-gateway
@@ -380,6 +382,19 @@ spec:
         terminationMessagePath: /dev/termination-log
         terminationMessagePolicy: File
 
+      - name: recommend-debug
+        image: "beclab/recommenddebug:v0.0.25"
+        imagePullPolicy: IfNotPresent
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsUser: 1000
+        env:
+          - name: KNOWLEDGE_BASE_API_URL
+            value: http://127.0.0.1:3010
+        volumeMounts:
+          - mountPath: /opt/rank_model
+            name: model
+
       volumes:
       - name: watch-dir
         hostPath:
@@ -396,7 +411,10 @@ spec:
           items:
           - key: envoy.yaml
             path: envoy.yaml
-      
+      - name: model
+        hostPath:
+          type: DirectoryOrCreate
+          path: {{ .Values.userspace.appData }}/rss/model
 
 ---
 apiVersion: v1
@@ -421,6 +439,10 @@ spec:
       protocol: TCP
       port: 3010
       targetPort: 3010
+    - name: "knowledge-websocket"
+      protocol: TCP
+      port: 40010
+      targetPort: 40010
 
 ---
 apiVersion: v1

apps/market/config/user/helm-charts/market/templates/market_deploy.yaml

@@ -3,7 +3,7 @@
 
 {{- $redis_password := "" -}}
 {{ if $market_secret -}}
-{{ $redis_password = (index $market_secret "data" "redis_password") }}
+{{ $redis_password = (index $market_secret "data" "redis-passwords") }}
 {{ else -}}
 {{ $redis_password = randAlphaNum 16 | b64enc }}
 {{- end -}}
@@ -44,6 +44,7 @@ spec:
         app: appstore
         io.bytetrade.app: "true"
     spec:
+      priorityClassName: "system-cluster-critical"
       initContainers:
         - args:
           - -it
@@ -85,12 +86,12 @@ spec:
                 fieldPath: status.podIP
       containers:
       - name: appstore
-        image: beclab/market-frontend:v0.2.30
+        image: beclab/market-frontend:v0.3.9
         imagePullPolicy: IfNotPresent
         ports:
         - containerPort: 80
       - name: appstore-backend
-        image: beclab/market-backend:v0.2.30
+        image: beclab/market-backend:v0.3.9
         imagePullPolicy: IfNotPresent
         ports:
           - containerPort: 81
@@ -170,7 +171,7 @@ spec:
             fieldRef:
               fieldPath: status.podIP
       - name: terminus-ws-sidecar
-        image: 'beclab/ws-gateway:v1.0.3'
+        image: 'beclab/ws-gateway:v1.0.5'
         command:
           - /ws-gateway
         env:

apps/notifications/config/cluster/deploy/notification_deploy.yaml

@@ -0,0 +1,211 @@
+
+
+{{- $namespace := printf "%s%s" "os-system" -}}
+{{- $notifications_secret := (lookup "v1" "Secret" $namespace "notifications-secrets") -}}
+
+{{- $pg_password := "" -}}
+{{ if $notifications_secret -}}
+{{ $pg_password = (index $notifications_secret "data" "pg_password") }}
+{{ else -}}
+{{ $pg_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
+{{- $nats_password := "" -}}
+{{ if $notifications_secret -}}
+{{ $nats_password = (index $notifications_secret "data" "nats_password") }}
+{{ else -}}
+{{ $nats_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: notifications-secrets
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+  pg_password: {{ $pg_password }}
+  nats_password: {{ $nats_password }}
+
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: notifications-pg
+  namespace: {{ .Release.Namespace }}
+spec:
+  app: notifications
+  appNamespace: {{ .Release.Namespace }}
+  middleware: postgres
+  postgreSQL:
+    user: notifications_os_system
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: pg_password
+          name: notifications-secrets
+    databases:
+    - name: notifications   
+
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: notifications-nats
+  namespace: {{ .Release.Namespace }}
+spec:
+  app: notifications
+  appNamespace: {{ .Release.Namespace }}
+  middleware: nats
+  nats:
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: nats_password
+          name: notifications-secrets
+    refs: []   # TODO: refs to notifications-proxy's subject
+    subjects:
+      - export:
+          - appName: notifications-proxy
+            pub: allow
+            sub: allow
+          - appName: lldap
+            pub: allow
+            sub: allow
+          - appName: ks-component
+            pub: allow
+            sub: allow
+          - appName: authelia
+            pub: allow
+            sub: allow
+        name: system.notification
+        permission:
+          pub: allow
+          sub: allow
+    user: os-system-notifications
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: notifications-server
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: notifications-server
+    applications.app.bytetrade.io/author: bytetrade.io
+  annotations:
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: notifications-server
+  template:
+    metadata:
+      labels:
+        app: notifications-server
+    spec:
+      initContainers:
+      - name: init-container
+        image: 'postgres:16.0-alpine3.18'
+        command:
+          - sh
+          - '-c'
+          - >-
+            echo -e "Checking for the availability of PostgreSQL Server deployment"; until psql -h $PGHOST -p $PGPORT -U $PGUSER -d $PGDB -c "SELECT 1"; do sleep 1; printf "-"; done; sleep 5; echo -e " >> PostgreSQL DB Server has started";
+        env:
+          - name: PGHOST
+            value: citus-headless.os-system
+          - name: PGPORT
+            value: "5432"
+          - name: PGUSER
+            value: notifications_os_system
+          - name: PGPASSWORD
+            valueFrom:
+              secretKeyRef:
+                key: pg_password
+                name: notifications-secrets
+          - name: PGDB
+            value: os_system_notifications
+      containers:
+      - name: notifications-api
+        image: beclab/notifications-api:v1.12.2
+        imagePullPolicy: IfNotPresent
+        ports:
+        - containerPort: 3010
+          protocol: TCP
+        env:
+        - name: DATABASE_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: pg_password
+              name: notifications-secrets
+
+        - name: PRISMA_ENGINES_CHECKSUM_IGNORE_MISSING
+          value: '1'
+        - name: DATABASE_URL
+          value: postgres://notifications_os_system:$(DATABASE_PASSWORD)@citus-headless.os-system/os_system_notifications?sslmode=disable
+        - name: NATS_HOST
+          value: nats
+        - name: NATS_PORT
+          value: "4222"
+        - name: NATS_USERNAME
+          value: os-system-notifications
+        - name: NATS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: nats_password
+              name: notifications-secrets
+        - name: NATS_SUBJECT
+          value: "terminus.{{ .Release.Namespace }}.system.notification"
+
+        livenessProbe:
+          tcpSocket:
+            port: 3010
+          initialDelaySeconds: 25
+          timeoutSeconds: 15
+          periodSeconds: 10
+          successThreshold: 1
+          failureThreshold: 8
+        readinessProbe:
+          tcpSocket:
+            port: 3010
+          initialDelaySeconds: 25
+          periodSeconds: 10
+
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: notifications-service
+  namespace: {{ .Release.Namespace }}
+spec:
+  type: ClusterIP
+  selector:
+    app: notifications-server
+  ports:
+  - name: "notifications-server"
+    protocol: TCP
+    port: 80
+    targetPort: 3010
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: notifications-server
+  namespace: {{ .Release.Namespace }}
+spec:
+  type: ClusterIP
+  selector:
+    app: notifications-server
+  ports:
+  - name: "server"
+    protocol: TCP
+    port: 80
+    targetPort: 3010
+

apps/notifications/config/user/helm-charts/notification/templates/notification_deploy.yaml

@@ -1,413 +1 @@
-
-
-{{- $namespace := printf "%s%s" "user-system-" .Values.bfl.username -}}
-{{- $notifications_secret := (lookup "v1" "Secret" $namespace "notifications-secrets") -}}
-{{- $password := "" -}}
-{{ if $notifications_secret -}}
-{{ $password = (index $notifications_secret "data" "pg_password") }}
-{{ else -}}
-{{ $password = randAlphaNum 16 | b64enc }}
-{{- end -}}
-
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: notifications-secrets
-  namespace: user-system-{{ .Values.bfl.username }}
-type: Opaque
-data:
-  pg_password: {{ $password }}
----
-apiVersion: apr.bytetrade.io/v1alpha1
-kind: MiddlewareRequest
-metadata:
-  name: notifications-pg
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  app: notifications
-  appNamespace: {{ .Release.Namespace }}
-  middleware: postgres
-  postgreSQL:
-    user: notifications_{{ .Values.bfl.username }}
-    password:
-      valueFrom:
-        secretKeyRef:
-          key: pg_password
-          name: notifications-secrets
-    databases:
-    - name: notifications   
-
-{{ if (eq .Values.debugVersion true) }}
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: notifications-deployment
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app: notifications
-    applications.app.bytetrade.io/author: bytetrade.io
-
-    applications.app.bytetrade.io/name: notifications
-    applications.app.bytetrade.io/owner: '{{ .Values.bfl.username }}'
-  annotations:
-    applications.app.bytetrade.io/icon: https://file.bttcdn.com/appstore/notifications/icon.png
-    applications.app.bytetrade.io/title: Notifications
-    applications.app.bytetrade.io/version: '0.0.1'
-    applications.app.bytetrade.io/entrances: '[{"name":"notifications", "host":"notifications-service", "port":80,"title":"Notifications"}]'
-spec:
-  replicas: 1
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app: notifications
-  template:
-    metadata:
-      labels:
-        app: notifications
-        io.bytetrade.app: "true"
-    spec:
-      initContainers:
-      - args:
-        - -it
-        - authelia-backend.os-system:9091
-        image: owncloudci/wait-for:latest
-        imagePullPolicy: IfNotPresent
-        name: check-auth
-      - name: terminus-sidecar-init
-        image: openservicemesh/init:v1.2.3
-        imagePullPolicy: IfNotPresent
-        securityContext:
-          privileged: true
-          capabilities: 
-            add:
-            - NET_ADMIN
-          runAsNonRoot: false
-          runAsUser: 0
-        command:
-        - /bin/sh
-        - -c
-        - |
-          iptables-restore --noflush <<EOF
-          # sidecar interception rules
-          *nat
-          :PROXY_IN_REDIRECT - [0:0]
-          :PROXY_INBOUND - [0:0]
-          -A PROXY_IN_REDIRECT -p tcp -j REDIRECT --to-port 15003
-          -A PROXY_INBOUND -p tcp --dport 15000 -j RETURN
-          -A PROXY_INBOUND -p tcp -j PROXY_IN_REDIRECT
-          -A PREROUTING -p tcp -j PROXY_INBOUND
-          COMMIT
-          EOF
-        
-        env:
-        - name: POD_IP
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: status.podIP
-      containers:
-      - name: notifications-frontend
-        image: beclab/notifications-frontend:v0.1.22
-        imagePullPolicy: IfNotPresent
-        ports:
-        - containerPort: 80
-      - name: terminus-envoy-sidecar
-        image: bytetrade/envoy:v1.25.11
-        imagePullPolicy: IfNotPresent
-        securityContext:
-          allowPrivilegeEscalation: false
-          runAsUser: 1000
-        ports:
-        - name: proxy-admin
-          containerPort: 15000
-        - name: proxy-inbound
-          containerPort: 15003
-        volumeMounts:
-        - name: terminus-sidecar-config
-          readOnly: true
-          mountPath: /etc/envoy/envoy.yaml
-          subPath: envoy.yaml
-        command:
-        - /usr/local/bin/envoy
-        - --log-level
-        - debug
-        - -c
-        - /etc/envoy/envoy.yaml
-        env:
-        - name: POD_UID
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.uid
-        - name: POD_NAME
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.name
-        - name: POD_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        - name: POD_IP
-          valueFrom:
-            fieldRef:
-              fieldPath: status.podIP
-      volumes:
-      - name: terminus-sidecar-config
-        configMap:
-          name: sidecar-configs
-          items:
-          - key: envoy.yaml
-            path: envoy.yaml
-        # - name: REDIS_HOST
-        #   value: localhost
-        # - name: REDIS_PORT
-        #   value: "6379"
-      # - name: notifications-worker
-      #   image: aboveos/notifications-worker:v0.1.2
-      #   imagePullPolicy: IfNotPresent
-      #   env:
-      #   - name: MONGO_URL
-      #     value: mongodb://admin:123456@localhost:27017
-      #   - name: REDIS_HOST
-      #     value: localhost
-      #   - name: REDIS_CACHE_SERVICE_HOST
-      #     value: localhost
-      #   - name: REDIS_PORT
-      #     value: "6379"
-      # - name: mongodb
-      #   image: mongo:4.4.5
-      #   env:
-      #   - name: MONGO_INITDB_ROOT_USERNAME
-      #     value: admin
-      #   - name: MONGO_INITDB_ROOT_PASSWORD
-      #     value: '123456'
-      #   imagePullPolicy: IfNotPresent
-      #   ports:
-      #   - containerPort: 27017
-      #   volumeMounts:
-      #   - name: mongo-data
-      #     mountPath: /data/db
-      # - name: redis
-      #   image: redis:7.0.5-alpine3.16
-      #   imagePullPolicy: IfNotPresent
-      #   volumeMounts:
-      #   - name: redis-data
-      #     mountPath: /data
-      # volumes:
-      # - name: mongo-data
-      #   hostPath:
-      #     type: DirectoryOrCreate
-      #     path: {{ .Values.userspace.appCache}}/notification/db
-      # - name: redis-data
-      #   hostPath:
-      #     type: DirectoryOrCreate
-      #     path: {{ .Values.userspace.appCache}}/notification/redisdata
-{{ end }}
-
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: notifications-server
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app: notifications-server
-    applications.app.bytetrade.io/author: bytetrade.io
-  annotations:
-spec:
-  replicas: 1
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app: notifications-server
-  template:
-    metadata:
-      labels:
-        app: notifications-server
-    spec:
-      initContainers:
-      - name: init-container
-        image: 'postgres:16.0-alpine3.18'
-        command:
-          - sh
-          - '-c'
-          - >-
-            echo -e "Checking for the availability of PostgreSQL Server deployment"; until psql -h $PGHOST -p $PGPORT -U $PGUSER -d $PGDB -c "SELECT 1"; do sleep 1; printf "-"; done; sleep 5; echo -e " >> PostgreSQL DB Server has started";
-        env:
-          - name: PGHOST
-            value: citus-master-svc.user-system-{{ .Values.bfl.username }}
-          - name: PGPORT
-            value: "5432"
-          - name: PGUSER
-            value: notifications_{{ .Values.bfl.username }}
-          - name: PGPASSWORD
-            value: {{ $password | b64dec }}
-          - name: PGDB
-            value: user_space_{{ .Values.bfl.username }}_notifications
-      containers:
-      - name: notifications-api
-        image: beclab/notifications-api:v0.1.25
-        imagePullPolicy: IfNotPresent
-        ports:
-        - containerPort: 3010
-          protocol: TCP
-        env:
-        - name: OS_SYSTEM_SERVER
-          value: system-server.user-system-{{ .Values.bfl.username }}
-        - name: OS_APP_SECRET
-          value: '{{ .Values.os.notification.appSecret }}'
-        - name: OS_APP_KEY
-          value: {{ .Values.os.notification.appKey }}
-        - name: DATABASE_PASSWORD
-          value: {{ $password | b64dec }}
-        - name: PRISMA_ENGINES_CHECKSUM_IGNORE_MISSING
-          value: '1'
-        - name: DATABASE_URL
-          value: postgres://notifications_{{ .Values.bfl.username }}:$(DATABASE_PASSWORD)@citus-master-svc.user-system-{{ .Values.bfl.username }}/user_space_{{ .Values.bfl.username }}_notifications?sslmode=disable
-        livenessProbe:
-          tcpSocket:
-            port: 3010
-          initialDelaySeconds: 25
-          timeoutSeconds: 15
-          periodSeconds: 10
-          successThreshold: 1
-          failureThreshold: 8
-        readinessProbe:
-          tcpSocket:
-            port: 3010
-          initialDelaySeconds: 25
-          periodSeconds: 10
-
-
-
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: notifications-service
-  namespace: {{ .Release.Namespace }}
-{{ if (eq .Values.debugVersion true) }}
-spec:
-  type: ClusterIP
-  selector:
-    app: notifications
-  ports:
-  - name: "notifications-frontend"
-    protocol: TCP
-    port: 80
-    targetPort: 80
-{{ else }}    
-spec:
-  type: ClusterIP
-  selector:
-    app: notifications-server
-  ports:
-  - name: "notifications-server"
-    protocol: TCP
-    port: 80
-    targetPort: 3010
-{{ end }}
-
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: notifications-server
-  namespace: {{ .Release.Namespace }}
-spec:
-  type: ClusterIP
-  selector:
-    app: notifications-server
-  ports:
-  - name: "server"
-    protocol: TCP
-    port: 80
-    targetPort: 3010
-
----
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ProviderRegistry
-metadata:
-  name: notifications-token-provider
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  dataType: token
-  deployment: notifications-server
-  description: notifications provider
-  endpoint: notifications-server.{{ .Release.Namespace }}
-  group: service.notification
-  kind: provider
-  namespace: {{ .Release.Namespace }}
-  opApis:
-  - name: Create
-    uri: /termipass/create_token
-  version: v1
-status:
-  state: active
- 
----
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ProviderRegistry
-metadata:
-  name: notifications-message-provider
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  dataType: message
-  deployment: notifications-server
-  description: notifications provider
-  endpoint: notifications-server.{{ .Release.Namespace }}
-  group: service.notification
-  kind: provider
-  namespace: {{ .Release.Namespace }}
-  opApis:
-  - name: SendMassage
-    uri: /notification/create_job
-  - name: SystemMessage
-    uri: /notification/system/push
-  version: v1
-status:
-  state: active
-
----
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ApplicationPermission
-metadata:
-  name: notification-call-vault
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  app: notifications
-  appid: notifications
-  key: {{ .Values.os.notification.appKey }}
-  secret: {{ .Values.os.notification.appSecret }}
-  permissions:
-  - dataType: notification
-    group: service.vault
-    ops:
-    - Create
-    - Query
-    version: v1
-  - dataType: notification
-    group: service.desktop
-    ops:
-    - Create
-    - Query
-    version: v1
-  - dataType: secret
-    group: secret.infisical
-    ops:
-    - RetrieveSecret?workspace=notification
-    - CreateSecret?workspace=notification
-    - DeleteSecret?workspace=notification
-    - UpdateSecret?workspace=notification
-    - ListSecret?workspace=notification
-    version: v1
-  - dataType: app
-    group: service.bfl
-    ops:
-    - UserApps
-    version: v1
-status:
-  state: active
+# TODO: deploy a notification proxy

apps/rss/config/cluster/deploy/rss_deploy.yaml

@@ -24,7 +24,7 @@ spec:
     spec:
       containers:
         - name: rss-server
-          image: beclab/rsshub-server:v0.0.2
+          image: beclab/rsshub-server:v0.0.5
           imagePullPolicy: IfNotPresent
           ports:
           - containerPort: 1200

apps/search3/config/cluster/deploy/search3_server_deploy.yaml

@@ -199,7 +199,7 @@ spec:
             value: os_system_search3
       containers:
       - name: search3
-        image: beclab/search3:v0.0.24
+        image: beclab/search3:v0.0.30
         imagePullPolicy: IfNotPresent
         ports:
         - containerPort: 8080

apps/studio/README.md

@@ -0,0 +1,4 @@
+# devbox
+Terminus App development management tools
+
+https://github.com/beclab/devbox

apps/studio/config/user/helm-charts/studio/Chart.yaml

@@ -0,0 +1,26 @@
+apiVersion: v2
+name: studio
+description: A Terminus app development tool
+maintainers:
+- name: bytetrade
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.3
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "4.9.1"

apps/studio/config/user/helm-charts/studio/templates/deployment.yaml

@@ -0,0 +1,549 @@
+{{- $namespace := printf "%s%s" "user-system-" .Values.bfl.username -}}
+{{- $studio_secret := (lookup "v1" "Secret" $namespace "studio-secrets") -}}
+
+{{- $pg_password := "" -}}
+{{ if $studio_secret -}}
+{{ $pg_password = (index $studio_secret "data" "pg_password") }}
+{{ else -}}
+{{ $pg_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: studio-secrets
+  namespace: user-system-{{ .Values.bfl.username }}
+type: Opaque
+data:
+  pg_password: {{ $pg_password }}
+
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: studio-pg
+  namespace: user-system-{{ .Values.bfl.username }}
+spec:
+  app: studio
+  appNamespace: {{ .Release.Namespace }}
+  middleware: postgres
+  postgreSQL:
+    user: studio_{{ .Values.bfl.username }}
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: pg_password
+          name: studio-secrets
+    databases:
+      - name: studio
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: studio-server
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    app: studio-server
+  ports:
+    - protocol: TCP
+      port: 8080
+      targetPort: 8088
+      name: http
+    - protocol: TCP
+      port: 8083
+      targetPort: 8083
+      name: https
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: chartmuseum-studio
+  namespace: {{ .Release.Namespace }}
+spec:
+  ports:
+    - name: http
+      protocol: TCP
+      port: 8080
+      targetPort: 8888
+  selector:
+    app: studio-server
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: studio-san-cnf
+  namespace: {{ .Release.Namespace }}
+data:
+  san.cnf: |
+    [req]
+    distinguished_name = req_distinguished_name
+    req_extensions = v3_req
+    prompt = no
+
+    [req_distinguished_name]
+    countryName = CN
+    stateOrProvinceName = Beijing
+    localityName = Beijing
+    0.organizationName = bytetrade
+    commonName = studio-server.{{ .Release.Namespace }}.svc
+
+    [v3_req]
+    basicConstraints = CA:FALSE
+    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+    subjectAltName = @bytetrade
+
+    [bytetrade]
+    DNS.1 = studio-server.{{ .Release.Namespace }}.svc
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: studio-server
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: studio-server
+    applications.app.bytetrade.io/author: bytetrade.io
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: studio-server
+  template:
+    metadata:
+      labels:
+        app: studio-server
+    spec:
+      serviceAccountName: bytetrade-controller
+      volumes:
+        - name: chart
+          hostPath:
+            type: DirectoryOrCreate
+            path: {{ .Values.userspace.appData}}/studio/Chart
+        - name: data
+          hostPath:
+            type: DirectoryOrCreate
+            path: {{ .Values.userspace.appData }}/studio/Data
+        - name: storage-volume
+          hostPath:
+            path: {{ .Values.userspace.appData }}/studio/helm-repo-dev
+            type: DirectoryOrCreate
+        - name: config-san
+          configMap:
+            name: studio-san-cnf
+            items:
+              - key: san.cnf
+                path: san.cnf
+        - name: sidecar-configs-studio
+          configMap:
+            name: sidecar-configs-studio
+            items:
+              - key: envoy.yaml
+                path: envoy.yaml
+        - name: certs
+          emptyDir: {}
+      initContainers:
+        - name: init-chmod-data
+          image: busybox:1.28
+          imagePullPolicy: IfNotPresent
+          command:
+            - sh
+            - '-c'
+            - |
+              chown -R 1000:1000 /home/coder
+              chown -R 65532:65532 /charts
+              chown -R 65532:65532 /data
+          securityContext:
+            runAsUser: 0
+          resources: { }
+          volumeMounts:
+            - name: storage-volume
+              mountPath: /home/coder
+            - name: chart
+              mountPath: /charts
+            - name: data
+              mountPath: /data
+        - name: terminus-sidecar-init
+          image: aboveos/openservicemesh-init:v1.2.3
+          imagePullPolicy: IfNotPresent
+          command:
+            - /bin/sh
+            - -c
+            - |
+              iptables-restore --noflush <<EOF
+              # sidecar interception rules
+              *nat
+              :PROXY_IN_REDIRECT - [0:0]
+              :PROXY_INBOUND - [0:0]
+              :PROXY_OUTBOUND - [0:0]
+              :PROXY_OUT_REDIRECT - [0:0]
+
+              -A PREROUTING -p tcp -j PROXY_INBOUND
+              -A OUTPUT -p tcp -j PROXY_OUTBOUND
+              -A PROXY_INBOUND -p tcp --dport 15000 -j RETURN
+              -A PROXY_INBOUND -p tcp --dport 8083 -j RETURN
+              -A PROXY_INBOUND -p tcp -j PROXY_IN_REDIRECT
+              -A PROXY_IN_REDIRECT -p tcp -j REDIRECT --to-port 15003
+
+
+              -A PROXY_OUTBOUND -p tcp --dport 5432 -j RETURN
+              -A PROXY_OUTBOUND -p tcp --dport 6379 -j RETURN
+              -A PROXY_OUTBOUND -p tcp --dport 27017 -j RETURN
+              -A PROXY_OUTBOUND -p tcp --dport 443 -j RETURN
+
+
+              -A PROXY_OUTBOUND -d ${POD_IP}/32 -j RETURN
+
+              -A PROXY_OUTBOUND -o lo ! -d 127.0.0.1/32 -m owner --uid-owner 1555 -j PROXY_IN_REDIRECT
+              -A PROXY_OUTBOUND -o lo -m owner ! --uid-owner 1555 -j RETURN
+              -A PROXY_OUTBOUND -m owner --uid-owner 1555 -j RETURN
+              -A PROXY_OUTBOUND -d 127.0.0.1/32 -j RETURN
+
+              -A PROXY_OUTBOUND -j PROXY_OUT_REDIRECT
+              -A PROXY_OUT_REDIRECT -p tcp -j REDIRECT --to-port 15001
+
+              COMMIT
+              EOF
+          env:
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: status.podIP
+          securityContext:
+            privileged: true
+            capabilities:
+              add:
+                - NET_ADMIN
+            runAsNonRoot: false
+            runAsUser: 0
+
+        - name: generate-certs
+          image: beclab/openssl:v3
+          imagePullPolicy: IfNotPresent
+          command: [ "/bin/sh", "-c" ]
+          args:
+            - |
+              openssl genrsa -out /etc/certs/ca.key 2048
+              openssl req -new -x509 -days 3650 -key /etc/certs/ca.key -out /etc/certs/ca.crt \
+                -subj "/CN=bytetrade CA/O=bytetrade/C=CN"
+              openssl req -new -newkey rsa:2048 -nodes \
+                -keyout /etc/certs/server.key -out /etc/certs/server.csr \
+                -config /etc/san/san.cnf
+              openssl x509 -req -days 3650 -in /etc/certs/server.csr \
+                -CA /etc/certs/ca.crt -CAkey /etc/certs/ca.key \
+                -CAcreateserial -out /etc/certs/server.crt \
+                -extensions v3_req -extfile /etc/san/san.cnf
+              chown -R 65532 /etc/certs/*
+          volumeMounts:
+            - name: config-san
+              mountPath: /etc/san
+            - name: certs
+              mountPath: /etc/certs
+
+      containers:
+        - name: studio
+          image: beclab/studio-server:v0.1.48
+          imagePullPolicy: IfNotPresent
+          args:
+            - server
+          ports:
+            - name: port
+              containerPort: 8088
+              protocol: TCP
+            - name: ssl-port
+              containerPort: 8083
+              protocol: TCP
+          volumeMounts:
+            - name: chart
+              mountPath: /charts
+            - name: data
+              mountPath: /data
+            - mountPath: /etc/certs
+              name: certs
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - "/studio"
+                  - "clean"
+          env:
+            - name: BASE_DIR
+              value: /charts
+            - name: OS_API_KEY
+              value: {{ .Values.os.studio.appKey }}
+            - name: OS_API_SECRET
+              value: {{ .Values.os.studio.appSecret }}
+            - name: OS_SYSTEM_SERVER
+              value: system-server.user-system-{{ .Values.bfl.username }}
+            - name: NAME_SPACE
+              value: {{ .Release.Namespace }}
+            - name: OWNER
+              value: '{{ .Values.bfl.username }}'
+            - name: DB_HOST
+              value: citus-master-svc.user-system-{{ .Values.bfl.username }}
+            - name: DB_USERNAME
+              value: studio_{{ .Values.bfl.username }}
+            - name: DB_PASSWORD
+              value: "{{ $pg_password | b64dec }}"
+            - name: DB_NAME
+              value: user_space_{{ .Values.bfl.username }}_studio
+            - name: DB_PORT
+              value: "5432"
+          resources:
+            requests:
+              cpu: "50m"
+              memory: 100Mi
+            limits:
+              cpu: "0.5"
+              memory: 1000Mi
+        - name: terminus-envoy-sidecar
+          image: bytetrade/envoy:v1.25.11.1
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsUser: 1555
+          ports:
+            - name: proxy-admin
+              containerPort: 15000
+            - name: proxy-inbound
+              containerPort: 15003
+            - name: proxy-outbound
+              containerPort: 15001
+          resources:
+            requests:
+              cpu: "50m"
+              memory: 100Mi
+            limits:
+              cpu: "0.5"
+              memory: 200Mi
+          volumeMounts:
+            - name: sidecar-configs-studio
+              readOnly: true
+              mountPath: /etc/envoy/envoy.yaml
+              subPath: envoy.yaml
+          command:
+            - /usr/local/bin/envoy
+            - --log-level
+            - debug
+            - -c
+            - /etc/envoy/envoy.yaml
+          env:
+            - name: POD_UID
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.uid
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+            - name: APP_KEY
+              value: {{ .Values.os.appKey }}
+            - name: APP_SECRET
+              value: {{ .Values.os.appSecret }}
+        - name: chartmuseum
+          image: aboveos/helm-chartmuseum:v0.15.0
+          args:
+            - '--port=8888'
+            - '--storage-local-rootdir=/storage'
+          ports:
+            - name: http
+              containerPort: 8888
+              protocol: TCP
+          env:
+            - name: CHART_POST_FORM_FIELD_NAME
+              value: chart
+            - name: DISABLE_API
+              value: 'false'
+            - name: LOG_JSON
+              value: 'true'
+            - name: PROV_POST_FORM_FIELD_NAME
+              value: prov
+            - name: STORAGE
+              value: local
+          resources:
+            requests:
+              cpu: "50m"
+              memory: 100Mi
+            limits:
+              cpu: "0.5"
+              memory: 256Mi
+          volumeMounts:
+            - name: storage-volume
+              mountPath: /storage
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: http
+              scheme: HTTP
+            initialDelaySeconds: 5
+            timeoutSeconds: 1
+            periodSeconds: 10
+            successThreshold: 1
+            failureThreshold: 3
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: http
+              scheme: HTTP
+            initialDelaySeconds: 5
+            timeoutSeconds: 1
+            periodSeconds: 10
+            successThreshold: 1
+            failureThreshold: 3
+
+---
+apiVersion: v1
+data:
+  envoy.yaml: |
+    admin:
+      access_log_path: "/dev/stdout"
+      address:
+        socket_address:
+          address: 0.0.0.0
+          port_value: 15000
+    static_resources:
+      listeners:
+        - name: listener_0
+          address:
+            socket_address:
+              address: 0.0.0.0
+              port_value: 15003
+          listener_filters:
+            - name: envoy.filters.listener.original_dst
+              typed_config:
+                "@type": type.googleapis.com/envoy.extensions.filters.listener.original_dst.v3.OriginalDst
+          filter_chains:
+            - filters:
+                - name: envoy.filters.network.http_connection_manager
+                  typed_config:
+                    "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+                    stat_prefix: desktop_http
+                    upgrade_configs:
+                      - upgrade_type: websocket
+                      - upgrade_type: tailscale-control-protocol
+                    skip_xff_append: false
+                    codec_type: AUTO
+                    route_config:
+                      name: local_route
+                      virtual_hosts:
+                        - name: service
+                          domains: ["*"]
+                          routes:
+                            - match:
+                                prefix: "/"
+                              route:
+                                cluster: original_dst
+                                timeout: 180s
+                    http_protocol_options:
+                      accept_http_10: true
+                    http_filters:
+                      - name: envoy.filters.http.router
+                        typed_config:
+                          "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+        - name: listener_1
+          address:
+            socket_address:
+              address: 0.0.0.0
+              port_value: 15001
+          listener_filters:
+            - name: envoy.filters.listener.original_dst
+              typed_config:
+                "@type": type.googleapis.com/envoy.extensions.filters.listener.original_dst.v3.OriginalDst
+          filter_chains:
+            - filters:
+                - name: envoy.filters.network.http_connection_manager
+                  typed_config:
+                    "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+                    stat_prefix: studio_out_http
+                    skip_xff_append: false
+                    codec_type: AUTO
+                    route_config:
+                      name: local_route
+                      virtual_hosts:
+                        - name: service
+                          domains: ["*"]
+                          routes:
+                            - match:
+                                prefix: "/server/intent/send"
+                              request_headers_to_add:
+                                - header:
+                                    key: X-App-Key
+                                    value: {{ .Values.os.appKey }}
+                              route:
+                                cluster: system-server
+                                prefix_rewrite: /system-server/v2/legacy_api/api.intent/v2/server/intent/send
+                            - match:
+                                prefix: "/"
+                              route:
+                                cluster: original_dst
+                                timeout: 180s
+                              typed_per_filter_config:
+                                envoy.filters.http.lua:
+                                  "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.LuaPerRoute
+                                  disabled: true
+
+                    http_protocol_options:
+                      accept_http_10: true
+                    http_filters:
+                      - name: envoy.filters.http.lua
+                        typed_config:
+                          "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
+                          inline_code:
+                            local sha = require("lib.sha2")
+                            function envoy_on_request(request_handle)
+                            local app_key = os.getenv("APP_KEY")
+                            local app_secret = os.getenv("APP_SECRET")
+                            local current_time = os.time()
+                            local minute_level_time = current_time - (current_time % 60)
+                            local time_string = tostring(minute_level_time)
+                            local s = app_key .. app_secret .. time_string
+                            request_handle:logInfo("originstring:" .. s)
+                            local hash = sha.sha256(s)
+                            request_handle:logInfo("Hello World.")
+                            request_handle:logInfo(hash)
+                            request_handle:headers():add("X-Auth-Signature",hash)
+                            end
+                      - name: envoy.filters.http.router
+                        typed_config:
+                          "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+
+
+      clusters:
+        - name: original_dst
+          connect_timeout: 5000s
+          type: ORIGINAL_DST
+          lb_policy: CLUSTER_PROVIDED
+        - name: system-server
+          connect_timeout: 2s
+          type: LOGICAL_DNS
+          dns_lookup_family: V4_ONLY
+          dns_refresh_rate: 600s
+          lb_policy: ROUND_ROBIN
+          load_assignment:
+            cluster_name: system-server
+            endpoints:
+              - lb_endpoints:
+                  - endpoint:
+                      address:
+                        socket_address:
+                          address: system-server.user-system-{{ .Values.bfl.username }}
+                          port_value: 80
+kind: ConfigMap
+metadata:
+  name: sidecar-configs-studio
+  namespace: {{ .Release.Namespace }}

apps/studio/config/user/helm-charts/studio/values.yaml

@@ -0,0 +1,44 @@
+
+bfl:
+  nodeport: 30883
+  nodeport_ingress_http: 30083
+  nodeport_ingress_https: 30082
+  username: 'test'
+  url: 'test'
+  nodeName: test
+pvc:
+  userspace: test
+userspace:
+  userData: test/Home
+  appData: test/Data
+  appCache: test
+  dbdata: test
+docs:
+  nodeport: 30881
+desktop:
+  nodeport: 30180
+os:
+  portfolio:
+    appKey: '${ks[0]}'
+    appSecret: test
+  vault:
+    appKey: '${ks[0]}'
+    appSecret: test
+  desktop:
+    appKey: '${ks[0]}'
+    appSecret: test
+  message:
+    appKey: '${ks[0]}'
+    appSecret: test
+  rss:
+    appKey: '${ks[0]}'
+    appSecret: test
+  search:
+    appKey: '${ks[0]}'
+    appSecret: test
+  search2:
+    appKey: '${ks[0]}'
+    appSecret: test
+kubesphere:
+  redis_password: ""
+

apps/system-apps/config/cluster/deploy/ks_server_deploy.yaml

@@ -22,7 +22,7 @@ spec:
     spec:
       containers:
       - name: monitoring-server
-        image: beclab/monitoring-server-v1:v0.2.3
+        image: beclab/monitoring-server-v1:v0.2.5
         imagePullPolicy: IfNotPresent
         ports:
         - containerPort: 8000

apps/system-apps/config/user/helm-charts/monitoring/templates/system-frontend.yaml

@@ -109,6 +109,19 @@ spec:
       port: 3010
       targetPort: 3010
 ---
+apiVersion: v1
+kind: Service
+metadata:
+  name: studio-svc
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    app: system-frontend
+  ports:
+    - protocol: TCP
+      port: 8080
+      targetPort: 87
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -121,11 +134,11 @@ metadata:
     applications.app.bytetrade.io/group: 'true'
     applications.app.bytetrade.io/author: bytetrade.io
   annotations:
-    applications.app.bytetrade.io/icon: '{"dashboard":"https://file.bttcdn.com/appstore/dashboard/icon.png","control-hub":"https://file.bttcdn.com/appstore/control-hub/icon.png","profile":"https://file.bttcdn.com/appstore/profile/icon.png","wise":"https://file.bttcdn.com/appstore/rss/icon.png","headscale": "https://file.bttcdn.com/appstore/headscale/icon.png","settings": "https://file.bttcdn.com/appstore/settings/icon.png"}'
-    applications.app.bytetrade.io/title: '{"dashboard": "Dashboard","control-hub":"Control Hub","profile":"Profile","wise":"Wise","headscale":"Headscale","settings":"Settings"}'
-    applications.app.bytetrade.io/version: '{"dashboard": "0.0.1","control-hub":"0.0.1","profile":"0.0.1","wise":"0.0.1","headscale":"0.0.1","settings":"0.0.1"}'
+    applications.app.bytetrade.io/icon: '{"dashboard":"https://file.bttcdn.com/appstore/dashboard/icon.png","control-hub":"https://file.bttcdn.com/appstore/control-hub/icon.png","profile":"https://file.bttcdn.com/appstore/profile/icon.png","wise":"https://file.bttcdn.com/appstore/rss/icon.png","headscale": "https://file.bttcdn.com/appstore/headscale/icon.png","settings": "https://file.bttcdn.com/appstore/settings/icon.png","studio":"https://file.bttcdn.com/appstore/devbox/icon.png"}'
+    applications.app.bytetrade.io/title: '{"dashboard": "Dashboard","control-hub":"Control Hub","profile":"Profile","wise":"Wise","headscale":"Headscale","settings":"Settings","studio":"Studio"}'
+    applications.app.bytetrade.io/version: '{"dashboard": "0.0.1","control-hub":"0.0.1","profile":"0.0.1","wise":"0.0.1","headscale":"0.0.1","settings":"0.0.1","studio":"0.0.1"}'
     applications.app.bytetrade.io/policies: '{"dashboard":{"policies":[{"entranceName":"dashboard","uriRegex":"/js/script.js", "level":"public"},{"entranceName":"dashboard","uriRegex":"/js/api/send", "level":"public"}]}}'
-    applications.app.bytetrade.io/entrances: '{"dashboard":[{"name":"dashboard","host":"dashboard-service","port":80,"title":"Dashboard","windowPushState":true}],"control-hub":[{"name":"control-hub","host":"control-hub-service","port":80,"title":"Control Hub","windowPushState":true}],"profile":[{"name":"profile", "host":"profile-service", "port":80,"title":"Profile","windowPushState":true}],"wise":[{"name":"wise", "host":"wise-svc", "port":80,"title":"Wise","windowPushState":true}],"headscale":[{"name":"headscale", "host":"headscale-svc", "port":80,"title":"Headscale","invisible": true}],"settings":[{"name":"settings", "host":"settings-service", "port":80,"title":"Settings"}]}'
+    applications.app.bytetrade.io/entrances: '{"dashboard":[{"name":"dashboard","host":"dashboard-service","port":80,"title":"Dashboard","windowPushState":true}],"control-hub":[{"name":"control-hub","host":"control-hub-service","port":80,"title":"Control Hub","windowPushState":true}],"profile":[{"name":"profile", "host":"profile-service", "port":80,"title":"Profile","windowPushState":true}],"wise":[{"name":"wise", "host":"wise-svc", "port":80,"title":"Wise","windowPushState":true}],"headscale":[{"name":"headscale", "host":"headscale-svc", "port":80,"title":"Headscale","invisible": true}],"settings":[{"name":"settings", "host":"settings-service", "port":80,"title":"Settings"}],"studio":[{"name":"studio","host":"studio-svc","port":8080,"title":"Studio","openMethod":"window"}]}'
 spec:
   replicas: 1
   selector:
@@ -136,7 +149,13 @@ spec:
       labels:
         app: system-frontend
         io.bytetrade.app: "true"
+      # annotations:
+        # instrumentation.opentelemetry.io/inject-nodejs: "olares-instrumentation"
+        # instrumentation.opentelemetry.io/nodejs-container-names: "settings-server"    
+        # instrumentation.opentelemetry.io/inject-nginx: "olares-instrumentation"
+        # instrumentation.opentelemetry.io/inject-nginx-container-names: "system-frontend"    
     spec:
+      priorityClassName: "system-cluster-critical"
       initContainers:
         - args:
             - -it
@@ -177,7 +196,7 @@ spec:
                   apiVersion: v1
                   fieldPath: status.podIP
         - name: dashboard-init
-          image: beclab/dashboard-frontend-v1:v0.4.4
+          image: beclab/dashboard-frontend-v1:v0.4.9
           imagePullPolicy: IfNotPresent
           command:
             - /bin/sh
@@ -189,7 +208,7 @@ spec:
             - mountPath: /www
               name: www-dir
         - name: control-hub-init
-          image: beclab/admin-console-frontend-v1:v0.4.8
+          image: beclab/admin-console-frontend-v1:v0.5.5
           imagePullPolicy: IfNotPresent
           command:
             - /bin/sh
@@ -201,7 +220,7 @@ spec:
             - mountPath: /www
               name: www-dir
         - name: profile-editor-init
-          image: beclab/profile-editor:v0.2.0
+          image: beclab/profile-editor:v0.2.1
           imagePullPolicy: IfNotPresent
           command:
             - /bin/sh
@@ -213,7 +232,7 @@ spec:
             - mountPath: /www
               name: www-dir
         - name: profile-preview-init
-          image: beclab/profile-preview:v0.2.0
+          image: beclab/profile-preview:v0.2.1
           imagePullPolicy: IfNotPresent
           command:
             - /bin/sh
@@ -225,7 +244,7 @@ spec:
             - mountPath: /www
               name: www-dir
         - name: wise-init
-          image: beclab/wise:v1.2.69
+          image: beclab/wise:v1.3.47
           imagePullPolicy: IfNotPresent
           command:
             - /bin/sh
@@ -237,7 +256,7 @@ spec:
             - mountPath: /www
               name: www-dir
         - name: settings-init
-          image: beclab/settings:v0.2.0
+          image: beclab/settings:v0.2.17
           imagePullPolicy: IfNotPresent
           command:
             - /bin/sh
@@ -248,6 +267,18 @@ spec:
           volumeMounts:
             - mountPath: /www
               name: www-dir
+        - name: studio-init
+          image: beclab/studio:v0.2.9
+          imagePullPolicy: IfNotPresent
+          command:
+            - /bin/sh
+            - -c
+            - |
+              mkdir -p /www/studio
+              cp -r /app/* /www/studio
+          volumeMounts:
+            - mountPath: /www
+              name: www-dir
       containers:
         - name: terminus-envoy-sidecar
           image: bytetrade/envoy:v1.25.11
@@ -298,7 +329,7 @@ spec:
             - name: www-dir
               mountPath: /www
             - name: wise-download-dir
-              mountPath: /data/Home/Downloads
+              mountPath: /data/Home
             - name: system-frontend-nginx-config
               mountPath: /etc/nginx/nginx.conf
               subPath: nginx.conf
@@ -320,6 +351,9 @@ spec:
             - name: system-frontend-nginx-config
               mountPath: /etc/nginx/conf.d/settings.conf
               subPath: settings.conf
+            - name: system-frontend-nginx-config
+              mountPath: /etc/nginx/conf.d/studio.conf
+              subPath: studio.conf
           env:
             - name: POD_UID
               valueFrom:
@@ -338,7 +372,7 @@ spec:
                 fieldRef:
                   fieldPath: status.podIP
         - name: terminus-ws-sidecar
-          image: 'beclab/ws-gateway:v1.0.3'
+          image: 'beclab/ws-gateway:v1.0.5'
           imagePullPolicy: IfNotPresent
           command:
             - /ws-gateway
@@ -351,7 +385,7 @@ spec:
           terminationMessagePath: /dev/termination-log
           terminationMessagePolicy: File
         - name: settings-server
-          image: beclab/settings-server:v0.2.0
+          image: beclab/settings-server:v0.2.17
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 3000
@@ -394,7 +428,7 @@ spec:
             path: {{ .Values.userspace.userData }}
         - name: terminus-sidecar-config
           configMap:
-            name: sidecar-ws-configs
+            name: sidecar-configs
             items:
               - key: envoy.yaml
                 path: envoy.yaml
@@ -403,7 +437,7 @@ spec:
         - name: wise-download-dir
           hostPath:
             type: Directory
-            path: {{ .Values.userspace.userData }}/Downloads
+            path: {{ .Values.userspace.userData }}
         - name: system-frontend-nginx-config
           configMap:
             name: system-frontend-nginx-config
@@ -422,6 +456,8 @@ spec:
                 path: headscale.conf
               - key: settings.conf
                 path: settings.conf
+              - key: studio.conf
+                path: studio.conf
 
 
 ---
@@ -477,6 +513,31 @@ status:
 ---
 apiVersion: sys.bytetrade.io/v1alpha1
 kind: ApplicationPermission
+metadata:
+  name: studio
+  namespace: user-system-{{ .Values.bfl.username }}
+spec:
+  app: studio
+  appid: studio
+  key: {{ .Values.os.studio.appKey }}
+  secret: {{ .Values.os.studio.appSecret }}
+  permissions:
+    - dataType: app
+      group: service.appstore
+      ops:
+        - InstallDevApp
+        - UninstallDevApp
+      version: v1
+    - dataType: legacy_api
+      group: api.intent
+      ops:
+        - POST
+      version: v2
+status:
+  state: active
+---
+apiVersion: sys.bytetrade.io/v1alpha1
+kind: ApplicationPermission
 metadata:
   name: settings
   namespace: user-system-{{ .Values.bfl.username }}
@@ -622,6 +683,11 @@ spec:
           - settings-event
       op: Create
       uri: /api/event/app_installation_event
+    - filters:
+        type:
+          - entrance-state-event
+      op: Create
+      uri: /api/event/entrance_state_event
     - filters:
         type:
           - system-upgrade-event
@@ -748,6 +814,10 @@ data:
         server anayltic2-server.os-system:3010;
     }
 
+    upstream HamiServer {
+        server hami-webui.kube-system:3000;
+    }
+
     server {
       listen 81;
       gzip off;
@@ -766,6 +836,14 @@ data:
         expires 0;
       }
 
+      location /ws {
+        proxy_pass http://127.0.0.1:40010;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+      }
+
       location /bfl {
         add_header 'Access-Control-Allow-Headers' 'x-api-nonce,x-api-ts,x-api-ver,x-api-source';
         proxy_pass http://bfl;
@@ -780,6 +858,18 @@ data:
         proxy_pass http://SettingsServer;
       }
 
+      location /hami/ {
+        proxy_pass http://HamiServer/;
+      }
+
+    
+      location /api/profile/init {
+        proxy_pass http://127.0.0.1:3010;
+        proxy_set_header            Host $host;
+        proxy_set_header            X-real-ip $remote_addr;
+        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
+      }
+
       location /api {
         proxy_pass http://SettingsServer;
       }
@@ -1048,6 +1138,15 @@ data:
         expires 0;
       }
 
+      location /ws {
+        proxy_pass http://rss-svc:40010;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+      }
+
+
         location /knowledge {
           proxy_pass http://KnowledgeServer;
 
@@ -1079,9 +1178,9 @@ data:
             proxy_pass http://ArgoworkflowsSever;
         }
 
-        location ~ ^/download/preview/Downloads/(.*)$
+        location ~ ^/download/preview/(.*)$
         {
-          alias /data/Home/Downloads/$1;
+          alias /data/Home/$1;
         }
 
         location /videos/ {
@@ -1102,6 +1201,44 @@ data:
             proxy_pass http://media-server-service.os-system:9090;
         }
 
+        location /api {
+            proxy_pass http://files-service.os-system:80;
+            # rewrite ^/server(.*)$ $1 break;
+
+            # Add original-request-related headers
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Host $host;
+
+            add_header Accept-Ranges bytes;
+
+            client_body_timeout 600s;
+            client_max_body_size 4000M;
+            proxy_request_buffering off;
+            keepalive_timeout 750s;
+            proxy_read_timeout 600s;
+            proxy_send_timeout 600s;
+        }
+
+        location /upload {
+            proxy_pass http://files-service.os-system:80;
+            # rewrite ^/server(.*)$ $1 break;
+
+            # Add original-request-related headers
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Host $host;
+
+            add_header Accept-Ranges bytes;
+
+            client_body_timeout 600s;
+            client_max_body_size 4000M;
+            proxy_request_buffering off;
+            keepalive_timeout 750s;
+            proxy_read_timeout 600s;
+            proxy_send_timeout 600s;
+        }
+
         # # files
         # # for all routes matching a dot, check for files and return 404 if not found
         # # e.g. /file.js returns a 404 if not found
@@ -1146,10 +1283,6 @@ data:
         server infisical-service:8080;
     }
 
-    upstream NotificationServer {
-        server notifications-server;
-    }
-
     server {
         listen 86;
 
@@ -1173,6 +1306,15 @@ data:
             expires 0;
         }
 
+        location /ws {
+          proxy_pass http://127.0.0.1:40010;
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection "upgrade";
+          proxy_set_header Host $host;
+        }
+
+
         location /kapis {
             proxy_pass http://SettingsServer_Monitoring;
             # rewrite ^/server(.*)$ $1 break;
@@ -1236,11 +1378,193 @@ data:
             proxy_set_header X-Forwarded-Host $host;
         }
 
-        location /notification {
-            proxy_pass http://NotificationServer;
-        }
-
         location ~.*\.(js|css|png|jpg|svg|woff|woff2)$ {
             add_header Cache-Control "public, max-age=2678400";
         }
     }
+  studio.conf: |-
+    upstream SettingsServerStudio {
+        server monitoring-server.os-system;
+    }
+
+    upstream MiddlewareStudio {
+        server middleware-service.os-system;
+    }
+
+    upstream AnalyticsStudio {
+      server anayltic2-server.os-system:3010;
+    }
+
+    server {
+        listen 87;
+        # Gzip Settings
+        gzip off;
+        gzip_disable "msie6";
+        gzip_min_length 1k;
+        gzip_buffers 16 64k;
+        gzip_http_version 1.1;
+        gzip_comp_level 6;
+        gzip_types *;
+        root /www/studio;
+
+        location / {
+          try_files $uri $uri/index.html /index.html;
+          add_header Cache-Control "private,no-cache";
+          add_header Last-Modified "Oct, 03 Jan 2022 13:46:41 GMT";
+          expires 0;
+        }
+
+       location /api/command {
+          proxy_pass http://studio-server:8080;
+          proxy_set_header            Host $http_host;
+          proxy_set_header            X-real-ip $remote_addr;
+          proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection $http_connection;
+          proxy_set_header Accept-Encoding gzip;
+          proxy_read_timeout 180;
+      }
+      location /api/apps {
+          proxy_pass http://studio-server:8080;
+          proxy_set_header            Host $http_host;
+          proxy_set_header            X-real-ip $remote_addr;
+          proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection $http_connection;
+          proxy_set_header Accept-Encoding gzip;
+          proxy_read_timeout 180;
+      }
+      location /api/app-cfg {
+        proxy_pass http://studio-server:8080;
+        proxy_set_header            Host $http_host;
+        proxy_set_header            X-real-ip $remote_addr;
+        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $http_connection;
+        proxy_set_header Accept-Encoding gzip;
+        proxy_read_timeout 180;
+      }
+      location /api/app-state {
+        proxy_pass http://studio-server:8080;
+        proxy_set_header            Host $http_host;
+        proxy_set_header            X-real-ip $remote_addr;
+        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $http_connection;
+        proxy_set_header Accept-Encoding gzip;
+        proxy_read_timeout 180;
+      }
+      location /api/app-status {
+        proxy_pass http://studio-server:8080;
+        proxy_set_header            Host $http_host;
+        proxy_set_header            X-real-ip $remote_addr;
+        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $http_connection;
+        proxy_set_header Accept-Encoding gzip;
+        proxy_read_timeout 180;
+      }
+      location /api/list-my-containers {
+        proxy_pass http://studio-server:8080;
+        proxy_set_header            Host $http_host;
+        proxy_set_header            X-real-ip $remote_addr;
+        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $http_connection;
+        proxy_set_header Accept-Encoding gzip;
+        proxy_read_timeout 180;
+      }
+      location /api/files {
+        proxy_pass http://studio-server:8080;
+        proxy_set_header            Host $http_host;
+        proxy_set_header            X-real-ip $remote_addr;
+        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $http_connection;
+        proxy_set_header Accept-Encoding gzip;
+        proxy_read_timeout 180;
+      }
+
+      location /ws {
+        proxy_pass http://127.0.0.1:40010;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+      }
+
+      location /bfl {
+        add_header 'Access-Control-Allow-Headers' 'x-api-nonce,x-api-ts,x-api-ver,x-api-source';
+        proxy_pass http://bfl;
+        proxy_set_header            Host $host;
+        proxy_set_header            X-real-ip $remote_addr;
+        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
+
+        add_header X-Frame-Options SAMEORIGIN;
+      }
+
+      location /kapis {
+        proxy_pass http://SettingsServerStudio;
+      }
+
+      location /api/profile/init {
+        proxy_pass http://127.0.0.1:3010;
+        proxy_set_header            Host $host;
+        proxy_set_header            X-real-ip $remote_addr;
+        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
+      }
+
+      location /api {
+        proxy_pass http://SettingsServerStudio;
+      }
+
+      location /capi {
+        proxy_pass http://SettingsServerStudio;
+        proxy_set_header            Host $host;
+        proxy_set_header            X-real-ip $remote_addr;
+        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
+      }
+
+      location = /js/api/send {
+        proxy_pass http://AnalyticsStudio;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        rewrite ^/js(.*)$ $1 break;
+      }
+
+      location /analytics_service {
+        proxy_pass http://AnalyticsStudio;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        proxy_set_header Host $host;
+        rewrite ^/analytics_service(.*)$ $1 break;
+      }
+
+      location ~ /(kapis/terminal|api/v1/watch|apis/apps/v1/watch) {
+        proxy_pass http://SettingsServerStudio;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        proxy_set_header Host $host;
+      }
+
+
+      location = /js/script.js {
+        add_header Access-Control-Allow-Origin "*";
+      }
+
+      location ~.*\.(js|css|png|jpg|svg|woff|woff2)$ {
+        add_header Cache-Control "public, max-age=2678400";
+      }
+    }

apps/vault/config/cluster/deploy/vault_server_deploy.yaml

@@ -83,7 +83,7 @@ spec:
             value: os_system_vault
       containers:
       - name: vault-server
-        image: beclab/vault-server:v1.2.69
+        image: beclab/vault-server:v1.3.46
         imagePullPolicy: IfNotPresent
         ports:
         - containerPort: 3000
@@ -114,7 +114,7 @@ spec:
         - name: vault-attach
           mountPath: /padloc/packages/server/attachments
       - name: vault-admin
-        image: beclab/vault-admin:v1.2.69
+        image: beclab/vault-admin:v1.3.46
         imagePullPolicy: IfNotPresent
         ports:
         - containerPort: 3010

apps/vault/config/user/helm-charts/vault/templates/vault_deploy.yaml

@@ -1,3 +1,13 @@
+{{- $namespace := printf "%s%s" "user-system-" .Values.bfl.username -}}
+
+{{- $vault_nats_secret := (lookup "v1" "Secret" $namespace "vault-nats-secrets") -}}
+{{- $vault_nats_password := "" -}}
+{{ if $vault_nats_secret -}}
+{{ $vault_nats_password = (index $vault_nats_secret "data" "vault_nats_password") }}
+{{ else -}}
+{{ $vault_nats_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
 
 
 ---
@@ -36,6 +46,12 @@ spec:
         image: owncloudci/wait-for:latest
         imagePullPolicy: IfNotPresent
         name: check-auth
+      - args:
+        - -it
+        - nats.user-system-{{ .Values.bfl.username }}:4222
+        image: owncloudci/wait-for:latest
+        imagePullPolicy: IfNotPresent
+        name: check-nats
       - name: terminus-sidecar-init
         image: openservicemesh/init:v1.2.3
         imagePullPolicy: IfNotPresent
@@ -72,13 +88,13 @@ spec:
 
       containers:
       - name: vault-frontend
-        image: beclab/vault-frontend:v1.2.69
+        image: beclab/vault-frontend:v1.3.46
         imagePullPolicy: IfNotPresent
         ports:
         - containerPort: 80
       
       - name: notification-server
-        image: beclab/vault-notification:v1.2.69
+        image: beclab/vault-notification:v1.3.46
         imagePullPolicy: IfNotPresent
         ports:
         - containerPort: 3010
@@ -93,6 +109,17 @@ spec:
             value: '{{ .Values.os.vault.appSecret }}'
           - name: OS_APP_KEY
             value: {{ .Values.os.vault.appKey }}
+          - name: NATS_HOST
+            value: nats.user-system-{{ .Values.bfl.username }}
+          - name: NATS_PORT
+            value: '4222'
+          - name: NATS_USERNAME
+            value: user-system-{{ .Values.bfl.username }}-vault
+          - name: NATS_PASSWORD
+            value: {{ $vault_nats_password | b64dec }}
+          - name: NATS_SUBJECT
+            value: terminus.os-system.files-notify
+          
 
       - name: terminus-envoy-sidecar
         image: bytetrade/envoy:v1.25.11
@@ -238,3 +265,38 @@ spec:
     version: v1
 status:
   state: active
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: vault-nats-secrets
+  namespace: user-system-{{ .Values.bfl.username }}
+data:
+  vault_nats_password: {{ $vault_nats_password }}
+type: Opaque
+
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: vault-nat
+  namespace: user-system-{{ .Values.bfl.username }}
+spec:
+  app: vault
+  appNamespace: user-space-{{ .Values.bfl.username }}
+  middleware: nats
+  nats:
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: vault_nats_password
+          name: vault-nats-secrets
+    refs:
+      - appName: files-server
+        appNamespace: os-system
+        subjects:
+          - name: files-notify
+            perm:
+              - pub
+              - sub
+    user: user-system-{{ .Values.bfl.username }}-vault

apps/wizard/config/user/helm-charts/wizard/templates/wizard_deploy.yaml

@@ -61,7 +61,7 @@ spec:
 
       containers:
       - name: wizard
-        image: beclab/wizard:v0.5.11
+        image: beclab/wizard:v0.5.12
         imagePullPolicy: IfNotPresent
         ports:
         - containerPort: 80

build/installer/deploy/device-plugin.yaml

@@ -28,6 +28,8 @@ spec:
     spec:
       runtimeClassName: nvidia # Explicitly request the runtime
       priorityClassName: system-node-critical
+      nodeSelector:
+        gpu.bytetrade.io/cuda-supported: 'true'
       initContainers:
       - name: init-dir
         image: busybox:1.28
@@ -40,7 +42,7 @@ spec:
         - "[ -d /var/run/nvshare/libnvshare.so ] && rm -rf /var/run/nvshare/libnvshare.so || true"
       containers:
       - name: nvshare-lib
-        image: beclab/nvshare:libnvshare-v0.0.2
+        image: beclab/nvshare:libnvshare-v0.0.1
         command:
         - sleep
         - infinity
@@ -50,7 +52,7 @@ spec:
               command:
               - "/bin/sh"
               - "-c"
-              - "test -f /host-var-run-nvshare/libnvshare.so || touch /host-var-run-nvshare/libnvshare.so && mount -v --bind /libnvshare.so /host-var-run-nvshare/libnvshare.so"
+              - "test -f /host-var-run-nvshare/libnvshare.so || ( test -d /host-var-run-nvshare/libnvshare.so && rm -rf /host-var-run-nvshare/libnvshare.so && false ) || touch /host-var-run-nvshare/libnvshare.so && mount -v --bind /libnvshare.so /host-var-run-nvshare/libnvshare.so"
           preStop:
             exec:
               command:

build/installer/deploy/nvidia-device-plugin.yml

@@ -44,6 +44,8 @@ spec:
       # be rescheduled after a failure.
       # See https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/
       priorityClassName: "system-node-critical"
+      nodeSelector:
+        gpu.bytetrade.io/cuda-supported: 'true'
       containers:
       - image: nvcr.io/nvidia/k8s-device-plugin:v0.16.1
         name: nvidia-device-plugin-ctr

build/installer/deploy/scheduler.yaml

@@ -26,8 +26,9 @@ spec:
       labels:
         name: nvshare-scheduler
     spec:
-      runtimeClassName: nvidia # Explicitly request the runtime
       priorityClassName: system-node-critical
+      nodeSelector:
+        gpu.bytetrade.io/cuda-supported: 'true'
       initContainers:
       - name: init-dir
         image: busybox:1.28
@@ -46,6 +47,10 @@ spec:
           allowPrivilegeEscalation: false
           capabilities:
             drop: ["ALL"]
+        command:
+        - sh
+        - -c
+        - "test -f /var/run/nvshare/scheduler.sock && rm -rf /var/run/nvshare/scheduler.sock; pid1 nvshare-scheduler"
         volumeMounts:
           - name: nvshare-socket-directory
             mountPath: /var/run/nvshare

build/installer/install.ps1

@@ -1,6 +1,8 @@
 $currentPath = Get-Location
 $architecture = $env:PROCESSOR_ARCHITECTURE
+$downloadCdnUrlFromEnv = $env:DOWNLOAD_CDN_URL
 $version = "#__VERSION__"
+$downloadUrl = "https://dc3p1870nn3cj.cloudfront.net"
 
 function Test-Wait {
   while ($true) {
@@ -8,42 +10,78 @@ function Test-Wait {
   }
 }
 
+$runAsAdmin = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
+if (-not $runAsAdmin.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
+    Write-Host "`n`nThe installation script needs to be run as an administrator.`n"
+    Write-Host "Please try the following methods:`n"
+    Write-Host "1. Search for 'PowerShell' in the Start menu, right-click it, and select 'Run as administrator'. "
+    Write-Host "   Navigate to the directory where the installation script is located and run the installation script.`n"
+    Write-Host "2. Press Win + R, type 'powershell', and then press Ctrl + Shift + Enter. "
+    Write-Host "   Navigate to the directory where the installation script is located and run the installation script.`n"
+    Write-Host "`nPress Ctrl+C to exit.`n"
+    Test-Wait
+}
+
 $process = Get-Process -Name olares-cli -ErrorAction SilentlyContinue
 if ($process) {
   Write-Host "olares-cli.exe is running, Press Ctrl+C to exit."
   Test-Wait
 }
 
+$distro = wsl --list | Select-String -Pattern "^Ubuntu$"
+if (-not $distro -eq "") {
+  Write-Host "Distro Olares exists, please unregister it first."
+  exit 1
+}
+
 $arch = "amd64"
 if ($architecture -like "ARM") {
   $arch = "arm64"
 }
 
-$CLI_VERSION = "0.1.75"
+if (-Not $downloadCdnUrlFromEnv -eq "") {
+  $downloadUrl = $downloadCdnUrlFromEnv
+}
+
+$CLI_PROGRAM_PATH = "{0}\" -f $currentPath
+if (-Not (Test-Path $CLI_PROGRAM_PATH)) {
+  New-Item -Path $CLI_PROGRAM_PATH -ItemType Directory
+}
+
+$CLI_VERSION = "0.2.27"
 $CLI_FILE = "olares-cli-v{0}_windows_{1}.tar.gz" -f $CLI_VERSION, $arch
-$CLI_URL = "https://dc3p1870nn3cj.cloudfront.net/{0}" -f $CLI_FILE
-$CLI_PATH = "{0}\{1}"  -f $currentPath, $CLI_FILE
-if (-Not (Test-Path $CLI_FILE)) {
+$CLI_URL = "{0}/{1}" -f $downloadUrl, $CLI_FILE
+$CLI_PATH = "{0}{1}" -f $CLI_PROGRAM_PATH, $CLI_FILE
+
+$download = 0
+if (Test-Path $CLI_PATH) {
+  tar -xzf $CLI_PATH -C $CLI_PROGRAM_PATH *> $null
+  if (-Not ($LASTEXITCODE -eq 0)) {
+    Remove-Item -Path $CLI_PATH
+    $download = 1
+  }
+} else {
+  $download = 1
+}
+
+if ($download -eq 1) {
   curl -Uri $CLI_URL -OutFile $CLI_PATH
+  Write-Host "Downloading olares-cli.exe..."
+  if (-Not (Test-Path $CLI_PATH)) {
+    Write-Host "Download olares-cli.exe failed."
+    exit 1
+  }
+  tar -xzf $CLI_PATH -C $CLI_PROGRAM_PATH *> $null
+  $cliPath = "{0}\olares-cli.exe" -f $CLI_PROGRAM_PATH
+  if ( -Not (Test-Path $cliPath)) {
+    Write-Host "olares-cli.exe not found."
+    exit 1
+  }
 }
 
-if (-Not (Test-Path $CLI_PATH)) {
-  Write-Host "Download olares-cli.exe failed."
-  exit 1
-}
-
-tar -xf $CLI_PATH
-$cliPath = "{0}\olares-cli.exe" -f $currentPath
-if ( -Not (Test-Path $cliPath)) {
-  Write-Host "olares-cli.exe not found."
-  exit 1
-}
-
-wsl --unregister Ubuntu *> $null
-
 Start-Sleep -Seconds 3
 Write-Host ("Preparing to start the installation of Olares {0}. Depending on your network conditions, this process may take several minutes." -f $version)
 
-$command = "{0} olares install --version {1}" -f $cliPath, $version
+$command = "{0}\olares-cli.exe olares install --version {1}" -f $CLI_PROGRAM_PATH, $version
 Start-Process cmd -ArgumentList '/k',$command -Wait -Verb RunAs
 

build/installer/install.sh

@@ -20,7 +20,7 @@ fi
 
 if [[ "x${VERSION}" == "x" || "x${VERSION:3}" == "xVERSION__" ]]; then
     echo "error: Olares version is unspecified, please set the VERSION env var and rerun this script."
-    echo "for example: VERSION=1.11.0-20241124 bash $0"
+    echo "for example: VERSION=1.12.0-20241124 bash $0"
     exit 1
 fi
 
@@ -28,16 +28,16 @@ fi
 os_type=$(uname -s)
 os_arch=$(uname -m)
 
-case "$os_arch" in 
-    arm64) ARCH=arm64; ;; 
-    x86_64) ARCH=amd64; ;; 
-    armv7l) ARCH=arm; ;; 
-    aarch64) ARCH=arm64; ;; 
-    ppc64le) ARCH=ppc64le; ;; 
-    s390x) ARCH=s390x; ;; 
+case "$os_arch" in
+    arm64) ARCH=arm64; ;;
+    x86_64) ARCH=amd64; ;;
+    armv7l) ARCH=arm; ;;
+    aarch64) ARCH=arm64; ;;
+    ppc64le) ARCH=ppc64le; ;;
+    s390x) ARCH=s390x; ;;
     *) echo "error: unsupported arch \"$os_arch\"";
     exit 1; ;;
-esac 
+esac
 
 # set shell execute command
 user="$(id -un 2>/dev/null || true)"
@@ -74,13 +74,14 @@ if [ -z ${cdn_url} ]; then
     cdn_url="https://dc3p1870nn3cj.cloudfront.net"
 fi
 
-CLI_VERSION="0.1.75"
+CLI_VERSION="0.2.27"
 CLI_FILE="olares-cli-v${CLI_VERSION}_linux_${ARCH}.tar.gz"
 if [[ x"$os_type" == x"Darwin" ]]; then
     CLI_FILE="olares-cli-v${CLI_VERSION}_darwin_${ARCH}.tar.gz"
 fi
 
 if command_exists olares-cli && [[ "$(olares-cli -v | awk '{print $3}')" == "$CLI_VERSION" ]]; then
+    INSTALL_OLARES_CLI=$(which olares-cli)
     echo "olares-cli already installed and is the expected version"
     echo ""
 else
@@ -136,16 +137,22 @@ else
             echo ""
         else
             echo "building local release ..."
-            $sh_c "olares-cli olares release $PARAMS $CDN"
+            $sh_c "$INSTALL_OLARES_CLI olares release $PARAMS $CDN"
             if [[ $? -ne 0 ]]; then
                 echo "error: failed to build local release"
                 exit 1
             fi
         fi
     else
+        echo "running system prechecks ..."
+        echo ""
+        $sh_c "$INSTALL_OLARES_CLI olares precheck $PARAMS"
+        if [[ $? -ne 0 ]]; then
+            exit 1
+        fi
         echo "downloading installation wizard..."
         echo ""
-        $sh_c "olares-cli olares download wizard $PARAMS $KUBE_PARAM $CDN"
+        $sh_c "$INSTALL_OLARES_CLI olares download wizard $PARAMS $KUBE_PARAM $CDN"
         if [[ $? -ne 0 ]]; then
             echo "error: failed to download installation wizard"
             exit 1
@@ -154,7 +161,7 @@ else
 
     echo "downloading installation packages..."
     echo ""
-    $sh_c "olares-cli olares download component $PARAMS $KUBE_PARAM $CDN"
+    $sh_c "$INSTALL_OLARES_CLI olares download component $PARAMS $KUBE_PARAM $CDN"
     if [[ $? -ne 0 ]]; then
         echo "error: failed to download installation packages"
         exit 1
@@ -166,10 +173,7 @@ else
     if [ x"$REGISTRY_MIRRORS" != x"" ]; then
         extra="--registry-mirrors $REGISTRY_MIRRORS"
     fi
-    if [[ "$JUICEFS" == "1" ]]; then
-        extra="$extra --with-juicefs=true"
-    fi
-    $sh_c "olares-cli olares prepare $PARAMS $KUBE_PARAM $extra"
+    $sh_c "$INSTALL_OLARES_CLI olares prepare $PARAMS $KUBE_PARAM $extra"
     if [[ $? -ne 0 ]]; then
         echo "error: failed to prepare installation environment"
         exit 1
@@ -185,9 +189,39 @@ if [ "$PREINSTALL" == "1" ]; then
     echo "Pre Install mode is specified by the \"PREINSTALL\" env var, skip installing"
     exit 0
 fi
+
+if [[ "$JUICEFS" == "1" ]]; then
+    echo "JuiceFS is enabled"
+    fsflag="--with-juicefs=true"
+    if [[ "$STORAGE" == "" ]]; then
+        echo "installing MinIO ..."
+    else
+        echo "checking storage config ..."
+    fi
+    $sh_c "$INSTALL_OLARES_CLI olares install storage $PARAMS"
+    if [[ $? -ne 0 ]]; then
+      exit 1
+    fi
+fi
+
+if [[ -n "$SWAPPINESS" ]]; then
+    swapflag="$swapflag --swappiness $SWAPPINESS"
+fi
+if [[ "$ENABLE_POD_SWAP" == "1" ]]; then
+    swapflag="$swapflag --enable-pod-swap"
+fi
+if [[ "$ENABLE_ZRAM" == "1" ]]; then
+    swapflag="$swapflag --enable-zram"
+fi
+if [[ -n "$ZRAM_SIZE" ]]; then
+    swapflag="$swapflag --zram-size $ZRAM_SIZE"
+fi
+if [[ -n "$ZRAM_SWAP_PRIORITY" ]]; then
+    swapflag="$swapflag --zram-swap-priority $ZRAM_SWAP_PRIORITY"
+fi
 echo "installing Olares..."
 echo ""
-$sh_c "olares-cli olares install $PARAMS $KUBE_PARAM"
+$sh_c "$INSTALL_OLARES_CLI olares install $PARAMS $KUBE_PARAM $fsflag $swapflag"
 
 if [[ $? -ne 0 ]]; then
     echo "error: failed to install Olares"

build/installer/joincluster.sh

@@ -0,0 +1,261 @@
+#!/usr/bin/env bash
+
+set -o pipefail
+set -e
+
+function command_exists() {
+	  command -v "$@" > /dev/null 2>&1
+}
+
+function read_tty() {
+    echo -n $1
+    read $2 < /dev/tty
+}
+
+function confirm() {
+    if [[ "$QUIET" == "1" ]]; then
+        return 0
+    fi
+    answer=""
+    while :; do
+        read_tty "Do you confirm to continue? (y/n): " answer
+        if [[ "$answer" != "y" && "$answer" != "n" ]]; then
+            echo "Please input the letter y or n"
+            continue
+        fi
+        if [[ "$answer" == "y" ]]; then
+            return 0
+        fi
+        if [[ "$answer" == "n" ]]; then
+            exit 0
+        fi
+    done
+}
+
+function validate_ip() {
+    if [[ ! "$1" ]]; then
+        echo "invalid IP: empty address"
+        return 1
+    elif [[ ! $1 =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+        echo "invalid IP: illegal format"
+        return 1
+    elif [[ $1 =~ ^127 ]]; then
+        echo "invalid IP: loopback address"
+        return 1
+    else
+        return 0
+    fi
+}
+
+MASTER_SSH_OPTIONS=""
+
+function add_master_host_ssh_options() {
+    MASTER_SSH_OPTIONS="$MASTER_SSH_OPTIONS --$1 $2"
+}
+
+function set_master_host_ssh_options() {
+    master_host="$MASTER_HOST"
+    if [[ ! "$master_host" ]]; then
+        read_tty "Enter the master node's IP: " master_host
+    fi
+
+    while :; do
+        if ! validate_ip "$master_host"; then
+            read_tty "Enter the master node's IP: " master_host
+        else
+            break
+        fi
+    done
+
+    add_master_host_ssh_options master-host "$master_host"
+
+    if [[ "$MASTER_NODE_NAME" ]]; then
+        add_master_host_ssh_options master-node-name "$MASTER_NODE_NAME"
+    fi
+
+    if [[ "$MASTER_SSH_USER" ]]; then
+        add_master_host_ssh_options master-ssh-user "$MASTER_SSH_USER"
+    else
+        echo "the environment variable \$MASTER_SSH_USER is not set"
+        echo "the default remote user \"root\" on the master node will be used to authenticate"
+        echo "if this is unexpected, please set it explicitly"
+        confirm
+    fi
+
+    if [[ "$MASTER_SSH_PASSWORD" ]]; then
+        add_master_host_ssh_options master-ssh-password "$MASTER_SSH_PASSWORD"
+    fi
+
+    if [[ "$MASTER_SSH_PRIVATE_KEY_PATH" ]]; then
+        add_master_host_ssh_options master-ssh-private-key-path "$MASTER_SSH_PRIVATE_KEY_PATH"
+    elif [[ ! "$MASTER_SSH_PASSWORD" ]]; then
+        echo "the environment variable \$MASTER_SSH_PRIVATE_KEY_PATH is not set"
+        echo "the default key in the local path /root/.ssh/id_rsa will be used to authenticate to the master"
+        echo "please make sure the key exists and the public key has already been added to the master node"
+        echo "if this is unexpected, please set it explicitly"
+        confirm
+    fi
+
+    if [[ "$MASTER_SSH_PORT" ]]; then
+        add_master_host_ssh_options master-ssh-port "$MASTER_SSH_PORT"
+    fi
+}
+
+function getmasterinfo() {
+    $sh_c "$INSTALL_OLARES_CLI node masterinfo $MASTER_SSH_OPTIONS" | tee /proc/$$/fd/1
+    if [[ $? -ne 0 ]]; then
+        exit 1
+    fi
+    echo "" > /proc/$$/fd/1
+}
+
+# check os type and arch
+os_type=$(uname -s)
+os_arch=$(uname -m)
+
+case "$os_arch" in
+    arm64) ARCH=arm64; ;;
+    x86_64) ARCH=amd64; ;;
+    armv7l) ARCH=arm; ;;
+    aarch64) ARCH=arm64; ;;
+    ppc64le) ARCH=ppc64le; ;;
+    s390x) ARCH=s390x; ;;
+    *) echo "error: unsupported arch \"$os_arch\"";
+    exit 1; ;;
+esac
+
+if [[ "$os_type" != "Linux" ]]; then
+    echo "error: only Linux machine can be added to the cluster"
+    exit 1
+fi
+
+# set shell execute command
+user="$(id -un 2>/dev/null || true)"
+sh_c='sh -c'
+if [ "$user" != 'root' ]; then
+    if ! command_exists sudo; then
+        echo "error: the ability to run as root is needed, but the command \"sudo\" can not be found"
+        exit 1
+    fi
+    sh_c='sudo -E sh -c'
+fi
+
+if ! command_exists tar; then
+    echo "error: the \"tar\" command is needed to unpack installation files, but can not be found"
+    exit 1
+fi
+
+BASE_DIR="$HOME/.olares"
+if [ ! -d $BASE_DIR ]; then
+    mkdir -p $BASE_DIR
+fi
+
+cdn_url=${DOWNLOAD_CDN_URL}
+if [[ -z "${cdn_url}" ]]; then
+    cdn_url="https://dc3p1870nn3cj.cloudfront.net"
+fi
+
+set_master_host_ssh_options
+
+CLI_VERSION="0.2.27"
+CLI_FILE="olares-cli-v${CLI_VERSION}_linux_${ARCH}.tar.gz"
+
+if command_exists olares-cli && [[ "$(olares-cli -v | awk '{print $3}')" == "$CLI_VERSION" ]]; then
+    INSTALL_OLARES_CLI=$(which olares-cli)
+    echo "olares-cli already installed and is the expected version"
+    echo ""
+else
+    if [[ ! -f ${CLI_FILE} ]]; then
+        CLI_URL="${cdn_url}/${CLI_FILE}"
+
+        echo "downloading Olares installer from ${CLI_URL} ..."
+        echo ""
+
+        curl -Lo ${CLI_FILE} ${CLI_URL}
+
+        if [[ $? -ne 0 ]]; then
+            echo "error: failed to download Olares installer"
+            exit 1
+        else
+            echo "Olares installer ${CLI_VERSION} download complete!"
+            echo ""
+        fi
+    fi
+    INSTALL_OLARES_CLI="/usr/local/bin/olares-cli"
+    echo "unpacking Olares installer to $INSTALL_OLARES_CLI..."
+    echo ""
+    tar -zxf ${CLI_FILE} olares-cli && chmod +x olares-cli
+    $sh_c "mv olares-cli $INSTALL_OLARES_CLI"
+
+    if [[ $? -ne 0 ]]; then
+        echo "error: failed to unpack Olares installer"
+        exit 1
+    fi
+fi
+
+echo "getting master info and checking current machine's eligibility to join the cluster"
+echo ""
+master_olares_version="$( getmasterinfo | grep OlaresVersion | awk '{print $2}' )"
+if [[ ! "$master_olares_version" ]]; then
+    echo "failed to fetch the version of Olares installed on master node"
+    exit 1
+fi
+PARAMS="--version $master_olares_version --base-dir $BASE_DIR"
+CDN="--download-cdn-url ${cdn_url}"
+
+if [[ -f $BASE_DIR/.prepared ]]; then
+    echo "file $BASE_DIR/.prepared detected, skip preparing phase"
+    echo ""
+    echo "please make sure the prepared Olares version is the same as the master, or there might be compatibility issues"
+    echo ""
+else
+    echo "running system prechecks ..."
+    echo ""
+    $sh_c "$INSTALL_OLARES_CLI olares precheck $PARAMS"
+    if [[ $? -ne 0 ]]; then
+        exit 1
+    fi
+
+    echo "downloading installation wizard..."
+    echo ""
+    $sh_c "$INSTALL_OLARES_CLI olares download wizard $PARAMS $CDN"
+    if [[ $? -ne 0 ]]; then
+        echo "error: failed to download installation wizard"
+        exit 1
+    fi
+
+    echo "downloading installation packages..."
+    echo ""
+    $sh_c "$INSTALL_OLARES_CLI olares download component $PARAMS $CDN"
+    if [[ $? -ne 0 ]]; then
+        echo "error: failed to download installation packages"
+        exit 1
+    fi
+
+    echo "preparing installation environment..."
+    echo ""
+    # env 'REGISTRY_MIRRORS' is a docker image cache mirrors, separated by commas
+    if [ x"$REGISTRY_MIRRORS" != x"" ]; then
+        extra="--registry-mirrors $REGISTRY_MIRRORS"
+    fi
+    $sh_c "$INSTALL_OLARES_CLI olares prepare $PARAMS $extra"
+    if [[ $? -ne 0 ]]; then
+        echo "error: failed to prepare installation environment"
+        exit 1
+    fi
+fi
+
+if [ -f $BASE_DIR/.installed ]; then
+    echo "file $BASE_DIR/.installed detected, skip installing"
+    echo "if it is left by an unclean uninstallation, please manually remove it and invoke the installer again"
+    exit 0
+fi
+
+echo "installing Kubernetes and joining Olares cluster..."
+echo ""
+$sh_c "$INSTALL_OLARES_CLI node add $PARAMS $MASTER_SSH_OPTIONS"
+
+if [[ $? -ne 0 ]]; then
+    echo "error: failed to install Olares"
+    exit 1
+fi

build/installer/upgrade_cmd.sh

@@ -146,7 +146,7 @@ function get_app_key_secret(){
 
 function get_app_settings(){
     local username=$1
-    local apps=("vault" "desktop" "message" "wise" "search" "appstore" "notification" "dashboard" "settings" "devbox" "profile" "agent" "files")
+    local apps=("vault" "desktop" "message" "wise" "search" "appstore" "notification" "dashboard" "settings" "studio" "profile" "agent" "files")
     for a in ${apps[@]};do
         ks=($(get_app_key_secret "$username" "$a"))
         echo '
@@ -282,6 +282,33 @@ function get_bfl_status(){
     $sh_c "${KUBECTL} get pod  -n user-space-${username} -l 'tier=bfl' -o jsonpath='{.items[*].status.phase}'"
 }
 
+function get_fileserver_status(){
+    $sh_c "${KUBECTL} get pod  -n os-system -l 'app=files' -o jsonpath='{.items[*].status.phase}'"
+}
+
+function get_filefe_status(){
+    local username=$1
+    $sh_c "${KUBECTL} get pod  -n user-space-${username} -l 'app=files' -o jsonpath='{.items[*].status.phase}'"
+}
+
+function check_fileserver(){
+    local status=$(get_fileserver_status)
+    local n=0
+    while [ "x${status}" != "xRunning" ]; do
+        n=$(expr $n + 1)
+        local dotn=$(($n % 10))
+        local dot=$(repeat $dotn '>')
+
+        echo -ne "\rWaiting for file-server starting ${dot}"
+        sleep 0.5
+
+        status=$(get_fileserver_status)
+        echo -ne "\rWaiting for file-server starting          "
+
+    done
+    echo
+}
+
 function check_appservice(){
     local status=$(get_appservice_status)
     local n=0
@@ -300,6 +327,25 @@ function check_appservice(){
     echo
 }
 
+function check_filesfe(){
+    local username=$1
+    local status=$(get_filefe_status ${username})
+    local n=0
+    while [ "x${status}" != "xRunning" ]; do
+        n=$(expr $n + 1)
+        local dotn=$(($n % 10))
+        local dot=$(repeat $dotn '>')
+
+        echo -ne "\rPlease waiting ${dot}"
+        sleep 0.5
+
+        status=$(get_filefe_status ${username})
+        echo -ne "\rPlease waiting          "
+
+    done
+    echo
+}
+
 function check_bfl(){
     local username=$1
     local status=$(get_bfl_status ${username})
@@ -482,7 +528,7 @@ function upgrade_terminus(){
 
     # patch
     ensure_success $sh_c "${KUBECTL} apply -f ${BASE_DIR}/deploy/patch-globalrole-workspace-manager.yaml"
-    ensure_success $sh_c "$KUBECTL apply -f ${BASE_DIR}/deploy/patch-notification-manager.yaml"
+    # ensure_success $sh_c "$KUBECTL apply -f ${BASE_DIR}/deploy/patch-notification-manager.yaml"
 
     # clear apps values.yaml
     cat /dev/null > ${BASE_DIR}/wizard/config/apps/values.yaml
@@ -510,6 +556,13 @@ function upgrade_terminus(){
         for appdir in "${BASE_DIR}/wizard/config/apps"/*/; do
           if [ -d "$appdir" ]; then
             releasename=$(basename "$appdir")
+
+            # ignore wizard
+            # FIXME: unintitialized user's wizard should be upgrade
+            if [ x"${releasename}" == x"wizard" ]; then 
+                continue
+            fi
+
             if [ "$user" != "$admin_user" ];then
                 releasename=${releasename}-${user}
             fi
@@ -519,18 +572,6 @@ function upgrade_terminus(){
 
     done
 
-    echo 'Waiting for Vault ...'
-    check_vault ${admin_user}
-    echo
-
-    echo 'Starting BFL ...'
-    check_bfl ${admin_user}
-    echo
-
-    echo 'Starting Desktop ...'
-    check_desktop ${admin_user}
-    echo
-
     # upgrade app service in the last. keep app service online longer
     local terminus_is_cloud_version=$($sh_c "${KUBECTL} get cm -n os-system backup-config -o jsonpath='{.data.terminus-is-cloud-version}'")
     local backup_cluster_bucket=$($sh_c "${KUBECTL} get cm -n os-system backup-config -o jsonpath='{.data.backup-cluster-bucket}'")
@@ -544,18 +585,27 @@ function upgrade_terminus(){
         --set backup.sync_secret=\"${backup_secret}\""
 
     echo 'Waiting for App-Service ...'
+    sleep 2 # wait for controller reconiling
     check_appservice
     echo
 
-    # upgrade_ksapi ${users[@]}
-    # echo
+    echo 'Waiting for Vault ...'
+    check_vault ${admin_user}
+    echo
+
+    echo 'Starting BFL ...'
+    check_bfl ${admin_user}
+    echo
+
+    echo 'Starting files ...'
+    check_fileserver
+    check_filesfe ${admin_user}
+    echo
+
+    echo 'Starting Desktop ...'
+    check_desktop ${admin_user}
+    echo
 
-    local gpu=$($sh_c "${KUBECTL} get ds -n gpu-system orionx-server -o jsonpath='{.meta.name}'")
-    if [ "x$gpu" != "x" ]; then
-        echo "upgrade"
-        local GPU_DOMAIN=$($sh_c "${KUBECTL} get ds -n gpu-system orionx-server -o jsonpath='{.meta.annotations.gpu-server}'")
-        ensure_success $sh_c "${HELM} upgrade -i gpu ${BASE_DIR}/wizard/config/gpu -n gpu-system --set gpu.server=${GPU_DOMAIN} --reuse-values"
-    fi
 }
 
 

build/installer/version.hint

@@ -1,2 +1,2 @@
 upgrade:
-  minVersion: 1.11.0-0000000
+  minVersion: 1.12.0-0000000

build/installer/wizard/config/account/templates/account.yaml

@@ -7,14 +7,18 @@ metadata:
     iam.kubesphere.io/uninitialized: "true"
     helm.sh/resource-policy: keep
     bytetrade.io/owner-role: platform-admin
-    bytetrade.io/terminus-name: {{.Values.user.terminus_name}}
+    bytetrade.io/terminus-name: "{{.Values.user.terminus_name}}"
     bytetrade.io/launcher-auth-policy: two_factor
     bytetrade.io/launcher-access-level: "1"
+    iam.kubesphere.io/sync-to-lldap: "true"
+    iam.kubesphere.io/synced-to-lldap: "false"
+    iam.kubesphere.io/user-provider: lldap
+    iam.kubesphere.io/globalrole: platform-admin
 {{ if .Values.nat_gateway_ip }}
     bytetrade.io/nat-gateway-ip: {{ .Values.nat_gateway_ip }}
 {{ end }}            
 spec:
-  email: {{.Values.user.email}}
-  password: {{.Values.user.password}}
+  email: "{{.Values.user.email}}"
+  initialPassword: "{{ .Values.user.password }}"
 status:
   state: Active

build/installer/wizard/config/account/templates/sync.yaml

@@ -0,0 +1,18 @@
+apiVersion: iam.kubesphere.io/v1alpha2
+kind: Sync
+metadata:
+  name: lldap
+spec:
+  lldap:
+    name: ldap
+    url: "http://lldap-service.os-system:17170"
+    userBlacklist:
+      - admin
+      - terminus
+    groupWhitelist:
+      - lldap_admin
+      - lldap_regular
+    credentialsSecret:
+      kind: Secret
+      name: lldap-credentials
+      namespace: os-system

build/installer/wizard/config/settings/templates/system-serviceaccount.yaml

@@ -33,6 +33,7 @@ rules:
   resources:
   - users
   - configmaps
+  - secrets
   verbs:
   - get
 
@@ -61,6 +62,7 @@ rules:
   - pods
   - users
   - configmaps
+  - secrets
   verbs:
   - get
   - list

build/installer/wizard/config/settings/templates/workspacerole-binding.yaml

@@ -1,18 +0,0 @@
-
-
-apiVersion: iam.kubesphere.io/v1alpha2
-kind: WorkspaceRoleBinding
-metadata:
-  generation: 1
-  labels:
-    iam.kubesphere.io/user-ref: '{{.Values.user.name}}'
-    kubesphere.io/workspace: system-workspace
-  name: '{{.Values.user.name}}'
-roleRef:
-  apiGroup: iam.kubesphere.io
-  kind: WorkspaceRole
-  name: system-workspace-admin
-subjects:
-- apiGroup: rbac.authorization.k8s.io
-  kind: User
-  name: '{{.Values.user.name}}'

build/manifest/components

@@ -1,4 +1,4 @@
-olaresd-v0.0.50.tar.gz,pkg/components,https://dc3p1870nn3cj.cloudfront.net/olaresd-v0.0.50-linux-amd64.tar.gz,https://dc3p1870nn3cj.cloudfront.net/olaresd-v0.0.50-linux-arm64.tar.gz,olaresd
+olaresd-v1.12.0.tar.gz,pkg/components,https://dc3p1870nn3cj.cloudfront.net/olaresd-v1.12.0-linux-amd64.tar.gz,https://dc3p1870nn3cj.cloudfront.net/olaresd-v1.12.0-linux-arm64.tar.gz,olaresd
 socat-1.7.3.2.tar.gz,pkg/components,https://src.fedoraproject.org/lookaside/pkgs/socat/socat-1.7.3.2.tar.gz/sha512/540658b2a3d1b87673196282e5c62b97681bd0f1d1e4759ff9d72909d11060235ee9e9521a973603c1b00376436a9444248e5fbc0ffac65f8edb9c9bc28e7972/socat-1.7.3.2.tar.gz,https://src.fedoraproject.org/lookaside/pkgs/socat/socat-1.7.3.2.tar.gz/sha512/540658b2a3d1b87673196282e5c62b97681bd0f1d1e4759ff9d72909d11060235ee9e9521a973603c1b00376436a9444248e5fbc0ffac65f8edb9c9bc28e7972/socat-1.7.3.2.tar.gz,socat
 conntrack-tools-1.4.1.tar.gz,pkg/components,https://github.com/fqrouter/conntrack-tools/archive/refs/tags/conntrack-tools-1.4.1.tar.gz,https://github.com/fqrouter/conntrack-tools/archive/refs/tags/conntrack-tools-1.4.1.tar.gz,conntrack-tools
 minio.RELEASE.2023-05-04T21-44-30Z,pkg/components,https://dl.min.io/server/minio/release/linux-amd64/archive/minio.RELEASE.2023-05-04T21-44-30Z,https://dl.min.io/server/minio/release/linux-arm64/archive/minio.RELEASE.2023-05-04T21-44-30Z,minio
@@ -14,8 +14,11 @@ ubuntu2204_cuda-keyring_1.1-1_all.deb,pkg/components,https://developer.download.
 ubuntu2204_cuda-keyring_1.0-1_all.deb,pkg/components,https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2204/x86_64/cuda-keyring_1.0-1_all.deb,https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2204/arm64/cuda-keyring_1.0-1_all.deb,ubuntu-22.04_cuda-keyring_1.0-1
 ubuntu2004_cuda-keyring_1.1-1_all.deb,pkg/components,https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2004/x86_64/cuda-keyring_1.1-1_all.deb,https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2004/arm64/cuda-keyring_1.1-1_all.deb,ubuntu-20.04_cuda-keyring_1.1-1
 ubuntu2004_cuda-keyring_1.0-1_all.deb,pkg/components,https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2004/x86_64/cuda-keyring_1.0-1_all.deb,https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2004/arm64/cuda-keyring_1.0-1_all.deb,ubuntu-20.04_cuda-keyring_1.0-1
+debian12_cuda-keyring_1.1-1_all.deb,pkg/components,https://developer.download.nvidia.com/compute/cuda/repos/debian12/x86_64/cuda-keyring_1.1-1_all.deb,https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2204/arm64/cuda-keyring_1.1-1_all.deb,debian-12_cuda-keyring_1.1-1
+debian11_cuda-keyring_1.1-1_all.deb,pkg/components,https://developer.download.nvidia.com/compute/cuda/repos/debian11/x86_64/cuda-keyring_1.1-1_all.deb,https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2204/arm64/cuda-keyring_1.1-1_all.deb,debian-11_cuda-keyring_1.1-1
 
-gpgkey,pkg/components,https://nvidia.github.io/libnvidia-container/gpgkey,https://nvidia.github.io/libnvidia-container/gpgkey,gpgkey
-ubuntu_22.04_libnvidia-container.list,pkg/components,https://nvidia.github.io/libnvidia-container/ubuntu22.04/libnvidia-container.list,https://nvidia.github.io/libnvidia-container/ubuntu22.04/libnvidia-container.list,ubuntu_22.04_libnvidia-container.list
-ubuntu_20.04_libnvidia-container.list,pkg/components,https://nvidia.github.io/libnvidia-container/ubuntu20.04/libnvidia-container.list,https://nvidia.github.io/libnvidia-container/ubuntu20.04/libnvidia-container.list,ubuntu_20.04_libnvidia-container.list
+libnvidia-gpgkey,pkg/components,https://nvidia.github.io/libnvidia-container/gpgkey,https://nvidia.github.io/libnvidia-container/gpgkey,libnvidia-gpgkey
+libnvidia-container.list,pkg/components,https://nvidia.github.io/libnvidia-container/stable/deb/nvidia-container-toolkit.list,https://nvidia.github.io/libnvidia-container/stable/deb/nvidia-container-toolkit.list,libnvidia-container.list
 
+restic-linux-0.17.3,pkg/components,https://github.com/restic/restic/releases/download/v0.17.3/restic_0.17.3_linux_amd64.bz2,https://github.com/restic/restic/releases/download/v0.17.3/restic_0.17.3_linux_arm64.bz2,restic
+restic-darwin-0.17.3,pkg/components,https://github.com/restic/restic/releases/download/v0.17.3/restic_0.17.3_darwin_amd64.bz2,https://github.com/restic/restic/releases/download/v0.17.3/restic_0.17.3_darwin_arm64.bz2,restic

build/manifest/dependencies.amd64

@@ -1,53 +0,0 @@
-[components] format: url,filename
-https://github.com/beclab/Installer/releases/download/0.1.13/terminus-cli-v0.1.13_linux_amd64.tar.gz,terminus-cli-v0.1.13_linux_amd64.tar.gz
-https://src.fedoraproject.org/lookaside/pkgs/socat/socat-1.7.3.2.tar.gz/sha512/540658b2a3d1b87673196282e5c62b97681bd0f1d1e4759ff9d72909d11060235ee9e9521a973603c1b00376436a9444248e5fbc0ffac65f8edb9c9bc28e7972/socat-1.7.3.2.tar.gz,socat-1.7.3.2.tar.gz
-
-https://github.com/fqrouter/conntrack-tools/archive/refs/tags/conntrack-tools-1.4.1.tar.gz,conntrack-tools-1.4.1.tar.gz
-
-https://dl.min.io/server/minio/release/linux-amd64/archive/minio.RELEASE.2023-05-04T21-44-30Z,minio.RELEASE.2023-05-04T21-44-30Z
-https://github.com/beclab/minio-operator/releases/download/v0.0.1/minio-operator-v0.0.1-linux-amd64.tar.gz,minio-operator-v0.0.1-linux-amd64.tar.gz
-
-https://download.redis.io/releases/redis-5.0.14.tar.gz,redis-5.0.14.tar.gz
-
-https://github.com/beclab/juicefs-ext/releases/download/v11.1.1/juicefs-v11.1.1-linux-amd64.tar.gz,juicefs-v11.1.1-linux-amd64.tar.gz
-
-https://github.com/beclab/velero/releases/download/v1.11.3/velero-v1.11.3-linux-amd64.tar.gz,velero-v1.11.3-linux-amd64.tar.gz
-
-https://launchpad.net/ubuntu/+source/apparmor/4.0.1-0ubuntu1/+build/28428840/+files/apparmor_4.0.1-0ubuntu1_amd64.deb,apparmor_4.0.1-0ubuntu1_amd64.deb
-
-https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2404/x86_64/cuda-keyring_1.1-1_all.deb,ubuntu_24.04_cuda-keyring_1.1-1_all.deb
-https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2404/x86_64/cuda-keyring_1.1-1_all.deb,ubuntu2404_cuda-keyring_1.1-1_all.deb
-
-https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2204/x86_64/cuda-keyring_1.1-1_all.deb,ubuntu_22.04_cuda-keyring_1.1-1_all.deb
-https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2204/x86_64/cuda-keyring_1.0-1_all.deb,ubuntu_22.04_cuda-keyring_1.0-1_all.deb
-https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2204/x86_64/cuda-keyring_1.0-1_all.deb,ubuntu2204_cuda-keyring_1.0-1_all.deb
-
-https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2004/x86_64/cuda-keyring_1.1-1_all.deb,ubuntu_20.04_cuda-keyring_1.1-1_all.deb
-https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2004/x86_64/cuda-keyring_1.0-1_all.deb,ubuntu_20.04_cuda-keyring_1.0-1_all.deb
-https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2004/x86_64/cuda-keyring_1.0-1_all.deb,ubuntu2004_cuda-keyring_1.0-1_all.deb
-https://nvidia.github.io/libnvidia-container/gpgkey,gpgkey
-https://nvidia.github.io/libnvidia-container/ubuntu22.04/libnvidia-container.list,ubuntu_22.04_libnvidia-container.list
-https://nvidia.github.io/libnvidia-container/ubuntu20.04/libnvidia-container.list,ubuntu_20.04_libnvidia-container.list
-
-
-[pkg] format: url,path,filename,special,cpname
-https://github.com/containernetworking/plugins/releases/download/v0.9.1/cni-plugins-linux-amd64-v0.9.1.tgz,cni/v0.9.1,,,
-
-https://github.com/containernetworking/plugins/releases/download/v1.1.1/cni-plugins-linux-amd64-v1.1.1.tgz,cni/v1.1.1,,,
-
-https://github.com/containerd/containerd/releases/download/v1.6.4/containerd-1.6.4-linux-amd64.tar.gz,containerd/1.6.4,,,
-
-https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.24.0/crictl-v1.24.0-linux-amd64.tar.gz,crictl/v1.24.0,,,
-
-https://github.com/coreos/etcd/releases/download/v3.4.13/etcd-v3.4.13-linux-amd64.tar.gz,etcd/v3.4.13,,,
-
-https://get.helm.sh/helm-v3.9.0-linux-amd64.tar.gz,helm/v3.9.0,,helm,helm-v3.9.0
-
-https://github.com/k3s-io/k3s/releases/download/v1.21.5+k3s1/k3s,kube/v1.21.5,,,k3s-v1.21.5
-
-https://storage.googleapis.com/kubernetes-release/release/v1.22.10/bin/linux/amd64/kubeadm,kube/v1.22.10,,kubeadm,kubeadm-v1.22.10
-https://storage.googleapis.com/kubernetes-release/release/v1.22.10/bin/linux/amd64/kubelet,kube/v1.22.10,,kubelet,kubelet-v1.22.10
-https://storage.googleapis.com/kubernetes-release/release/v1.22.10/bin/linux/amd64/kubectl,kube/v1.22.10,,kubectl,kubectl-v1.22.10
-
-https://github.com/opencontainers/runc/releases/download/v1.1.1/runc.amd64,runc/v1.1.1,,,runc-v1.1.1
-https://github.com/opencontainers/runc/releases/download/v1.1.4/runc.amd64,runc/v1.1.4,,,runc-v1.1.4

build/manifest/dependencies.arm64

@@ -1,53 +0,0 @@
-[components] format: url,filename
-https://github.com/beclab/Installer/releases/download/0.1.13/terminus-cli-v0.1.13_linux_amd64.tar.gz,terminus-cli-v0.1.13_linux_amd64.tar.gz
-https://src.fedoraproject.org/lookaside/pkgs/socat/socat-1.7.3.2.tar.gz/sha512/540658b2a3d1b87673196282e5c62b97681bd0f1d1e4759ff9d72909d11060235ee9e9521a973603c1b00376436a9444248e5fbc0ffac65f8edb9c9bc28e7972/socat-1.7.3.2.tar.gz,socat-1.7.3.2.tar.gz
-
-https://github.com/fqrouter/conntrack-tools/archive/refs/tags/conntrack-tools-1.4.1.tar.gz,conntrack-tools-1.4.1.tar.gz
-
-https://dl.min.io/server/minio/release/linux-arm64/archive/minio.RELEASE.2023-05-04T21-44-30Z,
-https://github.com/beclab/minio-operator/releases/download/v0.0.1/minio-operator-v0.0.1-linux-arm64.tar.gz,minio-operator-v0.0.1-linux-arm64.tar.gz
-
-https://download.redis.io/releases/redis-5.0.14.tar.gz,redis-5.0.14.tar.gz
-
-https://github.com/beclab/juicefs-ext/releases/download/v11.1.1/juicefs-v11.1.1-linux-arm64.tar.gz,juicefs-v11.1.1-linux-arm64.tar.gz
-
-https://github.com/beclab/velero/releases/download/v1.11.3/velero-v1.11.3-linux-arm64.tar.gz,velero-v1.11.3-linux-arm64.tar.gz
-
-https://launchpad.net/ubuntu/+source/apparmor/4.0.1-0ubuntu1/+build/28428841/+files/apparmor_4.0.1-0ubuntu1_arm64.deb,apparmor_4.0.1-0ubuntu1_arm64.deb
-
-https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2404/arm64/cuda-keyring_1.1-1_all.deb,ubuntu_24.04_cuda-keyring_1.1-1_all.deb
-https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2404/arm64/cuda-keyring_1.1-1_all.deb,ubuntu2404_cuda-keyring_1.1-1_all.deb
-
-https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2204/arm64/cuda-keyring_1.1-1_all.deb,ubuntu_22.04_cuda-keyring_1.1-1_all.deb
-https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2204/arm64/cuda-keyring_1.0-1_all.deb,ubuntu_22.04_cuda-keyring_1.0-1_all.deb
-https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2204/arm64/cuda-keyring_1.0-1_all.deb,ubuntu2204_cuda-keyring_1.0-1_all.deb
-
-https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2004/arm64/cuda-keyring_1.1-1_all.deb,ubuntu_20.04_cuda-keyring_1.1-1_all.deb
-https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2004/arm64/cuda-keyring_1.0-1_all.deb,ubuntu_20.04_cuda-keyring_1.0-1_all.deb
-https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2004/arm64/cuda-keyring_1.0-1_all.deb,ubuntu2004_cuda-keyring_1.0-1_all.deb
-
-https://nvidia.github.io/libnvidia-container/gpgkey,gpgkey
-https://nvidia.github.io/libnvidia-container/ubuntu22.04/libnvidia-container.list,ubuntu_22.04_libnvidia-container.list
-https://nvidia.github.io/libnvidia-container/ubuntu20.04/libnvidia-container.list,ubuntu_20.04_libnvidia-container.list
-
-
-[pkg] format: url,path,filename,special,cpname
-https://github.com/containernetworking/plugins/releases/download/v0.9.1/cni-plugins-linux-arm64-v0.9.1.tgz,cni/v0.9.1,,
-https://github.com/containernetworking/plugins/releases/download/v1.1.1/cni-plugins-linux-arm64-v1.1.1.tgz,cni/v1.1.1,,
-
-https://github.com/containerd/containerd/releases/download/v1.6.4/containerd-1.6.4-linux-arm64.tar.gz,containerd/1.6.4,,
-
-https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.24.0/crictl-v1.24.0-linux-arm64.tar.gz,crictl/v1.24.0,,
-
-https://github.com/coreos/etcd/releases/download/v3.4.13/etcd-v3.4.13-linux-arm64.tar.gz,etcd/v3.4.13,,
-
-https://get.helm.sh/helm-v3.9.0-linux-arm64.tar.gz,helm/v3.9.0,,helm,helm-v3.9.0
-
-https://github.com/k3s-io/k3s/releases/download/v1.21.5+k3s1/k3s-arm64,kube/v1.21.5,,,k3s-v1.21.5
-
-https://storage.googleapis.com/kubernetes-release/release/v1.22.10/bin/linux/arm64/kubeadm,kube/v1.22.10,,kubeadm,kubeadm-v1.22.10
-https://storage.googleapis.com/kubernetes-release/release/v1.22.10/bin/linux/arm64/kubelet,kube/v1.22.10,,kubelet,kubelet-v1.22.10
-https://storage.googleapis.com/kubernetes-release/release/v1.22.10/bin/linux/arm64/kubectl,kube/v1.22.10,,kubectl,kubectl-v1.22.10
-
-https://github.com/opencontainers/runc/releases/download/v1.1.1/runc.arm64,runc/v1.1.1,,,runc-v1.1.1
-https://github.com/opencontainers/runc/releases/download/v1.1.4/runc.arm64,runc/v1.1.4,,,runc-v1.1.4

build/manifest/images

@@ -1,50 +1,23 @@
-beclab/ks-apiserver:v3.3.0-ext-3
-beclab/kube-state-metrics:v2.3.0-ext
-beclab/notification-manager-ext:v0.1.1-ext
-beclab/notification-manager-operator-ext:v0.1.0-ext
-beclab/notification-tenant-sidecar:v0.1.0
-calico/cni:v3.23.2
-calico/cni:v3.27.3
-calico/kube-controllers:v3.23.2
-calico/kube-controllers:v3.27.3
-calico/node:v3.23.2
-calico/node:v3.27.3
-calico/pod2daemon-flexvol:v3.23.2
+beclab/ks-apiserver:0.0.8
+beclab/ks-controller-manager:0.0.8
+beclab/kube-state-metrics:v2.3.0-ext.1
+calico/cni:v3.29.2
+calico/kube-controllers:v3.29.2
+calico/node:v3.29.2
 beclab/citus:12.2
-csiplugin/snapshot-controller:v4.0.0
-beclab/ks-installer-ext:v0.1.9-ext
-kubesphere/k8s-dns-node-cache:1.15.12
-kubesphere/ks-console:v3.3.0
-kubesphere/ks-controller-manager:v3.3.0
-kubesphere/kube-apiserver:v1.22.10
-kubesphere/kube-apiserver:v1.21.4
-kubesphere/kube-controller-manager:v1.22.10
-kubesphere/kube-controller-manager:v1.21.4
 kubesphere/kubectl:v1.22.0
-kubesphere/kube-proxy:v1.22.10
-kubesphere/kube-proxy:v1.21.4
-kubesphere/kube-rbac-proxy:v0.12.0
-kubesphere/kube-rbac-proxy:v0.8.0
-kubesphere/kube-scheduler:v1.22.10
-kubesphere/kube-scheduler:v1.21.4
-kubesphere/pause:3.5
-kubesphere/pause:3.4.1
-k8s.gcr.io/pause:3.5
-k8s.gcr.io/pause:3.6
-k8s.gcr.io/kube-scheduler:v1.22.10
-k8s.gcr.io/kube-proxy:v1.22.10
-k8s.gcr.io/kube-controller-manager:v1.22.10
-k8s.gcr.io/kube-apiserver:v1.22.10
-k8s.gcr.io/etcd:3.5.0-0
-k8s.gcr.io/coredns/coredns:v1.8.4
-registry.k8s.io/pause:3.5
+bitnami/kube-rbac-proxy:0.19.0
+registry.k8s.io/kube-apiserver:v1.32.2
+registry.k8s.io/kube-scheduler:v1.32.2
+registry.k8s.io/kube-proxy:v1.32.2
+registry.k8s.io/kube-controller-manager:v1.32.2
+registry.k8s.io/coredns/coredns:v1.11.3
+registry.k8s.io/pause:3.10
 kubesphere/prometheus-config-reloader:v0.55.1
 kubesphere/prometheus-operator:v0.55.1
-mirrorgooglecontainers/defaultbackend-amd64:1.4
 openebs/linux-utils:3.3.0
 openebs/provisioner-localpv:3.3.0
 beclab/percona-server-mongodb-operator:1.15.2
-prom/alertmanager:v0.23.0
 prom/node-exporter:v1.3.1
 prom/prometheus:v2.34.0
 quay.io/argoproj/argocli:v3.5.0
@@ -53,19 +26,19 @@ quay.io/argoproj/workflow-controller:v3.5.0
 redis:5.0.14-alpine
 beclab/velero:v1.11.3
 beclab/velero-plugin-for-terminus:v1.0.2
-beclab/l4-bfl-proxy:v0.2.7
+beclab/l4-bfl-proxy:v0.3.0
 gcr.io/k8s-minikube/storage-provisioner:v5
 owncloudci/wait-for:latest
 beclab/recommend-argotask:v0.0.12
-nvcr.io/nvidia/k8s-device-plugin:v0.16.1
-beclab/nvshare:libnvshare-v0.0.2
-bytetrade/nvshare:nvshare-device-plugin
 bytetrade/nvshare:nvshare-scheduler
 beclab/nats-server-config-reloader:v1
-beclab/cloudflared:v0.1.0
-rancher/mirrored-library-busybox:1.34.1
-rancher/mirrored-library-traefik:2.6.2
-rancher/mirrored-metrics-server:v0.5.2
-rancher/mirrored-pause:3.6
-beclab/reverse-proxy:v0.1.4
-beclab/upgrade-job:0.1.5
+beclab/reverse-proxy:v0.1.8
+beclab/upgrade-job:0.1.7
+bytetrade/envoy:v1.25.11.1
+liangjw/kube-webhook-certgen:v1.1.1
+beclab/hami:v2.5.1
+alpine:3.14
+mirrorgooglecontainers/defaultbackend-amd64:1.4
+projecthami/hami-webui-fe-oss:v1.0.5
+projecthami/hami-webui-be-oss:v1.0.5
+nvidia/dcgm-exporter:4.1.1-4.0.4-ubuntu22.04

build/manifest/images.node.mf

@@ -1,7 +1,8 @@
-kubesphere/pause:3.5
-calico/cni:v3.23.2
-calico/node:v3.23.2
-kubesphere/kube-rbac-proxy:v0.11.0
+registry.k8s.io/pause:3.10
+calico/cni:v3.29.2
+calico/kube-controllers:v3.29.2
+calico/node:v3.29.2
+bitnami/kube-rbac-proxy:0.19.0
 prom/node-exporter:v1.3.1
 beclab/image-service:0.2.12
 beclab/osnode-init:v0.0.10

build/manifest/pkgs

@@ -1,12 +1,10 @@
-cni-plugins-v0.9.1.tgz,pkg/cni/v0.9.1,https://github.com/containernetworking/plugins/releases/download/v0.9.1/cni-plugins-linux-amd64-v0.9.1.tgz,https://github.com/containernetworking/plugins/releases/download/v0.9.1/cni-plugins-linux-arm64-v0.9.1.tgz,cni-plugins-k3s
-cni-plugins-v1.1.1.tgz,pkg/cni/v1.1.1,https://github.com/containernetworking/plugins/releases/download/v1.1.1/cni-plugins-linux-amd64-v1.1.1.tgz,https://github.com/containernetworking/plugins/releases/download/v1.1.1/cni-plugins-linux-arm64-v1.1.1.tgz,cni-plugins-k8s
+cni-plugins-v1.6.2.tgz,pkg/cni/v1.6.2,https://github.com/containernetworking/plugins/releases/download/v1.6.2/cni-plugins-linux-amd64-v1.6.2.tgz,https://github.com/containernetworking/plugins/releases/download/v1.6.2/cni-plugins-linux-arm-v1.6.2.tgz,cni-plugins
 containerd-1.6.4.tar.gz,pkg/containerd/1.6.4,https://github.com/containerd/containerd/releases/download/v1.6.4/containerd-1.6.4-linux-amd64.tar.gz,https://github.com/containerd/containerd/releases/download/v1.6.4/containerd-1.6.4-linux-arm64.tar.gz,containerd
-crictl-v1.24.0-linux-amd64.tar.gz,pkg/crictl/v1.24.0,https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.24.0/crictl-v1.24.0-linux-amd64.tar.gz,https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.24.0/crictl-v1.24.0-linux-arm64.tar.gz,crictl
-etcd-v3.4.13.tar.gz,pkg/etcd/v3.4.13,https://github.com/coreos/etcd/releases/download/v3.4.13/etcd-v3.4.13-linux-amd64.tar.gz,https://github.com/coreos/etcd/releases/download/v3.4.13/etcd-v3.4.13-linux-arm64.tar.gz,etcd
-helm-v3.9.0.tar.gz,pkg/helm/v3.9.0,https://get.helm.sh/helm-v3.9.0-linux-amd64.tar.gz,https://get.helm.sh/helm-v3.9.0-linux-arm64.tar.gz,helm
-k3s,pkg/kube/v1.21.5,https://github.com/k3s-io/k3s/releases/download/v1.21.5+k3s1/k3s,https://github.com/k3s-io/k3s/releases/download/v1.21.5+k3s1/k3s-arm64,k3s
-kubeadm,pkg/kube/v1.22.10,https://storage.googleapis.com/kubernetes-release/release/v1.22.10/bin/linux/amd64/kubeadm,https://storage.googleapis.com/kubernetes-release/release/v1.22.10/bin/linux/arm64/kubeadm,kubeadm
-kubelet,pkg/kube/v1.22.10,https://storage.googleapis.com/kubernetes-release/release/v1.22.10/bin/linux/amd64/kubelet,https://storage.googleapis.com/kubernetes-release/release/v1.22.10/bin/linux/arm64/kubelet,kubelet
-kubectl,pkg/kube/v1.22.10,https://storage.googleapis.com/kubernetes-release/release/v1.22.10/bin/linux/amd64/kubectl,https://storage.googleapis.com/kubernetes-release/release/v1.22.10/bin/linux/arm64/kubectl,kubectl
-runc,pkg/runc/v1.1.1,https://github.com/opencontainers/runc/releases/download/v1.1.1/runc.amd64,https://github.com/opencontainers/runc/releases/download/v1.1.1/runc.arm64,runc-k3s
-runc,pkg/runc/v1.1.4,https://github.com/opencontainers/runc/releases/download/v1.1.4/runc.amd64,https://github.com/opencontainers/runc/releases/download/v1.1.4/runc.arm64,runc-k8s
+crictl-v1.32.0.tar.gz,pkg/crictl/v1.32.0,https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.32.0/crictl-v1.32.0-linux-amd64.tar.gz,https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.32.0/crictl-v1.32.0-linux-arm64.tar.gz,crictl
+etcd-v3.5.18.tar.gz,pkg/etcd/v3.5.18,https://github.com/coreos/etcd/releases/download/v3.5.18/etcd-v3.5.18-linux-amd64.tar.gz,https://github.com/coreos/etcd/releases/download/v3.5.18/etcd-v3.5.18-linux-arm64.tar.gz,etcd
+helm-v3.9.0.tar.gz,pkg/helm/v3.9.0,https://get.helm.sh/helm-v3.17.1-linux-amd64.tar.gz,https://get.helm.sh/helm-v3.17.1-linux-arm.tar.gz,helm
+k3s-v1.32.2,pkg/kube/v1.32.2,https://github.com/k3s-io/k3s/releases/download/v1.32.2+k3s1/k3s,https://github.com/k3s-io/k3s/releases/download/v1.32.2+k3s1/k3s-arm64,k3s
+kubeadm-v1.32.2,pkg/kube/v1.32.2,https://dl.k8s.io/release/v1.32.2/bin/linux/amd64/kubeadm,https://dl.k8s.io/release/v1.32.2/bin/linux/arm64/kubeadm,kubeadm
+kubelet-v1.32.2,pkg/kube/v1.32.2,https://dl.k8s.io/release/v1.32.2/bin/linux/amd64/kubelet,https://dl.k8s.io/release/v1.32.2/bin/linux/arm64/kubelet,kubelet
+kubectl-v1.32.2,pkg/kube/v1.32.2,https://dl.k8s.io/release/v1.32.2/bin/linux/amd64/kubectl,https://dl.k8s.io/release/v1.32.2/bin/linux/arm64/kubectl,kubectl
+runc-v1.2.5,pkg/runc/v1.2.5,https://github.com/opencontainers/runc/releases/download/v1.2.5/runc.amd64,https://github.com/opencontainers/runc/releases/download/v1.2.5/runc.arm64,runc

frameworks/GPU/config/gpu/hami/Chart.yaml

@@ -0,0 +1,16 @@
+apiVersion: v2
+name: hami
+version: 2.5.0
+kubeVersion: ">= 1.16.0"
+description: Heterogeneous AI Computing Virtualization Middleware
+keywords:
+  - vgpu
+  - gpu
+type: application
+maintainers:
+  - name: limengxuan
+    email: limengxuan@4paradigm.com
+  - name: zhangxiao
+    email: xiaozhang0210@hotmail.com
+appVersion: "2.5.0"
+

frameworks/GPU/config/gpu/hami/templates/NOTES.txt

@@ -0,0 +1,3 @@
+** Please be patient while the chart is being deployed **
+Resource name: {{ .Values.resourceName }}
+

frameworks/GPU/config/gpu/hami/templates/_helpers.tpl

@@ -0,0 +1,272 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "hami-vgpu.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "hami-vgpu.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+The app name for Scheduler
+*/}}
+{{- define "hami-vgpu.scheduler" -}}
+{{- printf "%s-scheduler" ( include "hami-vgpu.fullname" . ) | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+The app name for DevicePlugin
+*/}}
+{{- define "hami-vgpu.device-plugin" -}}
+{{- printf "%s-device-plugin" ( include "hami-vgpu.fullname" . ) | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+The tls secret name for Scheduler
+*/}}
+{{- define "hami-vgpu.scheduler.tls" -}}
+{{- printf "%s-scheduler-tls" ( include "hami-vgpu.fullname" . ) | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+The webhook name
+*/}}
+{{- define "hami-vgpu.scheduler.webhook" -}}
+{{- printf "%s-webhook" ( include "hami-vgpu.fullname" . ) | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "hami-vgpu.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "hami-vgpu.labels" -}}
+helm.sh/chart: {{ include "hami-vgpu.chart" . }}
+{{ include "hami-vgpu.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "hami-vgpu.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "hami-vgpu.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Image registry secret name
+*/}}
+{{- define "hami-vgpu.imagePullSecrets" -}}
+imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 2 }}
+{{- end }}
+
+{{/*
+    Resolve the tag for kubeScheduler.
+*/}}
+{{- define "resolvedKubeSchedulerTag" -}}
+{{- if .Values.scheduler.kubeScheduler.imageTag }}
+{{- .Values.scheduler.kubeScheduler.imageTag | trim -}}
+{{- else }}
+{{- include "strippedKubeVersion" . | trim -}}
+{{- end }}
+{{- end }}
+
+
+{{/*
+    Return the stripped Kubernetes version string by removing extra parts after semantic version number.
+    v1.31.1+k3s1 -> v1.31.1
+    v1.30.8-eks-2d5f260 -> v1.30.8
+    v1.31.1 -> v1.31.1
+*/}}
+{{- define "strippedKubeVersion" -}}
+{{ regexReplaceAll "^(v[0-9]+\\.[0-9]+\\.[0-9]+)(.*)$" .Capabilities.KubeVersion.Version "$1" }}
+{{- end -}}
+
+
+{{- define "dcgm-exporter.name" -}}
+{{- .Values.dcgmExporter.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "dcgm-exporter.fullname" -}}
+{{- if .Values.dcgmExporter.fullnameOverride -}}
+{{- .Values.dcgmExporter.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := .Values.dcgmExporter.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "hami-%s" $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts
+*/}}
+{{- define "dcgm-exporter.namespace" -}}
+  {{- if .Values.dcgmExporter.namespaceOverride -}}
+    {{- .Values.dcgmExporter.namespaceOverride -}}
+  {{- else -}}
+    {{- .Release.Namespace -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "dcgm-exporter.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "dcgm-exporter.labels" -}}
+helm.sh/chart: {{ include "dcgm-exporter.chart" . }}
+{{ include "dcgm-exporter.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "dcgm-exporter.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "dcgm-exporter.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "dcgm-exporter.serviceAccountName" -}}
+{{- if .Values.dcgmExporter.serviceAccount.create -}}
+    {{ default (include "dcgm-exporter.fullname" .) .Values.dcgmExporter.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.dcgmExporter.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+
+{{/*
+Create the name of the tls secret to use
+*/}}
+{{- define "dcgm-exporter.tlsCertsSecretName" -}}
+{{- if .Values.dcgmExporter.tlsServerConfig.existingSecret -}}
+    {{- printf "%s" (tpl .Values.dcgmExporter.tlsServerConfig.existingSecret $) -}}
+{{- else -}}
+    {{ printf "%s-tls" (include "dcgm-exporter.fullname" .) }}
+{{- end -}}
+{{- end -}}
+
+
+{{/*
+Create the name of the web-config configmap name to use
+*/}}
+{{- define "dcgm-exporter.webConfigConfigMap" -}}
+  {{ printf "%s-web-config.yml" (include "dcgm-exporter.fullname" .) }}
+{{- end -}}
+
+{{- define "hami-webui.name" -}}
+{{- .Values.webui.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "hami-webui.fullname" -}}
+{{- if .Values.webui.fullnameOverride }}
+{{- .Values.webui.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := .Values.webui.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "hami-%s" $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts
+*/}}
+{{- define "hami-webui.namespace" -}}
+  {{- if .Values.webui.namespaceOverride -}}
+    {{- .Values.webui.namespaceOverride -}}
+  {{- else -}}
+    {{- .Release.Namespace -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "hami-webui.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "hami-webui.labels" -}}
+helm.sh/chart: {{ include "hami-webui.chart" . }}
+{{ include "hami-webui.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "hami-webui.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "hami-webui.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "hami-webui.serviceAccountName" -}}
+{{- if .Values.webui.serviceAccount.create }}
+{{- default (include "hami-webui.fullname" .) .Values.webui.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.webui.serviceAccount.name }}
+{{- end }}
+{{- end }}

frameworks/GPU/config/gpu/hami/templates/dcgm-exporter/daemonset.yaml

@@ -0,0 +1,168 @@
+# Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ include "dcgm-exporter.fullname" . }}
+  namespace: {{ include "dcgm-exporter.namespace" . }}
+  labels:
+    {{- include "dcgm-exporter.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "dcgm-exporter"
+spec:
+  updateStrategy:
+    type: RollingUpdate
+    {{- with .Values.dcgmExporter.rollingUpdate }}
+    rollingUpdate:
+      maxUnavailable: {{ .maxUnavailable }}
+      maxSurge: {{ .maxSurge }}
+    {{- end }}
+  selector:
+    matchLabels:
+      {{- include "dcgm-exporter.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: "dcgm-exporter"
+  template:
+    metadata:
+      labels:
+        {{- include "dcgm-exporter.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/component: "dcgm-exporter"
+      {{- if .Values.dcgmExporter.podLabels }}
+        {{- toYaml .Values.podLabels | nindent 8 }}
+      {{- end }}
+      {{- if .Values.dcgmExporter.podAnnotations }}
+      annotations:
+        {{- toYaml .Values.dcgmExporter.podAnnotations | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- if .Values.dcgmExporter.runtimeClassName }}
+      runtimeClassName: {{ .Values.dcgmExporter.runtimeClassName }}
+      {{- end }}
+      priorityClassName: {{ .Values.dcgmExporter.priorityClassName | default "system-node-critical" }}
+      serviceAccountName: {{ include "dcgm-exporter.serviceAccountName" . }}
+      {{- if .Values.dcgmExporter.podSecurityContext }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      {{- end }}
+      {{- if .Values.dcgmExporter.affinity }}
+      affinity:
+        {{- toYaml .Values.dcgmExporter.affinity | nindent 8 }}
+      {{- end }}
+      {{- if .Values.dcgmExporter.nodeSelector }}
+      nodeSelector:
+        {{- toYaml .Values.dcgmExporter.nodeSelector | nindent 8 }}
+      {{- end }}
+      {{- with .Values.dcgmExporter.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+      volumes:
+      - name: "pod-gpu-resources"
+        hostPath:
+          path: {{ .Values.dcgmExporter.kubeletPath }}
+      {{- if and .Values.dcgmExporter.tlsServerConfig.enabled }}
+      - name: "tls"
+        secret:
+          secretName: {{ include "dcgm-exporter.tlsCertsSecretName" . }}
+          defaultMode: 0664
+      {{- end }}
+      {{- if or .Values.dcgmExporter.tlsServerConfig.enabled $.Values.dcgmExporter.basicAuth.users}}
+      - name: "web-config-yaml"
+        configMap:
+          name: {{ include "dcgm-exporter.webConfigConfigMap" . }}
+          defaultMode: 0664
+      {{- end }}
+      {{- range .Values.dcgmExporter.extraHostVolumes }}
+      - name: {{ .name | quote }}
+        hostPath:
+          path: {{ .hostPath | quote }}
+      {{- end }}
+      {{- with .Values.dcgmExporter.extraConfigMapVolumes }}
+      {{- toYaml . | nindent 6 }}
+      {{- end }}
+      containers:
+      - name: exporter
+        securityContext:
+          {{- toYaml .Values.dcgmExporter.securityContext | nindent 10 }}
+        {{- if .Values.dcgmExporter.image.tag }}
+        image: "{{ .Values.dcgmExporter.image.repository }}:{{ .Values.dcgmExporter.image.tag }}"
+        {{- else }}
+        image: "{{ .Values.dcgmExporter.image.repository }}:{{ .Chart.AppVersion }}"
+        {{- end }}
+        imagePullPolicy: "{{ .Values.dcgmExporter.image.pullPolicy }}"
+        args:
+        {{- range $.Values.dcgmExporter.arguments }}
+        - {{ . }}
+        {{- end }}
+        env:
+        - name: "DCGM_EXPORTER_KUBERNETES"
+          value: "true"
+        - name: "DCGM_EXPORTER_LISTEN"
+          value: "{{ .Values.dcgmExporter.service.address }}"
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        {{- if or .Values.dcgmExporter.tlsServerConfig.enabled $.Values.dcgmExporter.basicAuth.users}}
+        - name: "DCGM_EXPORTER_WEB_CONFIG_FILE"
+          value: /etc/dcgm-exporter/web-config.yaml
+        {{- end }}
+        {{- if .Values.dcgmExporter.extraEnv }}
+        {{- toYaml .Values.dcgmExporter.extraEnv | nindent 8 }}
+        {{- end }}
+        ports:
+        - name: "metrics"
+          containerPort: {{ .Values.dcgmExporter.service.port }}
+        volumeMounts:
+        - name: "pod-gpu-resources"
+          readOnly: true
+          mountPath: "/var/lib/kubelet/pod-resources"
+        {{- if and .Values.dcgmExporter.tlsServerConfig.enabled }}
+        - name: "tls"
+          mountPath: /etc/dcgm-exporter/tls
+        {{- end }}
+        {{- if or .Values.dcgmExporter.tlsServerConfig.enabled $.Values.dcgmExporter.basicAuth.users}}
+        - name: "web-config-yaml"
+          mountPath: /etc/dcgm-exporter/web-config.yaml
+          subPath: web-config.yaml
+        {{- end }}
+        {{- if .Values.dcgmExporter.extraVolumeMounts }}
+        {{- toYaml .Values.dcgmExporter.extraVolumeMounts | nindent 8 }}
+        {{- end }}
+        livenessProbe:
+          {{- if not $.Values.dcgmExporter.basicAuth.users }}
+          httpGet:
+            path: /health
+            port: {{ .Values.dcgmExporter.service.port }}
+            scheme: {{ ternary "HTTPS" "HTTP" $.Values.dcgmExporter.tlsServerConfig.enabled }}
+          {{- else }}
+          tcpSocket:
+              port: {{ .Values.dcgmExporter.service.port }}
+          {{- end }}
+          initialDelaySeconds: 45
+          periodSeconds: 5
+        readinessProbe:
+          {{- if not $.Values.dcgmExporter.basicAuth.users }}
+          httpGet:
+            path: /health
+            port: {{ .Values.dcgmExporter.service.port }}
+            scheme: {{ ternary "HTTPS" "HTTP" $.Values.dcgmExporter.tlsServerConfig.enabled }}
+          {{- else }}
+          tcpSocket:
+              port: {{ .Values.dcgmExporter.service.port }}
+          {{- end }}
+          initialDelaySeconds: 45
+        {{- if .Values.dcgmExporter.resources }}
+        resources:
+          {{- toYaml .Values.dcgmExporter.resources | nindent 10 }}
+        {{- end }}

frameworks/GPU/config/gpu/hami/templates/dcgm-exporter/metrics-configmap.yaml

@@ -0,0 +1,96 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: exporter-metrics-config-map
+  namespace: {{ include "dcgm-exporter.namespace" . }}
+data:
+{{- if .Values.dcgmExporter.customMetrics }}
+  metrics: |
+{{- .Values.dcgmExporter.customMetrics | nindent 4 }}
+{{- else }}
+  metrics: |
+      # Format
+      # If line starts with a '#' it is considered a comment
+      # DCGM FIELD, Prometheus metric type, help message
+      
+      DCGM_FI_DRIVER_VERSION, label, Driver Version.
+
+      DCGM_FI_DEV_BRAND,  label, Device Brand.
+      
+      DCGM_FI_DEV_SERIAL, label, Device Serial Number.
+
+      # Clocks
+      DCGM_FI_DEV_SM_CLOCK,  gauge, SM clock frequency (in MHz).
+      DCGM_FI_DEV_MEM_CLOCK, gauge, Memory clock frequency (in MHz).
+      
+      # Temperature
+      DCGM_FI_DEV_MEMORY_TEMP, gauge, Memory temperature (in C).
+      DCGM_FI_DEV_GPU_TEMP,    gauge, GPU temperature (in C).
+      
+      # Power
+      DCGM_FI_DEV_POWER_USAGE,              gauge, Power draw (in W).
+      DCGM_FI_DEV_TOTAL_ENERGY_CONSUMPTION, counter, Total energy consumption since boot (in mJ).
+      
+      # PCIE
+      # DCGM_FI_PROF_PCIE_TX_BYTES,  counter, Total number of bytes transmitted through PCIe TX via NVML.
+      # DCGM_FI_PROF_PCIE_RX_BYTES,  counter, Total number of bytes received through PCIe RX via NVML.
+      DCGM_FI_DEV_PCIE_REPLAY_COUNTER, counter, Total number of PCIe retries.
+      
+      # Utilization (the sample period varies depending on the product)
+      DCGM_FI_DEV_GPU_UTIL,      gauge, GPU utilization (in %).
+      DCGM_FI_DEV_MEM_COPY_UTIL, gauge, Memory utilization (in %).
+      DCGM_FI_DEV_ENC_UTIL,      gauge, Encoder utilization (in %).
+      DCGM_FI_DEV_DEC_UTIL ,     gauge, Decoder utilization (in %).
+      
+      # Errors and violations
+      DCGM_FI_DEV_XID_ERRORS,            gauge,   Value of the last XID error encountered.
+      # DCGM_FI_DEV_POWER_VIOLATION,       counter, Throttling duration due to power constraints (in us).
+      # DCGM_FI_DEV_THERMAL_VIOLATION,     counter, Throttling duration due to thermal constraints (in us).
+      # DCGM_FI_DEV_SYNC_BOOST_VIOLATION,  counter, Throttling duration due to sync-boost constraints (in us).
+      # DCGM_FI_DEV_BOARD_LIMIT_VIOLATION, counter, Throttling duration due to board limit constraints (in us).
+      # DCGM_FI_DEV_LOW_UTIL_VIOLATION,    counter, Throttling duration due to low utilization (in us).
+      # DCGM_FI_DEV_RELIABILITY_VIOLATION, counter, Throttling duration due to reliability constraints (in us).
+      
+      # Memory usage
+      DCGM_FI_DEV_FB_FREE, gauge, Framebuffer memory free (in MiB).
+      DCGM_FI_DEV_FB_USED, gauge, Framebuffer memory used (in MiB).
+      
+      # ECC
+      # DCGM_FI_DEV_ECC_SBE_VOL_TOTAL, counter, Total number of single-bit volatile ECC errors.
+      # DCGM_FI_DEV_ECC_DBE_VOL_TOTAL, counter, Total number of double-bit volatile ECC errors.
+      # DCGM_FI_DEV_ECC_SBE_AGG_TOTAL, counter, Total number of single-bit persistent ECC errors.
+      # DCGM_FI_DEV_ECC_DBE_AGG_TOTAL, counter, Total number of double-bit persistent ECC errors.
+      
+      # Retired pages
+      # DCGM_FI_DEV_RETIRED_SBE,     counter, Total number of retired pages due to single-bit errors.
+      # DCGM_FI_DEV_RETIRED_DBE,     counter, Total number of retired pages due to double-bit errors.
+      # DCGM_FI_DEV_RETIRED_PENDING, counter, Total number of pages pending retirement.
+      
+      # NVLink
+      # DCGM_FI_DEV_NVLINK_CRC_FLIT_ERROR_COUNT_TOTAL, counter, Total number of NVLink flow-control CRC errors.
+      # DCGM_FI_DEV_NVLINK_CRC_DATA_ERROR_COUNT_TOTAL, counter, Total number of NVLink data CRC errors.
+      # DCGM_FI_DEV_NVLINK_REPLAY_ERROR_COUNT_TOTAL,   counter, Total number of NVLink retries.
+      # DCGM_FI_DEV_NVLINK_RECOVERY_ERROR_COUNT_TOTAL, counter, Total number of NVLink recovery errors.
+      DCGM_FI_DEV_NVLINK_BANDWIDTH_TOTAL,            counter, Total number of NVLink bandwidth counters for all lanes.
+      # DCGM_FI_DEV_NVLINK_BANDWIDTH_L0,               counter, The number of bytes of active NVLink rx or tx data including both header and payload.
+      
+      # VGPU License status
+      DCGM_FI_DEV_VGPU_LICENSE_STATUS, gauge, vGPU License status
+      
+      # Remapped rows
+      DCGM_FI_DEV_UNCORRECTABLE_REMAPPED_ROWS, counter, Number of remapped rows for uncorrectable errors
+      DCGM_FI_DEV_CORRECTABLE_REMAPPED_ROWS,   counter, Number of remapped rows for correctable errors
+      DCGM_FI_DEV_ROW_REMAP_FAILURE,           gauge,   Whether remapping of rows has failed
+      
+      # DCP metrics
+      DCGM_FI_PROF_GR_ENGINE_ACTIVE,   gauge, Ratio of time the graphics engine is active.
+      # DCGM_FI_PROF_SM_ACTIVE,          gauge, The ratio of cycles an SM has at least 1 warp assigned.
+      # DCGM_FI_PROF_SM_OCCUPANCY,       gauge, The ratio of number of warps resident on an SM.
+      DCGM_FI_PROF_PIPE_TENSOR_ACTIVE, gauge, Ratio of cycles the tensor (HMMA) pipe is active.
+      DCGM_FI_PROF_DRAM_ACTIVE,        gauge, Ratio of cycles the device memory interface is active sending or receiving data.
+      # DCGM_FI_PROF_PIPE_FP64_ACTIVE,   gauge, Ratio of cycles the fp64 pipes are active.
+      # DCGM_FI_PROF_PIPE_FP32_ACTIVE,   gauge, Ratio of cycles the fp32 pipes are active.
+      # DCGM_FI_PROF_PIPE_FP16_ACTIVE,   gauge, Ratio of cycles the fp16 pipes are active.
+      DCGM_FI_PROF_PCIE_TX_BYTES,      counter, The number of bytes of active pcie tx data including both header and payload.
+      DCGM_FI_PROF_PCIE_RX_BYTES,      counter, The number of bytes of active pcie rx data including both header and payload.
+{{- end }}

frameworks/GPU/config/gpu/hami/templates/dcgm-exporter/role.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: dcgm-exporter-read-cm
+  namespace: {{ include "dcgm-exporter.namespace" . }}
+  labels:
+    {{- include "dcgm-exporter.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "dcgm-exporter"
+rules:
+- apiGroups: [""]
+  resources: ["configmaps"]
+  resourceNames: ["exporter-metrics-config-map"]
+  verbs: ["get"]

frameworks/GPU/config/gpu/hami/templates/dcgm-exporter/rolebinding.yaml

@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "dcgm-exporter.fullname" . }}
+  namespace: {{ include "dcgm-exporter.namespace" . }}
+  labels:
+    {{- include "dcgm-exporter.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "dcgm-exporter"
+subjects:
+- kind: ServiceAccount
+  name: {{ include "dcgm-exporter.serviceAccountName" . }}
+  namespace: {{ include "dcgm-exporter.namespace" . }}
+roleRef:
+  kind: Role 
+  name: dcgm-exporter-read-cm
+  apiGroup: rbac.authorization.k8s.io

frameworks/GPU/config/gpu/hami/templates/dcgm-exporter/service-monitor.yaml

@@ -0,0 +1,42 @@
+{{- if .Values.dcgmExporter.serviceMonitor.enabled }}
+# Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: {{ .Values.dcgmExporter.serviceMonitor.apiVersion }}
+kind: ServiceMonitor
+metadata:
+  name: {{ include "dcgm-exporter.fullname" . }}
+  namespace: kubesphere-monitoring-system
+  labels:
+    {{- include "dcgm-exporter.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "dcgm-exporter"
+    {{- if .Values.dcgmExporter.serviceMonitor.additionalLabels }}
+    {{- toYaml .Values.dcgmExporter.serviceMonitor.additionalLabels | nindent 4 }}
+    {{- end }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "dcgm-exporter.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: "dcgm-exporter"
+  namespaceSelector:
+    matchNames:
+    - "{{ include "dcgm-exporter.namespace" . }}"
+  endpoints:
+  - port: "metrics"
+    path: "/metrics"
+    interval: "{{ .Values.dcgmExporter.serviceMonitor.interval }}"
+    honorLabels: {{ .Values.dcgmExporter.serviceMonitor.honorLabels }}
+    relabelings:
+      {{ toYaml .Values.dcgmExporter.serviceMonitor.relabelings | nindent 6 }}
+{{- end -}}

frameworks/GPU/config/gpu/hami/templates/dcgm-exporter/service.yaml

@@ -0,0 +1,40 @@
+{{- if .Values.dcgmExporter.service.enable }}
+# Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "dcgm-exporter.fullname" . }}
+  namespace: {{ include "dcgm-exporter.namespace" . }}
+  labels:
+    {{- include "dcgm-exporter.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "dcgm-exporter"
+  {{- with .Values.dcgmExporter.service.annotations }}
+  annotations:
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  type: {{ .Values.dcgmExporter.service.type }}
+  {{- if .Values.dcgmExporter.service.clusterIP }}
+  clusterIP: {{ .Values.dcgmExporter.service.clusterIP | quote }}
+  {{- end }}
+  ports:
+  - name: "metrics"
+    port: {{ .Values.dcgmExporter.service.port }}
+    targetPort: {{ .Values.dcgmExporter.service.port }}
+    protocol: TCP
+  selector:
+    {{- include "dcgm-exporter.selectorLabels" . | nindent 4 }}
+{{- end }}

frameworks/GPU/config/gpu/hami/templates/dcgm-exporter/serviceaccount.yaml

@@ -0,0 +1,28 @@
+{{- if .Values.dcgmExporter.serviceAccount.create -}}
+# Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "dcgm-exporter.serviceAccountName" . }}
+  namespace: {{ include "dcgm-exporter.namespace" . }}
+  labels:
+    {{- include "dcgm-exporter.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "dcgm-exporter"
+  {{- with .Values.dcgmExporter.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end -}}

frameworks/GPU/config/gpu/hami/templates/dcgm-exporter/tls-secret.yaml

@@ -0,0 +1,43 @@
+# Copyright (c) 2024, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+{{- if and .Values.dcgmExporter.tlsServerConfig.enabled (not .Values.dcgmExporter.tlsServerConfig.existingSecret) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ (include "dcgm-exporter.tlsCertsSecretName" .) }}
+  namespace: {{ include "dcgm-exporter.namespace" . }}
+  labels:
+    app.kubernetes.io/component: "dcgm-exporter"
+    {{- include "dcgm-exporter.labels" . | nindent 4 }}
+type: Opaque
+data:
+  {{- if .Values.dcgmExporter.tlsServerConfig.autoGenerated }}
+  {{- $ca := genCA "dcgm-exporter-ca" 3650 }}
+  {{- $hostname := printf "%s" (include "dcgm-exporter.fullname" .) }}
+  {{- $cert := genSignedCert $hostname nil (list $hostname) 3650 $ca }}
+  {{ .Values.dcgmExporter.tlsServerConfig.certFilename }}: {{ $cert.Cert | b64enc | quote }}
+  {{ .Values.dcgmExporter.tlsServerConfig.keyFilename }}: {{ $cert.Key | b64enc | quote }}
+  {{- if .Values.dcgmExporter.tlsServerConfig.clientAuthType }}
+  {{ .Values.dcgmExporter.tlsServerConfig.caFilename }}: {{ $ca.Cert | b64enc | quote }}
+  {{- end }}
+  {{- else }}
+  {{ .Values.dcgmExporter.tlsServerConfig.certFilename }}: {{ required "'tlsServerConfig.cert' is required when 'tlsServerConfig.enabled=true'" .Values.dcgmExporter.tlsServerConfig.cert | b64enc | quote }}
+  {{ .Values.dcgmExporter.tlsServerConfig.keyFilename }}: {{ required "'tlsServerConfig.key' is required when 'tlsServerConfig.enabled=true'" .Values.dcgmExporter.tlsServerConfig.key | b64enc | quote }}
+  {{- if .Values.dcgmExporter.tlsServerConfig.clientAuthType }}
+  {{ .Values.dcgmExporter.tlsServerConfig.caFilename }}: {{ required "'tlsServerConfig.ca' is required when 'tlsServerConfig.clientAuthType' is provided" .Values.dcgmExporter.tlsServerConfig.ca | b64enc | quote }}
+  {{- end }}
+  {{- end }}
+{{- end }}

frameworks/GPU/config/gpu/hami/templates/dcgm-exporter/web-config-configmap.yaml

@@ -0,0 +1,40 @@
+# Copyright (c) 2024, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if or .Values.dcgmExporter.tlsServerConfig.enabled .Values.dcgmExporter.basicAuth.users }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "dcgm-exporter.webConfigConfigMap" . }}
+  namespace: {{ include "dcgm-exporter.namespace" . }}
+  labels:
+    app.kubernetes.io/component: "dcgm-exporter"
+    {{- include "dcgm-exporter.labels" . | nindent 4 }}
+data:
+  web-config.yaml: |
+{{- if .Values.dcgmExporter.tlsServerConfig.enabled }}
+    tls_server_config:
+       cert_file: {{ required "'tlsServerConfig.certFilename' is required when 'tlsServerConfig.enabled=true'" .Values.dcgmExporter.tlsServerConfig.certFilename | printf "/etc/dcgm-exporter/tls/%s" | quote }}
+       key_file: {{ required "'tlsServerConfig.keyFilename' is required when 'tlsServerConfig.enabled=true'" .Values.dcgmExporter.tlsServerConfig.keyFilename | printf "/etc/dcgm-exporter/tls/%s" | quote }}
+       {{- if .Values.dcgmExporter.tlsServerConfig.clientAuthType }}
+       client_auth_type: {{ .Values.dcgmExporter.tlsServerConfig.clientAuthType }}
+       client_ca_file: {{ required "'tlsServerConfig.caFilename' is required when 'tlsServerConfig.clientAuthType' is provided" .Values.dcgmExporter.tlsServerConfig.caFilename | printf "/etc/dcgm-exporter/tls/%s" | quote }}
+       {{- end }}
+{{- end }}
+{{- if .Values.dcgmExporter.basicAuth.users }}
+    basic_auth_users:
+      {{- range $user, $password := .Values.dcgmExporter.basicAuth.users }}
+      {{ $user }}: {{ (split ":" (htpasswd $user $password))._1 }}
+      {{- end }}
+{{- end }}
+{{- end }}

frameworks/GPU/config/gpu/hami/templates/device-plugin/configmap.yaml

@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "hami-vgpu.device-plugin" . }}
+  labels:
+    app.kubernetes.io/component: hami-device-plugin
+    {{- include "hami-vgpu.labels" . | nindent 4 }}
+data:
+  config.json: |
+    {
+        "nodeconfig": [
+            {
+                "name": "m5-cloudinfra-online02",
+                "operatingmode": "hami-core",
+                "devicememoryscaling": 1.8,
+                "devicesplitcount": 10,
+                "migstrategy":"none",
+                "filterdevices": {
+                  "uuid": [],
+                  "index": []
+                }
+            }
+        ]
+    }

frameworks/GPU/config/gpu/hami/templates/device-plugin/daemonsetnvidia.yaml

@@ -0,0 +1,170 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ include "hami-vgpu.device-plugin" . }}
+  labels:
+    app.kubernetes.io/component: hami-device-plugin
+    {{- include "hami-vgpu.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- if .Values.global.annotations }}
+  annotations: {{ toYaml .Values.global.annotations | nindent 4}}
+  {{- end }}
+spec:
+  updateStrategy:
+    {{- with .Values.devicePlugin.updateStrategy }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: hami-device-plugin
+      {{- include "hami-vgpu.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: hami-device-plugin
+        hami.io/webhook: ignore
+        {{- include "hami-vgpu.selectorLabels" . | nindent 8 }}
+      {{- if .Values.devicePlugin.podAnnotations }}
+      annotations: {{ toYaml .Values.devicePlugin.podAnnotations | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- if .Values.devicePlugin.runtimeClassName }}
+      runtimeClassName: {{ .Values.devicePlugin.runtimeClassName }}
+      {{- end }}
+      {{- include "hami-vgpu.imagePullSecrets" . | nindent 6}}
+      serviceAccountName: {{ include "hami-vgpu.device-plugin" . }}
+      priorityClassName: system-node-critical
+      hostPID: true
+      hostNetwork: true
+      containers:
+        - name: device-plugin
+          image: {{ .Values.devicePlugin.image }}:{{ .Values.version }}
+          imagePullPolicy: {{ .Values.devicePlugin.imagePullPolicy | quote }}
+          lifecycle:
+            postStart:
+              exec:
+                command: ["/bin/sh","-c", {{ printf "/k8s-vgpu/bin/vgpu-init.sh %s/vgpu/" .Values.global.gpuHookPath | quote }}]
+          command:
+            - nvidia-device-plugin
+            - --config-file=/device-config.yaml
+            - --mig-strategy={{ .Values.devicePlugin.migStrategy }}
+            - --disable-core-limit={{ .Values.devicePlugin.disablecorelimit }}
+            {{- range .Values.devicePlugin.extraArgs }}
+            - {{ . }}
+            {{- end }}
+          env:
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: NVIDIA_MIG_MONITOR_DEVICES
+              value: all
+            - name: HOOK_PATH
+              value: {{ .Values.global.gpuHookPath }}
+            {{- if typeIs "bool" .Values.devicePlugin.passDeviceSpecsEnabled }}
+            - name: PASS_DEVICE_SPECS
+              value: {{ .Values.devicePlugin.passDeviceSpecsEnabled | quote }}
+            {{- end }}
+          securityContext:
+            privileged: true
+            allowPrivilegeEscalation: true
+            capabilities:
+              drop: ["ALL"]
+              add: ["SYS_ADMIN"]
+          resources:
+          {{- toYaml .Values.devicePlugin.resources | nindent 12 }}
+          volumeMounts:
+            - name: device-plugin
+              mountPath: /var/lib/kubelet/device-plugins
+            - name: lib
+              mountPath: {{ printf "%s%s" .Values.global.gpuHookPath "/vgpu" }}
+            - name: usrbin
+              mountPath: /usrbin
+            - name: deviceconfig
+              mountPath: /config
+            - name: hosttmp
+              mountPath: /tmp
+            - name: device-config
+              mountPath: /device-config.yaml
+              subPath: device-config.yaml
+        - name: vgpu-monitor
+          image: {{ .Values.devicePlugin.image }}:{{ .Values.version }}
+          imagePullPolicy: {{ .Values.devicePlugin.imagePullPolicy | quote }}
+          command:
+            - "vGPUmonitor"
+            {{- range .Values.devicePlugin.extraArgs }}
+            - {{ . }}
+            {{- end }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
+              add: ["SYS_ADMIN"]
+          env:
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: NVIDIA_VISIBLE_DEVICES
+              value: "all"
+            - name: NVIDIA_MIG_MONITOR_DEVICES
+              value: all
+            - name: HOOK_PATH
+              value: {{ .Values.global.gpuHookPath }}/vgpu
+          resources:
+          {{- toYaml .Values.devicePlugin.vgpuMonitor.resources | nindent 12 }}
+          volumeMounts:
+            - name: ctrs
+              mountPath: {{ .Values.devicePlugin.monitorctrPath }}
+            - name: dockers
+              mountPath: /run/docker
+            - name: containerds
+              mountPath: /run/containerd
+            - name: sysinfo
+              mountPath: /sysinfo
+            - name: hostvar
+              mountPath: /hostvar
+            - name: hosttmp
+              mountPath: /tmp
+      volumes:
+        - name: ctrs
+          hostPath:
+            path: {{ .Values.devicePlugin.monitorctrPath }}
+        - name: hosttmp
+          hostPath:
+            path: /tmp
+        - name: dockers
+          hostPath:
+            path: /run/docker
+        - name: containerds
+          hostPath:
+            path: /run/containerd
+        - name: device-plugin
+          hostPath:
+            path: {{ .Values.devicePlugin.pluginPath }}
+        - name: lib
+          hostPath:
+            path: {{ .Values.devicePlugin.libPath }}
+        - name: usrbin
+          hostPath:
+            path: /usr/bin
+        - name: sysinfo
+          hostPath:
+            path: /sys
+        - name: hostvar
+          hostPath:
+            path: /var
+        - name: deviceconfig
+          configMap:
+            name: {{ template "hami-vgpu.device-plugin" . }}
+        - name: device-config
+          configMap:
+            name: {{ include "hami-vgpu.scheduler" . }}-device
+      {{- if .Values.devicePlugin.nvidianodeSelector }}
+      nodeSelector: {{ toYaml .Values.devicePlugin.nvidianodeSelector | nindent 8 }}
+      {{- end }}
+      {{- if .Values.devicePlugin.tolerations }}
+      tolerations: {{ toYaml .Values.devicePlugin.tolerations | nindent 8 }}
+      {{- end }}

frameworks/GPU/config/gpu/hami/templates/device-plugin/monitorrole.yaml

@@ -0,0 +1,27 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name:  {{ include "hami-vgpu.device-plugin" . }}-monitor
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+      - create
+      - watch
+      - list
+      - update
+      - patch
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - get
+      - update
+      - list
+      - patch
+    
+    

frameworks/GPU/config/gpu/hami/templates/device-plugin/monitorrolebinding.yaml

@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "hami-vgpu.device-plugin" . }}
+  labels:
+    app.kubernetes.io/component: "hami-device-plugin"
+    {{- include "hami-vgpu.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  #name: cluster-admin
+  name: {{ include "hami-vgpu.device-plugin" . }}-monitor
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "hami-vgpu.device-plugin" . }}
+    namespace: {{ .Release.Namespace | quote }}

frameworks/GPU/config/gpu/hami/templates/device-plugin/monitorservice.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "hami-vgpu.device-plugin" . }}-monitor
+  labels:
+    app.kubernetes.io/component: hami-device-plugin
+    {{- include "hami-vgpu.labels" . | nindent 4 }}
+    {{- if .Values.devicePlugin.service.labels }}  # Use devicePlugin instead of scheduler
+    {{ toYaml .Values.devicePlugin.service.labels | indent 4 }}
+    {{- end }}
+  {{- if .Values.devicePlugin.service.annotations }}  # Use devicePlugin instead of scheduler
+  annotations: {{ toYaml .Values.devicePlugin.service.annotations | nindent 4 }}
+  {{- end }}
+spec:
+  type: {{ .Values.devicePlugin.service.type | default "NodePort" }}  # Default type is NodePort
+  ports:
+    - name: monitorport
+      port: {{ .Values.devicePlugin.service.httpPort | default 31992 }}  # Default HTTP port is 31992
+      targetPort: 9394
+      {{- if eq (.Values.devicePlugin.service.type | default "NodePort") "NodePort" }}  # If type is NodePort, set nodePort
+      nodePort: {{ .Values.devicePlugin.service.httpPort | default 31992 }}
+      {{- end }}
+      protocol: TCP
+  selector:
+    app.kubernetes.io/component: hami-device-plugin
+    {{- include "hami-vgpu.selectorLabels" . | nindent 4 }}

frameworks/GPU/config/gpu/hami/templates/device-plugin/monitorserviceaccount.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "hami-vgpu.device-plugin" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    app.kubernetes.io/component: "hami-device-plugin"
+    {{- include "hami-vgpu.labels" . | nindent 4 }}

frameworks/GPU/config/gpu/hami/templates/scheduler/configmap.yaml

@@ -0,0 +1,100 @@
+{{- if .Values.scheduler.kubeScheduler.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "hami-vgpu.scheduler" . }}
+  labels:
+    app.kubernetes.io/component: hami-scheduler
+    {{- include "hami-vgpu.labels" . | nindent 4 }}
+data:
+  config.json: |
+    {
+        "kind": "Policy",
+        "apiVersion": "v1",
+        "extenders": [
+            {
+                "urlPrefix": "https://127.0.0.1:443",
+                "filterVerb": "filter",
+                "bindVerb": "bind",
+                "enableHttps": true,
+                "weight": 1,
+                "nodeCacheCapable": true,
+                "httpTimeout": 30000000000,
+                "tlsConfig": {
+                    "insecure": true
+                },
+                "managedResources": [
+                    {{- if .Values.devices.ascend.enabled }}
+                    {{- range .Values.devices.ascend.customresources }}
+                    {
+                      "name": "{{ . }}",
+                      "ignoredByScheduler": true
+                    },
+                    {{- end }}
+                    {{- end }}
+                    {{- if .Values.devices.mthreads.enabled }}
+                    {{- range .Values.devices.mthreads.customresources }}
+                    {
+                      "name": "{{ . }}",
+                      "ignoredByScheduler": true
+                    },
+                    {{- end }}
+                    {{- end }}
+                    {
+                        "name": "{{ .Values.resourceName }}",
+                        "ignoredByScheduler": true
+                    },
+                    {
+                        "name": "{{ .Values.resourceMem }}",
+                        "ignoredByScheduler": true
+                    },
+                    {
+                        "name": "{{ .Values.resourceCores }}",
+                        "ignoredByScheduler": true
+                    },
+                    {
+                        "name": "{{ .Values.resourceMemPercentage }}",
+                        "ignoredByScheduler": true
+                    },
+                    {
+                        "name": "{{ .Values.resourcePriority }}",
+                        "ignoredByScheduler": true
+                    },
+                    {
+                        "name": "{{ .Values.mluResourceName }}",
+                        "ignoredByScheduler": true
+                    },
+                    {
+                        "name": "{{ .Values.dcuResourceName }}",
+                        "ignoredByScheduler": true
+                    },
+                    {
+                        "name": "{{ .Values.dcuResourceMem }}",
+                        "ignoredByScheduler": true 
+                    },
+                    {
+                        "name": "{{ .Values.dcuResourceCores }}",
+                        "ignoredByScheduler": true
+                    },
+                    {
+                        "name": "{{ .Values.iluvatarResourceName }}",
+                        "ignoredByScheduler": true
+                    },
+                    {
+                        "name": "{{ .Values.metaxResourceName }}",
+                        "ignoredByScheduler": true
+                    },
+                    {
+                        "name": "{{ .Values.metaxResourceCore }}",
+                        "ignoredByScheduler": true
+                    },
+                    {
+                        "name": "{{ .Values.metaxResourceMem }}",
+                        "ignoredByScheduler": true
+                    }
+                ],
+                "ignoreable": false
+            }
+        ]
+    }
+{{- end }}

frameworks/GPU/config/gpu/hami/templates/scheduler/configmapnew.yaml

@@ -0,0 +1,70 @@
+{{- if .Values.scheduler.kubeScheduler.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "hami-vgpu.scheduler" . }}-newversion
+  labels:
+    app.kubernetes.io/component: hami-scheduler
+    {{- include "hami-vgpu.labels" . | nindent 4 }}
+data:
+  config.yaml: |
+    {{- if gt (regexReplaceAll "[^0-9]" .Capabilities.KubeVersion.Minor "" | int) 25}}
+    apiVersion: kubescheduler.config.k8s.io/v1
+    {{- else }}
+    apiVersion: kubescheduler.config.k8s.io/v1beta2
+    {{- end }}
+    kind: KubeSchedulerConfiguration
+    leaderElection:
+      leaderElect: false
+    profiles:
+    - schedulerName: {{ .Values.schedulerName }}
+    extenders:
+    - urlPrefix: "https://127.0.0.1:443"
+      filterVerb: filter
+      bindVerb: bind
+      nodeCacheCapable: true
+      weight: 1
+      httpTimeout: 30s
+      enableHTTPS: true
+      tlsConfig:
+        insecure: true
+      managedResources:
+      - name: {{ .Values.resourceName }}
+        ignoredByScheduler: true
+      - name: {{ .Values.resourceMem }}
+        ignoredByScheduler: true
+      - name: {{ .Values.resourceCores }}
+        ignoredByScheduler: true
+      - name: {{ .Values.resourceMemPercentage }}
+        ignoredByScheduler: true
+      - name: {{ .Values.resourcePriority }}
+        ignoredByScheduler: true
+      - name: {{ .Values.mluResourceName }}
+        ignoredByScheduler: true
+      - name: {{ .Values.dcuResourceName }}
+        ignoredByScheduler: true
+      - name: {{ .Values.dcuResourceMem }}
+        ignoredByScheduler: true
+      - name: {{ .Values.dcuResourceCores }}
+        ignoredByScheduler: true
+      - name: {{ .Values.iluvatarResourceName }}
+        ignoredByScheduler: true
+      - name: {{ .Values.metaxResourceName }}
+        ignoredByScheduler: true
+      - name: {{ .Values.metaxResourceCore }}
+        ignoredByScheduler: true
+      - name: {{ .Values.metaxResourceMem }}
+        ignoredByScheduler: true
+      {{- if .Values.devices.ascend.enabled }}
+      {{- range .Values.devices.ascend.customresources }}
+      - name: {{ . }}
+        ignoredByScheduler: true
+      {{- end }}
+      {{- end }}
+      {{- if .Values.devices.mthreads.enabled }}
+      {{- range .Values.devices.mthreads.customresources }}
+      - name: {{ . }}
+        ignoredByScheduler: true
+      {{- end }}
+      {{- end }}
+{{- end }}

frameworks/GPU/config/gpu/hami/templates/scheduler/deployment.yaml

@@ -0,0 +1,156 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "hami-vgpu.scheduler" . }}
+  labels:
+    app.kubernetes.io/component: hami-scheduler
+    {{- include "hami-vgpu.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- if .Values.global.annotations }}
+  annotations: {{ toYaml .Values.global.annotations | nindent 4}}
+  {{- end }}
+spec:
+  {{- if .Values.scheduler.leaderElect }}
+  replicas: {{ .Values.scheduler.replicas }}
+  {{- else }}
+  replicas: 1
+  {{- end }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: hami-scheduler
+      {{- include "hami-vgpu.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: hami-scheduler
+        {{- include "hami-vgpu.selectorLabels" . | nindent 8 }}
+        hami.io/webhook: ignore
+      {{- if .Values.scheduler.podAnnotations }}
+      annotations: {{ toYaml .Values.scheduler.podAnnotations | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- include "hami-vgpu.imagePullSecrets" . | nindent 6}}
+      serviceAccountName: {{ include "hami-vgpu.scheduler" . }}
+      priorityClassName: system-node-critical
+      containers:
+      {{- if .Values.scheduler.kubeScheduler.enabled }}
+        - name: kube-scheduler
+          image: "{{ .Values.scheduler.kubeScheduler.image }}:{{ include "resolvedKubeSchedulerTag" . }}"
+          imagePullPolicy: {{ .Values.scheduler.kubeScheduler.imagePullPolicy | quote }}
+          command:
+            - kube-scheduler
+             {{- if ge (regexReplaceAll "[^0-9]" .Capabilities.KubeVersion.Minor "" | int) 22 }}
+            {{- range .Values.scheduler.kubeScheduler.extraNewArgs }}
+            - {{ . }}
+            {{- end }}
+            {{- else }}
+            - --scheduler-name={{ .Values.schedulerName }}
+            {{- range .Values.scheduler.kubeScheduler.extraArgs }}
+            - {{ . }}
+            {{- end }}
+            {{- end }}
+            - --leader-elect={{ .Values.scheduler.leaderElect }}
+            - --leader-elect-resource-name={{ .Values.schedulerName }}
+            - --leader-elect-resource-namespace={{ .Release.Namespace }}
+          resources:
+          {{- toYaml .Values.scheduler.kubeScheduler.resources | nindent 12 }}
+          volumeMounts:
+            - name: scheduler-config
+              mountPath: /config
+        {{- end }}
+          {{- if .Values.scheduler.livenessProbe }}
+          livenessProbe:
+            failureThreshold: 8
+            httpGet:
+              path: /healthz
+              port: 10259
+              scheme: HTTPS
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 15
+          {{- end }}
+        - name: vgpu-scheduler-extender
+          image: {{ .Values.scheduler.extender.image }}:{{ .Values.version }}
+          imagePullPolicy: {{ .Values.scheduler.extender.imagePullPolicy | quote }}
+          env:
+          {{- if .Values.global.managedNodeSelectorEnable }}
+          {{- range $key, $value := .Values.global.managedNodeSelector }}
+            - name: NODE_SELECTOR_{{ $key | upper | replace "-" "_" }}
+              value: "{{ $value }}"
+          {{- end }}
+          {{- end }}
+          command:
+            - scheduler
+            - --http_bind=0.0.0.0:443
+            - --cert_file=/tls/tls.crt
+            - --key_file=/tls/tls.key
+            - --scheduler-name={{ .Values.schedulerName }}
+            - --metrics-bind-address={{ .Values.scheduler.metricsBindAddress }}
+            - --node-scheduler-policy={{ .Values.scheduler.defaultSchedulerPolicy.nodeSchedulerPolicy }}
+            - --gpu-scheduler-policy={{ .Values.scheduler.defaultSchedulerPolicy.gpuSchedulerPolicy }}
+            - --device-config-file=/device-config.yaml
+            {{- if .Values.devices.ascend.enabled }}
+            - --enable-ascend=true
+            {{- end }}
+            {{- if .Values.scheduler.nodeLabelSelector }}
+            - --node-label-selector={{- $first := true -}}
+              {{- range $key, $value := .Values.scheduler.nodeLabelSelector -}}
+              {{- if not $first }},{{ end -}}
+              {{- $key }}={{ $value -}}
+              {{- $first = false -}}
+              {{- end -}}
+            {{- end }}
+            {{- range .Values.scheduler.extender.extraArgs }}
+            - {{ . }}
+            {{- end }}
+          ports:
+            - name: http
+              containerPort: 443
+              protocol: TCP
+          resources:
+          {{- toYaml .Values.scheduler.extender.resources | nindent 12 }}
+          volumeMounts:
+            - name: tls-config
+              mountPath: /tls
+            - name: device-config
+              mountPath: /device-config.yaml
+              subPath: device-config.yaml
+          {{- if .Values.scheduler.livenessProbe }}
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 443
+              scheme: HTTPS
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            failureThreshold: 3
+            timeoutSeconds: 5
+          {{- end }}
+      volumes:
+        - name: tls-config
+          secret:
+            secretName: {{ template "hami-vgpu.scheduler.tls" . }}
+        {{- if .Values.scheduler.kubeScheduler.enabled }}
+        - name: scheduler-config
+          configMap:
+            {{- if ge (regexReplaceAll "[^0-9]" .Capabilities.KubeVersion.Minor "" | int) 22 }}
+            name: {{ template "hami-vgpu.scheduler" . }}-newversion
+            {{- else }}
+            name: {{ template "hami-vgpu.scheduler" . }}
+            {{- end }}
+        {{- end }}
+        - name: device-config
+          configMap:
+            name: {{ include "hami-vgpu.scheduler" . }}-device
+      {{- if .Values.scheduler.nodeSelector }}
+      nodeSelector: {{ toYaml .Values.scheduler.nodeSelector | nindent 8 }}
+      {{- end }}
+      {{- if .Values.scheduler.tolerations }}
+      tolerations: {{ toYaml .Values.scheduler.tolerations | nindent 8 }}
+      {{- end }}
+      {{- if .Values.scheduler.nodeName }}
+      nodeName: {{ .Values.scheduler.nodeName }}
+      {{- end }}

frameworks/GPU/config/gpu/hami/templates/scheduler/device-configmap.yaml

@@ -0,0 +1,203 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "hami-vgpu.scheduler" . }}-device
+  labels:
+    app.kubernetes.io/component: hami-scheduler
+    {{- include "hami-vgpu.labels" . | nindent 4 }}
+data:
+  device-config.yaml: |-
+  {{- if .Files.Glob "files/device-config.yaml" }}
+  {{- .Files.Get "files/device-config.yaml" | nindent 4}}
+  {{- else }}
+    nvidia:
+      resourceCountName: {{ .Values.resourceName }}
+      resourceMemoryName: {{ .Values.resourceMem }}
+      resourceMemoryPercentageName: {{ .Values.resourceMemPercentage }}
+      resourceCoreName: {{ .Values.resourceCores }}
+      resourcePriorityName: {{ .Values.resourcePriority }}
+      overwriteEnv: false
+      defaultMemory: 16000
+      defaultCores: 0
+      defaultGPUNum: 1
+      deviceSplitCount: {{ .Values.devicePlugin.deviceSplitCount }}
+      deviceMemoryScaling: {{ .Values.devicePlugin.deviceMemoryScaling }}
+      deviceCoreScaling: {{ .Values.devicePlugin.deviceCoreScaling }}
+      gpuCorePolicy: {{ .Values.devices.nvidia.gpuCorePolicy }}
+      knownMigGeometries:
+      - models: [ "A30" ]
+        allowedGeometries:
+          - 
+            - name: 1g.6gb
+              memory: 6144
+              count: 4
+          - 
+            - name: 2g.12gb
+              memory: 12288
+              count: 2
+          - 
+            - name: 4g.24gb
+              memory: 24576
+              count: 1
+      - models: [ "A100-SXM4-40GB", "A100-40GB-PCIe", "A100-PCIE-40GB", "A100-SXM4-40GB" ]
+        allowedGeometries:
+          - 
+            - name: 1g.5gb
+              memory: 5120
+              count: 7
+          - 
+            - name: 2g.10gb
+              memory: 10240
+              count: 3
+            - name: 1g.5gb
+              memory: 5120
+              count: 1
+          - 
+            - name: 3g.20gb
+              memory: 20480
+              count: 2
+          - 
+            - name: 7g.40gb
+              memory: 40960
+              count: 1
+      - models: [ "A100-SXM4-80GB", "A100-80GB-PCIe", "A100-PCIE-80GB"]
+        allowedGeometries:
+          - 
+            - name: 1g.10gb
+              memory: 10240
+              count: 7
+          - 
+            - name: 2g.20gb
+              memory: 20480
+              count: 3
+            - name: 1g.10gb
+              memory: 10240
+              count: 1
+          - 
+            - name: 3g.40gb
+              memory: 40960
+              count: 2
+          - 
+            - name: 7g.79gb
+              memory: 80896
+              count: 1
+    cambricon:
+      resourceCountName: {{ .Values.mluResourceName }}
+      resourceMemoryName: {{ .Values.mluResourceMem }}
+      resourceCoreName: {{ .Values.mluResourceCores }}
+    hygon:
+      resourceCountName: {{ .Values.dcuResourceName }}
+      resourceMemoryName: {{ .Values.dcuResourceMem }}
+      resourceCoreName: {{ .Values.dcuResourceCores }}
+    metax:
+      resourceCountName: "metax-tech.com/gpu"
+
+      resourceVCountName: {{ .Values.metaxResourceName }}
+      resourceVMemoryName: {{ .Values.metaxResourceMem }}
+      resourceVCoreName: {{ .Values.metaxResourceCore }}
+    mthreads:
+      resourceCountName: "mthreads.com/vgpu"
+      resourceMemoryName: "mthreads.com/sgpu-memory"
+      resourceCoreName: "mthreads.com/sgpu-core"
+    iluvatar:
+      resourceCountName: {{ .Values.iluvatarResourceName }}
+      resourceMemoryName: {{ .Values.iluvatarResourceMem }}
+      resourceCoreName: {{ .Values.iluvatarResourceCore }}
+    vnpus:
+    - chipName: 910B
+      commonWord: Ascend910A
+      resourceName: huawei.com/Ascend910A
+      resourceMemoryName: huawei.com/Ascend910A-memory
+      memoryAllocatable: 32768
+      memoryCapacity: 32768
+      aiCore: 30
+      templates:
+        - name: vir02
+          memory: 2184
+          aiCore: 2
+        - name: vir04
+          memory: 4369
+          aiCore: 4
+        - name: vir08
+          memory: 8738
+          aiCore: 8
+        - name: vir16
+          memory: 17476
+          aiCore: 16
+    - chipName: 910B2
+      commonWord: Ascend910B2
+      resourceName: huawei.com/Ascend910B2
+      resourceMemoryName: huawei.com/Ascend910B2-memory
+      memoryAllocatable: 65536
+      memoryCapacity: 65536
+      aiCore: 24
+      aiCPU: 6
+      templates:
+        - name: vir03_1c_8g
+          memory: 8192
+          aiCore: 3
+          aiCPU: 1
+        - name: vir06_1c_16g
+          memory: 16384
+          aiCore: 6
+          aiCPU: 1
+        - name: vir12_3c_32g
+          memory: 32768
+          aiCore: 12
+          aiCPU: 3
+    - chipName: 910B3
+      commonWord: Ascend910B
+      resourceName: huawei.com/Ascend910B
+      resourceMemoryName: huawei.com/Ascend910B-memory
+      memoryAllocatable: 65536
+      memoryCapacity: 65536
+      aiCore: 20
+      aiCPU: 7
+      templates:
+        - name: vir05_1c_16g
+          memory: 16384
+          aiCore: 5
+          aiCPU: 1
+        - name: vir10_3c_32g
+          memory: 32768
+          aiCore: 10
+          aiCPU: 3
+    - chipName: 910B4
+      commonWord: Ascend910B4
+      resourceName: huawei.com/Ascend910B4
+      resourceMemoryName: huawei.com/Ascend910B4-memory
+      memoryAllocatable: 32768
+      memoryCapacity: 32768
+      aiCore: 20
+      aiCPU: 7
+      templates:
+        - name: vir05_1c_8g
+          memory: 8192
+          aiCore: 5
+          aiCPU: 1
+        - name: vir10_3c_16g
+          memory: 16384
+          aiCore: 10
+          aiCPU: 3
+    - chipName: 310P3
+      commonWord: Ascend310P
+      resourceName: huawei.com/Ascend310P
+      resourceMemoryName: huawei.com/Ascend310P-memory
+      memoryAllocatable: 21527
+      memoryCapacity: 24576
+      aiCore: 8
+      aiCPU: 7
+      templates:
+        - name: vir01
+          memory: 3072
+          aiCore: 1
+          aiCPU: 1
+        - name: vir02
+          memory: 6144
+          aiCore: 2
+          aiCPU: 2
+        - name: vir04
+          memory: 12288
+          aiCore: 4
+          aiCPU: 4
+  {{ end }}

frameworks/GPU/config/gpu/hami/templates/scheduler/job-patch/clusterrole.yaml

@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "hami-vgpu.fullname" . }}-admission
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    {{- include "hami-vgpu.labels" . | nindent 4 }}
+    app.kubernetes.io/component: admission-webhook
+rules:
+  - apiGroups:
+      - admissionregistration.k8s.io
+    resources:
+      #- validatingwebhookconfigurations
+      - mutatingwebhookconfigurations
+    verbs:
+      - get
+      - update
+{{- if .Values.podSecurityPolicy.enabled }}
+  - apiGroups: ['extensions']
+    resources: ['podsecuritypolicies']
+    verbs:     ['use']
+    resourceNames:
+    - {{ include "hami-vgpu.fullname" . }}-admission
+{{- end }}

frameworks/GPU/config/gpu/hami/templates/scheduler/job-patch/clusterrolebinding.yaml

@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name:  {{ include "hami-vgpu.fullname" . }}-admission
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    {{- include "hami-vgpu.labels" . | nindent 4 }}
+    app.kubernetes.io/component: admission-webhook
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "hami-vgpu.fullname" . }}-admission
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "hami-vgpu.fullname" . }}-admission
+    namespace: {{ .Release.Namespace | quote }}

frameworks/GPU/config/gpu/hami/templates/scheduler/job-patch/job-createSecret.yaml

@@ -0,0 +1,60 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "hami-vgpu.fullname" . }}-admission-create
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    {{- include "hami-vgpu.labels" . | nindent 4 }}
+    app.kubernetes.io/component: admission-webhook
+spec:
+  {{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }}
+  # Alpha feature since k8s 1.12
+  ttlSecondsAfterFinished: 0
+  {{- end }}
+  template:
+    metadata:
+      name: {{ include "hami-vgpu.fullname" . }}-admission-create
+      {{- if .Values.scheduler.patch.podAnnotations }}
+      annotations: {{ toYaml .Values.scheduler.patch.podAnnotations | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "hami-vgpu.labels" . | nindent 8 }}
+        app.kubernetes.io/component: admission-webhook
+        hami.io/webhook: ignore
+    spec:
+      {{- include "hami-vgpu.imagePullSecrets" . | nindent 6}}
+      {{- if .Values.scheduler.patch.priorityClassName }}
+      priorityClassName: {{ .Values.scheduler.patch.priorityClassName }}
+      {{- end }}
+      containers:
+        - name: create
+           {{- if ge (regexReplaceAll "[^0-9]" .Capabilities.KubeVersion.Minor "" | int) 22 }}
+          image: {{ .Values.scheduler.patch.imageNew }}
+          {{- else }}
+          image: {{ .Values.scheduler.patch.image }}
+          {{- end }}
+          imagePullPolicy: {{ .Values.scheduler.patch.imagePullPolicy }}
+          args:
+            - create
+            - --cert-name=tls.crt
+            - --key-name=tls.key
+            {{- if .Values.scheduler.admissionWebhook.customURL.enabled }}
+            - --host={{ printf "%s.%s.svc,127.0.0.1,%s" (include "hami-vgpu.scheduler" .) .Release.Namespace .Values.scheduler.admissionWebhook.customURL.host}}
+            {{- else }}
+            - --host={{ printf "%s.%s.svc,127.0.0.1" (include "hami-vgpu.scheduler" .) .Release.Namespace }}
+            {{- end }}
+            - --namespace={{ .Release.Namespace }}
+            - --secret-name={{ include "hami-vgpu.scheduler.tls" . }}
+      restartPolicy: OnFailure
+      serviceAccountName: {{ include "hami-vgpu.fullname" . }}-admission
+      {{- if .Values.scheduler.patch.nodeSelector }}
+      nodeSelector: {{ toYaml .Values.scheduler.patch.nodeSelector | nindent 8 }}
+      {{- end }}
+      {{- if .Values.scheduler.patch.tolerations }}
+      tolerations: {{ toYaml .Values.scheduler.patch.tolerations | nindent 8 }}
+      {{- end }}
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: {{ .Values.scheduler.patch.runAsUser }}

frameworks/GPU/config/gpu/hami/templates/scheduler/job-patch/job-patchWebhook.yaml

@@ -0,0 +1,55 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "hami-vgpu.fullname" . }}-admission-patch
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    {{- include "hami-vgpu.labels" . | nindent 4 }}
+    app.kubernetes.io/component: admission-webhook
+spec:
+  {{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }}
+  # Alpha feature since k8s 1.12
+  ttlSecondsAfterFinished: 0
+  {{- end }}
+  template:
+    metadata:
+      name: {{ include "hami-vgpu.fullname" . }}-admission-patch
+      {{- if .Values.scheduler.patch.podAnnotations }}
+      annotations: {{ toYaml .Values.scheduler.patch.podAnnotations | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "hami-vgpu.labels" . | nindent 8 }}
+        app.kubernetes.io/component: admission-webhook
+        hami.io/webhook: ignore
+    spec:
+      {{- include "hami-vgpu.imagePullSecrets" . | nindent 6}}
+      {{- if .Values.scheduler.patch.priorityClassName }}
+      priorityClassName: {{ .Values.scheduler.patch.priorityClassName }}
+      {{- end }}
+      containers:
+        - name: patch
+          {{- if ge (regexReplaceAll "[^0-9]" .Capabilities.KubeVersion.Minor "" | int) 22 }}
+          image: {{ .Values.scheduler.patch.imageNew }}
+          {{- else }}
+          image: {{ .Values.scheduler.patch.image }}
+          {{- end }}
+          imagePullPolicy: {{ .Values.scheduler.patch.imagePullPolicy }}
+          args:
+            - patch
+            - --webhook-name={{ include "hami-vgpu.scheduler.webhook" . }}
+            - --namespace={{ .Release.Namespace }}
+            - --patch-validating=false
+            - --secret-name={{ include "hami-vgpu.scheduler.tls" . }}
+      restartPolicy: OnFailure
+      serviceAccountName: {{ include "hami-vgpu.fullname" . }}-admission
+      {{- if .Values.scheduler.patch.nodeSelector }}
+      nodeSelector: {{ toYaml .Values.scheduler.patch.nodeSelector | nindent 8 }}
+      {{- end }}
+      {{- if .Values.scheduler.patch.tolerations }}
+      tolerations: {{ toYaml .Values.scheduler.patch.tolerations | nindent 8 }}
+      {{- end }}
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: {{ .Values.scheduler.patch.runAsUser }}

frameworks/GPU/config/gpu/hami/templates/scheduler/job-patch/psp.yaml

@@ -0,0 +1,36 @@
+{{- if .Values.podSecurityPolicy.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ include "hami-vgpu.fullname" . }}-admission
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    {{- include "hami-vgpu.labels" . | nindent 4 }}
+    app.kubernetes.io/component: admission-webhook
+spec:
+  allowPrivilegeEscalation: false
+  fsGroup:
+    ranges:
+    - max: 65535
+      min: 1
+    rule: MustRunAs
+  requiredDropCapabilities:
+  - ALL
+  runAsUser:
+    rule: MustRunAsNonRoot
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    ranges:
+    - max: 65535
+      min: 1
+    rule: MustRunAs
+  volumes:
+  - configMap
+  - emptyDir
+  - projected
+  - secret
+  - downwardAPI
+{{- end }}

frameworks/GPU/config/gpu/hami/templates/scheduler/job-patch/role.yaml

@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name:  {{ include "hami-vgpu.fullname" . }}-admission
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    {{- include "hami-vgpu.labels" . | nindent 4 }}
+    app.kubernetes.io/component: admission-webhook
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - create

frameworks/GPU/config/gpu/hami/templates/scheduler/job-patch/rolebinding.yaml

@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "hami-vgpu.fullname" . }}-admission
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    {{- include "hami-vgpu.labels" . | nindent 4 }}
+    app.kubernetes.io/component: admission-webhook
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "hami-vgpu.fullname" . }}-admission
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "hami-vgpu.fullname" . }}-admission
+    namespace: {{ .Release.Namespace | quote }}

frameworks/GPU/config/gpu/hami/templates/scheduler/job-patch/serviceaccount.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "hami-vgpu.fullname" . }}-admission
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    {{- include "hami-vgpu.labels" . | nindent 4 }}
+    app.kubernetes.io/component: admission-webhook

frameworks/GPU/config/gpu/hami/templates/scheduler/rolebinding.yaml

@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "hami-vgpu.scheduler" . }}
+  labels:
+    app.kubernetes.io/component: "hami-scheduler"
+    {{- include "hami-vgpu.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "hami-vgpu.scheduler" . }}
+    namespace: {{ .Release.Namespace | quote }}

frameworks/GPU/config/gpu/hami/templates/scheduler/service.yaml

@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "hami-vgpu.scheduler" . }}
+  labels:
+    app.kubernetes.io/component: hami-scheduler
+    {{- include "hami-vgpu.labels" . | nindent 4 }}
+    {{- if .Values.scheduler.service.labels }}
+    {{ toYaml .Values.scheduler.service.labels | indent 4 }}
+    {{- end }}
+  {{- if .Values.scheduler.service.annotations }}
+  annotations: {{ toYaml .Values.scheduler.service.annotations | nindent 4 }}
+  {{- end }}
+spec:
+  type: {{ .Values.scheduler.service.type | default "NodePort" }}  # Default type is NodePort
+  ports:
+    - name: http
+      port: {{ .Values.scheduler.service.httpPort | default 443 }}  # Default HTTP port is 443
+      targetPort: {{ .Values.scheduler.service.httpTargetPort | default 443 }}
+      {{- if eq (.Values.scheduler.service.type | default "NodePort") "NodePort" }}  # If type is NodePort, set nodePort
+      nodePort: {{ .Values.scheduler.service.schedulerPort | default 31998 }}
+      {{- end }}
+      protocol: TCP
+    - name: monitor
+      port: {{ .Values.scheduler.service.monitorPort | default 31993 }}  # Default monitoring port is 31993
+      targetPort: {{ .Values.scheduler.service.monitorTargetPort | default 31993 }}
+      {{- if eq (.Values.scheduler.service.type | default "NodePort") "NodePort" }}  # If type is NodePort, set nodePort
+      nodePort: {{ .Values.scheduler.service.monitorPort | default 31993 }}
+      {{- end }}
+      protocol: TCP
+  selector:
+    app.kubernetes.io/component: hami-scheduler
+    {{- include "hami-vgpu.selectorLabels" . | nindent 4 }}

frameworks/GPU/config/gpu/hami/templates/scheduler/serviceaccount.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "hami-vgpu.scheduler" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    app.kubernetes.io/component: "hami-scheduler"
+    {{- include "hami-vgpu.labels" . | nindent 4 }}

frameworks/GPU/config/gpu/hami/templates/scheduler/webhook.yaml

@@ -0,0 +1,51 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: {{ include "hami-vgpu.scheduler.webhook" . }}
+webhooks:
+  - admissionReviewVersions:
+    - v1beta1
+    clientConfig:
+      {{- if .Values.scheduler.admissionWebhook.customURL.enabled }}
+      url: https://{{ .Values.scheduler.admissionWebhook.customURL.host}}:{{.Values.scheduler.admissionWebhook.customURL.port}}{{.Values.scheduler.admissionWebhook.customURL.path}}
+      {{- else }}
+      service:
+        name: {{ include "hami-vgpu.scheduler" . }}
+        namespace: {{ .Release.Namespace }}
+        path: /webhook
+        port: {{ .Values.scheduler.service.httpPort }}
+      {{- end }}
+    failurePolicy: {{ .Values.scheduler.admissionWebhook.failurePolicy }}
+    matchPolicy: Equivalent
+    name: vgpu.hami.io
+    namespaceSelector:
+      matchExpressions:
+      - key: hami.io/webhook
+        operator: NotIn
+        values:
+        - ignore
+      {{- if .Values.scheduler.admissionWebhook.whitelistNamespaces }}
+      - key: kubernetes.io/metadata.name
+        operator: NotIn
+        values:
+        {{- toYaml .Values.scheduler.admissionWebhook.whitelistNamespaces | nindent 10 }}
+      {{- end }}
+    objectSelector:
+      matchExpressions:
+      - key: hami.io/webhook
+        operator: NotIn
+        values:
+        - ignore
+    reinvocationPolicy: {{ .Values.scheduler.admissionWebhook.reinvocationPolicy }}
+    rules:
+      - apiGroups:
+          - ""
+        apiVersions:
+          - v1
+        operations:
+          - CREATE
+        resources:
+          - pods
+        scope: '*'
+    sideEffects: None
+    timeoutSeconds: 10

frameworks/GPU/config/gpu/hami/templates/webui/configmap.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "hami-webui.fullname" . }}-config
+  namespace: {{ include "hami-webui.namespace" . }}
+data:
+  config.yaml: |
+    server:
+      http:
+        addr: 0.0.0.0:8000
+        timeout: 1s
+      grpc:
+        addr: 0.0.0.0:9000
+        timeout: 1s
+    prometheus:
+      address: {{ ternary .Values.webui.externalPrometheus.address (printf "http://%s-kube-prometh-prometheus.%s.svc.cluster.local:9090" (include "hami-webui.fullname" .) (include "hami-webui.namespace" .)) .Values.webui.externalPrometheus.enabled }}
+      timeout: 1m
+    node_selectors:
+    {{- range $key, $value := .Values.webui.vendorNodeSelectors }}
+      {{ $key }}: {{ $value }}
+    {{- end }}

frameworks/GPU/config/gpu/hami/templates/webui/deployment.yaml

@@ -0,0 +1,82 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "hami-webui.fullname" . }}
+  namespace: {{ include "hami-webui.namespace" . }}
+  labels:
+    {{- include "hami-webui.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "hami-webui"
+spec:
+  replicas: {{ .Values.webui.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "hami-webui.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: "hami-webui"
+  template:
+    metadata:
+      {{- with .Values.webui.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "hami-webui.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/component: "hami-webui"
+    spec:
+      serviceAccountName: {{ include "hami-webui.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.webui.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Release.Name }}-fe-oss
+          securityContext:
+            {{- toYaml .Values.webui.securityContext | nindent 12 }}
+          image: "{{ .Values.webui.image.frontend.repository }}:{{ .Values.webui.image.frontend.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.webui.image.frontend.pullPolicy }}
+          env:
+            {{- toYaml .Values.webui.env.frontend | nindent 12 }}
+          ports:
+            - name: http
+              containerPort: 3000
+              protocol: TCP
+          command:
+            - "node"
+          args:
+            - "/apps/dist/main"
+          resources:
+            {{- toYaml .Values.webui.resources.frontend | nindent 12 }}
+        - name: {{ .Release.Name }}-be-oss
+          securityContext:
+                  {{- toYaml .Values.webui.securityContext | nindent 12 }}
+          image: "{{ .Values.webui.image.backend.repository }}:{{ .Values.webui.image.backend.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.webui.image.backend.pullPolicy }}
+          env:
+            {{- toYaml .Values.webui.env.backend | nindent 12 }}
+          ports:
+            - name: metrics
+              containerPort: 8000
+              protocol: TCP
+          command:
+            - "/apps/server"
+          args:
+            - "--conf"
+            - "/apps/config/config.yaml"
+          resources:
+            {{- toYaml .Values.webui.resources.backend | nindent 12 }}
+          volumeMounts:
+            - name: config
+              mountPath: /apps/config/
+      {{- with .Values.webui.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.webui.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      volumes:
+        - name: config
+          configMap:
+            name: {{ include "hami-webui.fullname" . }}-config

frameworks/GPU/config/gpu/hami/templates/webui/hamiservicemonitor.yaml

@@ -0,0 +1,27 @@
+{{- if .Values.webui.hamiServiceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "hami-webui.fullname" . }}-hami-svc-monitor
+  namespace: kubesphere-monitoring-system
+  labels:
+    {{- include "hami-webui.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "hami-webui"
+    {{- if .Values.webui.hamiServiceMonitor.additionalLabels }}
+    {{- toYaml .Values.webui.hamiServiceMonitor.additionalLabels | nindent 4 }}
+    {{- end }}
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: hami-device-plugin
+  namespaceSelector:
+    matchNames:
+      - "{{ .Values.webui.hamiServiceMonitor.svcNamespace }}"
+  endpoints:
+  - path: /metrics
+    port: monitorport
+    interval: "{{ .Values.webui.hamiServiceMonitor.interval }}"
+    honorLabels: {{ .Values.webui.hamiServiceMonitor.honorLabels }}
+    relabelings:
+      {{ toYaml .Values.webui.hamiServiceMonitor.relabelings | nindent 6 }}
+{{- end -}}

frameworks/GPU/config/gpu/hami/templates/webui/role.yaml

@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: hami-webui-reader
+  namespace: {{ include "hami-webui.namespace" . }}
+  labels:
+    {{- include "hami-webui.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "hami-webui"
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "nodes" ]
+    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [ "" ]
+    resources: [ "pods" ]
+    verbs: [ "get", "list", "watch" ]

frameworks/GPU/config/gpu/hami/templates/webui/rolebinding.yaml

@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "hami-webui.fullname" . }}
+  namespace: {{ include "hami-webui.namespace" . }}
+  labels:
+    {{- include "hami-webui.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "hami-webui"
+subjects:
+- kind: ServiceAccount
+  name: {{ include "hami-webui.serviceAccountName" . }}
+  namespace: {{ include "hami-webui.namespace" . }}
+roleRef:
+  kind: ClusterRole
+  name: hami-webui-reader
+  apiGroup: rbac.authorization.k8s.io

frameworks/GPU/config/gpu/hami/templates/webui/service.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "hami-webui.fullname" . }}
+  namespace: {{ include "hami-webui.namespace" . }}
+  labels:
+    {{- include "hami-webui.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "hami-webui"
+spec:
+  type: {{ .Values.webui.service.type }}
+  ports:
+    - port: {{ .Values.webui.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+    - port: 8000
+      targetPort: metrics
+      protocol: TCP
+      name: metrics
+  selector:
+    {{- include "hami-webui.selectorLabels" . | nindent 4 }}
+    app.kubernetes.io/component: "hami-webui"

frameworks/GPU/config/gpu/hami/templates/webui/serviceaccount.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.webui.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "hami-webui.serviceAccountName" . }}
+  namespace: {{ include "hami-webui.namespace" . }}
+  labels:
+    {{- include "hami-webui.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "hami-webui"
+  {{- with .Values.webui.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

frameworks/GPU/config/gpu/hami/templates/webui/servicemonitor.yaml

@@ -0,0 +1,42 @@
+{{- if .Values.webui.serviceMonitor.enabled }}
+# Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "hami-webui.fullname" . }}-svc-monitor
+  namespace: kubesphere-monitoring-system
+  labels:
+    {{- include "hami-webui.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "hami-webui"
+    {{- if .Values.webui.serviceMonitor.additionalLabels }}
+    {{- toYaml .Values.webui.serviceMonitor.additionalLabels | nindent 4 }}
+    {{- end }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "hami-webui.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: "hami-webui"
+  namespaceSelector:
+    matchNames:
+    - "{{ include "hami-webui.namespace" . }}"
+  endpoints:
+  - port: "metrics"
+    path: "/metrics"
+    interval: "{{ .Values.webui.serviceMonitor.interval }}"
+    honorLabels: {{ .Values.webui.serviceMonitor.honorLabels }}
+    relabelings:
+      {{ toYaml .Values.webui.serviceMonitor.relabelings | nindent 6 }}
+{{- end -}}

frameworks/GPU/config/gpu/hami/values.yaml

@@ -0,0 +1,530 @@
+# Default values for hami-vgpu.
+
+nameOverride: ""
+fullnameOverride: ""
+imagePullSecrets: [ ]
+version: "v2.5.1"
+
+#Nvidia GPU Parameters
+resourceName: "nvidia.com/gpu"
+resourceMem: "nvidia.com/gpumem"
+resourceMemPercentage: "nvidia.com/gpumem-percentage"
+resourceCores: "nvidia.com/gpucores"
+resourcePriority: "nvidia.com/priority"
+
+#MLU Parameters
+mluResourceName: "cambricon.com/vmlu"
+mluResourceMem: "cambricon.com/mlu.smlu.vmemory"
+mluResourceCores: "cambricon.com/mlu.smlu.vcore"
+
+#Hygon DCU Parameters
+dcuResourceName: "hygon.com/dcunum"
+dcuResourceMem: "hygon.com/dcumem"
+dcuResourceCores: "hygon.com/dcucores"
+
+#Iluvatar GPU Parameters
+iluvatarResourceName: "iluvatar.ai/vgpu"
+iluvatarResourceMem: "iluvatar.ai/vcuda-memory"
+iluvatarResourceCore: "iluvatar.ai/vcuda-core"
+
+#Metax SGPU Parameters
+metaxResourceName: "metax-tech.com/sgpu"
+metaxResourceCore: "metax-tech.com/vcore"
+metaxResourceMem: "metax-tech.com/vmemory"
+
+schedulerName: "hami-scheduler"
+
+podSecurityPolicy:
+  enabled: false
+
+global:
+  gpuHookPath: /usr/local
+  labels: {}
+  annotations: {}
+  managedNodeSelectorEnable: false
+  managedNodeSelector:
+    usage: "gpu"
+
+
+scheduler:
+  # @param nodeName defines the node name and the nvidia-vgpu-scheduler-scheduler will schedule to the node.
+  # if we install the nvidia-vgpu-scheduler-scheduler as default scheduler, we need to remove the k8s default
+  # scheduler pod from the cluster first, we must specify node name to skip the schedule workflow.
+  nodeName: ""
+  #nodeLabelSelector:
+  #  "gpu": "on"
+  overwriteEnv: "false"
+  defaultSchedulerPolicy:
+    nodeSchedulerPolicy: binpack
+    gpuSchedulerPolicy: spread
+  metricsBindAddress: ":9395"
+  livenessProbe: false
+  leaderElect: true
+  # when leaderElect is true, replicas is available, otherwise replicas is 1.
+  replicas: 1
+  kubeScheduler:
+    # @param enabled indicate whether to run kube-scheduler container in the scheduler pod, it's true by default.
+    enabled: true
+    image: registry.k8s.io/kube-scheduler
+    imageTag: ""
+    imagePullPolicy: IfNotPresent
+    resources: {}
+      # If you do want to specify resources, uncomment the following lines, adjust them as necessary.
+      # and remove the curly braces after 'resources:'.
+#      limits:
+#        cpu: 1000m
+#        memory: 1000Mi
+#      requests:
+#        cpu: 100m
+#        memory: 100Mi
+    extraNewArgs:
+      - --config=/config/config.yaml
+      - -v=4
+    extraArgs:
+      - --policy-config-file=/config/config.json
+      - -v=4
+  extender:
+    image: "beclab/hami"
+    imagePullPolicy: IfNotPresent
+    resources: {}
+      # If you do want to specify resources, uncomment the following lines, adjust them as necessary,
+      # and remove the curly braces after 'resources:'.
+#      limits:
+#        cpu: 1000m
+#        memory: 1000Mi
+#      requests:
+#        cpu: 100m
+#        memory: 100Mi
+    extraArgs:
+      - --debug
+      - -v=4
+  podAnnotations: {}
+  tolerations: []
+  #serviceAccountName: "hami-vgpu-scheduler-sa"
+  admissionWebhook:
+    customURL:
+      enabled: false
+      # must be an endpoint using https.
+      # should generate host certs here
+      host: 127.0.0.1 # hostname or ip, can be your node'IP if you want to use https://<nodeIP>:<schedulerPort>/<path>
+      port: 31998
+      path: /webhook
+    whitelistNamespaces:
+    # Specify the namespaces that the webhook will not be applied to.
+      # - default
+      # - kube-system
+      # - istio-system
+    reinvocationPolicy: Never
+    failurePolicy: Ignore
+  patch:
+    image: jettech/kube-webhook-certgen:v1.5.2
+    imageNew: liangjw/kube-webhook-certgen:v1.1.1
+    imagePullPolicy: IfNotPresent
+    priorityClassName: ""
+    podAnnotations: {}
+    nodeSelector: {}
+    tolerations: []
+    runAsUser: 2000
+  service:
+    type: ClusterIP  # Default type is NodePort, can be changed to ClusterIP
+    httpPort: 443   # HTTP port
+    schedulerPort: 31998  # NodePort for HTTP
+    monitorPort: 31993    # Monitoring port
+    labels: {}
+    annotations: {}
+
+devicePlugin:
+  image: "beclab/hami"
+  monitorimage: "beclab/hami"
+  monitorctrPath: /usr/local/vgpu/containers
+  imagePullPolicy: IfNotPresent
+  deviceSplitCount: 100
+  deviceMemoryScaling: 100
+  deviceCoreScaling: 100
+  runtimeClassName: ""
+  migStrategy: "none"
+  disablecorelimit: "false"
+  passDeviceSpecsEnabled: false
+  extraArgs:
+    - -v=4
+  
+  service:
+    type: ClusterIP  # Default type is NodePort, can be changed to ClusterIP
+    httpPort: 31992
+    labels: {}
+    annotations: {}
+    
+  pluginPath: /var/lib/kubelet/device-plugins
+  libPath: /usr/local/vgpu
+
+  podAnnotations: {}
+  nvidianodeSelector:
+    gpu.bytetrade.io/cuda-supported: 'true'
+  tolerations: []
+  # The updateStrategy for DevicePlugin DaemonSet.
+  # If you want to update the DaemonSet by manual, set type as "OnDelete".
+  # We recommend use OnDelete update strategy because DevicePlugin pod restart will cause business pod restart, this behavior is destructive.
+  # Otherwise, you can use RollingUpdate update strategy to rolling update DevicePlugin pod.
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
+
+  resources: {}
+    # If you do want to specify resources, uncomment the following lines, adjust them as necessary.
+    # and remove the curly braces after 'resources:'.
+#    limits:
+#       cpu: 1000m
+#       memory: 1000Mi
+#    requests:
+#      cpu: 100m
+#      memory: 100Mi
+
+  vgpuMonitor:
+    resources: {}
+      # If you do want to specify resources, uncomment the following lines, adjust them as necessary.
+      # and remove the curly braces after 'resources:'.
+#      limits:
+#        cpu: 1000m
+#        memory: 1000Mi
+#      requests:
+#        cpu: 100m
+#        memory: 100Mi
+
+devices:
+  mthreads:
+    enabled: false
+    customresources:
+      - mthreads.com/vgpu
+  nvidia:
+    gpuCorePolicy: default
+  ascend:
+    enabled: false
+    image: ""
+    imagePullPolicy: IfNotPresent
+    extraArgs: []
+    nodeSelector:
+      ascend: "on"
+    tolerations: []
+    customresources:
+      - huawei.com/Ascend910A
+      - huawei.com/Ascend910A-memory
+      - huawei.com/Ascend910B2
+      - huawei.com/Ascend910B2-memory
+      - huawei.com/Ascend910B
+      - huawei.com/Ascend910B-memory
+      - huawei.com/Ascend910B4
+      - huawei.com/Ascend910B4-memory
+      - huawei.com/Ascend310P
+      - huawei.com/Ascend310P-memory
+
+dcgmExporter:
+  image:
+    repository: nvidia/dcgm-exporter
+    pullPolicy: IfNotPresent
+    tag: 4.1.1-4.0.4-ubuntu22.04
+
+  # Change the following reference to "/etc/dcgm-exporter/default-counters.csv"
+  # to stop profiling metrics from DCGM
+  arguments: ["-f", "/etc/dcgm-exporter/default-counters.csv"]
+  # NOTE: in general, add any command line arguments to arguments above
+  # and they will be passed through.
+  # Use "-r", "<HOST>:<PORT>" to connect to an already running hostengine
+  # Example arguments: ["-r", "host123:5555"]
+  # Use "-n" to remove the hostname tag from the output.
+  # Example arguments: ["-n"]
+  # Use "-d" to specify the devices to monitor. -d must be followed by a string
+  # in the following format: [f] or [g[:numeric_range][+]][i[:numeric_range]]
+  # Where a numeric range is something like 0-4 or 0,2,4, etc.
+  # Example arguments: ["-d", "g+i"] to monitor all GPUs and GPU instances or
+  # ["-d", "g:0-3"] to monitor GPUs 0-3.
+  # Use "-m" to specify the namespace and name of a configmap containing
+  # the watched exporter fields.
+  # Example arguments: ["-m", "default:exporter-metrics-config-map"]
+
+  # Overrides the chart's name
+  nameOverride: "nvidia-dcgm-exporter"
+
+  # Overrides the chart's computed fullname
+  fullnameOverride: ""
+
+  # Overrides the deployment namespace
+  namespaceOverride: ""
+
+  # Defines the runtime class that will be used by the pod
+  runtimeClassName: ""
+  # Defines serviceAccount names for components.
+  serviceAccount:
+    # Specifies whether a service account should be created
+    create: true
+    # Annotations to add to the service account
+    annotations: {}
+    # The name of the service account to use.
+    # If not set and create is true, a name is generated using the fullname template
+    name:
+
+  rollingUpdate:
+    # Specifies maximum number of DaemonSet pods that can be unavailable during the update
+    maxUnavailable: 1
+    # Specifies maximum number of nodes with an existing available DaemonSet pod that can have an updated DaemonSet pod during during an update
+    maxSurge: 0
+
+  # Labels to be added to dcgm-exporter pods
+  podLabels: {}
+
+  # Annotations to be added to dcgm-exporter pods
+  podAnnotations: {}
+  # Using this annotation which is required for prometheus scraping
+    # prometheus.io/scrape: "true"
+    # prometheus.io/port: "9400"
+
+  # The SecurityContext for the dcgm-exporter pods
+  podSecurityContext: {}
+    # fsGroup: 2000
+
+  # The SecurityContext for the dcgm-exporter containers
+  securityContext:
+    runAsNonRoot: false
+    runAsUser: 0
+    capabilities:
+      add: ["SYS_ADMIN"]
+    # readOnlyRootFilesystem: true
+
+  # Defines the dcgm-exporter service
+  service:
+    # When enabled, the helm chart will create service
+    enable: true
+    type: ClusterIP
+    clusterIP: ""
+    port: 9400
+    address: ":9400"
+    # Annotations to add to the service
+    annotations: {}
+
+  # Allows to control pod resources
+  resources: {}
+    # limits:
+    #   cpu: 100m
+    #   memory: 128Mi
+    # requests:
+    #   cpu: 100m
+    #   memory: 128Mi
+  serviceMonitor:
+    apiVersion: "monitoring.coreos.com/v1"
+    enabled: true
+    interval: 15s
+    honorLabels: false
+    additionalLabels: {}
+      #monitoring: prometheus
+    relabelings: []
+      # - sourceLabels: [__meta_kubernetes_pod_node_name]
+      #   separator: ;
+      #   regex: ^(.*)$
+      #   targetLabel: nodename
+      #   replacement: $1
+      #   action: replace
+
+  nodeSelector: {}
+    #node: gpu
+
+  tolerations: []
+  #- operator: Exists
+
+  affinity: {}
+    #nodeAffinity:
+    #  requiredDuringSchedulingIgnoredDuringExecution:
+    #    nodeSelectorTerms:
+    #    - matchExpressions:
+    #      - key: nvidia-gpu
+    #        operator: Exists
+
+  extraHostVolumes: []
+  #- name: host-binaries
+  #  hostPath: /opt/bin
+
+  extraConfigMapVolumes:
+    - name: exporter-metrics-volume
+      configMap:
+        name: exporter-metrics-config-map
+        items:
+        - key: metrics
+          path: default-counters.csv
+
+  extraVolumeMounts:
+    - name: exporter-metrics-volume
+      mountPath: /etc/dcgm-exporter/default-counters.csv
+      subPath: default-counters.csv
+
+  extraEnv: []
+  #- name: EXTRA_VAR
+  #  value: "TheStringValue"
+
+  # Path to the kubelet socket for /pod-resources
+  kubeletPath: "/var/lib/kubelet/pod-resources"
+
+  # HTTPS configuration
+  tlsServerConfig:
+    # Enable or disable HTTPS configuration
+    enabled: false
+    # Use autogenerated self-signed TLS certificates. Not recommended for production environments.
+    autoGenerated: true
+    # Existing secret containing your own server key and certificate
+    existingSecret: ""
+    # Certificate file name
+    certFilename: "tls.crt"
+    # Key file name
+    keyFilename: "tls.key"
+    # CA certificate file name
+    caFilename: "ca.crt"
+    # Server policy for client authentication. Maps to ClientAuth Policies.
+    # For more detail on clientAuth options:
+    # https://golang.org/pkg/crypto/tls/#ClientAuthType
+    #
+    # NOTE: If you want to enable client authentication, you need to use
+    # RequireAndVerifyClientCert. Other values are insecure.
+    clientAuthType: ""
+    # TLS Key for HTTPS - ignored if existingSecret is provided
+    key: ""
+    # TLS Certificate for HTTPS - ignored if existingSecret is provided
+    cert: ""
+    # CA Certificate for HTTPS - ignored if existingSecret is provided
+    ca: ""
+
+  basicAuth:
+    #Object containing <user>:<passwords> key-value pairs for each user that will have access via basic authentication
+    users: {}
+
+  # Customized list of metrics to emit. Expected to be in the same format (CSV) as the default list.
+  # Must be the complete list and is not additive. If unset, the default list will take effect.
+  # customMetrics: |
+    # Format
+    # If line starts with a '#' it is considered a comment
+    # DCGM FIELD, Prometheus metric type, help message
+
+webui:
+  replicaCount: 1
+
+  vendorNodeSelectors:
+    NVIDIA: gpu.bytetrade.io/cuda-supported=true
+    Ascend: ascend=on
+    DCU: dcu=on
+    MLU: mlu=on
+
+  image:
+    frontend:
+      repository: projecthami/hami-webui-fe-oss
+      pullPolicy: IfNotPresent
+      # Overrides the image tag whose default is the chart appVersion.
+      tag: "v1.0.5"
+    backend:
+      repository: projecthami/hami-webui-be-oss
+      pullPolicy: IfNotPresent
+      tag: "v1.0.5"
+
+  imagePullSecrets: []
+  nameOverride: "webui"
+  fullnameOverride: ""
+  namespaceOverride: ""
+
+  serviceAccount:
+    # Specifies whether a service account should be created
+    create: true
+    # Annotations to add to the service account
+    annotations: {}
+    # The name of the service account to use.
+    # If not set and create is true, a name is generated using the fullname template
+    name: ""
+
+  podAnnotations: {}
+
+  podSecurityContext: {}
+  # fsGroup: 2000
+
+  securityContext: {}
+    # capabilities:
+    #   drop:
+    #   - ALL
+    # readOnlyRootFilesystem: true
+    # runAsNonRoot: true
+  # runAsUser: 1000
+
+  service:
+    type: ClusterIP
+    port: 3000
+
+  ingress:
+    enabled: false
+    className: ""
+    annotations: {}
+      # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+    hosts:
+      - host: chart-example.local
+        paths:
+          - path: /
+            pathType: ImplementationSpecific
+    tls: []
+    #  - secretName: chart-example-tls
+    #    hosts:
+    #      - chart-example.local
+
+  resources:
+    frontend:
+      limits:
+        cpu: 200m
+        memory: 500Mi
+      requests:
+        cpu: 200m
+        memory: 500Mi
+    backend:
+      limits:
+        cpu: 50m
+        memory: 250Mi
+      requests:
+        cpu: 50m
+        memory: 250Mi
+      # We usually recommend not to specify default resources and to leave this as a conscious
+      # choice for the user. This also increases chances charts run on environments with little
+      # resources, such as Minikube. If you do want to specify resources, uncomment the following
+      # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+      # limits:
+      #   cpu: 100m
+      #   memory: 128Mi
+      # requests:
+      #   cpu: 100m
+      #   memory: 128Mi
+
+  env:
+    frontend:
+      - name: TZ
+        value: "Asia/Shanghai"
+    backend:
+      - name: TZ
+        value: "Asia/Shanghai"
+
+  serviceMonitor:
+    enabled: true
+    interval: 15s
+    honorLabels: false
+    additionalLabels:
+      jobRelease: hami-webui-prometheus
+    relabelings: []
+
+  hamiServiceMonitor:
+    enabled: true
+    interval: 15s
+    honorLabels: false
+    additionalLabels:
+      jobRelease: hami-webui-prometheus
+    svcNamespace: kube-system
+    relabelings: []
+
+  nodeSelector: {}
+
+  tolerations: []
+
+  affinity: {}
+
+  externalPrometheus:
+    address: "http://prometheus-k8s.kubesphere-monitoring-system:9090"
+    enabled: true

frameworks/GPU/config/gpu/values.yaml

@@ -1,4 +0,0 @@
-
-
-gpu:
-  server: 'host:30123'

frameworks/app-service/config/cluster/crds/app.bytetrade.io_applications.yaml

@@ -54,7 +54,7 @@ spec:
             properties:
               appid:
                 description: the unique id of the application for sys application
-                  appid equal name otherwise appid equal md5(name)[:8]  
+                  appid equal name otherwise appid equal md5(name)[:8]
                 type: string
               deployment:
                 description: the deployment of the application
@@ -116,6 +116,8 @@ spec:
               ports:
                 items:
                   properties:
+                    addToTailscaleAcl:
+                      type: boolean
                     exposePort:
                       format: int32
                       type: integer
@@ -128,7 +130,7 @@ spec:
                       type: integer
                     protocol:
                       description: The protocol for this entrance. Supports "tcp"
-                        and "udp". Default is tcp.
+                        and "udp","". Default is tcp/udp, "" mean tcp and udp.
                       type: string
                   required:
                   - host
@@ -141,6 +143,53 @@ spec:
                   type: string
                 description: the extend settings of the application
                 type: object
+              tailscale:
+                properties:
+                  acls:
+                    items:
+                      properties:
+                        action:
+                          type: string
+                        dst:
+                          items:
+                            type: string
+                          type: array
+                        proto:
+                          type: string
+                        src:
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - dst
+                      - proto
+                      type: object
+                    type: array
+                  subRoutes:
+                    items:
+                      type: string
+                    type: array
+                type: object
+              tailscaleAcls:
+                items:
+                  properties:
+                    action:
+                      type: string
+                    dst:
+                      items:
+                        type: string
+                      type: array
+                    proto:
+                      type: string
+                    src:
+                      items:
+                        type: string
+                      type: array
+                  required:
+                  - dst
+                  - proto
+                  type: object
+                type: array
             required:
             - appid
             - isSysApp