diff --git a/apps/common/config.py b/apps/common/config.py index 8f487357a493e09843a41abba84a7647a253765e..12da81e2a7c53fafcc2230dc62ab7c8020f8a591 100644 --- a/apps/common/config.py +++ b/apps/common/config.py @@ -37,8 +37,10 @@ class ConfigModel(BaseModel): SESSION_TTL: int = Field(description="用户需要刷新Token的间隔(min)", default=30) # Logging LOG: str = Field(description="日志记录模式") - # Vectorize - VECTORIZE_HOST: str = Field(description="Vectorize服务域名") + # Embedding + EMBEDDING_URL: str = Field(description="Embedding模型地址") + EMBEDDING_KEY: str = Field(description="Embedding模型API Key") + EMBEDDING_MODEL: str = Field(description="Embedding模型名称") # RAG RAG_HOST: str = Field(description="RAG服务域名") # FastAPI diff --git a/apps/scheduler/vector.py b/apps/scheduler/vector.py index f789a3d9e41a30c01f01a8ee92d9d6755135af98..5cf2c7460bd6ed649c460c07d79bbd5f4a75c19d 100644 --- a/apps/scheduler/vector.py +++ b/apps/scheduler/vector.py @@ -27,15 +27,26 @@ def _get_embedding(text: list[str]) -> list[np.ndarray]: :param text: 待向量化文本(多条文本组成List) :return: 文本对应的向量(顺序与text一致,也为List) """ - api = config["VECTORIZE_HOST"].rstrip("/") + "/embedding" + api = config["EMBEDDING_URL"].rstrip("/") + "/embedding" + + headers = { + "Authorization": f"Bearer {config['EMBEDDING_KEY']}", + } + data = { + "encoding_format": "float", + "input": text, + "model": config["EMBEDDING_MODEL"], + } + response = requests.post( api, - json={"texts": text}, + json=data, + headers=headers, verify=False, # noqa: S501 timeout=30, ) - return [np.array(vec) for vec in response.json()] + return [np.array(item["embedding"]) for item in response.json()["data"]] # 模块内部类,不应在模块外部使用 diff --git a/deploy/chart/authhub/configs/backend/aops-config.yml b/deploy/chart/authhub/configs/backend/aops-config.yml index b43960d2124da1b2082b46403d7fe86ffa785d58..8ea4d5972ea12674dce69f675cb44422577fa570 100644 --- a/deploy/chart/authhub/configs/backend/aops-config.yml +++ b/deploy/chart/authhub/configs/backend/aops-config.yml 
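Review bot: `EMBEDDING_KEY` is declared as a plain `str`, so the API key is reproduced verbatim in `ConfigModel`'s `repr`/dump output and in any log line or traceback that prints the config object. The model appears to be pydantic (`BaseModel`, `Field`), in which case `EMBEDDING_KEY: SecretStr = Field(description="Embedding模型API Key")` masks it in those paths and the one place that needs the raw value (the `Authorization` header in `_get_embedding`) calls `.get_secret_value()` — confirm how `config[...]` is materialised from the model before switching, since a dumped dict would then carry a `SecretStr` rather than a string. `ConfigModel` begins and ends outside this hunk.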
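Review bot: The new `Authorization: Bearer …` header is sent through a `requests.post` that still passes `verify=False`, so the embedding API key now travels over a connection whose server certificate is never checked and can be captured by anyone able to interpose on the route to `EMBEDDING_URL`. Before this change the call carried no credential, which made the `# noqa: S501` a tolerable shortcut; with a bearer token it should be `verify=True` (or a CA bundle path from config) unless the endpoint is genuinely loopback. Separately, `response.json()["data"]` is parsed without `response.raise_for_status()`, so a 401/403 from a wrong key typically surfaces as a `KeyError` or JSON decode error rather than an HTTP error — adding `response.raise_for_status()` before the return gives a clear failure. `_get_embedding`'s signature and docstring start before the hunk.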
@@ -1,19 +1,19 @@ infrastructure: mysql: - host: mysql-db-{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local + host: mysql-db.{{ .Release.Namespace }}.svc.cluster.local port: 3306 username: authhub pool_size: 100 pool_recycle: 7200 database: oauth2 - password: {{ .Values.authhub.mysql.password }} + password: ${mysql-password} redis: - host: redis-db-{{ .Values.globals.databases.app_name }}.{{ .Values.globals.databases.app_namespace }}.svc.cluster.local + host: redis-db.{{ .Release.Namespace }}.svc.cluster.local port: 6379 - password: {{ .Values.globals.databases.redis }} + password: ${redis-password} include: "/etc/aops/conf.d" -domain: {{ .Values.globals.domain }} +domain: {{ .Values.domain.authhub }} services: log: diff --git a/deploy/chart/authhub/configs/backend/copy-config.yml b/deploy/chart/authhub/configs/backend/copy-config.yml new file mode 100644 index 0000000000000000000000000000000000000000..5df98a45a86ed97c5235d59c20f55712972f4372 --- /dev/null +++ b/deploy/chart/authhub/configs/backend/copy-config.yml @@ -0,0 +1,7 @@ +copy: + - from: /config + to: /config-rw + mode: + uid: 1000 + gid: 1000 + mode: "0o750" \ No newline at end of file diff --git a/deploy/chart/authhub/configs/web/authhub.nginx.conf b/deploy/chart/authhub/configs/web/authhub.nginx.conf deleted file mode 100644 index 692df77b507c7e26aa9d68a1f4dee52c817c866c..0000000000000000000000000000000000000000 --- a/deploy/chart/authhub/configs/web/authhub.nginx.conf +++ /dev/null 
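Review bot: `password: ${mysql-password}` and `password: ${redis-password}` are substituted into this YAML unquoted, so whatever the secret file contains — a trailing newline from a secret created with `--from-file`, or characters such as `#`, `:` or a leading `*` — is spliced straight into the document and can change how it parses. Writing them as `password: "${mysql-password}"` / `password: "${redis-password}"` leaves an alphanumeric value unaffected and makes most other values safe (a `"` or `\` would still need escaping by the injector, which currently does a plain `str.replace`). The MySQL and Redis hosts also now hard-code `.Release.Namespace`, dropping the previous `globals.databases.app_namespace` knob, so the databases release presumably has to live in the same namespace — worth stating in values.yaml.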
@@ -1,35 +0,0 @@ -server { - listen 8000; - server_name localhost; - - # gzip config - gzip on; - gzip_min_length 1k; - gzip_comp_level 6; - gzip_types text/plain text/css text/javascript application/json application/javascript application/x-javascript application/xml; - gzip_vary on; - gzip_disable "MSIE [1-6]\."; - - location / { - proxy_set_header X-Real-IP $remote_addr; - root /opt/authhub/web/dist; - index index.html; - try_files $uri $uri/ /index.html; - } - - location /authhub { - add_header Access-Control-Allow-Origin *; - add_header Access-Control-Allow-Methods 'GET, POST, DELETE, PUT, OPTIONS'; - alias /opt/authhub/web/dist; - index index.html; - try_files $uri $uri/ /index.html last; - } - - location /oauth2 { - proxy_pass http://authhub-backend-service-{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local:11120; - proxy_set_header Host $host; - proxy_set_header X-Real-URL $request_uri; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Request-Header $http_request_header; - } -} diff --git a/deploy/chart/authhub/templates/backend/authhub-backend-secret.yaml b/deploy/chart/authhub/templates/backend/authhub-backend-config.yaml similarity index 66% rename from deploy/chart/authhub/templates/backend/authhub-backend-secret.yaml rename to deploy/chart/authhub/templates/backend/authhub-backend-config.yaml index def2b8a0d53f5a526eba738e90e620080a520399..bb91d55a647c5b4878cc4f17d5f51e0e8ad86142 100644 --- a/deploy/chart/authhub/templates/backend/authhub-backend-secret.yaml +++ b/deploy/chart/authhub/templates/backend/authhub-backend-config.yaml 
@@ -1,13 +1,14 @@ {{- if .Values.authhub.backend.enabled }} apiVersion: v1 -kind: Secret +kind: ConfigMap metadata: - name: authhub-backend-secret-{{ .Release.Name }} + name: authhub-backend-config namespace: {{ .Release.Namespace }} -type: Opaque -stringData: +data: aops-config.yml: |- {{ tpl (.Files.Get "configs/backend/aops-config.yml") . | indent 4 }} authhub.yml: |- {{ tpl (.Files.Get "configs/backend/authhub.yml") . | indent 4 }} + copy-config.yml: |- +{{ tpl (.Files.Get "configs/backend/copy-config.yml") . | indent 4 }} {{- end }} diff --git a/deploy/chart/authhub/templates/backend/authhub-backend-deployment.yaml b/deploy/chart/authhub/templates/backend/authhub-backend-deployment.yaml deleted file mode 100644 index 99d6517548009377e257d00c4d4f12d7b5084779..0000000000000000000000000000000000000000 --- a/deploy/chart/authhub/templates/backend/authhub-backend-deployment.yaml +++ /dev/null 
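Review bot: `authhub.yml` moves from a Secret to a ConfigMap alongside `aops-config.yml`, but its contents are not in this diff; if it carries anything sensitive (a client secret, signing key or admin credential) it is now readable by anyone with `get configmaps` in the namespace, whereas Secrets can be RBAC-scoped separately. Worth confirming against `configs/backend/authhub.yml`, or routing such values through the same `${name}` placeholder mechanism `aops-config.yml` now uses. The object name also drops the `-{{ .Release.Name }}` suffix, so two releases of this chart in one namespace would now contend for `authhub-backend-config`; acceptable if one-release-per-namespace is the intended model, but it is a silent behaviour change worth a line in the chart README.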
@@ -1,51 +0,0 @@ -{{- if .Values.authhub.backend.enabled }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: authhub-backend-deploy-{{ .Release.Name }} - namespace: {{ .Release.Namespace }} - labels: - app: authhub-backend-{{ .Release.Name }} -spec: - replicas: {{ .Values.globals.replicaCount }} - selector: - matchLabels: - app: authhub-backend-{{ .Release.Name }} - template: - metadata: - annotations: - checksum/secret: {{ include (print $.Template.BasePath "/backend/authhub-backend-secret.yaml") . | sha256sum }} - labels: - app: authhub-backend-{{ .Release.Name }} - spec: - automountServiceAccountToken: false - containers: - - name: authhub-backend - image: "{{if ne ( .Values.authhub.backend.image.registry | toString ) ""}}{{ .Values.authhub.backend.image.registry }}{{ else }}{{ .Values.globals.imageRegistry }}{{ end }}/{{ .Values.authhub.backend.image.name }}:{{ .Values.authhub.backend.image.tag | toString }}" - imagePullPolicy: {{ if ne ( .Values.authhub.backend.image.imagePullPolicy | toString ) "" }}{{ .Values.authhub.backend.image.imagePullPolicy }}{{ else }}{{ .Values.globals.imagePullPolicy }}{{ end }} - ports: - - containerPort: 11120 - protocol: TCP - volumeMounts: - - name: authhub-secret-volume - mountPath: /etc/aops - livenessProbe: - httpGet: - path: /oauth2/applications - port: 11120 - scheme: HTTP - failureThreshold: 5 - initialDelaySeconds: 60 - periodSeconds: 90 - securityContext: - readOnlyRootFilesystem: {{ .Values.authhub.backend.readOnly }} - volumes: - - name: authhub-secret-volume - secret: - secretName: authhub-backend-secret-{{ .Release.Name }} - items: - - key: aops-config.yml - path: aops-config.yml - - key: authhub.yml - path: conf.d/authhub.yml -{{- end }} \ No newline at end of file 
diff --git a/deploy/chart/authhub/templates/backend/authhub-backend-service.yaml b/deploy/chart/authhub/templates/backend/authhub-backend-service.yaml deleted file mode 100644 index 469c385e27334ad204da599de49f3a8ca9cdb6fe..0000000000000000000000000000000000000000 --- a/deploy/chart/authhub/templates/backend/authhub-backend-service.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{- if .Values.authhub.backend.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: authhub-backend-service-{{ .Release.Name }} - namespace: {{ .Release.Namespace }} -spec: - type: {{ .Values.authhub.backend.service.type }} - selector: - app: authhub-backend-{{ .Release.Name }} - ports: - - port: 11120 - targetPort: 11120 - {{- if (and (eq .Values.authhub.backend.service.type "NodePort") .Values.authhub.backend.service.nodePort) }} - nodePort: {{ .Values.authhub.backend.service.nodePort }} - {{- end }} -{{- end }} \ No newline at end of file diff --git a/deploy/chart/authhub/templates/backend/authhub-backend.yaml b/deploy/chart/authhub/templates/backend/authhub-backend.yaml new file mode 100644 index 0000000000000000000000000000000000000000..83a475ccefa9ae8769f040082f3fc5f9fba5b945 --- /dev/null +++ b/deploy/chart/authhub/templates/backend/authhub-backend.yaml 
@@ -0,0 +1,91 @@ +{{- if .Values.authhub.backend.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: authhub-backend-service + namespace: {{ .Release.Namespace }} +spec: + type: {{ default "ClusterIP" .Values.authhub.backend.service.type }} + selector: + app: authhub-backend + ports: + - port: 11120 + targetPort: 11120 + nodePort: {{ default nil .Values.authhub.backend.service.nodePort }} + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: authhub-backend-deploy + namespace: {{ .Release.Namespace }} + labels: + app: authhub-backend +spec: + replicas: {{ default 1 .Values.globals.replicaCount }} + selector: + matchLabels: + app: authhub-backend + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/backend/authhub-backend-config.yaml") . | sha256sum }} + labels: + app: authhub-backend + spec: + automountServiceAccountToken: false + containers: + - name: authhub-backend + image: {{ default "hub.oepkgs.net/neocopilot/authhub:0.9.3-x86" .Values.authhub.backend.image }} + imagePullPolicy: {{ default "IfNotPresent" .Values.globals.imagePullPolicy }} + ports: + - containerPort: 11120 + protocol: TCP + volumeMounts: + - name: authhub-shared + mountPath: /etc/aops + livenessProbe: + httpGet: + path: /oauth2/applications + port: 11120 + scheme: HTTP + failureThreshold: 5 + initialDelaySeconds: 60 + periodSeconds: 90 + initContainers: + - name: authhub-backend-copy-secret + image: {{ default "hub.oepkgs.net/neocopilot/secret_inject:x86" .Values.authhub.secret_inject.image }} + imagePullPolicy: {{ default "IfNotPresent" .Values.globals.imagePullPolicy }} + volumeMounts: + - mountPath: /secrets/mysql-password + name: authhub-secret-vl + subPath: mysql-password + - mountPath: /secrets/redis-password + name: euler-copilot-database-vl + subPath: redis-password + - mountPath: /config/aops-config.yml + name: authhub-config + subPath: aops-config.yml + - mountPath: /config/conf.d/authhub.yml + name: authhub-config 
+ subPath: authhub.yml + - mountPath: /config-rw + name: authhub-shared + - mountPath: /app/config.yaml + name: authhub-config + subPath: copy-config.yml + volumes: + - name: authhub-shared + emptyDir: + medium: Memory + - name: authhub-config + configMap: + name: authhub-backend-config + - name: authhub-secret-vl + secret: + secretName: authhub-secret + - name: euler-copilot-database-vl + secret: + secretName: euler-copilot-database +{{- end }} \ No newline at end of file diff --git a/deploy/chart/authhub/templates/mysql/mysql-secret.yaml b/deploy/chart/authhub/templates/mysql/mysql-config.yaml similarity index 54% rename from deploy/chart/authhub/templates/mysql/mysql-secret.yaml rename to deploy/chart/authhub/templates/mysql/mysql-config.yaml index d34cd531c676c307ac0cec73d0b8c10810300b7f..57e2dab9291d39165de4ff9ea835970f50167665 100644 --- a/deploy/chart/authhub/templates/mysql/mysql-secret.yaml +++ b/deploy/chart/authhub/templates/mysql/mysql-config.yaml @@ -1,12 +1,10 @@ {{- if .Values.authhub.mysql.enabled }} apiVersion: v1 -kind: Secret +kind: ConfigMap metadata: - name: mysql-secret-{{ .Release.Name }} + name: mysql-config namespace: {{ .Release.Namespace }} -type: Opaque -stringData: - mysql-password: {{ .Values.authhub.mysql.password }} - init.sql: | +data: + init.sql: |- {{ tpl (.Files.Get "configs/mysql/init.sql") . | indent 4 }} {{- end }} \ No newline at end of file diff --git a/deploy/chart/authhub/templates/mysql/mysql-service.yaml b/deploy/chart/authhub/templates/mysql/mysql-service.yaml deleted file mode 100644 index 5d0cfd9418461c04e55a17ae50197a5e95f6c878..0000000000000000000000000000000000000000 --- a/deploy/chart/authhub/templates/mysql/mysql-service.yaml +++ /dev/null 
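Review bot: The rewritten `authhub-backend` container has no `securityContext` at all, whereas the deleted deployment set `readOnlyRootFilesystem` from `.Values.authhub.backend.readOnly`, so this change quietly removes the only hardening knob the pod had; it also has no `resources` block while the web and MySQL pods in this same commit get requests and limits. Restoring `securityContext: {readOnlyRootFilesystem: {{ default false .Values.authhub.backend.readOnly }}}` on the container keeps the option available, and since the init container chowns the rendered config to `1000:1000` the backend presumably runs as that uid — if the image confirms it, `runAsNonRoot: true` / `runAsUser: 1000` is a cheap addition. The `authhub-shared` emptyDir with `medium: Memory` holds the rendered files containing both database passwords, which is the right place for them, but it should carry a `sizeLimit` (e.g. `sizeLimit: 16Mi`) so the tmpfs is bounded against the pod's memory budget.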
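Review bot: `init.sql` is still rendered through `tpl` but now lands in a ConfigMap, and the only value it could previously pull a password from, `.Values.authhub.mysql.password`, is deleted by this same commit. If `configs/mysql/init.sql` contains a `CREATE USER … IDENTIFIED BY` or `ALTER USER` referencing that value it will now render an empty password, and any literal credential in it becomes readable to anyone who can read ConfigMaps in the namespace; if it is schema-only DDL (the `MYSQL_PASSWORD` env path in mysql.yaml creates the application user) this is fine. Either way a one-line comment above `init.sql:` pins the contract, e.g. `# schema only — the authhub user's password comes from authhub-secret via MYSQL_PASSWORD`.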
@@ -1,17 +0,0 @@ -{{- if .Values.authhub.mysql.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: mysql-db-{{ .Release.Name }} - namespace: {{ .Release.Namespace }} -spec: - type: {{ .Values.authhub.mysql.service.type }} - selector: - app: mysql-{{ .Release.Name }} - ports: - - port: 3306 - targetPort: 3306 - {{- if (and (eq .Values.authhub.mysql.service.type "NodePort") .Values.authhub.mysql.service.nodePort) }} - nodePort: {{ .Values.authhub.mysql.service.nodePort }} - {{- end }} -{{- end }} \ No newline at end of file diff --git a/deploy/chart/authhub/templates/mysql/mysql-pvc.yaml b/deploy/chart/authhub/templates/mysql/mysql-storage.yaml similarity index 59% rename from deploy/chart/authhub/templates/mysql/mysql-pvc.yaml rename to deploy/chart/authhub/templates/mysql/mysql-storage.yaml index 462a4a898e07e21d8bf4a952eadb77fc64f4020a..8197ac3412b1958c62afb69f1c0b4cfe641ce94e 100644 --- a/deploy/chart/authhub/templates/mysql/mysql-pvc.yaml +++ b/deploy/chart/authhub/templates/mysql/mysql-storage.yaml @@ -2,14 +2,15 @@ apiVersion: v1 kind: PersistentVolumeClaim metadata: - name: mysql-pvc-{{ .Release.Name }} + name: mysql-pvc namespace: {{ .Release.Namespace }} annotations: helm.sh/resource-policy: keep spec: + storageClassName: {{ default "local-path" .Values.globals.storageClassName }} accessModes: - ReadWriteOnce resources: requests: - storage: {{ .Values.authhub.mysql.persistentVolumeSize }} + storage: {{ default "10Gi" .Values.authhub.mysql.persistentVolumeSize }} {{- end }} \ No newline at end of file diff --git a/deploy/chart/authhub/templates/mysql/mysql-deployment.yaml b/deploy/chart/authhub/templates/mysql/mysql.yaml similarity index 59% rename from deploy/chart/authhub/templates/mysql/mysql-deployment.yaml rename to deploy/chart/authhub/templates/mysql/mysql.yaml index 511290e76d996dee391cfbbae3c8ed86674bb06d..5e5db762223346d5b9343c993eaefde3acfbcc98 100644 --- a/deploy/chart/authhub/templates/mysql/mysql-deployment.yaml 
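Review bot: Renaming the claim from `mysql-pvc-{{ .Release.Name }}` to `mysql-pvc` while keeping `helm.sh/resource-policy: keep` means an upgrade of an existing release creates a fresh, empty `mysql-pvc` and the deployment in mysql.yaml switches to it, so the existing database is orphaned in the old claim rather than carried over. That deserves a line in the chart's upgrade notes or `NOTES.txt`, e.g. `# upgrading from a release-suffixed mysql-pvc: copy /var/lib/mysql from the old claim before first start`. `storageClassName` defaulting to `local-path` is node-bound storage, which also interacts badly with the global `replicas` used in mysql.yaml.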
+++ b/deploy/chart/authhub/templates/mysql/mysql.yaml @@ -1,28 +1,44 @@ {{- if .Values.authhub.mysql.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: mysql-db + namespace: {{ .Release.Namespace }} +spec: + type: {{ default "ClusterIP" .Values.authhub.mysql.service.type }} + selector: + app: mysql + ports: + - port: 3306 + targetPort: 3306 + nodePort: {{ default nil .Values.authhub.mysql.service.nodePort }} + +--- apiVersion: apps/v1 kind: Deployment metadata: - name: mysql-deploy-{{ .Release.Name }} + name: mysql-deploy namespace: {{ .Release.Namespace }} labels: - app: mysql-{{ .Release.Name }} + app: mysql spec: - replicas: {{ .Values.globals.replicaCount }} + replicas: {{ default 1 .Values.globals.replicaCount }} selector: matchLabels: - app: mysql-{{ .Release.Name }} + app: mysql template: metadata: annotations: - checksum/secret: {{ include (print $.Template.BasePath "/mysql/mysql-secret.yaml") . | sha256sum }} + checksum/config: {{ include (print $.Template.BasePath "/mysql/mysql-config.yaml") . | sha256sum }} labels: - app: mysql-{{ .Release.Name }} + app: mysql spec: automountServiceAccountToken: false containers: - name: mysql - image: "{{ if ne (.Values.authhub.mysql.image.registry | toString ) "" }}{{ .Values.authhub.mysql.image.registry }}{{ else }}{{ .Values.globals.imageRegistry }}{{ end }}/{{ .Values.authhub.mysql.image.name }}:{{ .Values.authhub.mysql.image.tag | toString }}" - imagePullPolicy: {{ if ne (.Values.authhub.mysql.image.imagePullPolicy | toString) "" }}{{ .Values.authhub.mysql.image.imagePullPolicy }}{{ else }}{{ .Values.globals.imagePullPolicy }}{{ end }} + image: {{ default "hub.oepkgs.net/neocopilot/mysql:8-x86" .Values.authhub.mysql.image }} + imagePullPolicy: {{ default "IfNotPresent" .Values.globals.imagePullPolicy }} args: - "--character-set-server=utf8mb4" - "--collation-server=utf8mb4_unicode_ci" 
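Review bot: `replicas: {{ default 1 .Values.globals.replicaCount }}` applies the global replica count to a MySQL `Deployment` backed by a single `ReadWriteOnce` claim (`mysql-pvc`); any value above 1 yields either extra pods stuck Pending on the volume or, on a node that can attach it twice, two `mysqld` processes on the same datadir. MySQL should ignore the global and use `replicas: 1` here, with a comment explaining why. `nodePort: {{ default nil .Values.authhub.mysql.service.nodePort }}` appears to render as an empty `nodePort:` for the ClusterIP default, which current API servers tolerate but which reads as a mistake — wrapping it in `{{- if .Values.authhub.mysql.service.nodePort }}` as the deleted template did is clearer.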
@@ -48,7 +64,7 @@ spec: - name: MYSQL_PASSWORD valueFrom: secretKeyRef: - name: mysql-secret-{{ .Release.Name }} + name: authhub-secret key: mysql-password volumeMounts: - mountPath: /var/lib/mysql @@ -57,13 +73,17 @@ spec: name: mysql-init subPath: init.sql resources: - {{- toYaml .Values.authhub.mysql.resources | nindent 12 }} + requests: + cpu: 0.1 + memory: 256Mi + limits: + {{- toYaml .Values.authhub.mysql.resourceLimits | nindent 14 }} restartPolicy: Always volumes: - name: mysql-data persistentVolumeClaim: - claimName: mysql-pvc-{{ .Release.Name }} + claimName: mysql-pvc - name: mysql-init - secret: - secretName: mysql-secret-{{ .Release.Name }} + configMap: + name: mysql-config {{- end }} diff --git a/deploy/chart/authhub/templates/web/authhub-web-secret.yaml b/deploy/chart/authhub/templates/secrets.yaml similarity index 33% rename from deploy/chart/authhub/templates/web/authhub-web-secret.yaml rename to deploy/chart/authhub/templates/secrets.yaml index b2447d5b0ddc4542e402e065486cb1449355f5a2..aca33aa25d9e71880e17dbb4fc0503acafa08708 100644 --- a/deploy/chart/authhub/templates/web/authhub-web-secret.yaml +++ b/deploy/chart/authhub/templates/secrets.yaml @@ -1,11 +1,13 @@ -{{- if .Values.authhub.web.enabled }} +{{- $authhubSecret := (lookup "v1" "Secret" .Release.Namespace "authhub-secret") }} +{{- if not $authhubSecret}} apiVersion: v1 kind: Secret metadata: - name: authhub-web-secret-{{ .Release.Name }} + name: authhub-secret namespace: {{ .Release.Namespace }} + annotations: + helm.sh/resource-policy: keep type: Opaque stringData: - authhub.nginx.conf: |- -{{ tpl (.Files.Get "configs/web/authhub.nginx.conf") . | indent 4 }} + mysql-password: {{ randAlphaNum 20 }} {{- end }} \ No newline at end of file diff --git a/deploy/chart/authhub/templates/web/authhub-web-config.yaml b/deploy/chart/authhub/templates/web/authhub-web-config.yaml new file mode 100644 index 0000000000000000000000000000000000000000..0d1cdf153dc3cbe41f98b4d22059676b59b18ad2 --- /dev/null 
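Review bot: The `lookup`-guarded `randAlphaNum 20` password only stays stable when Helm can query the cluster; `helm template`, `--dry-run` and GitOps flows that render offline (Argo CD renders with `helm template`) see no existing Secret and mint a new password on every render, while the MySQL datadir in the kept PVC still holds the old one, so the backend starts failing authentication after the first re-sync. A comment above the `lookup` line stating that constraint, e.g. `# requires live-cluster rendering (helm install/upgrade); offline renders regenerate the password`, plus an override such as `mysql-password: {{ default (randAlphaNum 20) .Values.authhub.mysql.password }}`, covers both paths. This file supplies only `mysql-password`; `redis-password` is read from the `euler-copilot-database` Secret that this chart does not create, so an absent databases release fails at init-container mount time — worth documenting in values.yaml.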
+++ b/deploy/chart/authhub/templates/web/authhub-web-config.yaml @@ -0,0 +1,44 @@ +{{- if .Values.authhub.web.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: authhub-web-config + namespace: {{ .Release.Namespace }} +data: + authhub.nginx.conf: |- + server { + listen 8000; + server_name localhost; + + # gzip config + gzip on; + gzip_min_length 1k; + gzip_comp_level 6; + gzip_types text/plain text/css text/javascript application/json application/javascript application/x-javascript application/xml; + gzip_vary on; + gzip_disable "MSIE [1-6]\."; + + location / { + proxy_set_header X-Real-IP $remote_addr; + root /opt/authhub/web/dist; + index index.html; + try_files $uri $uri/ /index.html; + } + + location /authhub { + add_header Access-Control-Allow-Origin *; + add_header Access-Control-Allow-Methods 'GET, POST, DELETE, PUT, OPTIONS'; + alias /opt/authhub/web/dist; + index index.html; + try_files $uri $uri/ /index.html last; + } + + location /oauth2 { + proxy_pass http://authhub-backend-service.{{ .Release.Namespace }}.svc.cluster.local:11120; + proxy_set_header Host $host; + proxy_set_header X-Real-URL $request_uri; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Request-Header $http_request_header; + } + } +{{- end }} \ No newline at end of file diff --git a/deploy/chart/authhub/templates/web/authhub-web-deployment.yaml b/deploy/chart/authhub/templates/web/authhub-web-deployment.yaml deleted file mode 100644 index 220249235d691c7401e7dfa35774f92f9f7a0e62..0000000000000000000000000000000000000000 --- a/deploy/chart/authhub/templates/web/authhub-web-deployment.yaml +++ /dev/null 
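Review bot: `try_files $uri $uri/ /index.html last;` in the `/authhub` location uses `last`, which is a `rewrite` flag rather than a `try_files` argument; as written `/index.html` is checked as a file and the actual fallback is an internal redirect to the literal URI `last`, which only goes unnoticed because the file normally exists. `try_files $uri $uri/ /index.html;` (as in `location /`) is the intended form, and `alias` combined with `try_files` is an awkward pairing worth a comment. The `/oauth2` proxy now targets `authhub-backend-service.{{ .Release.Namespace }}` over plain HTTP, which is usual in-cluster but means OAuth2 tokens are cleartext on the pod network — fine if the cluster relies on network policy or a mesh, otherwise say so next to the `proxy_pass`.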
@@ -1,51 +0,0 @@ -{{- if .Values.authhub.web.enabled }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: authhub-web-deploy-{{ .Release.Name }} - namespace: {{ .Release.Namespace }} - labels: - app: authhub-web-{{ .Release.Name }} -spec: - replicas: {{ .Values.globals.replicaCount }} - selector: - matchLabels: - app: authhub-web-{{ .Release.Name }} - template: - metadata: - annotations: - checksum/secret: {{ include (print $.Template.BasePath "/web/authhub-web-secret.yaml") . | sha256sum }} - labels: - app: authhub-web-{{ .Release.Name }} - spec: - automountServiceAccountToken: false - containers: - - name: authhub-web - image: "{{if ne ( .Values.authhub.web.image.registry | toString ) ""}}{{ .Values.authhub.web.image.registry }}{{ else }}{{ .Values.globals.imageRegistry }}{{ end }}/{{ .Values.authhub.web.image.name }}:{{ .Values.authhub.web.image.tag | toString }}" - imagePullPolicy: {{ if ne ( .Values.authhub.web.image.imagePullPolicy | toString ) "" }}{{ .Values.authhub.web.image.imagePullPolicy }}{{ else }}{{ .Values.globals.imagePullPolicy }}{{ end }} - ports: - - containerPort: 8000 - protocol: TCP - livenessProbe: - httpGet: - path: / - port: 8000 - scheme: HTTP - failureThreshold: 5 - initialDelaySeconds: 60 - periodSeconds: 90 - volumeMounts: - - name: authhub-web-secret-volume - mountPath: /etc/nginx/conf.d - securityContext: - readOnlyRootFilesystem: {{ .Values.authhub.web.readOnly }} - resources: - {{- toYaml .Values.authhub.web.resources | nindent 12 }} - volumes: - - name: authhub-web-secret-volume - secret: - secretName: authhub-web-secret-{{ .Release.Name }} - items: - - key: authhub.nginx.conf - path: authhub.nginx.conf -{{- end }} diff --git a/deploy/chart/authhub/templates/web/authhub-web-ingress.yaml b/deploy/chart/authhub/templates/web/authhub-web-ingress.yaml deleted file mode 100644 index 4d08eb0f0d59697107f3ecc1c48e18aa48d16b57..0000000000000000000000000000000000000000 
--- a/deploy/chart/authhub/templates/web/authhub-web-ingress.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if .Values.authhub.web.ingress.enabled }} -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: authhub-web-ingress-{{ .Release.Name }} - namespace: {{ .Release.Namespace }} -spec: - rules: - - host: {{ .Values.globals.domain }} - http: - paths: - - path: {{ .Values.authhub.web.ingress.prefix }} - pathType: Prefix - backend: - service: - name: authhub-web-service-{{ .Release.Name }} - port: - number: 8000 -{{- end }} \ No newline at end of file diff --git a/deploy/chart/authhub/templates/web/authhub-web-service.yaml b/deploy/chart/authhub/templates/web/authhub-web-service.yaml deleted file mode 100644 index 774f2017a3478c5ebf6bcd0935754837b20da242..0000000000000000000000000000000000000000 --- a/deploy/chart/authhub/templates/web/authhub-web-service.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{- if .Values.authhub.web.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: authhub-web-service-{{ .Release.Name }} - namespace: {{ .Release.Namespace }} -spec: - type: {{ .Values.authhub.web.service.type }} - selector: - app: authhub-web-{{ .Release.Name }} - ports: - - port: 8000 - targetPort: 8000 - {{- if (and (eq .Values.authhub.web.service.type "NodePort") .Values.authhub.web.service.nodePort) }} - nodePort: {{ .Values.authhub.web.service.nodePort }} - {{- end }} -{{- end }} \ No newline at end of file diff --git a/deploy/chart/authhub/templates/web/authhub-web.yaml b/deploy/chart/authhub/templates/web/authhub-web.yaml new file mode 100644 index 0000000000000000000000000000000000000000..86528dd93298848a2242939f1e27fc3bd9089ec5 --- /dev/null +++ b/deploy/chart/authhub/templates/web/authhub-web.yaml 
@@ -0,0 +1,86 @@ +{{- if .Values.authhub.web.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: authhub-web-service + namespace: {{ .Release.Namespace }} +spec: + type: {{ default "ClusterIP" .Values.authhub.web.service.type }} + selector: + app: authhub-web + ports: + - port: 8000 + targetPort: 8000 + nodePort: {{ default nil .Values.authhub.web.service.nodePort }} + +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: authhub-web-ingress + namespace: {{ .Release.Namespace }} +spec: + rules: + - host: {{ default "authhub.eulercopilot.local" .Values.domain.authhub }} + http: + paths: + - path: {{ default "/" .Values.authhub.web.ingress.prefix }} + pathType: Prefix + backend: + service: + name: authhub-web-service + port: + number: 8000 + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: authhub-web-deploy + namespace: {{ .Release.Namespace }} + labels: + app: authhub-web +spec: + replicas: {{ default 1 .Values.globals.replicaCount }} + selector: + matchLabels: + app: authhub-web + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/web/authhub-web-config.yaml") . | sha256sum }} + labels: + app: authhub-web + spec: + automountServiceAccountToken: false + containers: + - name: authhub-web + image: {{ default "hub.oepkgs.net/neocopilot/authhub-web:0.9.3-x86" .Values.authhub.web.image }} + imagePullPolicy: {{ default "IfNotPresent" .Values.globals.imagePullPolicy }} + ports: + - containerPort: 8000 + protocol: TCP + livenessProbe: + httpGet: + path: / + port: 8000 + scheme: HTTP + failureThreshold: 5 + initialDelaySeconds: 60 + periodSeconds: 90 + volumeMounts: + - name: web-config + mountPath: /etc/nginx/conf.d/authhub.nginx.conf + subPath: authhub.nginx.conf + resources: + requests: + cpu: 0.05 + memory: 64Mi + limits: + {{- toYaml .Values.authhub.web.resourceLimits | nindent 14 }} + volumes: + - name: web-config + configMap: + name: authhub-web-config +{{- end }} 
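Review bot: The Ingress is now emitted unconditionally (the `ingress.enabled` gate from the deleted template is gone) and, as before, has no `tls:` stanza and no `ingressClassName`, so the OAuth2 login and token endpoints behind `authhub.eulercopilot.local` are served over plain HTTP from the cluster edge unless the controller adds TLS on its own. For an identity service that is the one place transport security matters; keeping the `{{- if .Values.authhub.web.ingress.enabled }}` gate and adding an optional `tls:` block (`secretName` from values) plus `ingressClassName: {{ .Values.authhub.web.ingress.className }}` keeps the defaults working and lets a real deployment pin HTTPS. The `authhub-web` container also lost the `securityContext.readOnlyRootFilesystem` setting the old deployment exposed; nginx images normally need only their cache and pid directories writable, so it is cheap to restore with emptyDir mounts for those.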
diff --git a/deploy/chart/authhub/values.yaml b/deploy/chart/authhub/values.yaml index 15684c00996133a578e670dbd9d6a5516cc90f17..4e98e533d493198241ad79f37587acc97b2d3a12 100644 --- a/deploy/chart/authhub/values.yaml +++ b/deploy/chart/authhub/values.yaml 
@@ -1,101 +1,73 @@ # 全局设置 globals: - # [必填] 镜像仓库 - imageRegistry: "hub.oepkgs.net/neocopilot" - # [必填] 镜像拉取策略 - imagePullPolicy: IfNotPresent - # [必填] AuthHub部署域名 - # 需要修改为AuthHub域名。单机部署时,服务基于Host进行区分,无法使用IP地址 - domain: "" - # [必填] 副本数 - replicaCount: 1 - # [必填] databases chart的信息 - databases: - # [必填] helm安装时的release name - app_name: "databases" - # [必填] helm安装时的namespace - app_namespace: "euler-copilot" - # [必填] redis密码 - redis: "admin123" + # 镜像拉取策略;默认为IfNotPresent + imagePullPolicy: + # 副本数,默认为1 + replicaCount: + # 存储类名称;默认为local-path + storageClassName: + +storage: + # MySQL持久化存储大小,默认为10Gi + mysql: + +domain: + # AuthHub域名,默认为authhub.eulercopilot.local。单机部署时,服务基于Host进行区分,无法使用IP地址 + authhub: # 部署AuthHub本地鉴权服务 authhub: + # 配置文件工具 + secret_inject: + # 镜像设置;默认为hub.oepkgs.net/neocopilot/secret_inject:x86 + # 镜像标签:["x86", "arm"] + image: hub.oepkgs.net/neocopilot/secret_inject:dev + web: # [必填] 是否部署AuthHub前端服务 enabled: true - # 镜像设置 + # 镜像设置;默认为hub.oepkgs.net/neocopilot/authhub-web:0.9.3-x86 + # 镜像标签:["0.9.3-x86", "0.9.3-arm"] image: - # 镜像仓库。留空则使用全局设置。 - registry: "" - # [必填] 镜像名 - name: authhub-web - # [必填] 镜像Tag, 为0.9.3-x86或0.9.3-arm - tag: "0.9.3-x86" - # 拉取策略。留空则使用全局设置。 - imagePullPolicy: "" - # [必填] 容器根目录只读 - readOnly: false # 性能限制设置 - resources: {} + resourceLimits: {} # Service设置 service: - # [必填] Service类型,ClusterIP或NodePort - type: ClusterIP - # 当类型为nodePort时,填写主机的端口号 - nodePort: "" + # Service类型,例如NodePort + type: + # 当类型为NodePort时,填写主机的端口号 + nodePort: # Ingress设置 ingress: - # [必填] 是否启用Ingress - enabled: true - # [必填] URI前缀 - prefix: / + # Ingress前缀,默认为/ + prefix: + backend: # [必填] 是否部署AuthHub后端服务 enabled: true - # 镜像设置 + # 镜像设置;默认为hub.oepkgs.net/neocopilot/authhub:0.9.3-x86 + # 镜像标签:["0.9.3-x86", "0.9.3-arm"] image: - # 镜像仓库。留空则使用全局设置。 - registry: "" - # [必填] 镜像名 - name: authhub - # 镜像Tag,为0.9.3-x86或0.9.3-arm - tag: "0.9.3-x86" - # 拉取策略。留空则使用全局设置。 - imagePullPolicy: "" - # [必填] 容器根目录只读 - readOnly: false # 性能限制设置 - resources: {} + resourceLimits: {} # 
Service设置 service: - # [必填] Service类型,ClusterIP或NodePort - type: ClusterIP - # 当类型为nodePort时,填写主机的端口号 - nodePort: "" + # Service类型,例如NodePort + type: + # 当类型为NodePort时,填写主机的端口号 + nodePort: + mysql: # [必填] 是否启用MySQL enabled: true - # 镜像设置 + # 镜像设置;默认为hub.oepkgs.net/neocopilot/mysql:8-x86 + # 镜像标签:["8-x86", "8-arm"] image: - # 镜像仓库。留空则使用全局设置。 - registry: "" - # [必填] 镜像名 - name: mysql - # [必填] 镜像Tag,为8-x86或8-arm - tag: "8-x86" - # 拉取策略。留空则使用全局设置。 - imagePullPolicy: "" - # [必填] 容器根目录只读 - readOnly: false # 性能限制设置 - resources: {} + resourceLimits: {} # Service设置 service: - # [必填] Service类型,ClusterIP或NodePort - type: ClusterIP - # 当类型为nodePort时,填写主机的端口号 - nodePort: "" - # [必填] 密码 - password: "admin123" - # [必填] 持久化存储大小 - persistentVolumeSize: 10Gi + # Service类型,例如NodePort + type: + # 当类型为NodePort时,填写主机的端口号 + nodePort: diff --git a/deploy/chart/databases/templates/mongo/mongo.yaml b/deploy/chart/databases/templates/mongo/mongo.yaml index 46dbdd8e2c4387d3353b50013a981e969f8508d0..1d058a91596d05aa4ea7fcea437c4ff2399840b9 100644 --- a/deploy/chart/databases/templates/mongo/mongo.yaml +++ b/deploy/chart/databases/templates/mongo/mongo.yaml @@ -29,6 +29,8 @@ spec: app: mongo template: metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/mongo/mongo-config.yaml") . | sha256sum }} labels: app: mongo spec: diff --git a/deploy/chart/databases/templates/pgsql/pgsql.yaml b/deploy/chart/databases/templates/pgsql/pgsql.yaml index 3ade7ee1bc5b4ea997ed92406086d6dcd4a9826c..9d5e06c3c8ca28607f319509a2e62dca4456f902 100644 --- a/deploy/chart/databases/templates/pgsql/pgsql.yaml +++ b/deploy/chart/databases/templates/pgsql/pgsql.yaml @@ -29,6 +29,8 @@ spec: app: pgsql template: metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/pgsql/pgsql-config.yaml") . | sha256sum }} labels: app: pgsql spec: 
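Review bot: `storage.mysql` is a new values key, but the template in `mysql-storage.yaml` reads `.Values.authhub.mysql.persistentVolumeSize`, so a size set here is silently ignored and the claim always gets the `10Gi` default — one of the two needs to change (e.g. `{{ default "10Gi" .Values.storage.mysql }}` in the template, or move the key back under `authhub.mysql`). `secret_inject.image` is set to `hub.oepkgs.net/neocopilot/secret_inject:dev` although the comment beside it says the default is `:x86`; this is the init container that reads both database passwords, so a mutable `dev` tag combined with `IfNotPresent` means different nodes can run different, unreviewed builds of the secret handler — pin it to the released tag (or a digest) before merging. The `type:` comments now say "例如NodePort"; listing the accepted values as the old file did (`ClusterIP` or `NodePort`) is clearer for operators.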
diff --git a/deploy/secret_helper/Dockerfile b/deploy/secret_helper/Dockerfile new file mode 100644 index 0000000000000000000000000000000000000000..ca8421e351ae14edb2efc4adccda0dadd17bc1d1 --- /dev/null +++ b/deploy/secret_helper/Dockerfile @@ -0,0 +1,11 @@ +FROM hub.oepkgs.net/openeuler/openeuler:22.03-lts-sp4 +RUN mkdir /app && \ + mkdir /secrets +WORKDIR /app +COPY . . +RUN yum update -y && \ + yum install python3 python3-pip -y && \ + yum clean all && \ + pip3 install --no-cache-dir -r requirements.txt -i https://pypi.tuna.tsinghua.edu.cn/simple +ENV PYTHONPATH=/app +ENTRYPOINT ["python3", "./main.py"] \ No newline at end of file diff --git a/deploy/secret_helper/__init__.py b/deploy/secret_helper/__init__.py new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git a/deploy/secret_helper/config.example.yaml b/deploy/secret_helper/config.example.yaml new file mode 100644 index 0000000000000000000000000000000000000000..bde10ed50987b5355b1b19f450e4767a7f459963 --- /dev/null +++ b/deploy/secret_helper/config.example.yaml @@ -0,0 +1,14 @@ +copy: + - from: /config + to: /config-rw + mode: + uid: 1000 + gid: 1000 + mode: "0o750" + + - from: /etc/config + to: /config-rw/secret + mode: + uid: 1000 + gid: 1000 + mode: "0o750" diff --git a/deploy/secret_helper/file_copy.py b/deploy/secret_helper/file_copy.py new file mode 100644 index 0000000000000000000000000000000000000000..dd41618572a151e680bfe73dca0bb0bcfe277f35 --- /dev/null +++ b/deploy/secret_helper/file_copy.py 
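Review bot: `pip3 install -r requirements.txt -i https://pypi.tuna.tsinghua.edu.cn/simple` installs from a third-party mirror with a version pin but no hash pinning, so the init container that handles every database password is built from whatever that mirror serves for `pykube-ng==23.6.0` and its transitive dependencies; `--require-hashes` with a `pip-compile --generate-hashes` requirements file closes that, and `yum update -y` at build time likewise makes the base layer non-reproducible. There is no `USER` line, so `main.py` runs as root — currently needed for `os.chown` in `file_copy.py`, but it means a compromised helper holds root during the pod's init phase; running as uid 1000 and keeping only `CAP_CHOWN` via the chart's `securityContext.capabilities`, or skipping the chown when the target already belongs to the caller, narrows that. `COPY . .` also bakes `config.example.yaml` and any stray local `config.yaml` into the image; a `.dockerignore` or an explicit `COPY main.py file_copy.py job.py requirements.txt ./` avoids shipping a config by accident.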
@@ -0,0 +1,67 @@ +"""Copy files and directories + +Copyright (c) Huawei Technologies Co., Ltd. 2023-2024. All rights reserved. +""" +import os +from pathlib import Path +from typing import Any + + +def chown_chmod(path: Path, mode_number: int, uid: int, gid: int) -> None: + """Change ownership and permissions""" + path.chmod(mode_number) + os.chown(str(path), uid, gid) # type: ignore[] + + for file in path.rglob("*"): + os.chown(str(file), uid, gid) # type: ignore[] + file.chmod(mode_number) + + +def copy_single_file(from_path: Path, to_path: Path, secrets: dict[str, str]) -> None: + """Copy a single file""" + for file in from_path.rglob("*"): + print(f"found: {file}") + if any(p for p in file.parts if p.startswith(".")): + print(f"skipping: {file}") + continue + out_path = to_path / file.relative_to(from_path) + if file.is_file(): + print(f"copying: {file} to {out_path}") + with file.open("r", encoding="utf-8") as f: + data = f.read() + if secrets: + for key, value in secrets.items(): + data = data.replace(r"${" + key + "}", value) + with out_path.open("w", encoding="utf-8") as f: + f.write(data) + else: + out_path.mkdir(parents=True, exist_ok=True) + + +def copy(from_path_str: str, to_path_str: str, mode: dict[str, Any]) -> None: + """Copy files and directories""" + # 校验Secrets是否存在 + secrets_path = Path("/secrets") + if not secrets_path.exists(): + secrets = {} + else: + # 读取secrets + secrets = {} + for secret in secrets_path.iterdir(): + with secret.open("r") as f: + secrets[secret.name] = f.read() + + # 检查文件位置 + from_path = Path(from_path_str) + to_path = Path(to_path_str) + + # 检查文件是否存在 + if not from_path.exists(): + raise FileNotFoundError + + # 递归复制文件 + copy_single_file(from_path, to_path, secrets) + + # 设置权限 + mode_number = int(mode["mode"], 8) + chown_chmod(to_path, mode_number, mode["uid"], mode["gid"]) 
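Review bot: `copy_single_file` leaves any `${name}` placeholder with no matching file under `/secrets` untouched, and skips substitution entirely when `secrets` is empty, so a missing or mis-named secret yields a config whose MySQL password is the literal string `${mysql-password}` and the failure only surfaces later as a database authentication error. The write path should fail fast on unresolved placeholders after substitution (needs `import re` at the top of the module) and should not depend on `secrets` being non-empty. Two smaller points: `copy()` never creates `to_path`, so `out_path.open("w")` fails unless the destination is a pre-mounted volume, and `chown_chmod` applies the same `mode` to files and directories, so `0o750` leaves every config file executable — `mode & 0o666` for regular files keeps directories traversable without that.
```python
            # … unchanged: read `file` into `data` …
            for key, value in secrets.items():
                data = data.replace("${" + key + "}", value)
            # Fail fast: an unresolved placeholder would otherwise be written
            # verbatim and later used as a literal credential.
            unresolved = re.findall(r"\$\{([^}]+)\}", data)
            if unresolved:
                raise KeyError(f"unresolved secret placeholders in {file}: {unresolved}")
            with out_path.open("w", encoding="utf-8") as f:
                f.write(data)
```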
diff --git a/deploy/secret_helper/job.py b/deploy/secret_helper/job.py new file mode 100644 index 0000000000000000000000000000000000000000..928be73e11a8203053da18e7153a41a11e0f8d78 --- /dev/null +++ b/deploy/secret_helper/job.py @@ -0,0 +1,9 @@ +"""Recreate failed pods + +Copyright (c) Huawei Technologies Co., Ltd. 2023-2024. All rights reserved. +""" +import pykube + + +def job() -> None: + pass diff --git a/deploy/secret_helper/main.py b/deploy/secret_helper/main.py new file mode 100644 index 0000000000000000000000000000000000000000..be90de10d7da50bad617be57a12124e339923909 --- /dev/null +++ b/deploy/secret_helper/main.py @@ -0,0 +1,22 @@ +"""Secret Injector + +Copyright (c) Huawei Technologies Co., Ltd. 2023-2024. All rights reserved. +""" +from pathlib import Path + +import yaml + +from file_copy import copy +from job import job + +if __name__ == "__main__": + config = Path("config.yaml") + if not config.exists(): + job() + + else: + with config.open("r") as f: + config = yaml.safe_load(f) + + for copy_config in config["copy"]: + copy(copy_config["from"], copy_config["to"], copy_config["mode"]) diff --git a/deploy/secret_helper/requirements.txt b/deploy/secret_helper/requirements.txt new file mode 100644 index 0000000000000000000000000000000000000000..425af8d854393b2d612aca31795f36a38dd235dc --- /dev/null +++ b/deploy/secret_helper/requirements.txt @@ -0,0 +1 @@ +pykube-ng==23.6.0 \ No newline at end of file
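Review bot: When `config.yaml` is absent, `main.py` calls `job()`, which is an empty stub in `job.py`, so an init container whose `/app/config.yaml` subPath mount failed exits 0 having copied nothing and the backend then starts against an empty `/etc/aops`; until `job()` does real work (presumably a separate run mode, per its "Recreate failed pods" docstring), the no-config branch should raise or `sys.exit(1)` with a message rather than succeed silently. `config = yaml.safe_load(f)` rebinds the `Path` named `config` to a dict and then indexes `config["copy"]` unchecked, so a malformed file produces a bare `KeyError`/`TypeError` — `copy_list = cfg.get("copy") or []` with an explicit error when empty reads better and fails clearer. `yaml` is imported here but `requirements.txt` pins only `pykube-ng`, so PyYAML arrives only as a transitive dependency — worth listing explicitly so the hash-pinned install stays complete.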