From 71b6339308e52a144289e3e2862b44f9a64c1812 Mon Sep 17 00:00:00 2001 From: cuisongliu Date: Tue, 19 May 2026 23:30:56 +0800 Subject: [PATCH 1/7] feat(v1): add initial Devbox v1 Sealos deployment files and configuration --- .github/scripts/install-sealos.sh | 34 + .github/workflows/images.yml | 108 + .github/workflows/release.yml | 117 + v1/cri-shim/patch/Dockerfile | 23 + .../patch/devbox-v1/devbox-worker-remove.sh | 9 + .../patch/devbox-v1/devbox-worker-start.sh | 60 + .../patch/devbox-v1/devbox-worker-stop.sh | 20 + .../patch/devbox-v1/etc/10-kubeadm.conf | 14 + .../patch/devbox-v1/etc/12-cri-shim.conf | 3 + v1/deploy/Kubefile | 8 + v1/deploy/Makefile | 24 + v1/deploy/README.md | 28 + v1/deploy/charts/devbox-v1/Chart.yaml | 6 + v1/deploy/charts/devbox-v1/crds/.gitkeep | 1 + .../crds/devbox.sealos.io_devboxes.yaml | 3561 +++++++++++++++++ .../crds/devbox.sealos.io_devboxreleases.yaml | 78 + .../charts/devbox-v1/devbox-v1-values.yaml | 84 + .../charts/devbox-v1/templates/_helpers.tpl | 19 + v1/deploy/charts/devbox-v1/templates/app.yaml | 20 + .../devbox-v1/templates/controller-rbac.yaml | 336 ++ .../devbox-v1/templates/controller.yaml | 92 + .../devbox-v1/templates/extra-manifests.yaml | 4 + .../charts/devbox-v1/templates/frontend.yaml | 151 + .../charts/devbox-v1/templates/ingress.yaml | 53 + .../devbox-v1/templates/namespaces.yaml | 20 + v1/deploy/charts/devbox-v1/values.yaml | 84 + v1/deploy/install.sh | 158 + v1/deploy/scripts/sync-crds.sh | 14 + 28 files changed, 5129 insertions(+) create mode 100755 .github/scripts/install-sealos.sh create mode 100644 v1/cri-shim/patch/Dockerfile create mode 100644 v1/cri-shim/patch/devbox-v1/devbox-worker-remove.sh create mode 100644 v1/cri-shim/patch/devbox-v1/devbox-worker-start.sh create mode 100644 v1/cri-shim/patch/devbox-v1/devbox-worker-stop.sh create mode 100644 v1/cri-shim/patch/devbox-v1/etc/10-kubeadm.conf create mode 100644 v1/cri-shim/patch/devbox-v1/etc/12-cri-shim.conf create mode 100644 v1/deploy/Kubefile create mode 100644 v1/deploy/Makefile create mode 100644 v1/deploy/README.md create mode 100644 v1/deploy/charts/devbox-v1/Chart.yaml create mode 100644 v1/deploy/charts/devbox-v1/crds/.gitkeep create mode 100644 v1/deploy/charts/devbox-v1/crds/devbox.sealos.io_devboxes.yaml create mode 100644 v1/deploy/charts/devbox-v1/crds/devbox.sealos.io_devboxreleases.yaml create mode 100644 v1/deploy/charts/devbox-v1/devbox-v1-values.yaml create mode 100644 v1/deploy/charts/devbox-v1/templates/_helpers.tpl create mode 100644 v1/deploy/charts/devbox-v1/templates/app.yaml create mode 100644 v1/deploy/charts/devbox-v1/templates/controller-rbac.yaml create mode 100644 v1/deploy/charts/devbox-v1/templates/controller.yaml create mode 100644 v1/deploy/charts/devbox-v1/templates/extra-manifests.yaml create mode 100644 v1/deploy/charts/devbox-v1/templates/frontend.yaml create mode 100644 v1/deploy/charts/devbox-v1/templates/ingress.yaml create mode 100644 v1/deploy/charts/devbox-v1/templates/namespaces.yaml create mode 100644 v1/deploy/charts/devbox-v1/values.yaml create mode 100755 v1/deploy/install.sh create mode 100755 v1/deploy/scripts/sync-crds.sh diff --git a/.github/scripts/install-sealos.sh b/.github/scripts/install-sealos.sh new file mode 100755 index 0000000..8d2d48c --- /dev/null +++ b/.github/scripts/install-sealos.sh @@ -0,0 +1,34 @@ +#!/usr/bin/env bash +set -euo pipefail + +if command -v sealos >/dev/null 2>&1; then + sealos version + exit 0 +fi + +tmp_dir="$(mktemp -d)" +trap 'rm -rf "${tmp_dir}"' EXIT + +arch="$(uname -m)" +case "${arch}" in + x86_64|amd64) + sealos_arch="amd64" + ;; + aarch64|arm64) + sealos_arch="arm64" + ;; + *) + echo "Unsupported architecture: ${arch}" >&2 + exit 1 + ;; +esac + +cd "${tmp_dir}" +until curl -sSfLo sealos.tar.gz "https://github.com/labring/sealos/releases/download/v5.1.0-beta3/sealos_5.1.0-beta3_linux_${sealos_arch}.tar.gz"; do + sleep 3 +done + +tar -zxf sealos.tar.gz sealos +chmod +x sealos +mv sealos /usr/bin/sealos +sealos version diff --git a/.github/workflows/images.yml b/.github/workflows/images.yml index 83e3bb1..8df905a 100644 --- a/.github/workflows/images.yml +++ b/.github/workflows/images.yml @@ -57,6 +57,11 @@ jobs: dockerfile: v2/sshgate/Dockerfile context: v2/sshgate platforms: linux/amd64,linux/arm64 + - name: v1-cri-shim-patch + image_name: devbox-v1-cri-shim-patch + dockerfile: v1/cri-shim/patch/Dockerfile + context: v1/cri-shim + platforms: linux/amd64,linux/arm64 steps: - name: Checkout uses: actions/checkout@v5 @@ -95,3 +100,106 @@ jobs: labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha,scope=${{ matrix.name }} cache-to: type=gha,mode=max,scope=${{ matrix.name }} + + v1-cluster-image: + name: Build / v1-cluster-image / ${{ matrix.arch }} + runs-on: ${{ matrix.runner }} + needs: + - build-and-push + strategy: + fail-fast: false + matrix: + include: + - arch: amd64 + runner: ubuntu-24.04 + - arch: arm64 + runner: ubuntu-24.04-arm + steps: + - name: Checkout + uses: actions/checkout@v5 + + - name: Install sealos + run: sudo bash ./.github/scripts/install-sealos.sh + + - name: Log in to GHCR + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Cache images for sealos + working-directory: v1/deploy + run: | + set -euo pipefail + sudo sealos login -u "${{ github.actor }}" -p "${{ secrets.GITHUB_TOKEN }}" ghcr.io + ./scripts/sync-crds.sh + for values_file in charts/devbox-v1/values.yaml charts/devbox-v1/devbox-v1-values.yaml; do + sed -i "/^controller:/,/^frontend:/ s#^\([[:space:]]*repository:[[:space:]]*\).*#\1${REGISTRY}/${IMAGE_NAMESPACE}/devbox-v1-controller#" "${values_file}" + sed -i "/^controller:/,/^frontend:/ s#^\([[:space:]]*tag:[[:space:]]*\).*#\1${GITHUB_REF_NAME}#" "${values_file}" + sed -i "/^frontend:/,/^ingress:/ s#^\([[:space:]]*repository:[[:space:]]*\).*#\1${REGISTRY}/${IMAGE_NAMESPACE}/devbox-v1-frontend#" "${values_file}" + sed -i "/^frontend:/,/^ingress:/ s#^\([[:space:]]*tag:[[:space:]]*\).*#\1${GITHUB_REF_NAME}#" "${values_file}" + done + sudo sealos registry save --registry-dir=registry_${{ matrix.arch }} --arch ${{ matrix.arch }} . + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Compute image metadata + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/devbox-v1-cluster + tags: | + type=ref,event=branch,suffix=-${{ matrix.arch }} + type=sha,prefix=sha-,suffix=-${{ matrix.arch }} + type=raw,value=latest-${{ matrix.arch }},enable=${{ github.ref_name == 'main' }} + + - name: Build and push cluster image + uses: docker/build-push-action@v6 + with: + context: v1/deploy + file: v1/deploy/Kubefile + platforms: linux/${{ matrix.arch }} + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha,scope=v1-cluster-${{ matrix.arch }} + cache-to: type=gha,mode=max,scope=v1-cluster-${{ matrix.arch }} + + v1-cluster-manifest: + name: Publish / v1-cluster-image manifest + runs-on: ubuntu-latest + needs: + - v1-cluster-image + steps: + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Log in to GHCR + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Create multi-arch manifests + run: | + set -euo pipefail + docker buildx imagetools create \ + -t "${REGISTRY}/${IMAGE_NAMESPACE}/devbox-v1-cluster:${GITHUB_REF_NAME}" \ + "${REGISTRY}/${IMAGE_NAMESPACE}/devbox-v1-cluster:${GITHUB_REF_NAME}-amd64" \ + "${REGISTRY}/${IMAGE_NAMESPACE}/devbox-v1-cluster:${GITHUB_REF_NAME}-arm64" + + SHORT_SHA="$(echo "${GITHUB_SHA}" | cut -c1-7)" + docker buildx imagetools create \ + -t "${REGISTRY}/${IMAGE_NAMESPACE}/devbox-v1-cluster:sha-${SHORT_SHA}" \ + "${REGISTRY}/${IMAGE_NAMESPACE}/devbox-v1-cluster:sha-${SHORT_SHA}-amd64" \ + "${REGISTRY}/${IMAGE_NAMESPACE}/devbox-v1-cluster:sha-${SHORT_SHA}-arm64" + + if [ "${GITHUB_REF_NAME}" = "main" ]; then + docker buildx imagetools create \ + -t "${REGISTRY}/${IMAGE_NAMESPACE}/devbox-v1-cluster:latest" \ + "${REGISTRY}/${IMAGE_NAMESPACE}/devbox-v1-cluster:latest-amd64" \ + "${REGISTRY}/${IMAGE_NAMESPACE}/devbox-v1-cluster:latest-arm64" + fi diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9d92242..6873d52 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -58,6 +58,11 @@ jobs: dockerfile: v2/sshgate/Dockerfile context: v2/sshgate platforms: linux/amd64,linux/arm64 + - name: v1-cri-shim-patch + image_name: devbox-v1-cri-shim-patch + dockerfile: v1/cri-shim/patch/Dockerfile + context: v1/cri-shim + platforms: linux/amd64,linux/arm64 steps: - name: Checkout uses: actions/checkout@v5 @@ -97,6 +102,112 @@ jobs: cache-from: type=gha,scope=release-${{ matrix.name }} cache-to: type=gha,mode=max,scope=release-${{ matrix.name }} + v1-cluster-image: + name: Release Image / v1-cluster / ${{ matrix.arch }} + runs-on: ${{ matrix.runner }} + needs: + - images + strategy: + fail-fast: false + matrix: + include: + - arch: amd64 + runner: ubuntu-24.04 + - arch: arm64 + runner: ubuntu-24.04-arm + steps: + - name: Checkout + uses: actions/checkout@v5 + + - name: Install sealos + run: sudo bash ./.github/scripts/install-sealos.sh + + - name: Log in to GHCR + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Cache images for sealos + working-directory: v1/deploy + run: | + set -euo pipefail + sudo sealos login -u "${{ github.actor }}" -p "${{ secrets.GITHUB_TOKEN }}" ghcr.io + ./scripts/sync-crds.sh + for values_file in charts/devbox-v1/values.yaml charts/devbox-v1/devbox-v1-values.yaml; do + sed -i "/^controller:/,/^frontend:/ s#^\([[:space:]]*repository:[[:space:]]*\).*#\1${REGISTRY}/${IMAGE_NAMESPACE}/devbox-v1-controller#" "${values_file}" + sed -i "/^controller:/,/^frontend:/ s#^\([[:space:]]*tag:[[:space:]]*\).*#\1${GITHUB_REF_NAME}#" "${values_file}" + sed -i "/^frontend:/,/^ingress:/ s#^\([[:space:]]*repository:[[:space:]]*\).*#\1${REGISTRY}/${IMAGE_NAMESPACE}/devbox-v1-frontend#" "${values_file}" + sed -i "/^frontend:/,/^ingress:/ s#^\([[:space:]]*tag:[[:space:]]*\).*#\1${GITHUB_REF_NAME}#" "${values_file}" + done + sudo sealos registry save --registry-dir=registry_${{ matrix.arch }} --arch ${{ matrix.arch }} . + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Build and push cluster image + uses: docker/build-push-action@v6 + with: + context: v1/deploy + file: v1/deploy/Kubefile + platforms: linux/${{ matrix.arch }} + push: true + tags: | + ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/devbox-v1-cluster:${{ github.ref_name }}-${{ matrix.arch }} + ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/devbox-v1-cluster:latest-${{ matrix.arch }} + labels: | + org.opencontainers.image.source=https://github.com/${{ github.repository }} + org.opencontainers.image.revision=${{ github.sha }} + org.opencontainers.image.version=${{ github.ref_name }} + org.opencontainers.image.architecture=${{ matrix.arch }} + runnumber=${{ github.run_id }} + cache-from: type=gha,scope=release-v1-cluster-${{ matrix.arch }} + cache-to: type=gha,mode=max,scope=release-v1-cluster-${{ matrix.arch }} + + - name: Save cluster image package + run: | + set -euo pipefail + docker pull "${REGISTRY}/${IMAGE_NAMESPACE}/devbox-v1-cluster:${GITHUB_REF_NAME}-${{ matrix.arch }}" + mkdir -p release-assets + docker save "${REGISTRY}/${IMAGE_NAMESPACE}/devbox-v1-cluster:${GITHUB_REF_NAME}-${{ matrix.arch }}" | gzip > "release-assets/devbox-v1-cluster-${GITHUB_REF_NAME}-${{ matrix.arch }}.tar.gz" + + - name: Upload cluster image package + uses: actions/upload-artifact@v4 + with: + name: v1-cluster-image-${{ github.ref_name }}-${{ matrix.arch }} + path: release-assets/devbox-v1-cluster-${{ github.ref_name }}-${{ matrix.arch }}.tar.gz + if-no-files-found: error + + v1-cluster-manifest: + name: Release Image / v1-cluster manifest + runs-on: ubuntu-latest + needs: + - v1-cluster-image + steps: + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Log in to GHCR + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Create multi-arch manifests + run: | + set -euo pipefail + docker buildx imagetools create \ + -t "${REGISTRY}/${IMAGE_NAMESPACE}/devbox-v1-cluster:${GITHUB_REF_NAME}" \ + "${REGISTRY}/${IMAGE_NAMESPACE}/devbox-v1-cluster:${GITHUB_REF_NAME}-amd64" \ + "${REGISTRY}/${IMAGE_NAMESPACE}/devbox-v1-cluster:${GITHUB_REF_NAME}-arm64" + + docker buildx imagetools create \ + -t "${REGISTRY}/${IMAGE_NAMESPACE}/devbox-v1-cluster:latest" \ + "${REGISTRY}/${IMAGE_NAMESPACE}/devbox-v1-cluster:latest-amd64" \ + "${REGISTRY}/${IMAGE_NAMESPACE}/devbox-v1-cluster:latest-arm64" + controller-manifests: name: Controller Manifest / ${{ matrix.target }} runs-on: ubuntu-latest @@ -278,6 +389,7 @@ jobs: runs-on: ubuntu-latest needs: - images + - v1-cluster-manifest - controller-manifests - v1-cri-shim-binaries - v2-server-binaries @@ -296,6 +408,8 @@ jobs: generate_release_notes: true files: | artifacts/v1-controller-install/dist-v1-controller-install.yaml + artifacts/v1-cluster-image-${{ github.ref_name }}-amd64/devbox-v1-cluster-${{ github.ref_name }}-amd64.tar.gz + artifacts/v1-cluster-image-${{ github.ref_name }}-arm64/devbox-v1-cluster-${{ github.ref_name }}-arm64.tar.gz artifacts/v2-controller-install/dist-v2-controller-install.yaml artifacts/v1-cri-shim-binaries/* artifacts/v2-server-binaries-amd64/devbox-api-amd64 @@ -308,6 +422,8 @@ jobs: - `ghcr.io/${{ github.repository_owner }}/devbox-v1-controller:${{ github.ref_name }}` - `ghcr.io/${{ github.repository_owner }}/devbox-v1-frontend:${{ github.ref_name }}` + - `ghcr.io/${{ github.repository_owner }}/devbox-v1-cluster:${{ github.ref_name }}` + - `ghcr.io/${{ github.repository_owner }}/devbox-v1-cri-shim-patch:${{ github.ref_name }}` - `ghcr.io/${{ github.repository_owner }}/devbox-v2-controller:${{ github.ref_name }}` - `ghcr.io/${{ github.repository_owner }}/devbox-v2-frontend:${{ github.ref_name }}` - `ghcr.io/${{ github.repository_owner }}/devbox-v2-server:${{ github.ref_name }}` @@ -317,6 +433,7 @@ jobs: Binary artifacts attached to this release: - `v1-cri-shim` Linux binaries + - `v1-cluster` Sealos cluster image packages (`amd64`, `arm64`) - `v2-server` Linux binaries (`amd64`, `arm64`) - `v2-httpgate` Helm chart package - `v2-sshgate` Helm chart package diff --git a/v1/cri-shim/patch/Dockerfile b/v1/cri-shim/patch/Dockerfile new file mode 100644 index 0000000..5df88c3 --- /dev/null +++ b/v1/cri-shim/patch/Dockerfile @@ -0,0 +1,23 @@ +FROM --platform=$BUILDPLATFORM golang:1.25 AS builder +ARG VERSION=dev +ARG COMMIT_HASH=unknown +ARG BUILD_TIME=unknown + +WORKDIR /workspace +COPY go.mod go.sum ./ +RUN go mod download +COPY . . + +RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \ + -ldflags "-X 'github.com/sealos-apps/devbox/v1/cri-shim/pkg/infoutil.Version=${VERSION}' -X 'github.com/sealos-apps/devbox/v1/cri-shim/pkg/infoutil.CommitHash=${COMMIT_HASH}' -X 'github.com/sealos-apps/devbox/v1/cri-shim/pkg/infoutil.BuildTime=${BUILD_TIME}'" \ + -o /out/cri-shim_linux-amd64 ./cmd/main.go && \ + CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build \ + -ldflags "-X 'github.com/sealos-apps/devbox/v1/cri-shim/pkg/infoutil.Version=${VERSION}' -X 'github.com/sealos-apps/devbox/v1/cri-shim/pkg/infoutil.CommitHash=${COMMIT_HASH}' -X 'github.com/sealos-apps/devbox/v1/cri-shim/pkg/infoutil.BuildTime=${BUILD_TIME}'" \ + -o /out/cri-shim_linux-arm64 ./cmd/main.go + +FROM scratch +LABEL sealos.io.type="patch" + +COPY devbox-v1 devbox-v1 +COPY --from=builder /out/cri-shim_linux-amd64 devbox-v1/bin/cri-shim_linux-amd64 +COPY --from=builder /out/cri-shim_linux-arm64 devbox-v1/bin/cri-shim_linux-arm64 diff --git a/v1/cri-shim/patch/devbox-v1/devbox-worker-remove.sh b/v1/cri-shim/patch/devbox-v1/devbox-worker-remove.sh new file mode 100644 index 0000000..2e9f9e1 --- /dev/null +++ b/v1/cri-shim/patch/devbox-v1/devbox-worker-remove.sh @@ -0,0 +1,9 @@ +#!/bin/bash + +systemctl stop cri-shim >/dev/null 2>&1 +systemctl disable cri-shim >/dev/null 2>&1 + +rm -rf /etc/systemd/system/kubelet.service.d/12-cri-shim.conf +rm -rf /etc/systemd/system/cri-shim.service +rm -rf /usr/bin/cri-shim +systemctl daemon-reload \ No newline at end of file diff --git a/v1/cri-shim/patch/devbox-v1/devbox-worker-start.sh b/v1/cri-shim/patch/devbox-v1/devbox-worker-start.sh new file mode 100644 index 0000000..50cd4a1 --- /dev/null +++ b/v1/cri-shim/patch/devbox-v1/devbox-worker-start.sh @@ -0,0 +1,60 @@ +#!/bin/bash +TAINT=${1:-"true"} +larch=$(arch) +if [[ $larch == "x86_64" ]]; then + larch="amd64" +elif [[ $larch == "aarch64" ]]; then + larch="arm64" +fi +systemctl stop cri-shim.service >/dev/null 2>&1 +cp bin/cri-shim_linux-"${larch}" /usr/bin/cri-shim +registryDevboxConfigPwd=$(kubectl get cm -n sealos-system registry-config -o jsonpath='{.data.ADMIN_PASSWORD}') +registryDevboxConfigUsr=$(kubectl get cm -n sealos-system registry-config -o jsonpath='{.data.ADMIN_USER}') +registryDevboxConfigAddr=$(kubectl get cm -n sealos-system registry-config -o jsonpath='{.data.REGISTRY_ADDR}') +containerdRoot=$(containerd config dump | awk -F' = ' '/^root *=/ {gsub(/"/,"",$2); print $2; exit}') +cat << EOF > /etc/systemd/system/cri-shim.service +[Unit] +Description=sealos cri shim + +[Service] +ExecStart= /bin/bash -c 'mkdir -p /var/run/sealos && /usr/bin/cri-shim server --containerd-root=${containerdRoot} --cri-socket=unix:///var/run/containerd/containerd.sock --shim-socket=/var/run/sealos/cri-shim.sock --global-registry-addr=${registryDevboxConfigAddr} --global-registry-user=${registryDevboxConfigUsr} --global-registry-password=${registryDevboxConfigPwd}' +ExecStop=rm /var/run/sealos/cri-shim.sock +Restart=always +StartLimitInterval=0 +RestartSec=10 +LimitNOFILE=1048576 +# Having non-zero Limit*s causes performance problems due to accounting overhead +# in the kernel. We recommend using cgroups to do container-local accounting. +LimitNPROC=infinity +LimitCORE=infinity +LimitNOFILE=1048576 +# Comment TasksMax if your systemd version does not supports it. +# Only systemd 226 and above support this version. +TasksMax=infinity +[Install] +WantedBy=multi-user.target + +EOF +cp -rf ./etc/12-cri-shim.conf /etc/systemd/system/kubelet.service.d/ +cp -rf ./etc/10-kubeadm.conf /etc/systemd/system/kubelet.service.d/10-kubeadm.conf +chmod a+x /usr/bin/cri-shim +systemctl enable cri-shim.service +systemctl daemon-reload +systemctl restart cri-shim.service +systemctl restart kubelet +echo "init cri shim success" + + +hn=$(hostname); +until + #to lower case + hn=${hn,,}; + kubectl get node "$hn" >/dev/null 2>&1 && + if [ "$TAINT" == "true" ]; then + kubectl taint --overwrite node "$hn" devbox.sealos.io/node=:NoSchedule + else + kubectl taint node "$hn" devbox.sealos.io/node- || true + fi + kubectl label --overwrite node "$hn" devbox.sealos.io/node= ; + do sleep 3; +done diff --git a/v1/cri-shim/patch/devbox-v1/devbox-worker-stop.sh b/v1/cri-shim/patch/devbox-v1/devbox-worker-stop.sh new file mode 100644 index 0000000..62dd73e --- /dev/null +++ b/v1/cri-shim/patch/devbox-v1/devbox-worker-stop.sh @@ -0,0 +1,20 @@ +#!/bin/bash + +systemctl stop cri-shim +systemctl disable cri-shim + +rm -rf /etc/systemd/system/kubelet.service.d/12-cri-shim.conf +rm -rf /etc/systemd/system/cri-shim.service +systemctl daemon-reload +systemctl restart kubelet +rm -rf /usr/bin/cri-shim + +hn=$(hostname); +until + #to lower case + hn=${hn,,}; + kubectl get node "$hn" >/dev/null 2>&1 && + kubectl taint node "$hn" devbox.sealos.io/node- || true + kubectl label node "$hn" devbox.sealos.io/node- || true + do sleep 3; +done \ No newline at end of file diff --git a/v1/cri-shim/patch/devbox-v1/etc/10-kubeadm.conf b/v1/cri-shim/patch/devbox-v1/etc/10-kubeadm.conf new file mode 100644 index 0000000..0348d6a --- /dev/null +++ b/v1/cri-shim/patch/devbox-v1/etc/10-kubeadm.conf @@ -0,0 +1,14 @@ +# Note: This dropin only works with kubeadm and kubelet v1.11+ +[Service] +Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf" +Environment="KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml" +# This is a file that "kubeadm init" and "kubeadm join" generates at runtime, populating the KUBELET_KUBEADM_ARGS variable dynamically +EnvironmentFile=-/var/lib/kubelet/kubeadm-flags.env +# This is a file that the user can use for overrides of the kubelet args as a last resort. Preferably, the user should use +# the .NodeRegistration.KubeletExtraArgs object in the configuration files instead. KUBELET_EXTRA_ARGS should be sourced from this file. +Environment="KUBELET_EXTRA_ARGS= \ + \ + \ + --runtime-request-timeout=15m --container-runtime-endpoint=unix:///var/run/containerd/containerd.sock --image-service-endpoint=unix:///var/run/image-cri-shim.sock" +ExecStart= +ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS $KUBELET_CRI_ARGS \ No newline at end of file diff --git a/v1/cri-shim/patch/devbox-v1/etc/12-cri-shim.conf b/v1/cri-shim/patch/devbox-v1/etc/12-cri-shim.conf new file mode 100644 index 0000000..489faa1 --- /dev/null +++ b/v1/cri-shim/patch/devbox-v1/etc/12-cri-shim.conf @@ -0,0 +1,3 @@ +# Note: This uses the image shim config. +[Service] +Environment="KUBELET_CRI_ARGS=--container-runtime-endpoint=unix:///var/run/sealos/cri-shim.sock" diff --git a/v1/deploy/Kubefile b/v1/deploy/Kubefile new file mode 100644 index 0000000..322f9f7 --- /dev/null +++ b/v1/deploy/Kubefile @@ -0,0 +1,8 @@ +FROM --platform=$BUILDPLATFORM scratch +ARG TARGETARCH + +COPY registry_${TARGETARCH} registry +COPY install.sh install.sh +COPY charts charts + +CMD ["bash install.sh"] diff --git a/v1/deploy/Makefile b/v1/deploy/Makefile new file mode 100644 index 0000000..4eee708 --- /dev/null +++ b/v1/deploy/Makefile @@ -0,0 +1,24 @@ +SEALOS ?= sealos +DOCKER ?= docker +ARCH ?= amd64 +IMAGE ?= devbox-v1-cluster:latest + +.PHONY: all +all: lint + +.PHONY: sync-crds +sync-crds: + ./scripts/sync-crds.sh + +.PHONY: lint +lint: sync-crds + helm lint charts/devbox-v1 + helm template devbox-v1 charts/devbox-v1 --include-crds >/tmp/devbox-v1-rendered.yaml + +.PHONY: registry-save +registry-save: sync-crds + $(SEALOS) registry save --registry-dir=registry_$(ARCH) --arch $(ARCH) . + +.PHONY: docker-build +docker-build: + $(DOCKER) buildx build --platform linux/$(ARCH) -f Kubefile -t $(IMAGE)-$(ARCH) . diff --git a/v1/deploy/README.md b/v1/deploy/README.md new file mode 100644 index 0000000..5ea21b2 --- /dev/null +++ b/v1/deploy/README.md @@ -0,0 +1,28 @@ +# Devbox v1 Sealos Packaging + +This directory contains the aggregated Sealos cluster-image packaging for Devbox v1. + +## Layout + +- `Kubefile`: cluster image build recipe +- `install.sh`: install entrypoint executed by the cluster image +- `charts/devbox-v1`: Helm chart for v1 controller, frontend, ingress, App CR, and future components +- `scripts/sync-crds.sh`: copies generated v1 controller CRDs into the chart before packaging + +## Local Packaging Flow + +1. Build and push `devbox-v1-controller` and `devbox-v1-frontend` runtime images. +2. Update `charts/devbox-v1/values.yaml` image repositories and tags, or override them in the user values file. +3. Run `./scripts/sync-crds.sh`. +4. Run `sealos registry save --registry-dir=registry_ --arch .` in this directory. +5. Build `Kubefile` to produce the final cluster image. + +## User Overrides + +During install, `install.sh` ensures this file exists: + +- `/root/.sealos/cloud/values/apps/devbox-v1/devbox-v1-values.yaml` + +When it does not exist yet, it is initialized from: + +- `charts/devbox-v1/devbox-v1-values.yaml` diff --git a/v1/deploy/charts/devbox-v1/Chart.yaml b/v1/deploy/charts/devbox-v1/Chart.yaml new file mode 100644 index 0000000..a622a82 --- /dev/null +++ b/v1/deploy/charts/devbox-v1/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +name: devbox-v1 +description: Devbox v1 aggregated Sealos deployment +type: application +version: 0.1.0 +appVersion: "latest" diff --git a/v1/deploy/charts/devbox-v1/crds/.gitkeep b/v1/deploy/charts/devbox-v1/crds/.gitkeep new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/v1/deploy/charts/devbox-v1/crds/.gitkeep @@ -0,0 +1 @@ + diff --git a/v1/deploy/charts/devbox-v1/crds/devbox.sealos.io_devboxes.yaml b/v1/deploy/charts/devbox-v1/crds/devbox.sealos.io_devboxes.yaml new file mode 100644 index 0000000..20982b2 --- /dev/null +++ b/v1/deploy/charts/devbox-v1/crds/devbox.sealos.io_devboxes.yaml @@ -0,0 +1,3561 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.20.1 + name: devboxes.devbox.sealos.io +spec: + group: devbox.sealos.io + names: + kind: Devbox + listKind: DevboxList + plural: devboxes + singular: devbox + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.state + name: State + type: string + - jsonPath: .status.network.type + name: NetworkType + type: string + - jsonPath: .status.network.nodePort + name: NodePort + type: integer + - jsonPath: .status.phase + name: Phase + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: Devbox is the Schema for the devboxes API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: DevboxSpec defines the desired state of Devbox + properties: + affinity: + description: Affinity is a group of affinity scheduling rules. + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for the + pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated with the + corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the corresponding + nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. co-locate + this pod in the same node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules (e.g. + avoid putting this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and subtracting + "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + config: + properties: + annotations: + additionalProperties: + type: string + type: object + appPorts: + default: + - name: devbox-app-port + port: 8080 + protocol: TCP + items: + description: ServicePort contains information on service's port. + properties: + appProtocol: + description: |- + The application protocol for this port. + This is used as a hint for implementations to offer richer behavior for protocols that they understand. + This field follows standard Kubernetes label syntax. + Valid values are either: + + * Un-prefixed protocol names - reserved for IANA standard service names (as per + RFC-6335 and https://www.iana.org/assignments/service-names). + + * Kubernetes-defined prefixed names: + * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- + * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + + * Other protocols should use implementation-defined prefixed names such as + mycompany.com/my-custom-protocol. + type: string + name: + description: |- + The name of this port within the service. This must be a DNS_LABEL. + All ports within a ServiceSpec must have unique names. When considering + the endpoints for a Service, this must match the 'name' field in the + EndpointPort. + Optional if only one ServicePort is defined on this service. + type: string + nodePort: + description: |- + The port on each node on which this service is exposed when type is + NodePort or LoadBalancer. Usually assigned by the system. If a value is + specified, in-range, and not in use it will be used, otherwise the + operation will fail. If not specified, a port will be allocated if this + Service requires one. If this field is specified when creating a + Service which does not need it, creation will fail. This field will be + wiped when updating a Service to no longer need it (e.g. changing type + from NodePort to ClusterIP). + More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + format: int32 + type: integer + port: + description: The port that will be exposed by this service. + format: int32 + type: integer + protocol: + default: TCP + description: |- + The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". + Default is TCP. + type: string + targetPort: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the pods targeted by the service. + Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + If this is a string, it will be looked up as a named port in the + target Pod's container ports. If this is not specified, the value + of the 'port' field is used (an identity map). + This field is ignored for services with clusterIP=None, and should be + omitted or set equal to the 'port' field. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + x-kubernetes-int-or-string: true + required: + - port + type: object + type: array + args: + description: kubebuilder:validation:Optional + items: + type: string + type: array + command: + items: + type: string + type: array + env: + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: |- + Name of the environment variable. + May consist of any printable ASCII characters except '='. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + fileKeyRef: + description: |- + FileKeyRef selects a key of the env file. + Requires the EnvFiles feature gate to be enabled. + properties: + key: + description: |- + The key within the env file. An invalid key will prevent the pod from starting. + The keys defined within a source may consist of any printable ASCII characters except '='. + During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. + type: string + optional: + default: false + description: |- + Specify whether the file or its key must be defined. If the file or key + does not exist, then the env var is not published. + If optional is set to true and the specified key does not exist, + the environment variable will not be set in the Pod's containers. + + If optional is set to false and the specified key does not exist, + an error will be returned during Pod creation. + type: boolean + path: + description: |- + The path within the volume from which to select the file. + Must be relative and may not contain the '..' path or start with '..'. + type: string + volumeName: + description: The name of the volume mount containing + the env file. + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + labels: + additionalProperties: + type: string + type: object + ports: + default: + - containerPort: 22 + name: devbox-ssh-port + protocol: TCP + items: + description: ContainerPort represents a network port in a single + container. + properties: + containerPort: + description: |- + Number of port to expose on the pod's IP address. + This must be a valid port number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external port to. + type: string + hostPort: + description: |- + Number of port to expose on the host. + If specified, this must be a valid port number, 0 < x < 65536. + If HostNetwork is specified, this must match ContainerPort. + Most containers do not need this. + format: int32 + type: integer + name: + description: |- + If specified, this must be an IANA_SVC_NAME and unique within the pod. Each + named port in a pod must have a unique name. Name for the port that can be + referred to by services. + type: string + protocol: + default: TCP + description: |- + Protocol for port. Must be UDP, TCP, or SCTP. + Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + releaseArgs: + default: + - /home/devbox/project/entrypoint.sh + items: + type: string + type: array + releaseCommand: + default: + - /bin/bash + - -c + items: + type: string + type: array + user: + default: devbox + type: string + volumeMounts: + items: + description: VolumeMount describes a mounting of a Volume within + a container. + properties: + mountPath: + description: |- + Path within the container at which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: |- + mountPropagation determines how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is used. + This field is beta in 1.10. + When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified + (which defaults to None). + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + recursiveReadOnly: + description: |- + RecursiveReadOnly specifies whether read-only mounts should be handled + recursively. + + If ReadOnly is false, this field has no meaning and must be unspecified. + + If ReadOnly is true, and this field is set to Disabled, the mount is not made + recursively read-only. If this field is set to IfPossible, the mount is made + recursively read-only, if it is supported by the container runtime. If this + field is set to Enabled, the mount is made recursively read-only if it is + supported by the container runtime, otherwise the pod will not be started and + an error will be generated to indicate the reason. + + If this field is set to IfPossible or Enabled, MountPropagation must be set to + None (or be unspecified, which defaults to None). + + If this field is not specified, it is treated as an equivalent of Disabled. + type: string + subPath: + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + subPathExpr: + description: |- + Expanded path within the volume from which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). + SubPathExpr and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + volumes: + items: + description: Volume represents a named volume in a pod that + may be accessed by any container in the pod. + properties: + awsElasticBlockStore: + description: |- + awsElasticBlockStore represents an AWS Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree + awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + format: int32 + type: integer + readOnly: + description: |- + readOnly value true will force the readOnly setting in VolumeMounts. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: boolean + volumeID: + description: |- + volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: string + required: + - volumeID + type: object + azureDisk: + description: |- + azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. + Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type + are redirected to the disk.csi.azure.com CSI driver. + properties: + cachingMode: + description: 'cachingMode is the Host Caching mode: + None, Read Only, Read Write.' + type: string + diskName: + description: diskName is the Name of the data disk in + the blob storage + type: string + diskURI: + description: diskURI is the URI of data disk in the + blob storage + type: string + fsType: + default: ext4 + description: |- + fsType is Filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + kind: + description: 'kind expected values are Shared: multiple + blob disks per storage account Dedicated: single + blob disk per storage account Managed: azure managed + data disk (only in managed availability set). defaults + to shared' + type: string + readOnly: + default: false + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + description: |- + azureFile represents an Azure File Service mount on the host and bind mount to the pod. + Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type + are redirected to the file.csi.azure.com CSI driver. + properties: + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretName: + description: secretName is the name of secret that + contains Azure Storage Account Name and Key + type: string + shareName: + description: shareName is the azure share Name + type: string + required: + - secretName + - shareName + type: object + cephfs: + description: |- + cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. + Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported. + properties: + monitors: + description: |- + monitors is Required: Monitors is a collection of Ceph monitors + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + items: + type: string + type: array + x-kubernetes-list-type: atomic + path: + description: 'path is Optional: Used as the mounted + root, rather than the full Ceph tree, default is /' + type: string + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: boolean + secretFile: + description: |- + secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + secretRef: + description: |- + secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: |- + user is optional: User is the rados user name, default is admin + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + required: + - monitors + type: object + cinder: + description: |- + cinder represents a cinder volume attached and mounted on kubelets host machine. + Deprecated: Cinder is deprecated. All operations for the in-tree cinder type + are redirected to the cinder.csi.openstack.org CSI driver. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: boolean + secretRef: + description: |- + secretRef is optional: points to a secret object containing parameters used to connect + to OpenStack. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + description: |- + volumeID used to identify the volume in cinder. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + required: + - volumeID + type: object + configMap: + description: configMap represents a configMap that should + populate this volume + properties: + defaultMode: + description: |- + defaultMode is optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: optional specify whether the ConfigMap + or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + description: csi (Container Storage Interface) represents + ephemeral storage that is handled by certain external + CSI drivers. + properties: + driver: + description: |- + driver is the name of the CSI driver that handles this volume. + Consult with your admin for the correct name as registered in the cluster. + type: string + fsType: + description: |- + fsType to mount. Ex. "ext4", "xfs", "ntfs". + If not provided, the empty value is passed to the associated CSI driver + which will determine the default filesystem to apply. + type: string + nodePublishSecretRef: + description: |- + nodePublishSecretRef is a reference to the secret object containing + sensitive information to pass to the CSI driver to complete the CSI + NodePublishVolume and NodeUnpublishVolume calls. + This field is optional, and may be empty if no secret is required. If the + secret object contains more than one secret, all secret references are passed. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + description: |- + readOnly specifies a read-only configuration for the volume. + Defaults to false (read/write). + type: boolean + volumeAttributes: + additionalProperties: + type: string + description: |- + volumeAttributes stores driver-specific properties that are passed to the CSI + driver. Consult your driver's documentation for supported values. + type: object + required: + - driver + type: object + downwardAPI: + description: downwardAPI represents downward API about the + pod that should populate this volume + properties: + defaultMode: + description: |- + Optional: mode bits to use on created files by default. Must be a + Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: Items is a list of downward API volume + file + items: + description: DownwardAPIVolumeFile represents information + to create the file containing the pod field + properties: + fieldRef: + description: 'Required: Selects a field of the + pod: only annotations, labels, name, namespace + and uid are supported.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in + the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: 'Required: Path is the relative + path name of the file to be created. Must not + be absolute or contain the ''..'' path. Must + be utf-8 encoded. The first item of the relative + path must not start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + properties: + containerName: + description: 'Container name: required for + volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of + the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + emptyDir: + description: |- + emptyDir represents a temporary directory that shares a pod's lifetime. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + properties: + medium: + description: |- + medium represents what type of storage medium should back this directory. + The default is "" which means to use the node's default medium. + Must be an empty string (default) or Memory. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + description: |- + sizeLimit is the total amount of local storage required for this EmptyDir volume. + The size limit is also applicable for memory medium. + The maximum usage on memory medium EmptyDir would be the minimum value between + the SizeLimit specified here and the sum of memory limits of all containers in a pod. + The default is nil which means that the limit is undefined. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + description: |- + ephemeral represents a volume that is handled by a cluster storage driver. + The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, + and deleted when the pod is removed. + + Use this if: + a) the volume is only needed while the pod runs, + b) features of normal volumes like restoring from snapshot or capacity + tracking are needed, + c) the storage driver is specified through a storage class, and + d) the storage driver supports dynamic volume provisioning through + a PersistentVolumeClaim (see EphemeralVolumeSource for more + information on the connection between this volume type + and PersistentVolumeClaim). + + Use PersistentVolumeClaim or one of the vendor-specific + APIs for volumes that persist for longer than the lifecycle + of an individual pod. + + Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to + be used that way - see the documentation of the driver for + more information. + + A pod can use both types of ephemeral volumes and + persistent volumes at the same time. + properties: + volumeClaimTemplate: + description: |- + Will be used to create a stand-alone PVC to provision the volume. + The pod in which this EphemeralVolumeSource is embedded will be the + owner of the PVC, i.e. the PVC will be deleted together with the + pod. The name of the PVC will be `-` where + `` is the name from the `PodSpec.Volumes` array + entry. Pod validation will reject the pod if the concatenated name + is not valid for a PVC (for example, too long). + + An existing PVC with that name that is not owned by the pod + will *not* be used for the pod to avoid using an unrelated + volume by mistake. Starting the pod is then blocked until + the unrelated PVC is removed. If such a pre-created PVC is + meant to be used by the pod, the PVC has to updated with an + owner reference to the pod once the pod exists. Normally + this should not be necessary, but it may be useful when + manually reconstructing a broken cluster. + + This field is read-only and no changes will be made by Kubernetes + to the PVC after it has been created. + + Required, must not be nil. + properties: + metadata: + description: |- + May contain labels and annotations that will be copied into the PVC + when creating it. No other fields are allowed and will be rejected during + validation. + type: object + spec: + description: |- + The specification for the PersistentVolumeClaim. The entire content is + copied unchanged into the PVC that gets created from this + template. The same fields as in a PersistentVolumeClaim + are also valid here. + properties: + accessModes: + description: |- + accessModes contains the desired access modes the volume should have. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + description: |- + dataSource field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external controller can support the specified data source, + it will create a new volume based on the contents of the specified data source. + When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef will not be copied to dataSource. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: |- + dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + volume is desired. This may be any object from a non-empty API group (non + core object) or a PersistentVolumeClaim object. + When this field is specified, volume binding will only succeed if the type of + the specified object matches some installed volume populator or dynamic + provisioner. + This field will replace the functionality of the dataSource field and as such + if both fields are non-empty, they must have the same value. For backwards + compatibility, when namespace isn't specified in dataSourceRef, + both fields (dataSource and dataSourceRef) will be set to the same + value automatically if one of them is empty and the other is non-empty. + When namespace is specified in dataSourceRef, + dataSource isn't set to the same value and must be empty. + There are three important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. + * While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. + * While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + namespace: + description: |- + Namespace is the namespace of resource being referenced + Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + type: string + required: + - kind + - name + type: object + resources: + description: |- + resources represents the minimum resources the volume should have. + Users are allowed to specify resource requirements + that are lower than previous value but must still be higher than capacity recorded in the + status field of the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + selector: + description: selector is a label query over + volumes to consider for binding. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: |- + storageClassName is the name of the StorageClass required by the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + type: string + volumeAttributesClassName: + description: |- + volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. + If specified, the CSI driver will create or update the volume with the attributes defined + in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, + it can be changed after the claim is created. An empty string or nil value indicates that no + VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, + this field can be reset to its previous value (including nil) to cancel the modification. + If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be + set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource + exists. + More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ + type: string + volumeMode: + description: |- + volumeMode defines what type of volume is required by the claim. + Value of Filesystem is implied when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding reference + to the PersistentVolume backing this claim. + type: string + type: object + required: + - spec + type: object + type: object + fc: + description: fc represents a Fibre Channel resource that + is attached to a kubelet's host machine and then exposed + to the pod. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + lun: + description: 'lun is Optional: FC target lun number' + format: int32 + type: integer + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + targetWWNs: + description: 'targetWWNs is Optional: FC target worldwide + names (WWNs)' + items: + type: string + type: array + x-kubernetes-list-type: atomic + wwids: + description: |- + wwids Optional: FC volume world wide identifiers (wwids) + Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + flexVolume: + description: |- + flexVolume represents a generic volume resource that is + provisioned/attached using an exec based plugin. + Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead. + properties: + driver: + description: driver is the name of the driver to use + for this volume. + type: string + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. + type: string + options: + additionalProperties: + type: string + description: 'options is Optional: this field holds + extra command options if any.' + type: object + readOnly: + description: |- + readOnly is Optional: defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef is Optional: secretRef is reference to the secret object containing + sensitive information to pass to the plugin scripts. This may be + empty if no secret object is specified. If the secret object + contains more than one secret, all secrets are passed to the plugin + scripts. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + description: |- + flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running. + Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported. + properties: + datasetName: + description: |- + datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker + should be considered as deprecated + type: string + datasetUUID: + description: datasetUUID is the UUID of the dataset. + This is unique identifier of a Flocker dataset + type: string + type: object + gcePersistentDisk: + description: |- + gcePersistentDisk represents a GCE Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree + gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + properties: + fsType: + description: |- + fsType is filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + format: int32 + type: integer + pdName: + description: |- + pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: boolean + required: + - pdName + type: object + gitRepo: + description: |- + gitRepo represents a git repository at a particular revision. + Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an + EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir + into the Pod's container. + properties: + directory: + description: |- + directory is the target directory name. + Must not contain or start with '..'. If '.' is supplied, the volume directory will be the + git repository. Otherwise, if specified, the volume will contain the git repository in + the subdirectory with the given name. + type: string + repository: + description: repository is the URL + type: string + revision: + description: revision is the commit hash for the specified + revision. + type: string + required: + - repository + type: object + glusterfs: + description: |- + glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. + Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. + properties: + endpoints: + description: endpoints is the endpoint name that details + Glusterfs topology. + type: string + path: + description: |- + path is the Glusterfs volume path. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + readOnly: + description: |- + readOnly here will force the Glusterfs volume to be mounted with read-only permissions. + Defaults to false. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: boolean + required: + - endpoints + - path + type: object + hostPath: + description: |- + hostPath represents a pre-existing file or directory on the host + machine that is directly exposed to the container. This is generally + used for system agents or other privileged things that are allowed + to see the host machine. Most containers will NOT need this. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + properties: + path: + description: |- + path of the directory on the host. + If the path is a symlink, it will follow the link to the real path. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + type: + description: |- + type for HostPath Volume + Defaults to "" + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + required: + - path + type: object + image: + description: |- + image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. + The volume is resolved at pod startup depending on which PullPolicy value is provided: + + - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. + - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + + The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. + A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. + The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. + The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. + The volume will be mounted read-only (ro) and non-executable files (noexec). + Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33. + The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. + properties: + pullPolicy: + description: |- + Policy for pulling OCI objects. Possible values are: + Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. + Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + type: string + reference: + description: |- + Required: Image or artifact reference to be used. + Behaves in the same way as pod.spec.containers[*].image. + Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. + More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management to default or override + container images in workload controllers like Deployments and StatefulSets. + type: string + type: object + iscsi: + description: |- + iscsi represents an ISCSI Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi + properties: + chapAuthDiscovery: + description: chapAuthDiscovery defines whether support + iSCSI Discovery CHAP authentication + type: boolean + chapAuthSession: + description: chapAuthSession defines whether support + iSCSI Session CHAP authentication + type: boolean + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + type: string + initiatorName: + description: |- + initiatorName is the custom iSCSI Initiator Name. + If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface + : will be created for the connection. + type: string + iqn: + description: iqn is the target iSCSI Qualified Name. + type: string + iscsiInterface: + default: default + description: |- + iscsiInterface is the interface Name that uses an iSCSI transport. + Defaults to 'default' (tcp). + type: string + lun: + description: lun represents iSCSI Target Lun number. + format: int32 + type: integer + portals: + description: |- + portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + items: + type: string + type: array + x-kubernetes-list-type: atomic + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + type: boolean + secretRef: + description: secretRef is the CHAP Secret for iSCSI + target and initiator authentication + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + description: |- + targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + description: |- + name of the volume. + Must be a DNS_LABEL and unique within the pod. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + nfs: + description: |- + nfs represents an NFS mount on the host that shares a pod's lifetime + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + properties: + path: + description: |- + path that is exported by the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + readOnly: + description: |- + readOnly here will force the NFS export to be mounted with read-only permissions. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: boolean + server: + description: |- + server is the hostname or IP address of the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + description: |- + persistentVolumeClaimVolumeSource represents a reference to a + PersistentVolumeClaim in the same namespace. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + properties: + claimName: + description: |- + claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + type: string + readOnly: + description: |- + readOnly Will force the ReadOnly setting in VolumeMounts. + Default false. + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + description: |- + photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. + Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + pdID: + description: pdID is the ID that identifies Photon Controller + persistent disk + type: string + required: + - pdID + type: object + portworxVolume: + description: |- + portworxVolume represents a portworx volume attached and mounted on kubelets host machine. + Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type + are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate + is on. + properties: + fsType: + description: |- + fSType represents the filesystem type to mount + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + volumeID: + description: volumeID uniquely identifies a Portworx + volume + type: string + required: + - volumeID + type: object + projected: + description: projected items for all in one resources secrets, + configmaps, and downward API + properties: + defaultMode: + description: |- + defaultMode are the mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + sources: + description: |- + sources is the list of volume projections. Each entry in this list + handles one source. + items: + description: |- + Projection that may be projected along with other supported volume types. + Exactly one of these fields must be set. + properties: + clusterTrustBundle: + description: |- + ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field + of ClusterTrustBundle objects in an auto-updating file. + + Alpha, gated by the ClusterTrustBundleProjection feature gate. + + ClusterTrustBundle objects can either be selected by name, or by the + combination of signer name and a label selector. + + Kubelet performs aggressive normalization of the PEM contents written + into the pod filesystem. Esoteric PEM features such as inter-block + comments and block headers are stripped. Certificates are deduplicated. + The ordering of certificates within the file is arbitrary, and Kubelet + may change the order over time. + properties: + labelSelector: + description: |- + Select all ClusterTrustBundles that match this label selector. Only has + effect if signerName is set. Mutually-exclusive with name. If unset, + interpreted as "match nothing". If set but empty, interpreted as "match + everything". + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + name: + description: |- + Select a single ClusterTrustBundle by object name. Mutually-exclusive + with signerName and labelSelector. + type: string + optional: + description: |- + If true, don't block pod startup if the referenced ClusterTrustBundle(s) + aren't available. If using name, then the named ClusterTrustBundle is + allowed not to exist. If using signerName, then the combination of + signerName and labelSelector is allowed to match zero + ClusterTrustBundles. + type: boolean + path: + description: Relative path from the volume + root to write the bundle. + type: string + signerName: + description: |- + Select all ClusterTrustBundles that match this signer name. + Mutually-exclusive with name. The contents of all selected + ClusterTrustBundles will be unified and deduplicated. + type: string + required: + - path + type: object + configMap: + description: configMap information about the configMap + data to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path + within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: optional specify whether the + ConfigMap or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information about the + downwardAPI data to project + properties: + items: + description: Items is a list of DownwardAPIVolume + file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing + the pod field + properties: + fieldRef: + description: 'Required: Selects a field + of the pod: only annotations, labels, + name, namespace and uid are supported.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: 'Required: Path is the + relative path name of the file to + be created. Must not be absolute or + contain the ''..'' path. Must be utf-8 + encoded. The first item of the relative + path must not start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podCertificate: + description: |- + Projects an auto-rotating credential bundle (private key and certificate + chain) that the pod can use either as a TLS client or server. + + Kubelet generates a private key and uses it to send a + PodCertificateRequest to the named signer. Once the signer approves the + request and issues a certificate chain, Kubelet writes the key and + certificate chain to the pod filesystem. The pod does not start until + certificates have been issued for each podCertificate projected volume + source in its spec. + + Kubelet will begin trying to rotate the certificate at the time indicated + by the signer using the PodCertificateRequest.Status.BeginRefreshAt + timestamp. + + Kubelet can write a single file, indicated by the credentialBundlePath + field, or separate files, indicated by the keyPath and + certificateChainPath fields. + + The credential bundle is a single file in PEM format. The first PEM + entry is the private key (in PKCS#8 format), and the remaining PEM + entries are the certificate chain issued by the signer (typically, + signers will return their certificate chain in leaf-to-root order). + + Prefer using the credential bundle format, since your application code + can read it atomically. If you use keyPath and certificateChainPath, + your application must make two separate file reads. If these coincide + with a certificate rotation, it is possible that the private key and leaf + certificate you read may not correspond to each other. Your application + will need to check for this condition, and re-read until they are + consistent. + + The named signer controls chooses the format of the certificate it + issues; consult the signer implementation's documentation to learn how to + use the certificates it issues. + properties: + certificateChainPath: + description: |- + Write the certificate chain at this path in the projected volume. + + Most applications should use credentialBundlePath. When using keyPath + and certificateChainPath, your application needs to check that the key + and leaf certificate are consistent, because it is possible to read the + files mid-rotation. + type: string + credentialBundlePath: + description: |- + Write the credential bundle at this path in the projected volume. + + The credential bundle is a single file that contains multiple PEM blocks. + The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private + key. + + The remaining blocks are CERTIFICATE blocks, containing the issued + certificate chain from the signer (leaf and any intermediates). + + Using credentialBundlePath lets your Pod's application code make a single + atomic read that retrieves a consistent key and certificate chain. If you + project them to separate files, your application code will need to + additionally check that the leaf certificate was issued to the key. + type: string + keyPath: + description: |- + Write the key at this path in the projected volume. + + Most applications should use credentialBundlePath. When using keyPath + and certificateChainPath, your application needs to check that the key + and leaf certificate are consistent, because it is possible to read the + files mid-rotation. + type: string + keyType: + description: |- + The type of keypair Kubelet will generate for the pod. + + Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384", + "ECDSAP521", and "ED25519". + type: string + maxExpirationSeconds: + description: |- + maxExpirationSeconds is the maximum lifetime permitted for the + certificate. + + Kubelet copies this value verbatim into the PodCertificateRequests it + generates for this projection. + + If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver + will reject values shorter than 3600 (1 hour). The maximum allowable + value is 7862400 (91 days). + + The signer implementation is then free to issue a certificate with any + lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600 + seconds (1 hour). This constraint is enforced by kube-apiserver. + `kubernetes.io` signers will never issue certificates with a lifetime + longer than 24 hours. + format: int32 + type: integer + signerName: + description: Kubelet's generated CSRs will + be addressed to this signer. + type: string + userAnnotations: + additionalProperties: + type: string + description: |- + userAnnotations allow pod authors to pass additional information to + the signer implementation. Kubernetes does not restrict or validate this + metadata in any way. + + These values are copied verbatim into the `spec.unverifiedUserAnnotations` field of + the PodCertificateRequest objects that Kubelet creates. + + Entries are subject to the same validation as object metadata annotations, + with the addition that all keys must be domain-prefixed. No restrictions + are placed on values, except an overall size limitation on the entire field. + + Signers should document the keys and values they support. Signers should + deny requests that contain keys they do not recognize. + type: object + required: + - keyType + - signerName + type: object + secret: + description: secret information about the secret + data to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path + within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: optional field specify whether + the Secret or its key must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is information + about the serviceAccountToken data to project + properties: + audience: + description: |- + audience is the intended audience of the token. A recipient of a token + must identify itself with an identifier specified in the audience of the + token, and otherwise should reject the token. The audience defaults to the + identifier of the apiserver. + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service + account token. As the token approaches expiration, the kubelet volume + plugin will proactively rotate the service account token. The kubelet will + start trying to rotate the token if the token is older than 80 percent of + its time to live or if the token is older than 24 hours.Defaults to 1 hour + and must be at least 10 minutes. + format: int64 + type: integer + path: + description: |- + path is the path relative to the mount point of the file to project the + token into. + type: string + required: + - path + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + quobyte: + description: |- + quobyte represents a Quobyte mount on the host that shares a pod's lifetime. + Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported. + properties: + group: + description: |- + group to map volume access to + Default is no group + type: string + readOnly: + description: |- + readOnly here will force the Quobyte volume to be mounted with read-only permissions. + Defaults to false. + type: boolean + registry: + description: |- + registry represents a single or multiple Quobyte Registry services + specified as a string as host:port pair (multiple entries are separated with commas) + which acts as the central registry for volumes + type: string + tenant: + description: |- + tenant owning the given Quobyte volume in the Backend + Used with dynamically provisioned Quobyte volumes, value is set by the plugin + type: string + user: + description: |- + user to map volume access to + Defaults to serivceaccount user + type: string + volume: + description: volume is a string that references an already + created Quobyte volume by name. + type: string + required: + - registry + - volume + type: object + rbd: + description: |- + rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. + Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + type: string + image: + description: |- + image is the rados image name. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + keyring: + default: /etc/ceph/keyring + description: |- + keyring is the path to key ring for RBDUser. + Default is /etc/ceph/keyring. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + monitors: + description: |- + monitors is a collection of Ceph monitors. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + items: + type: string + type: array + x-kubernetes-list-type: atomic + pool: + default: rbd + description: |- + pool is the rados pool name. + Default is rbd. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: boolean + secretRef: + description: |- + secretRef is name of the authentication secret for RBDUser. If provided + overrides keyring. + Default is nil. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + user: + default: admin + description: |- + user is the rados user name. + Default is admin. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + required: + - image + - monitors + type: object + scaleIO: + description: |- + scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. + Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported. + properties: + fsType: + default: xfs + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". + Default is "xfs". + type: string + gateway: + description: gateway is the host address of the ScaleIO + API Gateway. + type: string + protectionDomain: + description: protectionDomain is the name of the ScaleIO + Protection Domain for the configured storage. + type: string + readOnly: + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef references to the secret for ScaleIO user and other + sensitive information. If this is not provided, Login operation will fail. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + description: sslEnabled Flag enable/disable SSL communication + with Gateway, default false + type: boolean + storageMode: + default: ThinProvisioned + description: |- + storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. + Default is ThinProvisioned. + type: string + storagePool: + description: storagePool is the ScaleIO Storage Pool + associated with the protection domain. + type: string + system: + description: system is the name of the storage system + as configured in ScaleIO. + type: string + volumeName: + description: |- + volumeName is the name of a volume already created in the ScaleIO system + that is associated with this volume source. + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + description: |- + secret represents a secret that should populate this volume. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + properties: + defaultMode: + description: |- + defaultMode is Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values + for mode bits. Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items If unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + optional: + description: optional field specify whether the Secret + or its keys must be defined + type: boolean + secretName: + description: |- + secretName is the name of the secret in the pod's namespace to use. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + type: string + type: object + storageos: + description: |- + storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. + Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef specifies the secret to use for obtaining the StorageOS API + credentials. If not specified, default values will be attempted. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + description: |- + volumeName is the human-readable name of the StorageOS volume. Volume + names are only unique within a namespace. + type: string + volumeNamespace: + description: |- + volumeNamespace specifies the scope of the volume within StorageOS. If no + namespace is specified then the Pod's namespace will be used. This allows the + Kubernetes name scoping to be mirrored within StorageOS for tighter integration. + Set VolumeName to any name to override the default behaviour. + Set to "default" if you are not using namespaces within StorageOS. + Namespaces that do not pre-exist within StorageOS will be created. + type: string + type: object + vsphereVolume: + description: |- + vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. + Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type + are redirected to the csi.vsphere.vmware.com CSI driver. + properties: + fsType: + description: |- + fsType is filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + storagePolicyID: + description: storagePolicyID is the storage Policy Based + Management (SPBM) profile ID associated with the StoragePolicyName. + type: string + storagePolicyName: + description: storagePolicyName is the storage Policy + Based Management (SPBM) profile name. + type: string + volumePath: + description: volumePath is the path that identifies + vSphere volume vmdk + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + workingDir: + default: /home/devbox/project + type: string + type: object + image: + type: string + network: + properties: + extraPorts: + items: + description: ContainerPort represents a network port in a single + container. + properties: + containerPort: + description: |- + Number of port to expose on the pod's IP address. + This must be a valid port number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external port to. + type: string + hostPort: + description: |- + Number of port to expose on the host. + If specified, this must be a valid port number, 0 < x < 65536. + If HostNetwork is specified, this must match ContainerPort. + Most containers do not need this. + format: int32 + type: integer + name: + description: |- + If specified, this must be an IANA_SVC_NAME and unique within the pod. Each + named port in a pod must have a unique name. Name for the port that can be + referred to by services. + type: string + protocol: + default: TCP + description: |- + Protocol for port. Must be UDP, TCP, or SCTP. + Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + type: + enum: + - NodePort + - Tailnet + type: string + required: + - type + type: object + nodeSelector: + additionalProperties: + type: string + type: object + resource: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: ResourceList is a set of (resource name, quantity) pairs. + type: object + runtimeClassName: + type: string + squash: + default: false + type: boolean + state: + enum: + - Running + - Stopped + - Shutdown + type: string + templateID: + type: string + tolerations: + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators). + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + required: + - config + - image + - network + - resource + - state + type: object + status: + description: DevboxStatus defines the observed state of Devbox + properties: + commitHistory: + items: + properties: + containerID: + description: ContainerID is the container id + type: string + image: + description: Image is the image of the commit + type: string + node: + description: Node is the node name + type: string + pod: + description: Pod is the pod name + type: string + predicatedStatus: + description: predicatedStatus default `pending`, will be set + to `success` if pod status is running successfully. + type: string + status: + description: status will be set based on expectedStatus after + devbox pod delete or stop. if expectedStatus is still pending, + it means the pod is not running successfully, so we need to + set it to `failed` + type: string + time: + description: Time is the time when the commit is created + format: date-time + type: string + required: + - containerID + - image + - node + - pod + - predicatedStatus + - status + - time + type: object + type: array + lastState: + description: |- + ContainerState holds a possible state of container. + Only one of its members may be specified. + If none of them is specified, the default one is ContainerStateWaiting. + properties: + running: + description: Details about a running container + properties: + startedAt: + description: Time at which the container was last (re-)started + format: date-time + type: string + type: object + terminated: + description: Details about a terminated container + properties: + containerID: + description: Container's ID in the format '://' + type: string + exitCode: + description: Exit status from the last termination of the + container + format: int32 + type: integer + finishedAt: + description: Time at which the container last terminated + format: date-time + type: string + message: + description: Message regarding the last termination of the + container + type: string + reason: + description: (brief) reason from the last termination of the + container + type: string + signal: + description: Signal from the last termination of the container + format: int32 + type: integer + startedAt: + description: Time at which previous execution of the container + started + format: date-time + type: string + required: + - exitCode + type: object + waiting: + description: Details about a waiting container + properties: + message: + description: Message regarding why the container is not yet + running. + type: string + reason: + description: (brief) reason the container is not yet running. + type: string + type: object + type: object + network: + properties: + nodePort: + format: int32 + type: integer + tailnet: + description: todo TailNet + type: string + type: + default: NodePort + enum: + - NodePort + - Tailnet + type: string + required: + - type + type: object + phase: + type: string + state: + description: |- + ContainerState holds a possible state of container. + Only one of its members may be specified. + If none of them is specified, the default one is ContainerStateWaiting. + properties: + running: + description: Details about a running container + properties: + startedAt: + description: Time at which the container was last (re-)started + format: date-time + type: string + type: object + terminated: + description: Details about a terminated container + properties: + containerID: + description: Container's ID in the format '://' + type: string + exitCode: + description: Exit status from the last termination of the + container + format: int32 + type: integer + finishedAt: + description: Time at which the container last terminated + format: date-time + type: string + message: + description: Message regarding the last termination of the + container + type: string + reason: + description: (brief) reason from the last termination of the + container + type: string + signal: + description: Signal from the last termination of the container + format: int32 + type: integer + startedAt: + description: Time at which previous execution of the container + started + format: date-time + type: string + required: + - exitCode + type: object + waiting: + description: Details about a waiting container + properties: + message: + description: Message regarding why the container is not yet + running. + type: string + reason: + description: (brief) reason the container is not yet running. + type: string + type: object + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/v1/deploy/charts/devbox-v1/crds/devbox.sealos.io_devboxreleases.yaml b/v1/deploy/charts/devbox-v1/crds/devbox.sealos.io_devboxreleases.yaml new file mode 100644 index 0000000..84be9ce --- /dev/null +++ b/v1/deploy/charts/devbox-v1/crds/devbox.sealos.io_devboxreleases.yaml @@ -0,0 +1,78 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.20.1 + name: devboxreleases.devbox.sealos.io +spec: + group: devbox.sealos.io + names: + kind: DevBoxRelease + listKind: DevBoxReleaseList + plural: devboxreleases + singular: devboxrelease + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.devboxName + name: DevboxName + type: string + - jsonPath: .spec.newTag + name: NewTag + type: string + - jsonPath: .status.phase + name: Phase + type: string + - jsonPath: .status.originalImage + name: OriginalImage + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: DevBoxRelease is the Schema for the devboxreleases API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: DevBoxReleaseSpec defines the desired state of DevBoxRelease + properties: + devboxName: + type: string + newTag: + type: string + notes: + type: string + required: + - devboxName + - newTag + type: object + status: + description: DevBoxReleaseStatus defines the observed state of DevBoxRelease + properties: + originalImage: + type: string + phase: + default: Pending + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/v1/deploy/charts/devbox-v1/devbox-v1-values.yaml b/v1/deploy/charts/devbox-v1/devbox-v1-values.yaml new file mode 100644 index 0000000..1176b31 --- /dev/null +++ b/v1/deploy/charts/devbox-v1/devbox-v1-values.yaml @@ -0,0 +1,84 @@ +cloudDomain: "127.0.0.1.nip.io" +cloudPort: "" +certSecretName: "wildcard-cert" + +registry: + addr: "sealos.hub:5000" + user: "admin" + password: "passw0rd" + +platform: + databaseUrl: "" + jwtSecret: "" + regionUid: "" + tlsRejectUnauthorized: "1" + +controller: + enabled: true + namespace: devbox-system + replicas: 1 + image: + repository: ghcr.io/sealos-apps/devbox-v1-controller + tag: latest + pullPolicy: Always + requestCpuRate: "20" + requestMemoryRate: "10" + matchers: + enablePodEphemeralStorageMatcher: false + enablePodAnnotationsMatcher: true + enablePodEnvMatcher: true + enablePodResourceMatcher: true + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 10m + memory: 64Mi + defaultUserRoleBinding: + enabled: true + +frontend: + enabled: true + namespace: devbox-frontend + replicas: 1 + image: + repository: ghcr.io/sealos-apps/devbox-v1-frontend + tag: latest + pullPolicy: Always + resources: + limits: + cpu: 2000m + memory: 2048Mi + requests: + cpu: 100m + memory: 128Mi + env: + documentUrlZh: https://sealos.run/docs/overview/intro + documentUrlEn: https://sealos.io/docs/overview/intro + privacyUrlZh: https://sealos.run/docs/msa/privacy-policy + privacyUrlEn: https://sealos.io/docs/msa/privacy-policy + monitorUrl: http://launchpad-monitor.sealos.svc.cluster.local:8428 + accountUrl: http://account-service.account-system.svc.cluster.local:2333 + currencySymbol: usd + gpuEnable: "false" + squashEnable: "false" + devboxAffinityEnable: "true" + enableImportFeature: "false" + enableWebideFeature: "false" + config: + addr: ":3000" + +ingress: + enabled: true + className: nginx + hostPrefix: devbox + +app: + enabled: true + namespace: app-system + name: devbox + displayType: normal + type: iframe + +extraManifests: [] diff --git a/v1/deploy/charts/devbox-v1/templates/_helpers.tpl b/v1/deploy/charts/devbox-v1/templates/_helpers.tpl new file mode 100644 index 0000000..4216457 --- /dev/null +++ b/v1/deploy/charts/devbox-v1/templates/_helpers.tpl @@ -0,0 +1,19 @@ +{{- define "devbox-v1.image" -}} +{{- printf "%s:%s" .repository .tag -}} +{{- end -}} + +{{- define "devbox-v1.frontendHost" -}} +{{- printf "%s.%s" (default "devbox" .Values.ingress.hostPrefix) .Values.cloudDomain -}} +{{- end -}} + +{{- define "devbox-v1.frontendExternalURL" -}} +{{- printf "https://%s" (include "devbox-v1.frontendHost" .) -}}{{- if .Values.cloudPort -}}:{{ .Values.cloudPort }}{{- end -}} +{{- end -}} + +{{- define "devbox-v1.frontendImage" -}} +{{- include "devbox-v1.image" .Values.frontend.image -}} +{{- end -}} + +{{- define "devbox-v1.controllerImage" -}} +{{- include "devbox-v1.image" .Values.controller.image -}} +{{- end -}} diff --git a/v1/deploy/charts/devbox-v1/templates/app.yaml b/v1/deploy/charts/devbox-v1/templates/app.yaml new file mode 100644 index 0000000..c9b3055 --- /dev/null +++ b/v1/deploy/charts/devbox-v1/templates/app.yaml @@ -0,0 +1,20 @@ +{{- if and .Values.frontend.enabled .Values.app.enabled }} +apiVersion: app.sealos.io/v1 +kind: App +metadata: + name: {{ .Values.app.name | quote }} + namespace: {{ .Values.app.namespace | quote }} +spec: + data: + desc: Devbox + url: {{ include "devbox-v1.frontendExternalURL" . | quote }} + icon: {{ printf "%s/logo.svg" (include "devbox-v1.frontendExternalURL" .) | quote }} + i18n: + zh: + name: Devbox + zh-Hans: + name: Devbox + name: {{ .Values.app.name | quote }} + type: {{ .Values.app.type | quote }} + displayType: {{ .Values.app.displayType | quote }} +{{- end }} diff --git a/v1/deploy/charts/devbox-v1/templates/controller-rbac.yaml b/v1/deploy/charts/devbox-v1/templates/controller-rbac.yaml new file mode 100644 index 0000000..4cbb6f5 --- /dev/null +++ b/v1/deploy/charts/devbox-v1/templates/controller-rbac.yaml @@ -0,0 +1,336 @@ +{{- if .Values.controller.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: devbox + name: devbox-controller-manager + namespace: {{ .Values.controller.namespace | quote }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: devbox + name: devbox-leader-election-role + namespace: {{ .Values.controller.namespace | quote }} +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: devbox + name: devbox-devbox-admin-role +rules: +- apiGroups: + - devbox.sealos.io + resources: + - devboxes + verbs: + - '*' +- apiGroups: + - devbox.sealos.io + resources: + - devboxes/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: devbox + name: devbox-devbox-editor-role +rules: +- apiGroups: + - devbox.sealos.io + resources: + - devboxes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - devbox.sealos.io + resources: + - devboxes/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: devbox + name: devbox-devbox-viewer-role +rules: +- apiGroups: + - devbox.sealos.io + resources: + - devboxes + verbs: + - get + - list + - watch +- apiGroups: + - devbox.sealos.io + resources: + - devboxes/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: devbox + name: devbox-devboxrelease-admin-role +rules: +- apiGroups: + - devbox.sealos.io + resources: + - devboxreleases + verbs: + - '*' +- apiGroups: + - devbox.sealos.io + resources: + - devboxreleases/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: devbox + name: devbox-devboxrelease-editor-role +rules: +- apiGroups: + - devbox.sealos.io + resources: + - devboxreleases + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - devbox.sealos.io + resources: + - devboxreleases/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: devbox + name: devbox-devboxrelease-viewer-role +rules: +- apiGroups: + - devbox.sealos.io + resources: + - devboxreleases + verbs: + - get + - list + - watch +- apiGroups: + - devbox.sealos.io + resources: + - devboxreleases/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: devbox-manager-role +rules: +- apiGroups: + - "" + resources: + - configmaps + - events + - pods + - secrets + - services + verbs: + - '*' +- apiGroups: + - "" + resources: + - pods/status + verbs: + - get + - patch + - update +- apiGroups: + - devbox.sealos.io + resources: + - devboxes + - devboxreleases + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - devbox.sealos.io + resources: + - devboxes/finalizers + - devboxreleases/finalizers + verbs: + - update +- apiGroups: + - devbox.sealos.io + resources: + - devboxes/status + - devboxreleases/status + verbs: + - get + - patch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: devbox-metrics-auth-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: devbox-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: devbox + name: devbox-leader-election-rolebinding + namespace: {{ .Values.controller.namespace | quote }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: devbox-leader-election-role +subjects: +- kind: ServiceAccount + name: devbox-controller-manager + namespace: {{ .Values.controller.namespace | quote }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: devbox + name: devbox-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: devbox-manager-role +subjects: +- kind: ServiceAccount + name: devbox-controller-manager + namespace: {{ .Values.controller.namespace | quote }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: devbox-metrics-auth-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: devbox-metrics-auth-role +subjects: +- kind: ServiceAccount + name: devbox-controller-manager + namespace: {{ .Values.controller.namespace | quote }} +{{- if .Values.controller.defaultUserRoleBinding.enabled }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: devbox-default-user-rolebinding + namespace: {{ .Values.controller.namespace | quote }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: devbox-default-user +subjects: +- kind: Group + name: system:serviceaccounts + apiGroup: rbac.authorization.k8s.io +{{- end }} +{{- end }} diff --git a/v1/deploy/charts/devbox-v1/templates/controller.yaml b/v1/deploy/charts/devbox-v1/templates/controller.yaml new file mode 100644 index 0000000..a091775 --- /dev/null +++ b/v1/deploy/charts/devbox-v1/templates/controller.yaml @@ -0,0 +1,92 @@ +{{- if .Values.controller.enabled }} +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: devbox + control-plane: controller-manager + name: devbox-controller-manager-metrics-service + namespace: {{ .Values.controller.namespace | quote }} +spec: + ports: + - name: https + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + app.kubernetes.io/name: devbox + control-plane: controller-manager +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: devbox + control-plane: controller-manager + name: devbox-controller-manager + namespace: {{ .Values.controller.namespace | quote }} +spec: + replicas: {{ .Values.controller.replicas }} + selector: + matchLabels: + app.kubernetes.io/name: devbox + control-plane: controller-manager + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: manager + labels: + app.kubernetes.io/name: devbox + control-plane: controller-manager + spec: + containers: + - args: + - --metrics-bind-address=:8443 + - --leader-elect + - --health-probe-bind-address=:8081 + - --request-cpu-rate={{ .Values.controller.requestCpuRate }} + - --request-memory-rate={{ .Values.controller.requestMemoryRate }} + - --enable-pod-ephemeral-storage-matcher={{ .Values.controller.matchers.enablePodEphemeralStorageMatcher }} + - --enable-pod-expected-annotations-matcher={{ .Values.controller.matchers.enablePodAnnotationsMatcher }} + - --enable-pod-env-matcher={{ .Values.controller.matchers.enablePodEnvMatcher }} + - --enable-pod-extra-resource-matcher={{ .Values.controller.matchers.enablePodResourceMatcher }} + - --registry-addr={{ .Values.registry.addr }} + - --registry-user={{ .Values.registry.user }} + - --registry-password={{ .Values.registry.password }} + command: + - /manager + image: {{ include "devbox-v1.controllerImage" . | quote }} + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + ports: [] + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + {{- toYaml .Values.controller.resources | nindent 10 }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: [] + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + serviceAccountName: devbox-controller-manager + terminationGracePeriodSeconds: 10 + volumes: [] +{{- end }} diff --git a/v1/deploy/charts/devbox-v1/templates/extra-manifests.yaml b/v1/deploy/charts/devbox-v1/templates/extra-manifests.yaml new file mode 100644 index 0000000..0e5456b --- /dev/null +++ b/v1/deploy/charts/devbox-v1/templates/extra-manifests.yaml @@ -0,0 +1,4 @@ +{{- range .Values.extraManifests }} +--- +{{ tpl (toYaml .) $ }} +{{- end }} diff --git a/v1/deploy/charts/devbox-v1/templates/frontend.yaml b/v1/deploy/charts/devbox-v1/templates/frontend.yaml new file mode 100644 index 0000000..6d4bf33 --- /dev/null +++ b/v1/deploy/charts/devbox-v1/templates/frontend.yaml @@ -0,0 +1,151 @@ +{{- if .Values.frontend.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: devbox-frontend-config + namespace: {{ .Values.frontend.namespace | quote }} +data: + config.yaml: |- + addr: {{ .Values.frontend.config.addr }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: devbox-frontend + namespace: {{ .Values.frontend.namespace | quote }} +spec: + replicas: {{ .Values.frontend.replicas }} + selector: + matchLabels: + app: devbox-frontend + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 25% + maxSurge: 25% + template: + metadata: + labels: + app: devbox-frontend + spec: + initContainers: + - name: devbox-frontend-init + image: {{ include "devbox-v1.frontendImage" . | quote }} + imagePullPolicy: {{ .Values.frontend.image.pullPolicy }} + env: + - name: DATABASE_URL + value: {{ .Values.platform.databaseUrl | quote }} + command: + - sh + - -c + args: + - |- + cd /app + MIGRATION="20260125094114_add_template_repository_kind" + HAS_MIGRATION=$(psql "$DATABASE_URL" -tAc "SELECT 1 FROM _prisma_migrations WHERE migration_name='${MIGRATION}' AND rolled_back_at IS NULL LIMIT 1;") + if [ "$HAS_MIGRATION" = "1" ]; then + prisma migrate deploy + exit 0 + fi + HAS_ENUM=$(psql "$DATABASE_URL" -tAc "SELECT 1 FROM pg_enum e JOIN pg_type t ON t.oid = e.enumtypid WHERE t.typname IN ('TemplateRepositoryKind','template_repository_kind') AND e.enumlabel = 'SERVICE' LIMIT 1;") + if [ "$HAS_ENUM" = "1" ]; then + prisma migrate resolve --applied "$MIGRATION" + fi + prisma migrate deploy + containers: + - name: devbox-frontend + env: + - name: NODE_TLS_REJECT_UNAUTHORIZED + value: {{ .Values.platform.tlsRejectUnauthorized | quote }} + - name: DOCUMENT_URL_ZH + value: {{ .Values.frontend.env.documentUrlZh | quote }} + - name: DOCUMENT_URL_EN + value: {{ .Values.frontend.env.documentUrlEn | quote }} + - name: PRIVACY_URL_ZH + value: {{ .Values.frontend.env.privacyUrlZh | quote }} + - name: PRIVACY_URL_EN + value: {{ .Values.frontend.env.privacyUrlEn | quote }} + - name: SEALOS_DOMAIN + value: {{ .Values.cloudDomain | quote }} + - name: INGRESS_SECRET + value: {{ .Values.certSecretName | quote }} + - name: REGISTRY_ADDR + value: {{ .Values.registry.addr | quote }} + - name: DEVBOX_AFFINITY_ENABLE + value: {{ .Values.frontend.env.devboxAffinityEnable | quote }} + - name: MONITOR_URL + value: {{ .Values.frontend.env.monitorUrl | quote }} + - name: SQUASH_ENABLE + value: {{ .Values.frontend.env.squashEnable | quote }} + - name: ACCOUNT_URL + value: {{ .Values.frontend.env.accountUrl | quote }} + - name: ROOT_RUNTIME_NAMESPACE + value: {{ .Values.controller.namespace | quote }} + - name: INGRESS_DOMAIN + value: {{ .Values.cloudDomain | quote }} + - name: CURRENCY_SYMBOL + value: {{ .Values.frontend.env.currencySymbol | quote }} + - name: GPU_ENABLE + value: {{ .Values.frontend.env.gpuEnable | quote }} + - name: PRIVACY_URL + value: {{ .Values.frontend.env.privacyUrlZh | quote }} + - name: RETAG_SVC_URL + value: {{ printf "http://devbox-service.%s.svc.cluster.local:8092" .Values.controller.namespace | quote }} + - name: JWT_SECRET + value: {{ .Values.platform.jwtSecret | quote }} + - name: REGION_UID + value: {{ .Values.platform.regionUid | quote }} + - name: DATABASE_URL + value: {{ .Values.platform.databaseUrl | quote }} + - name: ENABLE_IMPORT_FEATURE + value: {{ .Values.frontend.env.enableImportFeature | quote }} + - name: ENABLE_WEBIDE_FEATURE + value: {{ .Values.frontend.env.enableWebideFeature | quote }} + securityContext: + runAsNonRoot: true + runAsUser: 1001 + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + resources: + {{- toYaml .Values.frontend.resources | nindent 10 }} + image: {{ include "devbox-v1.frontendImage" . | quote }} + imagePullPolicy: {{ .Values.frontend.image.pullPolicy }} + volumeMounts: + - name: devbox-frontend-volume + mountPath: /config.yaml + subPath: config.yaml + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - devbox-frontend + topologyKey: kubernetes.io/hostname + volumes: + - name: devbox-frontend-volume + configMap: + name: devbox-frontend-config +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: devbox-frontend + name: devbox-frontend + namespace: {{ .Values.frontend.namespace | quote }} +spec: + ports: + - name: http + port: 3000 + protocol: TCP + targetPort: 3000 + selector: + app: devbox-frontend +{{- end }} diff --git a/v1/deploy/charts/devbox-v1/templates/ingress.yaml b/v1/deploy/charts/devbox-v1/templates/ingress.yaml new file mode 100644 index 0000000..6572fdf --- /dev/null +++ b/v1/deploy/charts/devbox-v1/templates/ingress.yaml @@ -0,0 +1,53 @@ +{{- if and .Values.frontend.enabled .Values.ingress.enabled }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + kubernetes.io/ingress.class: {{ .Values.ingress.className | quote }} + nginx.ingress.kubernetes.io/configuration-snippet: | + more_clear_headers "X-Frame-Options:"; + more_set_headers "Content-Security-Policy: default-src * blob: data: *.{{ .Values.cloudDomain }}{{ if .Values.cloudPort }}:{{ .Values.cloudPort }}{{ end }} {{ .Values.cloudDomain }}{{ if .Values.cloudPort }}:{{ .Values.cloudPort }}{{ end }}; img-src * data: blob: resource: *.{{ .Values.cloudDomain }}{{ if .Values.cloudPort }}:{{ .Values.cloudPort }}{{ end }} {{ .Values.cloudDomain }}{{ if .Values.cloudPort }}:{{ .Values.cloudPort }}{{ end }}; connect-src * wss: blob: resource:; style-src 'self' 'unsafe-inline' blob: *.{{ .Values.cloudDomain }}{{ if .Values.cloudPort }}:{{ .Values.cloudPort }}{{ end }} {{ .Values.cloudDomain }}{{ if .Values.cloudPort }}:{{ .Values.cloudPort }}{{ end }} resource:; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: *.{{ .Values.cloudDomain }}{{ if .Values.cloudPort }}:{{ .Values.cloudPort }}{{ end }} {{ .Values.cloudDomain }}{{ if .Values.cloudPort }}:{{ .Values.cloudPort }}{{ end }} resource: *.baidu.com *.bdstatic.com; frame-src 'self' {{ .Values.cloudDomain }}{{ if .Values.cloudPort }}:{{ .Values.cloudPort }}{{ end }} mailto: tel: weixin: mtt: *.baidu.com; frame-ancestors 'self' https://{{ .Values.cloudDomain }}{{ if .Values.cloudPort }}:{{ .Values.cloudPort }}{{ end }} https://*.{{ .Values.cloudDomain }}{{ if .Values.cloudPort }}:{{ .Values.cloudPort }}{{ end }}"; + more_set_headers "X-Xss-Protection: 1; mode=block"; + higress.io/response-header-control-remove: X-Frame-Options + higress.io/response-header-control-update: | + Content-Security-Policy "default-src * blob: data: *.{{ .Values.cloudDomain }}{{ if .Values.cloudPort }}:{{ .Values.cloudPort }}{{ end }} {{ .Values.cloudDomain }}{{ if .Values.cloudPort }}:{{ .Values.cloudPort }}{{ end }}; img-src * data: blob: resource: *.{{ .Values.cloudDomain }}{{ if .Values.cloudPort }}:{{ .Values.cloudPort }}{{ end }} {{ .Values.cloudDomain }}{{ if .Values.cloudPort }}:{{ .Values.cloudPort }}{{ end }}; connect-src * wss: blob: resource:; style-src 'self' 'unsafe-inline' blob: *.{{ .Values.cloudDomain }}{{ if .Values.cloudPort }}:{{ .Values.cloudPort }}{{ end }} {{ .Values.cloudDomain }}{{ if .Values.cloudPort }}:{{ .Values.cloudPort }}{{ end }} resource:; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: *.{{ .Values.cloudDomain }}{{ if .Values.cloudPort }}:{{ .Values.cloudPort }}{{ end }} {{ .Values.cloudDomain }}{{ if .Values.cloudPort }}:{{ .Values.cloudPort }}{{ end }} resource: *.baidu.com *.bdstatic.com; frame-src 'self' {{ .Values.cloudDomain }}{{ if .Values.cloudPort }}:{{ .Values.cloudPort }}{{ end }} mailto: tel: weixin: mtt: *.baidu.com; frame-ancestors 'self' https://{{ .Values.cloudDomain }}{{ if .Values.cloudPort }}:{{ .Values.cloudPort }}{{ end }} https://*.{{ .Values.cloudDomain }}{{ if .Values.cloudPort }}:{{ .Values.cloudPort }}{{ end }}" + X-Xss-Protection "1; mode=block" + name: devbox-frontend + namespace: {{ .Values.frontend.namespace | quote }} +spec: + rules: + - host: {{ include "devbox-v1.frontendHost" . | quote }} + http: + paths: + - pathType: Prefix + path: / + backend: + service: + name: devbox-frontend + port: + number: 3000 + tls: + - hosts: + - {{ include "devbox-v1.frontendHost" . | quote }} + secretName: {{ .Values.certSecretName | quote }} +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + kubernetes.io/ingress.class: {{ .Values.ingress.className | quote }} + name: devbox-challenge + namespace: {{ .Values.frontend.namespace | quote }} +spec: + rules: + - host: "" + http: + paths: + - backend: + service: + name: devbox-frontend + port: + number: 3000 + path: /api/.well-known/devbox-domain-challenge + pathType: Prefix +{{- end }} diff --git a/v1/deploy/charts/devbox-v1/templates/namespaces.yaml b/v1/deploy/charts/devbox-v1/templates/namespaces.yaml new file mode 100644 index 0000000..e3dce11 --- /dev/null +++ b/v1/deploy/charts/devbox-v1/templates/namespaces.yaml @@ -0,0 +1,20 @@ +{{- if .Values.controller.enabled }} +apiVersion: v1 +kind: Namespace +metadata: + labels: + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: devbox + control-plane: controller-manager + name: {{ .Values.controller.namespace | quote }} +{{- end }} +{{- if .Values.frontend.enabled }} +--- +apiVersion: v1 +kind: Namespace +metadata: + labels: + app: devbox-frontend + app.kubernetes.io/managed-by: Helm + name: {{ .Values.frontend.namespace | quote }} +{{- end }} diff --git a/v1/deploy/charts/devbox-v1/values.yaml b/v1/deploy/charts/devbox-v1/values.yaml new file mode 100644 index 0000000..1176b31 --- /dev/null +++ b/v1/deploy/charts/devbox-v1/values.yaml @@ -0,0 +1,84 @@ +cloudDomain: "127.0.0.1.nip.io" +cloudPort: "" +certSecretName: "wildcard-cert" + +registry: + addr: "sealos.hub:5000" + user: "admin" + password: "passw0rd" + +platform: + databaseUrl: "" + jwtSecret: "" + regionUid: "" + tlsRejectUnauthorized: "1" + +controller: + enabled: true + namespace: devbox-system + replicas: 1 + image: + repository: ghcr.io/sealos-apps/devbox-v1-controller + tag: latest + pullPolicy: Always + requestCpuRate: "20" + requestMemoryRate: "10" + matchers: + enablePodEphemeralStorageMatcher: false + enablePodAnnotationsMatcher: true + enablePodEnvMatcher: true + enablePodResourceMatcher: true + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 10m + memory: 64Mi + defaultUserRoleBinding: + enabled: true + +frontend: + enabled: true + namespace: devbox-frontend + replicas: 1 + image: + repository: ghcr.io/sealos-apps/devbox-v1-frontend + tag: latest + pullPolicy: Always + resources: + limits: + cpu: 2000m + memory: 2048Mi + requests: + cpu: 100m + memory: 128Mi + env: + documentUrlZh: https://sealos.run/docs/overview/intro + documentUrlEn: https://sealos.io/docs/overview/intro + privacyUrlZh: https://sealos.run/docs/msa/privacy-policy + privacyUrlEn: https://sealos.io/docs/msa/privacy-policy + monitorUrl: http://launchpad-monitor.sealos.svc.cluster.local:8428 + accountUrl: http://account-service.account-system.svc.cluster.local:2333 + currencySymbol: usd + gpuEnable: "false" + squashEnable: "false" + devboxAffinityEnable: "true" + enableImportFeature: "false" + enableWebideFeature: "false" + config: + addr: ":3000" + +ingress: + enabled: true + className: nginx + hostPrefix: devbox + +app: + enabled: true + namespace: app-system + name: devbox + displayType: normal + type: iframe + +extraManifests: [] diff --git a/v1/deploy/install.sh b/v1/deploy/install.sh new file mode 100755 index 0000000..72b0cae --- /dev/null +++ b/v1/deploy/install.sh @@ -0,0 +1,158 @@ +#!/usr/bin/env bash +set -euo pipefail + +timestamp() { + date +"%Y-%m-%d %T" +} + +info() { + local flag + flag="$(timestamp)" + echo -e "\033[36m INFO [$flag] >> $* \033[0m" +} + +warn() { + local flag + flag="$(timestamp)" + echo -e "\033[33m WARN [$flag] >> $* \033[0m" +} + +RELEASE_NAME="${RELEASE_NAME:-devbox-v1}" +NAMESPACE="${NAMESPACE:-devbox-system}" +HELM_OPTS="${HELM_OPTS:-}" +DEFAULT_VALUES_FILE="./charts/devbox-v1/devbox-v1-values.yaml" +USER_VALUES_DIR="/root/.sealos/cloud/values/apps/devbox-v1" +USER_VALUES_FILE="${USER_VALUES_DIR}/devbox-v1-values.yaml" +GLOBAL_VALUES_FILE="/root/.sealos/cloud/values/global.yaml" + +get_configmap_data() { + local namespace=$1 + local name=$2 + local key=$3 + + kubectl get configmap "${name}" -n "${namespace}" -o "jsonpath={.data.${key}}" 2>/dev/null || true +} + +get_desktop_config_value() { + local key=$1 + local raw="" + + raw="$(kubectl get configmap desktop-frontend-config -n sealos -o "jsonpath={.data.config\\.yaml}" 2>/dev/null || true)" + [ -n "${raw}" ] || return 0 + + printf '%s\n' "${raw}" | awk -v key="${key}" '$1 == key ":" { gsub(/"/, "", $2); print $2; exit }' +} + +random_secret() { + if command -v openssl >/dev/null 2>&1; then + openssl rand -hex 32 + return + fi + + tr -dc 'a-z0-9' /dev/null 2>&1; then + region_uid="$(uuidgen)" + else + region_uid="$(random_secret)" + fi + warn "regionUID was not detected; generated ${region_uid}" +fi + +jwt_secret="$(value_or_default "${jwtSecret:-${JWT_SECRET:-}}" "$(get_configmap_data sealos-system sealos-config jwtInternal)")" +jwt_secret="$(value_or_default "${jwt_secret}" "$(get_desktop_config_value internal)")" +if [ -z "${jwt_secret}" ]; then + jwt_secret="$(random_secret)" + warn "jwtSecret was not detected; generated a new value" +fi + +ensure_user_values_file + +if [ -d "./charts/devbox-v1/crds" ] && compgen -G "./charts/devbox-v1/crds/*.yaml" >/dev/null; then + info "Applying Devbox v1 CRDs" + kubectl apply -f ./charts/devbox-v1/crds +else + warn "No CRDs found in ./charts/devbox-v1/crds; skipping CRD apply" +fi + +helm_set_args=( + --set-string "cloudDomain=${cloud_domain}" + --set-string "cloudPort=${cloud_port}" + --set-string "certSecretName=${cert_secret_name}" + --set-string "registry.addr=${registry_addr}" + --set-string "registry.user=${registry_user}" + --set-string "registry.password=${registry_password}" + --set-string "platform.databaseUrl=${database_url}" + --set-string "platform.jwtSecret=${jwt_secret}" + --set-string "platform.regionUid=${region_uid}" + --set-string "platform.tlsRejectUnauthorized=${tls_reject_unauthorized}" +) + +if [ -f "${GLOBAL_VALUES_FILE}" ]; then + helm_set_args+=(-f "${GLOBAL_VALUES_FILE}") +fi + +helm_opts_arr=() +if [ -n "${HELM_OPTS}" ]; then + # shellcheck disable=SC2206 + helm_opts_arr=(${HELM_OPTS}) +fi + +info "Installing chart charts/devbox-v1 into namespace ${NAMESPACE}" +helm upgrade -i "${RELEASE_NAME}" -n "${NAMESPACE}" --create-namespace charts/devbox-v1 \ + -f "${DEFAULT_VALUES_FILE}" \ + -f "${USER_VALUES_FILE}" \ + "${helm_set_args[@]}" \ + "${helm_opts_arr[@]}" diff --git a/v1/deploy/scripts/sync-crds.sh b/v1/deploy/scripts/sync-crds.sh new file mode 100755 index 0000000..8bed262 --- /dev/null +++ b/v1/deploy/scripts/sync-crds.sh @@ -0,0 +1,14 @@ +#!/usr/bin/env bash +set -euo pipefail + +script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +deploy_dir="$(cd "${script_dir}/.." && pwd)" +repo_root="$(cd "${deploy_dir}/../.." && pwd)" +source_dir="${repo_root}/v1/controller/config/crd/bases" +target_dir="${deploy_dir}/charts/devbox-v1/crds" + +mkdir -p "${target_dir}" +rm -f "${target_dir}"/*.yaml +cp "${source_dir}"/*.yaml "${target_dir}/" + +echo "Synced Devbox v1 CRDs into ${target_dir}" From 401035b156063f21b6360c088cd2dbba468f12e1 Mon Sep 17 00:00:00 2001 From: cuisongliu Date: Tue, 19 May 2026 23:31:32 +0800 Subject: [PATCH 2/7] fix: update Sealos download URL to version 5.1.2-rc5 --- .github/scripts/install-sealos.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/scripts/install-sealos.sh b/.github/scripts/install-sealos.sh index 8d2d48c..479a055 100755 --- a/.github/scripts/install-sealos.sh +++ b/.github/scripts/install-sealos.sh @@ -24,7 +24,7 @@ case "${arch}" in esac cd "${tmp_dir}" -until curl -sSfLo sealos.tar.gz "https://github.com/labring/sealos/releases/download/v5.1.0-beta3/sealos_5.1.0-beta3_linux_${sealos_arch}.tar.gz"; do +until curl -sSfLo sealos.tar.gz "https://github.com/labring/sealos/releases/download/v5.1.2-rc5/sealos_5.1.2-rc5_linux_${sealos_arch}.tar.gz"; do sleep 3 done From ead69dcd2184d0261468c9f198ed01c718791bea Mon Sep 17 00:00:00 2001 From: cuisongliu Date: Wed, 20 May 2026 10:30:57 +0800 Subject: [PATCH 3/7] feat(ci): add GitHub Actions workflow for building PR images and cluster image --- .github/workflows/pr-images.yml | 199 ++++++++++++++++++++++++++++++++ 1 file changed, 199 insertions(+) create mode 100644 .github/workflows/pr-images.yml diff --git a/.github/workflows/pr-images.yml b/.github/workflows/pr-images.yml new file mode 100644 index 0000000..697cc5b --- /dev/null +++ b/.github/workflows/pr-images.yml @@ -0,0 +1,199 @@ +name: PR Images + +on: + pull_request: + branches: + - main + types: + - opened + - synchronize + - reopened + +permissions: + contents: read + +concurrency: + group: pr-images-${{ github.event.pull_request.number }} + cancel-in-progress: true + +env: + LOCAL_REGISTRY: 127.0.0.1:5000/devbox-pr + LOCAL_SEALOS_IMAGE: devbox-v1-cluster-pr + +jobs: + v1-runtime-images: + name: Build / v1-runtime / ${{ matrix.name }} / ${{ matrix.arch }} + runs-on: ${{ matrix.runner }} + strategy: + fail-fast: false + matrix: + include: + - name: controller + image_name: devbox-v1-controller + dockerfile: v1/controller/Dockerfile + context: v1/controller + arch: amd64 + runner: ubuntu-24.04 + - name: controller + image_name: devbox-v1-controller + dockerfile: v1/controller/Dockerfile + context: v1/controller + arch: arm64 + runner: ubuntu-24.04-arm + - name: frontend + image_name: devbox-v1-frontend + dockerfile: v1/frontend/Dockerfile + context: v1/frontend + arch: amd64 + runner: ubuntu-24.04 + - name: frontend + image_name: devbox-v1-frontend + dockerfile: v1/frontend/Dockerfile + context: v1/frontend + arch: arm64 + runner: ubuntu-24.04-arm + - name: cri-shim-patch + image_name: devbox-v1-cri-shim-patch + dockerfile: v1/cri-shim/patch/Dockerfile + context: v1/cri-shim + arch: amd64 + runner: ubuntu-24.04 + - name: cri-shim-patch + image_name: devbox-v1-cri-shim-patch + dockerfile: v1/cri-shim/patch/Dockerfile + context: v1/cri-shim + arch: arm64 + runner: ubuntu-24.04-arm + steps: + - name: Checkout + uses: actions/checkout@v5 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Generate image tag + id: meta + run: | + set -euo pipefail + SHORT_SHA="$(echo "${{ github.event.pull_request.head.sha }}" | cut -c1-7)" + PR_TAG="pr-${{ github.event.pull_request.number }}-${SHORT_SHA}" + echo "pr_tag=${PR_TAG}" >> "${GITHUB_OUTPUT}" + + - name: Build image + uses: docker/build-push-action@v6 + with: + context: ${{ matrix.context }} + file: ${{ matrix.dockerfile }} + platforms: linux/${{ matrix.arch }} + push: false + tags: ${{ matrix.image_name }}:${{ steps.meta.outputs.pr_tag }}-${{ matrix.arch }} + labels: | + org.opencontainers.image.source=https://github.com/${{ github.repository }} + org.opencontainers.image.revision=${{ github.event.pull_request.head.sha }} + org.opencontainers.image.version=${{ steps.meta.outputs.pr_tag }} + org.opencontainers.image.architecture=${{ matrix.arch }} + runnumber=${{ github.run_id }} + cache-from: type=gha,scope=pr-${{ matrix.image_name }}-${{ matrix.arch }} + cache-to: type=gha,mode=max,scope=pr-${{ matrix.image_name }}-${{ matrix.arch }} + + v1-cluster-image: + name: Build / v1-cluster / ${{ matrix.arch }} + runs-on: ${{ matrix.runner }} + needs: + - v1-runtime-images + strategy: + fail-fast: false + matrix: + include: + - arch: amd64 + runner: ubuntu-24.04 + - arch: arm64 + runner: ubuntu-24.04-arm + steps: + - name: Checkout + uses: actions/checkout@v5 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Generate image tag + id: meta + run: | + set -euo pipefail + SHORT_SHA="$(echo "${{ github.event.pull_request.head.sha }}" | cut -c1-7)" + PR_TAG="pr-${{ github.event.pull_request.number }}-${SHORT_SHA}" + echo "short_sha=${SHORT_SHA}" >> "${GITHUB_OUTPUT}" + echo "pr_tag=${PR_TAG}" >> "${GITHUB_OUTPUT}" + + - name: Build controller image + uses: docker/build-push-action@v6 + with: + context: v1/controller + file: v1/controller/Dockerfile + platforms: linux/${{ matrix.arch }} + push: false + load: true + tags: devbox-v1-controller:${{ steps.meta.outputs.pr_tag }}-${{ matrix.arch }} + cache-from: type=gha,scope=pr-devbox-v1-controller-${{ matrix.arch }} + cache-to: type=gha,mode=max,scope=pr-devbox-v1-controller-${{ matrix.arch }} + + - name: Build frontend image + uses: docker/build-push-action@v6 + with: + context: v1/frontend + file: v1/frontend/Dockerfile + platforms: linux/${{ matrix.arch }} + push: false + load: true + tags: devbox-v1-frontend:${{ steps.meta.outputs.pr_tag }}-${{ matrix.arch }} + cache-from: type=gha,scope=pr-devbox-v1-frontend-${{ matrix.arch }} + cache-to: type=gha,mode=max,scope=pr-devbox-v1-frontend-${{ matrix.arch }} + + - name: Start temporary local registry + run: | + set -euo pipefail + docker rm -f devbox-pr-registry >/dev/null 2>&1 || true + docker run -d -p 5000:5000 --name devbox-pr-registry registry:2 + + - name: Push runtime images to temporary local registry + run: | + set -euo pipefail + PR_TAG="${{ steps.meta.outputs.pr_tag }}" + docker tag "devbox-v1-controller:${PR_TAG}-${{ matrix.arch }}" "${LOCAL_REGISTRY}/devbox-v1-controller:${PR_TAG}" + docker tag "devbox-v1-frontend:${PR_TAG}-${{ matrix.arch }}" "${LOCAL_REGISTRY}/devbox-v1-frontend:${PR_TAG}" + docker push "${LOCAL_REGISTRY}/devbox-v1-controller:${PR_TAG}" + docker push "${LOCAL_REGISTRY}/devbox-v1-frontend:${PR_TAG}" + + - name: Install sealos + run: sudo bash ./.github/scripts/install-sealos.sh + + - name: Validate chart and cache images for sealos + working-directory: v1/deploy + run: | + set -euo pipefail + PR_TAG="${{ steps.meta.outputs.pr_tag }}" + ./scripts/sync-crds.sh + for values_file in charts/devbox-v1/values.yaml charts/devbox-v1/devbox-v1-values.yaml; do + sed -i "/^controller:/,/^frontend:/ s#^\([[:space:]]*repository:[[:space:]]*\).*#\1${LOCAL_REGISTRY}/devbox-v1-controller#" "${values_file}" + sed -i "/^controller:/,/^frontend:/ s#^\([[:space:]]*tag:[[:space:]]*\).*#\1${PR_TAG}#" "${values_file}" + sed -i "/^frontend:/,/^ingress:/ s#^\([[:space:]]*repository:[[:space:]]*\).*#\1${LOCAL_REGISTRY}/devbox-v1-frontend#" "${values_file}" + sed -i "/^frontend:/,/^ingress:/ s#^\([[:space:]]*tag:[[:space:]]*\).*#\1${PR_TAG}#" "${values_file}" + done + helm lint charts/devbox-v1 + helm template devbox-v1 charts/devbox-v1 --include-crds >/tmp/devbox-v1-rendered.yaml + sudo sealos registry save --registry-dir=registry_${{ matrix.arch }} --arch ${{ matrix.arch }} . + + - name: Build cluster image + uses: docker/build-push-action@v6 + with: + context: v1/deploy + file: v1/deploy/Kubefile + platforms: linux/${{ matrix.arch }} + push: false + load: true + tags: ${{ env.LOCAL_SEALOS_IMAGE }}:${{ steps.meta.outputs.pr_tag }}-${{ matrix.arch }} + cache-from: type=gha,scope=pr-devbox-v1-cluster-${{ matrix.arch }} + cache-to: type=gha,mode=max,scope=pr-devbox-v1-cluster-${{ matrix.arch }} + - name: Cleanup temporary local registry + if: always() + run: docker rm -f devbox-pr-registry >/dev/null 2>&1 || true From b050540b25a6056cf5c780ca4ff5ec9a95fb03db Mon Sep 17 00:00:00 2001 From: cuisongliu Date: Wed, 20 May 2026 10:37:26 +0800 Subject: [PATCH 4/7] fix: update Dockerfile to copy devbox-v1 from the correct patch directory --- v1/cri-shim/patch/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/v1/cri-shim/patch/Dockerfile b/v1/cri-shim/patch/Dockerfile index 5df88c3..7976cb7 100644 --- a/v1/cri-shim/patch/Dockerfile +++ b/v1/cri-shim/patch/Dockerfile @@ -18,6 +18,6 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \ FROM scratch LABEL sealos.io.type="patch" -COPY devbox-v1 devbox-v1 +COPY patch/devbox-v1 devbox-v1 COPY --from=builder /out/cri-shim_linux-amd64 devbox-v1/bin/cri-shim_linux-amd64 COPY --from=builder /out/cri-shim_linux-arm64 devbox-v1/bin/cri-shim_linux-arm64 From 8c0100d9fe976e68448f29b5f5e22b93162d2731 Mon Sep 17 00:00:00 2001 From: cuisongliu Date: Wed, 20 May 2026 12:57:36 +0800 Subject: [PATCH 5/7] feat(ci): enhance OSS integration for v1 cluster and cri-shim patch image packages --- .github/README-ci.md | 26 +++++++- .github/workflows/images.yml | 107 ++++++++++++++++++++++++++++++++ .github/workflows/release.yml | 112 ++++++++++++++++++++++++++++++---- README.md | 19 +++++- 4 files changed, 250 insertions(+), 14 deletions(-) diff --git a/.github/README-ci.md b/.github/README-ci.md index 3431fdc..e46b617 100644 --- a/.github/README-ci.md +++ b/.github/README-ci.md @@ -10,21 +10,38 @@ This repository publishes CI artifacts and container images from `github.com/sea Builds and pushes the following images to GHCR: - `ghcr.io/sealos-apps/devbox-v1-controller` - `ghcr.io/sealos-apps/devbox-v1-frontend` + - `ghcr.io/sealos-apps/devbox-v1-cluster` + - `ghcr.io/sealos-apps/devbox-v1-cri-shim-patch` - `ghcr.io/sealos-apps/devbox-v2-controller` - `ghcr.io/sealos-apps/devbox-v2-frontend` - `ghcr.io/sealos-apps/devbox-v2-server` - `ghcr.io/sealos-apps/devbox-v2-httpgate` - `ghcr.io/sealos-apps/devbox-v2-sshgate` + On `main`, it also uploads offline image packages for `devbox-v1-cluster` and `devbox-v1-cri-shim-patch` to OSS. - `Release` Triggers on `v*` tags, creates a GitHub Release, and uploads generated controller manifests plus `v1-cri-shim`, `v2-server`, `v2-httpgate`, and `v2-sshgate` release artifacts. + The release flow keeps large offline image packages out of GitHub Release assets and uploads them to OSS instead. ## Trigger Rules - Pull requests: run `CI` - Push to `main`: run `CI` and `Images` -- Push tag `v*`: run `Images` and `Release` +- Push tag `v*`: run `Release`, including release image builds - Manual dispatch: run `Images` +## OSS Offline Image Packages + +The workflows upload compressed `docker save` packages to OSS for offline distribution: + +- Main branch: + - `ci/main//devbox-v1-cluster-main--.tar` + - `ci/main//devbox-v1-cri-shim-patch-main--.tar` +- Release tags: + - `release//devbox-v1-cluster--.tar` + - `release//devbox-v1-cri-shim-patch--.tar` + +Each package is uploaded with a matching `.md5` file. + ## Required GitHub Permissions The workflows are designed to use the built-in `GITHUB_TOKEN`. @@ -34,3 +51,10 @@ The workflows are designed to use the built-in `GITHUB_TOKEN`. - `contents: write` for GitHub Release creation No extra registry secret is required when publishing to `ghcr.io` from the same repository owner, as long as GitHub Actions package write access is enabled. + +OSS uploads require these repository settings: + +- `secrets.OSS_ENDPOINT` +- `secrets.OSS_ACCESS_KEY_ID` +- `secrets.OSS_ACCESS_KEY_SECRET` +- `vars.OSS_BUCKET` diff --git a/.github/workflows/images.yml b/.github/workflows/images.yml index 8df905a..7dbaf2a 100644 --- a/.github/workflows/images.yml +++ b/.github/workflows/images.yml @@ -167,6 +167,50 @@ jobs: cache-from: type=gha,scope=v1-cluster-${{ matrix.arch }} cache-to: type=gha,mode=max,scope=v1-cluster-${{ matrix.arch }} + - name: Save cluster image package + if: github.ref_name == 'main' + run: | + set -euo pipefail + SHORT_SHA="$(echo "${GITHUB_SHA}" | cut -c1-7)" + SOURCE_IMAGE="${REGISTRY}/${IMAGE_NAMESPACE}/devbox-v1-cluster:sha-${SHORT_SHA}-${{ matrix.arch }}" + PACKAGE_IMAGE="${REGISTRY}/${IMAGE_NAMESPACE}/devbox-v1-cluster:main-${SHORT_SHA}-${{ matrix.arch }}" + docker pull "${SOURCE_IMAGE}" + docker tag "${SOURCE_IMAGE}" "${PACKAGE_IMAGE}" + mkdir -p release-assets + docker save "${PACKAGE_IMAGE}" | gzip > "release-assets/devbox-v1-cluster-main-${SHORT_SHA}-${{ matrix.arch }}.tar.gz" + + - name: Install OSS tools + if: github.ref_name == 'main' + run: | + set -euo pipefail + sudo -v + curl -fsSL https://gosspublic.alicdn.com/ossutil/install.sh | sudo bash + + - name: Upload cluster image package to OSS + if: github.ref_name == 'main' + env: + OSS_ENDPOINT: ${{ secrets.OSS_ENDPOINT }} + OSS_ACCESS_KEY_ID: ${{ secrets.OSS_ACCESS_KEY_ID }} + OSS_ACCESS_KEY_SECRET: ${{ secrets.OSS_ACCESS_KEY_SECRET }} + OSS_BUCKET: ${{ vars.OSS_BUCKET }} + run: | + set -euo pipefail + : "${OSS_ENDPOINT:?OSS_ENDPOINT is required}" + : "${OSS_ACCESS_KEY_ID:?OSS_ACCESS_KEY_ID is required}" + : "${OSS_ACCESS_KEY_SECRET:?OSS_ACCESS_KEY_SECRET is required}" + : "${OSS_BUCKET:?OSS_BUCKET is required}" + SHORT_SHA="$(echo "${GITHUB_SHA}" | cut -c1-7)" + TAR_NAME="release-assets/devbox-v1-cluster-main-${SHORT_SHA}-${{ matrix.arch }}.tar.gz" + md5sum "${TAR_NAME}" > "${TAR_NAME}.md5" + OSS_PREFIX="ci/main/${SHORT_SHA}" + OSS_TAR_NAME="devbox-v1-cluster-main-${SHORT_SHA}-${{ matrix.arch }}.tar" + ossutil64 cp -f -e "${OSS_ENDPOINT}" -i "${OSS_ACCESS_KEY_ID}" -k "${OSS_ACCESS_KEY_SECRET}" \ + "${TAR_NAME}" \ + "oss://${OSS_BUCKET}/${OSS_PREFIX}/${OSS_TAR_NAME}" + ossutil64 cp -f -e "${OSS_ENDPOINT}" -i "${OSS_ACCESS_KEY_ID}" -k "${OSS_ACCESS_KEY_SECRET}" \ + "${TAR_NAME}.md5" \ + "oss://${OSS_BUCKET}/${OSS_PREFIX}/${OSS_TAR_NAME}.md5" + v1-cluster-manifest: name: Publish / v1-cluster-image manifest runs-on: ubuntu-latest @@ -203,3 +247,66 @@ jobs: "${REGISTRY}/${IMAGE_NAMESPACE}/devbox-v1-cluster:latest-amd64" \ "${REGISTRY}/${IMAGE_NAMESPACE}/devbox-v1-cluster:latest-arm64" fi + + v1-cri-shim-patch-oss: + name: OSS / v1-cri-shim-patch / ${{ matrix.arch }} + if: github.ref_name == 'main' + runs-on: ${{ matrix.runner }} + needs: + - build-and-push + strategy: + fail-fast: false + matrix: + include: + - arch: amd64 + runner: ubuntu-24.04 + - arch: arm64 + runner: ubuntu-24.04-arm + steps: + - name: Log in to GHCR + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Save patch image package + run: | + set -euo pipefail + SHORT_SHA="$(echo "${GITHUB_SHA}" | cut -c1-7)" + SOURCE_IMAGE="${REGISTRY}/${IMAGE_NAMESPACE}/devbox-v1-cri-shim-patch:sha-${SHORT_SHA}" + PACKAGE_IMAGE="${REGISTRY}/${IMAGE_NAMESPACE}/devbox-v1-cri-shim-patch:main-${SHORT_SHA}-${{ matrix.arch }}" + docker pull --platform "linux/${{ matrix.arch }}" "${SOURCE_IMAGE}" + docker tag "${SOURCE_IMAGE}" "${PACKAGE_IMAGE}" + mkdir -p release-assets + docker save "${PACKAGE_IMAGE}" | gzip > "release-assets/devbox-v1-cri-shim-patch-main-${SHORT_SHA}-${{ matrix.arch }}.tar.gz" + + - name: Install OSS tools + run: | + set -euo pipefail + sudo -v + curl -fsSL https://gosspublic.alicdn.com/ossutil/install.sh | sudo bash + + - name: Upload patch image package to OSS + env: + OSS_ENDPOINT: ${{ secrets.OSS_ENDPOINT }} + OSS_ACCESS_KEY_ID: ${{ secrets.OSS_ACCESS_KEY_ID }} + OSS_ACCESS_KEY_SECRET: ${{ secrets.OSS_ACCESS_KEY_SECRET }} + OSS_BUCKET: ${{ vars.OSS_BUCKET }} + run: | + set -euo pipefail + : "${OSS_ENDPOINT:?OSS_ENDPOINT is required}" + : "${OSS_ACCESS_KEY_ID:?OSS_ACCESS_KEY_ID is required}" + : "${OSS_ACCESS_KEY_SECRET:?OSS_ACCESS_KEY_SECRET is required}" + : "${OSS_BUCKET:?OSS_BUCKET is required}" + SHORT_SHA="$(echo "${GITHUB_SHA}" | cut -c1-7)" + TAR_NAME="release-assets/devbox-v1-cri-shim-patch-main-${SHORT_SHA}-${{ matrix.arch }}.tar.gz" + md5sum "${TAR_NAME}" > "${TAR_NAME}.md5" + OSS_PREFIX="ci/main/${SHORT_SHA}" + OSS_TAR_NAME="devbox-v1-cri-shim-patch-main-${SHORT_SHA}-${{ matrix.arch }}.tar" + ossutil64 cp -f -e "${OSS_ENDPOINT}" -i "${OSS_ACCESS_KEY_ID}" -k "${OSS_ACCESS_KEY_SECRET}" \ + "${TAR_NAME}" \ + "oss://${OSS_BUCKET}/${OSS_PREFIX}/${OSS_TAR_NAME}" + ossutil64 cp -f -e "${OSS_ENDPOINT}" -i "${OSS_ACCESS_KEY_ID}" -k "${OSS_ACCESS_KEY_SECRET}" \ + "${TAR_NAME}.md5" \ + "oss://${OSS_BUCKET}/${OSS_PREFIX}/${OSS_TAR_NAME}.md5" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6873d52..c368e0c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -168,16 +168,41 @@ jobs: - name: Save cluster image package run: | set -euo pipefail - docker pull "${REGISTRY}/${IMAGE_NAMESPACE}/devbox-v1-cluster:${GITHUB_REF_NAME}-${{ matrix.arch }}" + SOURCE_IMAGE="${REGISTRY}/${IMAGE_NAMESPACE}/devbox-v1-cluster:${GITHUB_REF_NAME}-${{ matrix.arch }}" + PACKAGE_IMAGE="${REGISTRY}/${IMAGE_NAMESPACE}/devbox-v1-cluster:${GITHUB_REF_NAME}-${{ matrix.arch }}" + docker pull "${SOURCE_IMAGE}" + docker tag "${SOURCE_IMAGE}" "${PACKAGE_IMAGE}" mkdir -p release-assets - docker save "${REGISTRY}/${IMAGE_NAMESPACE}/devbox-v1-cluster:${GITHUB_REF_NAME}-${{ matrix.arch }}" | gzip > "release-assets/devbox-v1-cluster-${GITHUB_REF_NAME}-${{ matrix.arch }}.tar.gz" + docker save "${PACKAGE_IMAGE}" | gzip > "release-assets/devbox-v1-cluster-${GITHUB_REF_NAME}-${{ matrix.arch }}.tar.gz" - - name: Upload cluster image package - uses: actions/upload-artifact@v4 - with: - name: v1-cluster-image-${{ github.ref_name }}-${{ matrix.arch }} - path: release-assets/devbox-v1-cluster-${{ github.ref_name }}-${{ matrix.arch }}.tar.gz - if-no-files-found: error + - name: Install OSS tools + run: | + set -euo pipefail + sudo -v + curl -fsSL https://gosspublic.alicdn.com/ossutil/install.sh | sudo bash + + - name: Upload cluster image package to OSS + env: + OSS_ENDPOINT: ${{ secrets.OSS_ENDPOINT }} + OSS_ACCESS_KEY_ID: ${{ secrets.OSS_ACCESS_KEY_ID }} + OSS_ACCESS_KEY_SECRET: ${{ secrets.OSS_ACCESS_KEY_SECRET }} + OSS_BUCKET: ${{ vars.OSS_BUCKET }} + run: | + set -euo pipefail + : "${OSS_ENDPOINT:?OSS_ENDPOINT is required}" + : "${OSS_ACCESS_KEY_ID:?OSS_ACCESS_KEY_ID is required}" + : "${OSS_ACCESS_KEY_SECRET:?OSS_ACCESS_KEY_SECRET is required}" + : "${OSS_BUCKET:?OSS_BUCKET is required}" + TAR_NAME="release-assets/devbox-v1-cluster-${GITHUB_REF_NAME}-${{ matrix.arch }}.tar.gz" + md5sum "${TAR_NAME}" > "${TAR_NAME}.md5" + OSS_PREFIX="release/${GITHUB_REF_NAME}" + OSS_TAR_NAME="devbox-v1-cluster-${GITHUB_REF_NAME}-${{ matrix.arch }}.tar" + ossutil64 cp -f -e "${OSS_ENDPOINT}" -i "${OSS_ACCESS_KEY_ID}" -k "${OSS_ACCESS_KEY_SECRET}" \ + "${TAR_NAME}" \ + "oss://${OSS_BUCKET}/${OSS_PREFIX}/${OSS_TAR_NAME}" + ossutil64 cp -f -e "${OSS_ENDPOINT}" -i "${OSS_ACCESS_KEY_ID}" -k "${OSS_ACCESS_KEY_SECRET}" \ + "${TAR_NAME}.md5" \ + "oss://${OSS_BUCKET}/${OSS_PREFIX}/${OSS_TAR_NAME}.md5" v1-cluster-manifest: name: Release Image / v1-cluster manifest @@ -208,6 +233,66 @@ jobs: "${REGISTRY}/${IMAGE_NAMESPACE}/devbox-v1-cluster:latest-amd64" \ "${REGISTRY}/${IMAGE_NAMESPACE}/devbox-v1-cluster:latest-arm64" + v1-cri-shim-patch-oss: + name: OSS / v1-cri-shim-patch / ${{ matrix.arch }} + runs-on: ${{ matrix.runner }} + needs: + - images + strategy: + fail-fast: false + matrix: + include: + - arch: amd64 + runner: ubuntu-24.04 + - arch: arm64 + runner: ubuntu-24.04-arm + steps: + - name: Log in to GHCR + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Save patch image package + run: | + set -euo pipefail + SOURCE_IMAGE="${REGISTRY}/${IMAGE_NAMESPACE}/devbox-v1-cri-shim-patch:${GITHUB_REF_NAME}" + PACKAGE_IMAGE="${REGISTRY}/${IMAGE_NAMESPACE}/devbox-v1-cri-shim-patch:${GITHUB_REF_NAME}-${{ matrix.arch }}" + docker pull --platform "linux/${{ matrix.arch }}" "${SOURCE_IMAGE}" + docker tag "${SOURCE_IMAGE}" "${PACKAGE_IMAGE}" + mkdir -p release-assets + docker save "${PACKAGE_IMAGE}" | gzip > "release-assets/devbox-v1-cri-shim-patch-${GITHUB_REF_NAME}-${{ matrix.arch }}.tar.gz" + + - name: Install OSS tools + run: | + set -euo pipefail + sudo -v + curl -fsSL https://gosspublic.alicdn.com/ossutil/install.sh | sudo bash + + - name: Upload patch image package to OSS + env: + OSS_ENDPOINT: ${{ secrets.OSS_ENDPOINT }} + OSS_ACCESS_KEY_ID: ${{ secrets.OSS_ACCESS_KEY_ID }} + OSS_ACCESS_KEY_SECRET: ${{ secrets.OSS_ACCESS_KEY_SECRET }} + OSS_BUCKET: ${{ vars.OSS_BUCKET }} + run: | + set -euo pipefail + : "${OSS_ENDPOINT:?OSS_ENDPOINT is required}" + : "${OSS_ACCESS_KEY_ID:?OSS_ACCESS_KEY_ID is required}" + : "${OSS_ACCESS_KEY_SECRET:?OSS_ACCESS_KEY_SECRET is required}" + : "${OSS_BUCKET:?OSS_BUCKET is required}" + TAR_NAME="release-assets/devbox-v1-cri-shim-patch-${GITHUB_REF_NAME}-${{ matrix.arch }}.tar.gz" + md5sum "${TAR_NAME}" > "${TAR_NAME}.md5" + OSS_PREFIX="release/${GITHUB_REF_NAME}" + OSS_TAR_NAME="devbox-v1-cri-shim-patch-${GITHUB_REF_NAME}-${{ matrix.arch }}.tar" + ossutil64 cp -f -e "${OSS_ENDPOINT}" -i "${OSS_ACCESS_KEY_ID}" -k "${OSS_ACCESS_KEY_SECRET}" \ + "${TAR_NAME}" \ + "oss://${OSS_BUCKET}/${OSS_PREFIX}/${OSS_TAR_NAME}" + ossutil64 cp -f -e "${OSS_ENDPOINT}" -i "${OSS_ACCESS_KEY_ID}" -k "${OSS_ACCESS_KEY_SECRET}" \ + "${TAR_NAME}.md5" \ + "oss://${OSS_BUCKET}/${OSS_PREFIX}/${OSS_TAR_NAME}.md5" + controller-manifests: name: Controller Manifest / ${{ matrix.target }} runs-on: ubuntu-latest @@ -390,6 +475,7 @@ jobs: needs: - images - v1-cluster-manifest + - v1-cri-shim-patch-oss - controller-manifests - v1-cri-shim-binaries - v2-server-binaries @@ -408,8 +494,6 @@ jobs: generate_release_notes: true files: | artifacts/v1-controller-install/dist-v1-controller-install.yaml - artifacts/v1-cluster-image-${{ github.ref_name }}-amd64/devbox-v1-cluster-${{ github.ref_name }}-amd64.tar.gz - artifacts/v1-cluster-image-${{ github.ref_name }}-arm64/devbox-v1-cluster-${{ github.ref_name }}-arm64.tar.gz artifacts/v2-controller-install/dist-v2-controller-install.yaml artifacts/v1-cri-shim-binaries/* artifacts/v2-server-binaries-amd64/devbox-api-amd64 @@ -433,8 +517,14 @@ jobs: Binary artifacts attached to this release: - `v1-cri-shim` Linux binaries - - `v1-cluster` Sealos cluster image packages (`amd64`, `arm64`) - `v2-server` Linux binaries (`amd64`, `arm64`) - `v2-httpgate` Helm chart package - `v2-sshgate` Helm chart package - `v2-server` deployment manifest + + Offline image packages uploaded to OSS: + + - `release/${{ github.ref_name }}/devbox-v1-cluster-${{ github.ref_name }}-amd64.tar` + - `release/${{ github.ref_name }}/devbox-v1-cluster-${{ github.ref_name }}-arm64.tar` + - `release/${{ github.ref_name }}/devbox-v1-cri-shim-patch-${{ github.ref_name }}-amd64.tar` + - `release/${{ github.ref_name }}/devbox-v1-cri-shim-patch-${{ github.ref_name }}-arm64.tar` diff --git a/README.md b/README.md index 76be2b3..289637d 100644 --- a/README.md +++ b/README.md @@ -93,8 +93,13 @@ Default image names now follow the new repository naming: - `ghcr.io/sealos-apps/devbox-v1-controller:latest` - `ghcr.io/sealos-apps/devbox-v1-frontend:latest` +- `ghcr.io/sealos-apps/devbox-v1-cluster:latest` +- `ghcr.io/sealos-apps/devbox-v1-cri-shim-patch:latest` - `ghcr.io/sealos-apps/devbox-v2-controller:latest` - `ghcr.io/sealos-apps/devbox-v2-frontend:latest` +- `ghcr.io/sealos-apps/devbox-v2-server:latest` +- `ghcr.io/sealos-apps/devbox-v2-httpgate:latest` +- `ghcr.io/sealos-apps/devbox-v2-sshgate:latest` You can override these at build or deploy time with `IMG=...` for controllers and `IMG=...` for frontends. @@ -103,21 +108,31 @@ You can override these at build or deploy time with `IMG=...` for controllers an GitHub Actions workflows live under [`.github/workflows`](/Users/yy/archary/sealos-devbox/.github/workflows) and are split into three stages: - `CI`: validates `v1/v2` controllers and frontends on pull requests and pushes to `main` -- `Images`: builds and pushes the four GHCR images on `main`, tags, or manual dispatch -- `Release`: publishes a GitHub Release on `v*` tags and attaches generated controller manifests +- `Images`: builds and pushes GHCR images on `main` or manual dispatch, and uploads `main` branch v1 offline image packages to OSS +- `Release`: builds release images on `v*` tags, publishes a GitHub Release with manifests/binaries/charts, and uploads v1 offline image packages to OSS Tagging a release such as `v1.2.3` will publish: - `ghcr.io/sealos-apps/devbox-v1-controller:v1.2.3` - `ghcr.io/sealos-apps/devbox-v1-frontend:v1.2.3` +- `ghcr.io/sealos-apps/devbox-v1-cluster:v1.2.3` +- `ghcr.io/sealos-apps/devbox-v1-cri-shim-patch:v1.2.3` - `ghcr.io/sealos-apps/devbox-v2-controller:v1.2.3` - `ghcr.io/sealos-apps/devbox-v2-frontend:v1.2.3` +- `ghcr.io/sealos-apps/devbox-v2-server:v1.2.3` +- `ghcr.io/sealos-apps/devbox-v2-httpgate:v1.2.3` +- `ghcr.io/sealos-apps/devbox-v2-sshgate:v1.2.3` The release workflow also uploads controller manifest bundles generated from: - `v1/controller` - `v2/controller` +Large offline image packages are not attached to GitHub Releases. They are uploaded to OSS instead: + +- `release//devbox-v1-cluster--.tar` +- `release//devbox-v1-cri-shim-patch--.tar` + If you need to publish manually, you can still run the local make targets: ```bash From 84385bc5bc1b951ebfb6caadd1bfb30f8e0fefa8 Mon Sep 17 00:00:00 2001 From: cuisongliu Date: Wed, 20 May 2026 15:27:56 +0800 Subject: [PATCH 6/7] feat: refactor devbox-v1 configuration and enhance TLS handling in install script --- .../charts/devbox-v1/devbox-v1-values.yaml | 37 ------------------- v1/deploy/install.sh | 18 ++++++++- 2 files changed, 17 insertions(+), 38 deletions(-) diff --git a/v1/deploy/charts/devbox-v1/devbox-v1-values.yaml b/v1/deploy/charts/devbox-v1/devbox-v1-values.yaml index 1176b31..fa0cebf 100644 --- a/v1/deploy/charts/devbox-v1/devbox-v1-values.yaml +++ b/v1/deploy/charts/devbox-v1/devbox-v1-values.yaml @@ -1,26 +1,5 @@ -cloudDomain: "127.0.0.1.nip.io" -cloudPort: "" -certSecretName: "wildcard-cert" - -registry: - addr: "sealos.hub:5000" - user: "admin" - password: "passw0rd" - -platform: - databaseUrl: "" - jwtSecret: "" - regionUid: "" - tlsRejectUnauthorized: "1" - controller: - enabled: true - namespace: devbox-system replicas: 1 - image: - repository: ghcr.io/sealos-apps/devbox-v1-controller - tag: latest - pullPolicy: Always requestCpuRate: "20" requestMemoryRate: "10" matchers: @@ -39,13 +18,7 @@ controller: enabled: true frontend: - enabled: true - namespace: devbox-frontend replicas: 1 - image: - repository: ghcr.io/sealos-apps/devbox-v1-frontend - tag: latest - pullPolicy: Always resources: limits: cpu: 2000m @@ -66,19 +39,9 @@ frontend: devboxAffinityEnable: "true" enableImportFeature: "false" enableWebideFeature: "false" - config: - addr: ":3000" ingress: - enabled: true className: nginx hostPrefix: devbox -app: - enabled: true - namespace: app-system - name: devbox - displayType: normal - type: iframe - extraManifests: [] diff --git a/v1/deploy/install.sh b/v1/deploy/install.sh index 72b0cae..cccc92c 100755 --- a/v1/deploy/install.sh +++ b/v1/deploy/install.sh @@ -43,6 +43,22 @@ get_desktop_config_value() { printf '%s\n' "${raw}" | awk -v key="${key}" '$1 == key ":" { gsub(/"/, "", $2); print $2; exit }' } +get_tls_reject_unauthorized() { + local cert_mode + + cert_mode="$(kubectl get configmap cert-config -n sealos-system -o jsonpath='{.data.CERT_MODE}' 2>/dev/null || true)" + cert_mode="$(printf '%s' "${cert_mode}" | tr '[:upper:]' '[:lower:]' | tr -d '[:space:]')" + + case "${cert_mode}" in + https|acme) + printf '0' + ;; + *) + printf '1' + ;; + esac +} + random_secret() { if command -v openssl >/dev/null 2>&1; then openssl rand -hex 32 @@ -80,7 +96,7 @@ cloud_domain="$(value_or_default "${cloud_domain}" "127.0.0.1.nip.io")" cloud_port="$(value_or_default "${cloudPort:-${CLOUD_PORT:-}}" "$(get_configmap_data sealos-system sealos-config cloudPort)")" cert_secret_name="$(value_or_default "${certSecretName:-${CERT_SECRET_NAME:-}}" "wildcard-cert")" -tls_reject_unauthorized="$(value_or_default "${tlsRejectUnauthorized:-${TLS_REJECT_UNAUTHORIZED:-}}" "1")" +tls_reject_unauthorized="$(get_tls_reject_unauthorized)" registry_addr="$(value_or_default "${registryAddr:-${REGISTRY_ADDR:-}}" "$(get_configmap_data sealos-system devbox-config registryAddress)")" registry_addr="$(value_or_default "${registry_addr}" "sealos.hub:5000")" From 23371acb6873ae4638a9298f6fb87b1bfaf76cf8 Mon Sep 17 00:00:00 2001 From: cuisongliu Date: Wed, 20 May 2026 23:44:19 +0800 Subject: [PATCH 7/7] feat: refactor devbox-v1 configuration and enhance TLS handling in install script --- v1/deploy/README.md | 12 ++++++ .../charts/devbox-v1/devbox-v1-values.yaml | 5 +++ .../charts/devbox-v1/templates/frontend.yaml | 39 +++++++++++++---- .../devbox-v1/templates/namespaces.yaml | 17 +++----- v1/deploy/charts/devbox-v1/values.yaml | 5 ++- v1/deploy/install.sh | 43 +++++++++++++++++++ 6 files changed, 101 insertions(+), 20 deletions(-) diff --git a/v1/deploy/README.md b/v1/deploy/README.md index 5ea21b2..6ac0934 100644 --- a/v1/deploy/README.md +++ b/v1/deploy/README.md @@ -26,3 +26,15 @@ During install, `install.sh` ensures this file exists: When it does not exist yet, it is initialized from: - `charts/devbox-v1/devbox-v1-values.yaml` + +This user values file keeps frequently changed settings such as resource sizing, +controller matchers, frontend feature flags, `platform.databaseProvider`, +`frontend.env.registryInsecure`, and `frontend.env.enabledIDEs`. Cluster-derived +settings such as domain, registry credentials, database URL, JWT secret, region +UID, and TLS verification are injected by `install.sh`. + +## Install Behavior + +- Devbox runtime resources are deployed into `devbox-system`. +- The Sealos `App` resource stays in `app-system`. +- Before the first Helm install, `install.sh` removes known legacy YAML deployed Devbox v1 resources. If the Helm release already exists, this cleanup is skipped so normal Helm upgrades keep ownership intact. diff --git a/v1/deploy/charts/devbox-v1/devbox-v1-values.yaml b/v1/deploy/charts/devbox-v1/devbox-v1-values.yaml index fa0cebf..a61d046 100644 --- a/v1/deploy/charts/devbox-v1/devbox-v1-values.yaml +++ b/v1/deploy/charts/devbox-v1/devbox-v1-values.yaml @@ -1,3 +1,6 @@ +platform: + databaseProvider: "cockroachdb" + controller: replicas: 1 requestCpuRate: "20" @@ -37,8 +40,10 @@ frontend: gpuEnable: "false" squashEnable: "false" devboxAffinityEnable: "true" + registryInsecure: "true" enableImportFeature: "false" enableWebideFeature: "false" + enabledIDEs: "" ingress: className: nginx diff --git a/v1/deploy/charts/devbox-v1/templates/frontend.yaml b/v1/deploy/charts/devbox-v1/templates/frontend.yaml index 6d4bf33..1540d3b 100644 --- a/v1/deploy/charts/devbox-v1/templates/frontend.yaml +++ b/v1/deploy/charts/devbox-v1/templates/frontend.yaml @@ -35,23 +35,34 @@ spec: env: - name: DATABASE_URL value: {{ .Values.platform.databaseUrl | quote }} + - name: DATABASE_PROVIDER + value: {{ .Values.platform.databaseProvider | quote }} command: - sh - -c args: - |- cd /app + DB_PROVIDER="${DATABASE_PROVIDER:-cockroachdb}" + SCHEMA_PATH="./prisma/cockroach/schema.prisma" MIGRATION="20260125094114_add_template_repository_kind" - HAS_MIGRATION=$(psql "$DATABASE_URL" -tAc "SELECT 1 FROM _prisma_migrations WHERE migration_name='${MIGRATION}' AND rolled_back_at IS NULL LIMIT 1;") - if [ "$HAS_MIGRATION" = "1" ]; then - prisma migrate deploy - exit 0 + if [ "$DB_PROVIDER" = "postgresql" ] || [ "$DB_PROVIDER" = "postgres" ] || [ "$DB_PROVIDER" = "pg" ]; then + SCHEMA_PATH="./prisma/postgresql/schema.prisma" + HAS_UUID_FN=$(psql "$DATABASE_URL" -tAc "SELECT 1 FROM pg_proc WHERE proname='gen_random_uuid' LIMIT 1;") + if [ "$HAS_UUID_FN" != "1" ]; then + psql "$DATABASE_URL" -v ON_ERROR_STOP=1 -c 'CREATE OR REPLACE FUNCTION public.gen_random_uuid() RETURNS uuid LANGUAGE SQL VOLATILE AS $func$ SELECT md5(random()::text || clock_timestamp()::text || txid_current()::text)::uuid; $func$;' + fi + HAS_MIGRATION=$(psql "$DATABASE_URL" -tAc "SELECT 1 FROM _prisma_migrations WHERE migration_name='${MIGRATION}' AND rolled_back_at IS NULL LIMIT 1;") + if [ "$HAS_MIGRATION" = "1" ]; then + prisma migrate deploy --schema "$SCHEMA_PATH" + exit 0 + fi + HAS_ENUM=$(psql "$DATABASE_URL" -tAc "SELECT 1 FROM pg_enum e JOIN pg_type t ON t.oid = e.enumtypid WHERE t.typname IN ('TemplateRepositoryKind','template_repository_kind') AND e.enumlabel = 'SERVICE' LIMIT 1;") + if [ "$HAS_ENUM" = "1" ]; then + prisma migrate resolve --schema "$SCHEMA_PATH" --applied "$MIGRATION" + fi fi - HAS_ENUM=$(psql "$DATABASE_URL" -tAc "SELECT 1 FROM pg_enum e JOIN pg_type t ON t.oid = e.enumtypid WHERE t.typname IN ('TemplateRepositoryKind','template_repository_kind') AND e.enumlabel = 'SERVICE' LIMIT 1;") - if [ "$HAS_ENUM" = "1" ]; then - prisma migrate resolve --applied "$MIGRATION" - fi - prisma migrate deploy + prisma migrate deploy --schema "$SCHEMA_PATH" containers: - name: devbox-frontend env: @@ -71,6 +82,12 @@ spec: value: {{ .Values.certSecretName | quote }} - name: REGISTRY_ADDR value: {{ .Values.registry.addr | quote }} + - name: REGISTRY_USER + value: {{ .Values.registry.user | quote }} + - name: REGISTRY_PASSWORD + value: {{ .Values.registry.password | quote }} + - name: REGISTRY_INSECURE + value: {{ .Values.frontend.env.registryInsecure | quote }} - name: DEVBOX_AFFINITY_ENABLE value: {{ .Values.frontend.env.devboxAffinityEnable | quote }} - name: MONITOR_URL @@ -97,10 +114,14 @@ spec: value: {{ .Values.platform.regionUid | quote }} - name: DATABASE_URL value: {{ .Values.platform.databaseUrl | quote }} + - name: DATABASE_PROVIDER + value: {{ .Values.platform.databaseProvider | quote }} - name: ENABLE_IMPORT_FEATURE value: {{ .Values.frontend.env.enableImportFeature | quote }} - name: ENABLE_WEBIDE_FEATURE value: {{ .Values.frontend.env.enableWebideFeature | quote }} + - name: ENABLED_IDES + value: {{ .Values.frontend.env.enabledIDEs | quote }} securityContext: runAsNonRoot: true runAsUser: 1001 diff --git a/v1/deploy/charts/devbox-v1/templates/namespaces.yaml b/v1/deploy/charts/devbox-v1/templates/namespaces.yaml index e3dce11..b3659b3 100644 --- a/v1/deploy/charts/devbox-v1/templates/namespaces.yaml +++ b/v1/deploy/charts/devbox-v1/templates/namespaces.yaml @@ -1,20 +1,17 @@ +{{- $namespaces := dict -}} {{- if .Values.controller.enabled }} -apiVersion: v1 -kind: Namespace -metadata: - labels: - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: devbox - control-plane: controller-manager - name: {{ .Values.controller.namespace | quote }} +{{- $_ := set $namespaces .Values.controller.namespace true -}} {{- end }} {{- if .Values.frontend.enabled }} +{{- $_ := set $namespaces .Values.frontend.namespace true -}} +{{- end }} +{{- range $namespace, $_ := $namespaces }} --- apiVersion: v1 kind: Namespace metadata: labels: - app: devbox-frontend app.kubernetes.io/managed-by: Helm - name: {{ .Values.frontend.namespace | quote }} + app.kubernetes.io/name: devbox + name: {{ $namespace | quote }} {{- end }} diff --git a/v1/deploy/charts/devbox-v1/values.yaml b/v1/deploy/charts/devbox-v1/values.yaml index 1176b31..7bcbd46 100644 --- a/v1/deploy/charts/devbox-v1/values.yaml +++ b/v1/deploy/charts/devbox-v1/values.yaml @@ -9,6 +9,7 @@ registry: platform: databaseUrl: "" + databaseProvider: "cockroachdb" jwtSecret: "" regionUid: "" tlsRejectUnauthorized: "1" @@ -40,7 +41,7 @@ controller: frontend: enabled: true - namespace: devbox-frontend + namespace: devbox-system replicas: 1 image: repository: ghcr.io/sealos-apps/devbox-v1-frontend @@ -64,8 +65,10 @@ frontend: gpuEnable: "false" squashEnable: "false" devboxAffinityEnable: "true" + registryInsecure: "true" enableImportFeature: "false" enableWebideFeature: "false" + enabledIDEs: "" config: addr: ":3000" diff --git a/v1/deploy/install.sh b/v1/deploy/install.sh index cccc92c..52b05a7 100755 --- a/v1/deploy/install.sh +++ b/v1/deploy/install.sh @@ -80,6 +80,48 @@ ensure_user_values_file() { info "Using user values from ${USER_VALUES_FILE}" } +cleanup_legacy_yaml_deploy() { + if helm status "${RELEASE_NAME}" -n "${NAMESPACE}" >/dev/null 2>&1; then + info "Helm release ${RELEASE_NAME} already exists in ${NAMESPACE}; skipping legacy YAML cleanup" + return 0 + fi + + info "Cleaning legacy YAML deployed Devbox v1 resources before Helm install" + kubectl delete deployment devbox-controller-manager -n devbox-system --ignore-not-found=true + kubectl delete service devbox-controller-manager-metrics-service -n devbox-system --ignore-not-found=true + kubectl delete serviceaccount devbox-controller-manager -n devbox-system --ignore-not-found=true + kubectl delete role devbox-leader-election-role -n devbox-system --ignore-not-found=true + kubectl delete rolebinding devbox-leader-election-rolebinding devbox-default-user-rolebinding -n devbox-system --ignore-not-found=true + + kubectl delete clusterrole \ + devbox-devbox-admin-role \ + devbox-devbox-editor-role \ + devbox-devbox-viewer-role \ + devbox-devboxrelease-admin-role \ + devbox-devboxrelease-editor-role \ + devbox-devboxrelease-viewer-role \ + devbox-manager-role \ + devbox-metrics-auth-role \ + devbox-metrics-reader \ + --ignore-not-found=true + kubectl delete clusterrolebinding \ + devbox-manager-rolebinding \ + devbox-metrics-auth-rolebinding \ + --ignore-not-found=true + + local frontend_namespace + for frontend_namespace in devbox-frontend devbox-system; do + kubectl delete configmap devbox-frontend-config -n "${frontend_namespace}" --ignore-not-found=true + kubectl delete deployment devbox-frontend -n "${frontend_namespace}" --ignore-not-found=true + kubectl delete service devbox-frontend -n "${frontend_namespace}" --ignore-not-found=true + kubectl delete ingress devbox-frontend devbox-challenge -n "${frontend_namespace}" --ignore-not-found=true + done + + if kubectl api-resources --api-group=app.sealos.io --no-headers 2>/dev/null | awk '$1 == "apps" { found=1 } END { exit found ? 0 : 1 }'; then + kubectl delete apps.app.sealos.io devbox -n app-system --ignore-not-found=true + fi +} + value_or_default() { local value=$1 local fallback=$2 @@ -135,6 +177,7 @@ if [ -z "${jwt_secret}" ]; then fi ensure_user_values_file +cleanup_legacy_yaml_deploy if [ -d "./charts/devbox-v1/crds" ] && compgen -G "./charts/devbox-v1/crds/*.yaml" >/dev/null; then info "Applying Devbox v1 CRDs"