Merge pull request #167 from TencentBlueKing/development

update to 2.3.1

.gitignore

@@ -227,3 +227,6 @@ deploy/helm/dist/
 deploy/helm/api/templates/c_*.*
 deploy/helm/saas/templates/c_*.*
 deploy/helm/bk-user-stack/templates/c_*.*
+
+# local hooks
+pre_commit_hooks

.pre-commit-config.yaml

@@ -1,6 +1,16 @@
 repos:
   - repo: local
     hooks:
+      - id: Name check
+        name: Check sensitive info
+        verbose: true
+        language: script
+        entry: pre_commit_hooks/rtx.sh
+      - id: IP check
+        name: Check sensitive info
+        verbose: true
+        language: script
+        entry: pre_commit_hooks/ip.sh
       - id: isort
         name: isort
         language: python

deploy/helm/api/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: v2.3.0
+appVersion: v2.3.1
 description: A Helm chart for bk user api
 name: bkuserapi
 type: application

deploy/helm/api/values.yaml

@@ -150,7 +150,7 @@ processes:
     replicas: 1
     resources:
       limits:
-        cpu: 200m
+        cpu: 1024m
         memory: 512Mi
       requests:
         cpu: 100m
@@ -192,5 +192,49 @@ volumeMounts: []
 # 支持定义 configmaps
 configMaps: []
 
+# 当 Chart 独立部署时，默认关闭内建存储
 mariadb:
-  enabled: false
+  enabled: false
+
+## ServiceMonitor configuration
+##
+serviceMonitor:
+  ## @param serviceMonitor.enabled Creates a ServiceMonitor to monitor kube-state-metrics
+  ##
+  enabled: false
+  ## @param serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
+  ##
+  jobLabel: ""
+  ## @param serviceMonitor.interval Scrape interval (use by default, falling back to Prometheus' default)
+  ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
+  ## e.g:
+  ## interval: 10s
+  ##
+  interval: ""
+  ## @param serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
+  ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
+  ## e.g:
+  ## scrapeTimeout: 10s
+  ##
+  scrapeTimeout: ""
+  ## @param serviceMonitor.selector ServiceMonitor selector labels
+  ## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration
+  ## e.g:
+  ## selector:
+  ##   prometheus: my-prometheus
+  ##
+  selector: {}
+  ## @param serviceMonitor.honorLabels Honor metrics labels
+  ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
+  ## e.g:
+  ## honorLabels: false
+  ##
+  honorLabels: false
+  ## @param serviceMonitor.relabelings ServiceMonitor relabelings
+  ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
+  ##
+  relabelings: []
+  ## @param serviceMonitor.metricRelabelings ServiceMonitor metricRelabelings
+  ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
+  ##
+  metricRelabelings: []

deploy/helm/bk-user-stack/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: bk-user-stack
 description: A Helm chart for bk-user
 type: application
-version: 0.5.4
-appVersion: v2.3.0
+version: 0.5.6
+appVersion: v2.3.1
 
 dependencies:
 - name: bkuserapi
@@ -24,4 +24,4 @@ dependencies:
 - name: redis
   version: "14.x.x"
   repository: "https://charts.bitnami.com/bitnami"
-  condition: redis.enabled
+  condition: redis.enabled

deploy/helm/bk-user-stack/README.md

@@ -128,6 +128,10 @@ redis:
 #### 5. 权限中心
 默认地，我们未开启权限中心，如果在权限中心已经就绪之后，想体验用户管理功能，那么你可以手动向权限中心注册模型:
 ```yaml
+global:
+  env:
+    ENABLE_IAM: true
+
 bkuserapi:
   env:
     # 填充权限中心相关变量
@@ -136,11 +140,6 @@ bkuserapi:
   preRunHooks:
     bkiam-migrate:
       enabled: true
-
-bkusersaas:
-  env:
-    # 主动开启用户管理 SaaS 权限校验 
-    DISABLE_IAM: false
 ```
 
 #### 6. 账号密码
@@ -153,6 +152,24 @@ bkuserapi:
     INITIAL_ADMIN_PASSWORD: "your-super-strong-password"
 ```
 
+#### 7. 如何扩容
+我们支持对任意进程进行扩容，就像这样:
+```yaml
+bkuserapi:
+  processes:
+    web:
+      replicas: 3
+    celery:
+      replicas: 2
+    beat:
+      replicas: 1 (切记，beat 进程只能存在一个副本，否则后台任务会重复执行)
+
+bkusersaas:
+  processes:
+    web:
+      replicas: 2
+```
+
 ### 安装
 
 如果你已经准备好了 `values.yaml`，就可以直接进行安装操作了

deploy/helm/bk-user-stack/values.yaml

@@ -6,6 +6,11 @@ global:
     registry: "ccr.ccs.tencentyun.com/bk.io"
     pullPolicy: Always
 
+  # 日志采集，默认关闭，当日志采集就绪时，手动开启
+  bkLogConfig:
+    enabled: false
+    dataId: ""
+
   env:
     # 请在 PaaS 产品就绪后，查询 secret 并填入，否则影响用户管理调用 ESB 的相关功能（邮件通知等）
     BK_APP_SECRET: "your-own-secret"
@@ -14,6 +19,8 @@ global:
     BK_PAAS_URL: "http://paas.example.com"
     # ESB Api 访问地址
     BK_COMPONENT_API_URL: "http://bkapi.example.com"
+    # 由于用户管理先于权限中心拉起，所以默认禁用，后期所有产品就绪后，可手动开启
+    ENABLE_IAM: false
 
 bkuserapi:
   enabeld: true
@@ -28,13 +35,21 @@ bkuserapi:
     - configMapRef:
         name: bk-user-api-redis-env
 
+  # 默认我们关闭了监控采集，当监控就绪时，请手动开启
+  # serviceMonitor:
+  #   enabled: true
+
 bkusersaas:
   enabled: true
   envFrom:
     # 挂载内建 DB 变量
     - configMapRef:
         name: bk-user-saas-mariadb-env
 
+  # 默认我们关闭了监控采集，当监控就绪时，请手动开启
+  # serviceMonitor:
+  #   enabled: true
+
 # -------------
 # 内建存储配置
 # 默认通过 .Release.Name 拼接访问，请不要配置 nameOverride 或 fullnameOverride

deploy/helm/chartty/c_base.tpl

@@ -67,3 +67,17 @@ Create the name of the service account to use
 {{- end }}
 {{- end }}
 {{- end }}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Renders a value that contains template.
+Usage:
+{{ include "chartty.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }}
+*/}}
+{{- define "chartty.tplvalues.render" -}}
+    {{- if typeIs "string" .value }}
+        {{- tpl .value .context }}
+    {{- else }}
+        {{- tpl (.value | toYaml) .context }}
+    {{- end }}
+{{- end -}}

deploy/helm/chartty/c_bklogconfig.yaml

@@ -0,0 +1,16 @@
+{{- $global := . }}
+{{- $namePrefix := include "chartty.name" . -}}
+{{- if .Values.global.bkLogConfig.enabled }}
+apiVersion: bk.tencent.com/v1alpha1
+kind: BkLogConfig
+metadata:
+  name: {{ $namePrefix }}-stdout-log
+spec:
+  dataId: {{ .Values.global.bkLogConfig.dataId }}
+  logConfigType: std_log_config
+  namespace: {{ .Release.Namespace | quote }}
+  container_name_match:
+    - {{ $namePrefix }}
+  labelSelector:
+    matchLabels: {{- include "chartty.labels" $global | nindent 6 }}
+{{- end }}

deploy/helm/chartty/c_servicemonitor.yaml

@@ -0,0 +1,38 @@
+{{- $global := . }}
+{{- if .Values.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ template "chartty.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+  {{- include "chartty.labels" $global | nindent 4 }}
+spec:
+  {{- if .Values.serviceMonitor.jobLabel }}
+  jobLabel: {{ .Values.serviceMonitor.jobLabel }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "chartty.selectorLabels" $global | nindent 6 }}
+  endpoints:
+    - port: http
+      path: "/metrics"
+      {{- if .Values.serviceMonitor.interval }}
+      interval: {{ .Values.serviceMonitor.interval }}
+      {{- end }}
+      {{- if .Values.serviceMonitor.scrapeTimeout }}
+      scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }}
+      {{- end }}
+      {{- if hasKey .Values.serviceMonitor "honorLabels" }}
+      honorLabels: {{ .Values.serviceMonitor.honorLabels }}
+      {{- end }}
+      {{- if .Values.serviceMonitor.relabelings }}
+      relabelings: {{- include "chartty.tplvalues.render" ( dict "value" .Values.serviceMonitor.relabelings "context" $) | nindent 8 }}
+      {{- end }}
+      {{- if .Values.serviceMonitor.metricRelabelings }}
+      metricRelabelings: {{- include "chartty.tplvalues.render" ( dict "value" .Values.serviceMonitor.metricRelabelings "context" $) | nindent 8 }}
+      {{- end }}
+  namespaceSelector:
+    matchNames:
+    - {{ .Release.Namespace }}
+{{- end }}

deploy/helm/saas/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: v2.3.0
+appVersion: v2.3.1
 description: A Helm chart for bk user saas
 name: bkusersaas
 type: application

deploy/helm/saas/values.yaml

@@ -81,8 +81,6 @@ env:
   BK_LOGIN_API_URL: "http://bk-login-web"
   # 容器化版本默认采用子域名形式暴露服务
   SITE_URL: "/"
-  # 由于用户管理先于权限中心拉起，所以默认禁用，后期所有产品就绪后，可手动开启
-  DISABLE_IAM: true
 
 envFrom: []
 
@@ -113,7 +111,7 @@ processes:
     replicas: 1
     resources:
       limits:
-        cpu: 200m
+        cpu: 1024m
         memory: 1024Mi
       requests:
         cpu: 200m
@@ -167,5 +165,49 @@ configMaps: []
   #       data:
   #         debug: true
 
+# 当 Chart 独立部署时，默认关闭内建存储
 mariadb:
-  enabled: false
+  enabled: false
+
+## ServiceMonitor configuration
+##
+serviceMonitor:
+  ## @param serviceMonitor.enabled Creates a ServiceMonitor to monitor kube-state-metrics
+  ##
+  enabled: false
+  ## @param serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
+  ##
+  jobLabel: ""
+  ## @param serviceMonitor.interval Scrape interval (use by default, falling back to Prometheus' default)
+  ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
+  ## e.g:
+  ## interval: 10s
+  ##
+  interval: ""
+  ## @param serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
+  ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
+  ## e.g:
+  ## scrapeTimeout: 10s
+  ##
+  scrapeTimeout: ""
+  ## @param serviceMonitor.selector ServiceMonitor selector labels
+  ## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration
+  ## e.g:
+  ## selector:
+  ##   prometheus: my-prometheus
+  ##
+  selector: {}
+  ## @param serviceMonitor.honorLabels Honor metrics labels
+  ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
+  ## e.g:
+  ## honorLabels: false
+  ##
+  honorLabels: false
+  ## @param serviceMonitor.relabelings ServiceMonitor relabelings
+  ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
+  ##
+  relabelings: []
+  ## @param serviceMonitor.metricRelabelings ServiceMonitor metricRelabelings
+  ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
+  ##
+  metricRelabelings: []

docs/develop_api_guide.md

@@ -48,35 +48,9 @@ bin/start_beat.sh
 
 ### LDAP & MAD 测试
 
-由于内置了 `Ldap & MAD` 的功能，所以需要额外配置资源
-
-可以使用 `Docker` 来启动 `Ldap` 服务进行测试:
-
-``` bash
-# openLdap
-docker run -p 389:389 -p 636:636 \ 
-        --name my-openldap-container \
-        --detach osixia/openldap:1.3.0
-
-# ldap admin
-docker run -p 6443:443 \
-        --env PHPLDAPADMIN_LDAP_HOSTS=docker.for.mac.host.internal \
-        --detach osixia/phpldapadmin:0.9.0
-```
-
-使用 `bkuser_core/tests/categories/vendors/ldap/assets/ldap.ldif` 直接导入必须的数据。
-
-最后，在 `dev.py` 中配置
-
+你需要确保在 `dev.py` 中已添加 LDAP mock 配置
 ``` python
-TEST_LDAP = {
-    "url": "localhost",
-    "base": "dc=example,dc=org",
-    "user": "cn=admin,dc=example,dc=org",
-    "password": "admin",
-    "user_class": "inetOrgPerson",
-    "organization_class": "organizationalUnit",
-}
+LDAP_CONNECTION_EXTRAS_PARAMS = {"client_strategy": ldap3.MOCK_SYNC}
 ```
 运行单元测试