diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..15ffe06 --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,27 @@ +name: Release Charts + +on: + push: + branches: + - main + tags: + - 'v*' + +jobs: + release: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v2 + with: + fetch-depth: 0 + + - name: Configure Git + run: | + git config user.name "$GITHUB_ACTOR" + git config user.email "$GITHUB_ACTOR@users.noreply.github.com" + + - name: Run chart-releaser + uses: helm/chart-releaser-action@v1.1.0 + env: + CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" diff --git a/Chart.yaml b/Chart.yaml index 50d9ec1..16af8b3 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v1 -appVersion: "v2.12.1" +appVersion: "v2.12.2" description: A Helm chart for Deploying Jumpserver on Kubernetes name: jumpserver version: 0.1.0 diff --git a/configs/jms-core/config.yml b/configs/jms-core/config.yml index 0bee418..f73f532 100644 --- a/configs/jms-core/config.yml +++ b/configs/jms-core/config.yml @@ -19,7 +19,7 @@ LOG_LEVEL: {{ $.Values.core.config.log.level }} # Session expiration setting, Default 24 hour, Also set expired on on browser close # 浏览器Session过期时间,默认24小时, 也可以设置浏览器关闭则过期 # SESSION_COOKIE_AGE: 86400 -# SESSION_EXPIRE_AT_BROWSER_CLOSE: false +SESSION_EXPIRE_AT_BROWSER_CLOSE: true # Database setting, Support sqlite3, mysql, postgres .... # 数据库设置 diff --git a/configs/jms-nginx/nginx.conf b/configs/jms-nginx/nginx.conf index 8335aa1..2eb9528 100644 --- a/configs/jms-nginx/nginx.conf +++ b/configs/jms-nginx/nginx.conf 
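Review bot: The new workflow in .github/workflows/release.yml has no `permissions:` block, so the `secrets.GITHUB_TOKEN` passed to chart-releaser as `CR_TOKEN` carries whatever default scope the repository or organisation grants, on every push to `main` and every `v*` tag. Declaring the scope on the `release:` job, `permissions:` with `contents: write` beneath it, limits the token to what publishing a chart release presumably needs. Both `actions/checkout@v2` and `helm/chart-releaser-action@v1.1.0` are referenced by tag, and a tag can be moved by the action's owner. Pinning each `uses:` to a full commit SHA, with the tag kept as a trailing comment, closes that supply-chain gap for a job that holds a write token.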
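Review bot: `SESSION_EXPIRE_AT_BROWSER_CLOSE: true` in configs/jms-core/config.yml is now a fixed literal, while `LOG_LEVEL` in the same hunk header is rendered from `$.Values`, so an operator cannot change the session policy without editing the chart. The comment block above it still reads as documentation for an optional setting with a 24-hour default. I would add a line such as `# Set by this chart: the session cookie expires when the browser is closed` directly above the new line. If the value is meant to be tunable, reading it from values like the neighbouring keys would be more consistent.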
@@ -1,101 +1,75 @@ {{- $koko := printf "http://%s-%s:%s" (include "jumpserver.fullname" $) "jms-koko" ($.Values.koko.service.web.port | toString) }} {{- $lion := printf "http://%s-%s:%s" (include "jumpserver.fullname" $) "jms-lion" ($.Values.lion.service.web.port | toString) }} -{{- $core := printf "http://%s-%s:%s" (include "jumpserver.fullname" $) "jms-core" ($.Values.core.service.web.port | toString) }} -user nginx; -worker_processes auto; -error_log /var/log/nginx/error.log; -pid /run/nginx.pid; +{{- $web := printf "http://%s-%s:%s" (include "jumpserver.fullname" $) "jms-core" ($.Values.core.service.web.port | toString) }} +{{- $ws := printf "http://%s-%s:%s" (include "jumpserver.fullname" $) "jms-core" ($.Values.core.service.ws.port | toString) }} +server { + listen {{ $.Values.nginx.service.web.port }}; + server_name _; + server_tokens off; -include /usr/share/nginx/modules/*.conf; + client_max_body_size 4096m; # 录像及文件上传大小限制 -events { - worker_connections 1024; -} - -http { - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for" "$upstream_addr"'; - - access_log /var/log/nginx/access.log main; - # access_log off; - - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; - - include /etc/nginx/mime.types; - default_type application/octet-stream; - # include /etc/nginx/conf.d/*.conf; - - server { - listen {{ $.Values.nginx.service.web.port }}; - server_name _; - - client_max_body_size 4096m; # 录像及文件上传大小限制 - - location /ui/ { - try_files $uri / /index.html; - alias /opt/lina/; - } - location /luna/ { - try_files $uri / /index.html; - alias /opt/luna/; - } - location /media/ { - add_header Content-Encoding gzip; - root /opt/jumpserver/data/; - } - location /static/ { - root /opt/jumpserver/data/; - } - location /koko/ { - proxy_pass {{$koko}}; - proxy_buffering off; - proxy_http_version 1.1; - proxy_set_header 
Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - } - location /lion/ { - proxy_pass {{$lion}}; - proxy_buffering off; - proxy_http_version 1.1; - proxy_request_buffering off; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $http_connection; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - } - location /ws/ { - proxy_pass {{$core}}; - proxy_buffering off; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - } - location /api/ { - proxy_pass {{$core}}; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - } - location /core/ { - proxy_pass {{$core}}; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - } - location / { - rewrite ^/(.*)$ /ui/$1 last; - } + location /ui/ { + try_files $uri / /index.html; + alias /opt/lina/; + } + location /luna/ { + try_files $uri / /index.html; + alias /opt/luna/; + } + location /media/ { + add_header Content-Encoding gzip; + root /opt/jumpserver/data/; + } + location /static/ { + root /opt/jumpserver/data/; + } + location /koko/ { + proxy_pass {{$koko}}; + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location /lion/ { + proxy_pass {{$lion}}; + proxy_buffering off; + proxy_http_version 
1.1; + proxy_request_buffering off; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $http_connection; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location /ws/ { + proxy_pass {{$ws}}; + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location /api/ { + proxy_pass {{$web}}; + proxy_buffering off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location /core/ { + proxy_pass {{$web}}; + proxy_buffering off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location / { + rewrite ^/(.*)$ /ui/$1 last; } } diff --git a/templates/deployment-nginx.yaml b/templates/deployment-nginx.yaml index b5589a3..5473b5e 100644 --- a/templates/deployment-nginx.yaml +++ b/templates/deployment-nginx.yaml @@ -52,7 +52,7 @@ spec: resources: {{- toYaml .resources | nindent 12 }} volumeMounts: - - mountPath: "/etc/nginx/nginx.conf" + - mountPath: "/etc/nginx/conf.d/default.conf" name: "jms-nginx-config" subPath: "nginx.conf" - mountPath: "/opt/jumpserver/data" diff --git a/templates/pre-install-initdb.yaml b/templates/pre-install-initdb.yaml new file mode 100644 index 0000000..65ba83a --- /dev/null +++ b/templates/pre-install-initdb.yaml 
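Review bot: Replacing the full nginx.conf with a bare `server {}` block drops the `log_format main` definition and the `access_log /var/log/nginx/access.log main;` line, so what gets logged now depends on the nginx.conf shipped in the image, which this diff does not show. The old format recorded `$http_x_forwarded_for` and `$upstream_addr`, the two fields that let an investigator tie a request to the client behind the ingress and to the backend that served it. The file is now mounted at `/etc/nginx/conf.d/default.conf` (the templates/deployment-nginx.yaml hunk that follows) and is presumably included inside the image's `http {}` context. If so, a `log_format` under its own name can be declared above `server {` and selected with an `access_log` line inside it, using a name other than `main` in case the image already defines that one.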
@@ -0,0 +1,63 @@
+{{- if .Values.core.enabled }}
+{{- with .Values.core }}
+{{- $fullName := printf "%s-%s" (include "jumpserver.fullname" $) "jms-init-db" }}
+{{- $containerName := "jms-init-db" }}
+{{- $image := printf "%s:%s" .image.repository .image.tag }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ $fullName }}
+ labels:
+ app.jumpserver.org/name: {{ $containerName }}
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+spec:
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: {{ include "jumpserver.name" $ }}
+ app.kubernetes.io/instance: {{ $.Release.Name }}
+ {{- toYaml .labels | nindent 8 }}
+ spec:
+ serviceAccountName: {{ template "jumpserver.serviceAccountName" $ }}
+ securityContext:
+ {{- toYaml .podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ $containerName }}
+ securityContext:
+ {{- toYaml .securityContext | nindent 12 }}
+ image: "{{$image}}"
+ imagePullPolicy: {{ .image.pullPolicy }}
+ command:
+ - /bin/bash
+ - "-c"
+ - cd /opt/jumpserver && ./jms upgrade_db
+ env:
+ - name: "SECRET_KEY"
+ value: "{{.config.secretKey}}"
+ - name: "BOOTSTRAP_TOKEN"
+ value: "{{.config.bootstrapToken}}"
+ - name: "DB_HOST"
+ value: "{{.config.db.host}}"
+ - name: "DB_PORT"
+ value: "{{.config.db.port}}"
+ - name: "DB_USER"
+ value: "{{.config.db.user}}"
+ - name: "DB_PASSWORD"
+ value: "{{.config.db.password}}"
+ - name: "DB_NAME"
+ value: "{{.config.db.name}}"
+ - name: "REDIS_HOST"
+ value: "{{.config.redis.host}}"
+ - name: "REDIS_PORT"
+ value: "{{.config.redis.port}}"
+ - name: "REDIS_PASSWORD"
+ value: "{{.config.redis.password}}"
+ {{- with .env }}
+ {{- tpl (toYaml .) $ | nindent 12 }}
+ {{- end }}
+ restartPolicy: Never
+{{- end }}
+{{- end }}
diff --git a/values.yaml b/values.yaml
index 06b3d7c..c09b16e 100644
--- a/values.yaml
+++ b/values.yaml
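Review bot: The new Job in templates/pre-install-initdb.yaml writes `SECRET_KEY`, `BOOTSTRAP_TOKEN`, `DB_PASSWORD` and `REDIS_PASSWORD` into the pod spec as literal `value:` strings, so anyone allowed to read Jobs or Pods in the namespace can read them. With `hook-delete-policy` set to `hook-succeeded`, a failed Job also stays in the cluster with them. Reading them through `valueFrom.secretKeyRef` keeps them out of the spec; because this is a pre-install hook, the Secret must exist before the Job runs, either created as a hook with a lower weight or supplied by the operator. The Secret name and key below are placeholders, as the diff shows no existing Secret. The remaining hand-quoted `"{{...}}"` values would be safer rendered with `| quote`, since a value containing a double quote or backslash breaks the surrounding quoting.

```yaml
          env:
            - name: "SECRET_KEY"
              valueFrom:
                secretKeyRef:
                  name: "PLACEHOLDER-secret-name"
                  key: "PLACEHOLDER-secret-key-entry"
            # … same pattern for BOOTSTRAP_TOKEN, DB_PASSWORD and REDIS_PASSWORD …
            # … unchanged: DB_HOST, DB_PORT, DB_USER, DB_NAME, REDIS_HOST, REDIS_PORT …
```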
@@ -21,6 +21,10 @@ ingress: # kubernetes.io/tls-acme: "true" compute-full-forwarded-for: "true" use-forwarded-headers: "true" + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/configuration-snippet: | + proxy_set_header Upgrade "websocket"; + proxy_set_header Connection "Upgrade"; hosts: - "test.jumpserver.org" @@ -62,7 +66,7 @@ core: image: repository: docker.io/jumpserver/core - tag: v2.12.1 + tag: v2.12.2 pullPolicy: IfNotPresent command: [] @@ -152,7 +156,7 @@ koko: image: repository: docker.io/jumpserver/koko - tag: v2.12.1 + tag: v2.12.2 pullPolicy: IfNotPresent command: [] @@ -240,7 +244,7 @@ lion: image: repository: docker.io/jumpserver/lion - tag: v2.12.1 + tag: v2.12.2 pullPolicy: IfNotPresent command: [] @@ -317,7 +321,7 @@ nginx: image: repository: docker.io/jumpserver/nginx - tag: v2.12.1 + tag: v2.12.2 pullPolicy: IfNotPresent command: []
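Review bot: The `nginx.ingress.kubernetes.io/configuration-snippet` default added in the first values.yaml hunk sends `Upgrade: websocket` and `Connection: Upgrade` upstream on every request, not only on WebSocket handshakes. The chart's own nginx.conf, by contrast, forwards `$http_upgrade` and only under `/koko/`, `/lion/` and `/ws/`. Many ingress-nginx installations also turn snippet annotations off (`allow-snippet-annotations`), because they let an Ingress author inject raw nginx configuration, so shipping one as a default makes the chart depend on that setting being enabled. I would drop the snippet from the defaults and keep it as a commented example like `kubernetes.io/tls-acme` above it, or at least forward the client's own header with `proxy_set_header Upgrade $http_upgrade;`. The four `tag:` hunks that follow are plain version bumps.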