Merge pull request #594 from TencentBlueKing/release_2.3.4

Release 2.3.4

.github/workflows/unittest.yml

@@ -15,7 +15,7 @@ jobs:
         poetry-version: [1.1.7]
         os: [ubuntu-18.04]
     runs-on: ${{ matrix.os }}
-    
+
     env:
       DB_DATABASE: bk_user_api_test
       DB_USER: root

.gitignore

@@ -104,6 +104,7 @@ venv/
 ENV/
 env.bak/
 venv.bak/
+.envrc
 
 # Spyder project settings
 .spyderproject
@@ -233,4 +234,7 @@ deploy/helm/login/templates/c_*.*
 deploy/helm/bk-user-stack/templates/c_*.*
 
 # local hooks
-pre_commit_hooks
+pre_commit_hooks
+
+# local settings
+cliff.toml

.pre-commit-config.yaml

@@ -16,19 +16,19 @@ repos:
         language: python
         types: [python]
         pass_filenames: false
-        entry: isort --settings-path=pyproject.toml .
+        entry: isort --settings-path=pyproject.toml src
       - id: black
         name: black
         language: python
         types: [python]
         pass_filenames: false
-        entry: black --config=pyproject.toml .
+        entry: black --config=pyproject.toml src
       - id: flake8
         name: flak8
         language: python
         types: [python]
         pass_filenames: false
-        entry: pflake8 --config=pyproject.toml
+        entry: pflake8 --config=pyproject.toml src
       - id: mypy
         name: mypy
         language: python

Makefile

@@ -1,7 +1,7 @@
 version ?= "development"
 login_version ?= "development"
 values ?=
-image_repo ?= "mirrors.tencent.com/blueking"
+image_repo ?= "mirrors.tencent.com/build/blueking"
 chart_repo ?=
 namespace ?= "bk-user"
 test_release_name ?= "bk-user-test"
@@ -60,4 +60,4 @@ helm-package: helm-refresh
 helm-publish: deploy/helm/dist/*.tgz
 	for f in $^; do \
 		curl -kL -X POST -F chart=@$${f} -u ${credentials} ${chart_repo}; \
-	done
+	done

deploy/helm/bk-user/Chart.lock

@@ -1,10 +1,10 @@
 dependencies:
 - name: mariadb
   repository: https://charts.bitnami.com/bitnami
-  version: 9.8.1
+  version: 10.5.1
 - name: redis
   repository: https://charts.bitnami.com/bitnami
-  version: 14.8.11
+  version: 15.7.6
 - name: api
   repository: ""
   version: 1.0.0
@@ -14,5 +14,5 @@ dependencies:
 - name: saas
   repository: ""
   version: 1.0.0
-digest: sha256:7751d2e4cfea1e615575714c797492542822bc7517502c016ddf69a72b080f77
-generated: "2022-01-14T14:40:50.915521+08:00"
+digest: sha256:3432f41edf9e8789ee35229a3bb1fee3e0b04d8b619f38eea7e5e78a2a475c73
+generated: "2022-06-06T17:20:26.023674928+08:00"

deploy/helm/bk-user/Chart.yaml

@@ -2,18 +2,18 @@ apiVersion: v2
 name: bk-user
 description: A Helm chart for bk-user
 type: application
-version: 1.1.9
-appVersion: "v2.3.3"
+version: 1.2.19
+appVersion: "v2.3.4-beta.28"
 
 dependencies:
 
 - name: mariadb
-  version: "9.x.x"
+  version: "10.x.x"
   repository: "https://charts.bitnami.com/bitnami"
   condition: mariadb.enabled
 
 - name: redis
-  version: "14.x.x"
+  version: "15.x.x"
   repository: "https://charts.bitnami.com/bitnami"
   condition: redis.enabled
 

deploy/helm/bk-user/README.md

@@ -26,7 +26,7 @@ helm repo update
 
 ### 准备 `values.yaml`
 
-#### 1. 获取蓝鲸平台访问地址 
+#### 1. 获取蓝鲸平台访问地址
 首先，你需要获取到蓝鲸平台的访问地址，例如 `https://paas.example.com`，确保 `https://paas.example.com/login` 可以访问蓝鲸登录，然后将该值的内容填入全局环境变量中。
 
 配置示例：
@@ -40,6 +40,8 @@ api:
   bkIamUrl: "http://bkiam.example.com"
   bkPaasUrl: "http://paas.example.com"
   bkComponentApiUrl: "http://bkapi.example.com"
+  bkApiUrlTmpl: "http://bkapi.example.com/api/{api_name}"
+  bkApigatewayPublicKey: ""
 
 saas:
   enabled: true
@@ -86,19 +88,19 @@ login:
 ```yaml
 api:
   image:
-    registry: mirrors.tencent.com
+    registry: hub.bktencent.com
     repository: blueking/bk-user-api
     tag: "v2.3.1"
 
 saas:
   image:
-    registry: mirrors.tencent.com
+    registry: hub.bktencent.com
     repository: blueking/bk-user-saas
     tag: "v2.3.1"
 
 login:
   image:
-    registry: mirrors.tencent.com
+    registry: hub.bktencent.com
     repository: blueking/bk-login
     tag: "v2.3.1"
 ```
@@ -165,7 +167,7 @@ login:
 
 mariadb:
   enabled: false
-  
+
 redis:
   enabled: false
 ```
@@ -202,13 +204,73 @@ global:
 默认未开启，如需开启请将 `global.serviceMonitor.enabled` 设置为 true。
 
 ##### `values.yaml` 配置示例：
+
 ```yaml
 global:
   serviceMonitor:
     enabled: true
 ```
 
-### 9. 安装
+### 9. 配置sentry
+
+```yaml
+global:
+  ## sentry dsn
+  sentryDsn: "http://12927b5f211046b575ee51fd8b1ac34f@{SENTRY_DOMAIN}/{PROJECT_ID}"
+```
+
+### 10. 开启api auth
+
+默认值是true, 可以关闭, 关闭之后用户管理 API 将不受任何保护
+
+开启之后, 只能通过 ESB 访问用户管理接口
+
+注意, 配置文件中下面两个值必须一致, 并且如果开启, login必须配置组件访问地址`bkLoginApiAuthEnabled`
+
+```yaml
+global:
+  ## 是否开启 API AUTH, 默认开启
+  enableApiAuth: true
+
+login:
+  # Login API Auth Enabled 登录是否开启了 API 认证
+  bkLoginApiAuthEnabled : true
+  # 蓝鲸 ESB/APIGATEWAY url，注意集群内外都是统一域名。集群内可以配置域名解析到内网ip
+  bkComponentApiUrl: "http://bkapi.example.com"
+```
+
+### 11. 环境变量注入
+
+
+```yaml
+api:
+  env:
+    - name: "THE_VAR_NAME"
+      value: ""
+
+saas:
+  env:
+    - name: "THE_VAR_NAME"
+      value: ""
+
+login:
+  env:
+    - name: "THE_VAR_NAME"
+      value: ""
+```
+
+例如, 开启api的ldap3调试(注意此时需要同时设置环境变量`LOG_LEVEL=DEBUG`)
+
+```yaml
+api:
+  env:
+    - name: "LOG_LEVEL"
+      value: "DEBUG"
+    - name: "ENABLE_LDAP3_DEBUG"
+      value: true
+```
+
+### 12. 安装
 
 如果你已经准备好了 `values.yaml`，就可以直接进行安装操作了
 
@@ -226,15 +288,15 @@ helm install bk-user bk-user -n bk-user -f values.yaml
 ```bash
 # 获取所有 controller
 kubectl get deploy,job,sts -l app.kubernetes.io/instance=bk-user
-# 获取所有 Pod 
+# 获取所有 Pod
 kubectl get pod -l app.kubernetes.io/instance=bk-user
 # 获取访问入口
 kubectl get svc,ingress -l app.kubernetes.io/instance=bk-user
 ```
 
 通常在安装后，我们会看到这些 Pod
 
-| Pod 前缀                  | 所属模块      | 作用          | 
+| Pod 前缀                  | 所属模块      | 作用          |
 |-------------------------|-----------|-------------|
 | bk-login-web            | 蓝鲸登录      | 主进程         |
 | bk-login-migrate-db     | 蓝鲸登录      | 初始化数据库作业    |

deploy/helm/bk-user/charts/api/Chart.yaml

@@ -3,4 +3,4 @@ name: api
 description: Api module for bk-user
 type: application
 version: 1.0.0
-appVersion: "v2.3.3"
+appVersion: "v2.3.4-beta.28"

deploy/helm/bk-user/charts/api/templates/bklogconfig.yaml

@@ -11,5 +11,5 @@ spec:
   logConfigType: "std_log_config"
   namespace: {{ .Release.Namespace | quote }}
   labelSelector:
-    matchLabels: {{- include "bk-user.labels" . | nindent 6 }}
+    matchLabels: {{- include "bk-user.selectorLabels" . | nindent 6 }}
 {{- end }}

deploy/helm/bk-user/charts/api/templates/external-storage-configmap.yaml

@@ -6,7 +6,7 @@ metadata:
 data:
   # ---------------
   # 数据库
-  # --------------- 
+  # ---------------
   DB_NAME: "{{ .Values.externalDatabase.default.name | default .Values.preferDBName }}"
   DB_USER: "{{ .Values.externalDatabase.default.user }}"
   DB_PASSWORD: "{{ .Values.externalDatabase.default.password }}"
@@ -15,5 +15,4 @@ data:
   # ---------------
   # Redis Related
   # ---------------
-  CELERY_BROKER_URL: {{ .Values.celeryBrokerUrl | default (include "bk-user.externalRedisBrokerUrl" .) }}
-  CELERY_RESULT_BACKEND: {{ .Values.celeryResultBackend | default (include "bk-user.externalRedisBrokerUrl" .) }}
+  CELERY_BROKER_URL: {{ .Values.celeryBrokerUrl | default (include "bk-user.externalRedisBrokerUrl" .) }}

deploy/helm/bk-user/charts/api/templates/general-envs-configmap.yaml

@@ -28,5 +28,13 @@ data:
   BK_PAAS_URL: "{{ .Values.bkPaasUrl }}"
   # ESB Api 访问地址
   BK_COMPONENT_API_URL: "{{ .Values.bkComponentApiUrl }}"
+  ## 配置 bkApigatewayPublicKey 用于对接apigateway解析jwt, base64
+  BK_APIGW_PUBLIC_KEY: "{{ .Values.bkApigatewayPublicKey }}"
   # 由于用户管理先于权限中心拉起，所以默认禁用，后期所有产品就绪后，可手动开启
-  ENABLE_IAM: "{{ .Values.global.enableIAM }}"
+  ENABLE_IAM: "{{ .Values.global.enableIAM }}"
+  # 是否开启 API AUTH, 默认开启
+  ENABLE_API_AUTH: "{{ .Values.global.enableApiAuth }}"
+  # Sentry DSN配置, 非空则开启
+  SENTRY_DSN: "{{ .Values.global.sentryDsn }}"
+  # APIGateway url模板
+  BK_API_URL_TMPL: "{{ .Values.bkApiUrlTmpl }}"

deploy/helm/bk-user/charts/api/templates/migrate-apigateway.yaml

@@ -0,0 +1,48 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: bk-user-api-migrate-apigateway-{{ .Release.Revision }}
+  labels:
+    {{- include "bk-user.labels" . | nindent 4 }}
+spec:
+  backoffLimit: 10
+  template:
+    metadata:
+      labels:
+        {{- include "bk-user.labels" . | nindent 8 }}
+    spec:
+      {{- with .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: bk-user-api
+      restartPolicy: OnFailure
+      {{- with .Values.global.hostAliases }}
+      hostAliases:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      initContainers:
+        - name: check-migrate-db
+          image: "{{ .Values.global.imageRegistry | default .Values.migration.images.k8sWaitFor.registry }}/{{ .Values.migration.images.k8sWaitFor.repository }}:{{ .Values.migration.images.k8sWaitFor.tag }}"
+          imagePullPolicy: IfNotPresent
+          args:
+            - job
+            - "bk-user-api-migrate-db-{{ .Release.Revision }}"
+      containers:
+        - name: api-apigateway-migrate
+          image: "{{ .Values.global.imageRegistry | default .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command:
+            - bash
+          args:
+            - /app/sync_apigateway.sh
+          {{- with .Values.env }}
+          env:
+            {{- toYaml . | nindent 12}}
+          {{- end }}
+          {{- with .Values.envFrom }}
+          envFrom:
+            {{- toYaml . | nindent 12}}
+          {{- end }}
+          resources:
+            {{- toYaml .Values.resources.web | nindent 12 }}

deploy/helm/bk-user/charts/api/templates/migrate-iam.yaml

@@ -30,7 +30,7 @@ spec:
             - job
             - "bk-user-api-migrate-db-{{ .Release.Revision }}"
       containers:
-        - name: api-db-migrate
+        - name: api-iam-migrate
           image: "{{ .Values.global.imageRegistry | default .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           command:

deploy/helm/bk-user/charts/api/templates/web-deployment.yaml

@@ -66,11 +66,11 @@ spec:
               protocol: TCP
           livenessProbe:
             httpGet:
-              path: /ping
+              path: /ping/
               port: http
           readinessProbe:
             httpGet:
-              path: /ping
+              path: /ping/
               port: http
           resources:
             {{- toYaml .Values.resources.web | nindent 12 }}