From b1c57271ab29ff15e9a7f3f238307d567da01186 Mon Sep 17 00:00:00 2001
From: liuyanglinux
Date: Sun, 26 Jan 2025 17:34:04 +0800
Subject: [PATCH] update opengauss usercenter to v2
---
 .../opengauss-usercenter/kustomization.yaml | 3 +-
 deploy/opengauss-usercenter/sa.yaml | 5 ++
 .../website-deployment.yaml | 84 ++++++++++++++++---
 .../opengauss-usercenter/website-ingress.yaml | 2 +
 .../opengauss-usercenter/website-service.yaml | 2 +-
 5 files changed, 83 insertions(+), 13 deletions(-)
 create mode 100644 deploy/opengauss-usercenter/sa.yaml
diff --git a/deploy/opengauss-usercenter/kustomization.yaml b/deploy/opengauss-usercenter/kustomization.yaml
index 41dfe524..fedbc14d 100644
--- a/deploy/opengauss-usercenter/kustomization.yaml
+++ b/deploy/opengauss-usercenter/kustomization.yaml
@@ -1,7 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 images:
 - name: swr.cn-north-4.myhuaweicloud.com/opensourceway/opengauss/opengauss-usercenter
- newTag: 48738382bd220ebcaae5c45e57bd0c4006e979ff
+ newTag: deb83a678981e3c73f3c4bad892da0cc3df0f8e9
 kind: Kustomization
 namespace: opengauss-usercenter
 resources:
@@ -10,3 +10,4 @@ resources:
 - website-service.yaml
 - website-deployment.yaml
 - secret.yaml
+- sa.yaml
diff --git a/deploy/opengauss-usercenter/sa.yaml b/deploy/opengauss-usercenter/sa.yaml
new file mode 100644
index 00000000..0a1dd1be
--- /dev/null
+++ b/deploy/opengauss-usercenter/sa.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: opengauss-usercenter
+ namespace: opengauss-usercenter
\ No newline at end of file
diff --git a/deploy/opengauss-usercenter/website-deployment.yaml b/deploy/opengauss-usercenter/website-deployment.yaml
index 739421f8..2330e2e5 100644
--- a/deploy/opengauss-usercenter/website-deployment.yaml
+++ b/deploy/opengauss-usercenter/website-deployment.yaml
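Review bot: The new ServiceAccount in sa.yaml does not set `automountServiceAccountToken: false` on the account itself; website-deployment.yaml opts out at pod level, but any other workload that later references this account without that opt-out gets a long-lived token mounted by default, so adding `automountServiceAccountToken: false` at the top level of the ServiceAccount keeps the 600-second projected token the only one this account ever hands out. The file also ends without a trailing newline (`\ No newline at end of file`); YAML tooling tolerates it, but it makes the next edit's diff noisier than it needs to be. The Vault role `opengauss-usercenter` referenced in the deployment annotations has to be configured on the Vault side to accept this account name and namespace, which is outside the patch, so that is worth confirming before rollout.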
@@ -1,40 +1,88 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: website-deployment
+ name: website-v2-deployment
 namespace: opengauss-usercenter
 spec:
 replicas: 2
 selector:
 matchLabels:
- app: website
+ app: website-v2
 strategy:
 rollingUpdate:
- maxUnavailable: 1
+ maxUnavailable: 0
+ maxSurge: 1
 type: RollingUpdate
 template:
 metadata:
+ annotations:
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/agent-pre-populate-only: "true"
+ vault.hashicorp.com/agent-service-account-token-volume-name: "token-vol"
+ vault.hashicorp.com/role: 'opengauss-usercenter'
+ vault.hashicorp.com/agent-run-as-user: "1000"
+ vault.hashicorp.com/agent-run-as-group: "1000"
+ vault.hashicorp.com/agent-inject-perms-server.crt: "0400"
+ vault.hashicorp.com/agent-inject-perms-server.key: "0400"
+ vault.hashicorp.com/agent-inject-perms-abc.txt: "0400"
+ vault.hashicorp.com/agent-inject-perms-dhparam.pem: "0400"
+ vault.hashicorp.com/secret-volume-path: "/etc/nginx/cert/"
+ vault.hashicorp.com/agent-inject-secret-server.crt: "internal/data/opengauss/osinfra-cn-website"
+ vault.hashicorp.com/agent-inject-template-server.crt: |
+ {{- with secret "internal/data/opengauss/osinfra-cn-website" -}}
+ {{ .Data.data.ServerCrt }}
+ {{- end }}
+ vault.hashicorp.com/agent-inject-secret-server.key: "internal/data/opengauss/osinfra-cn-website"
+ vault.hashicorp.com/agent-inject-template-server.key: |
+ {{- with secret "internal/data/opengauss/osinfra-cn-website" -}}
+ {{ .Data.data.ServerKey }}
+ {{- end }}
+ vault.hashicorp.com/agent-inject-secret-abc.txt: "internal/data/opengauss/osinfra-cn-website"
+ vault.hashicorp.com/agent-inject-template-abc.txt: |
+ {{- with secret "internal/data/opengauss/osinfra-cn-website" -}}
+ {{ .Data.data.certificatePassword }}
+ {{- end }}
+ vault.hashicorp.com/agent-inject-secret-dhparam.pem: "internal/data/opengauss/osinfra-cn-website"
+ vault.hashicorp.com/agent-inject-template-dhparam.pem: |
+ {{- with secret 
"internal/data/opengauss/osinfra-cn-website" -}} + {{ .Data.data.dhparamPem }} + {{- end }} labels: - app: website + app: website-v2 spec: + automountServiceAccountToken: false + serviceAccountName: opengauss-usercenter + imagePullSecrets: + - name: huawei-swr-image-pull-secret containers: - - image: swr.cn-north-4.myhuaweicloud.com/opensourceway/opengauss/opengauss-usercenter:v1.0.1 + - image: swr.cn-north-4.myhuaweicloud.com/opensourceway/opengauss/opengauss-usercenter:deb83a678981e3c73f3c4bad892da0cc3df0f8e9 imagePullPolicy: IfNotPresent + env: + - name: DET_URL + value: https://id-opengauss.osinfra.cn + ports: + - containerPort: 8080 + name: http + protocol: TCP livenessProbe: failureThreshold: 3 - initialDelaySeconds: 20 + initialDelaySeconds: 30 periodSeconds: 10 successThreshold: 1 - tcpSocket: + httpGet: + scheme: HTTPS + path: / port: 8080 timeoutSeconds: 5 name: website readinessProbe: failureThreshold: 3 - initialDelaySeconds: 10 + initialDelaySeconds: 30 periodSeconds: 10 successThreshold: 1 - tcpSocket: + httpGet: + scheme: HTTPS + path: / port: 8080 timeoutSeconds: 5 resources: @@ -42,5 +90,19 @@ spec: cpu: 1000m memory: 1000Mi requests: - cpu: 500m - memory: 500Mi + cpu: 1000m + memory: 1000Mi + securityContext: + allowPrivilegeEscalation: false + runAsUser: 1000 + capabilities: + drop: + - ALL + volumes: + - name: token-vol + projected: + sources: + - serviceAccountToken: + audience: api + expirationSeconds: 600 + path: token diff --git a/deploy/opengauss-usercenter/website-ingress.yaml b/deploy/opengauss-usercenter/website-ingress.yaml index 49a8d571..86f197b9 100644 --- a/deploy/opengauss-usercenter/website-ingress.yaml +++ b/deploy/opengauss-usercenter/website-ingress.yaml 
@@ -3,6 +3,7 @@ kind: Ingress
 metadata:
 annotations:
 kubernetes.io/ingress.class: nginx
+ nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
 nginx.ingress.kubernetes.io/configuration-snippet: |
 add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'; frame-ancestors 'self'";
 add_header X-XSS-Protection "1; mode=block";
@@ -32,6 +33,7 @@ kind: Ingress
 metadata:
 annotations:
 kubernetes.io/ingress.class: nginx
+ nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
 nginx.ingress.kubernetes.io/configuration-snippet: |
 add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'; frame-ancestors 'self'";
 add_header X-XSS-Protection "1; mode=block";
diff --git a/deploy/opengauss-usercenter/website-service.yaml b/deploy/opengauss-usercenter/website-service.yaml
index 75f15932..d4ecb847 100644
--- a/deploy/opengauss-usercenter/website-service.yaml
+++ b/deploy/opengauss-usercenter/website-service.yaml
@@ -10,5 +10,5 @@ spec:
 protocol: TCP
 targetPort: 8080
 selector:
- app: website
+ app: website-v2
 type: ClusterIP
-- Gitee
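Review bot: `backend-protocol: "HTTPS"` (added identically in the second hunk at `@@ -32,6 +33,7 @@`) makes the ingress controller connect to the pod over TLS, but ingress-nginx does not verify the upstream certificate unless told to, so the hop is encrypted yet not authenticated. If the Vault-issued server certificate chains to a CA that can be stored in a Secret, pair this annotation with `nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"` and `nginx.ingress.kubernetes.io/proxy-ssl-secret: "<namespace>/<ca-secret-name>"` (placeholder values). Whether such a CA is available in-cluster is not visible in this patch, so treat it as a follow-up if it is not, and record the decision in a comment next to the annotation either way.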
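Review bot: Switching the Service selector to `app: website-v2` takes effect the moment the manifest is applied, while the new `website-v2-deployment` pods need at least the 30-second `initialDelaySeconds` of their readiness probe before they become Ready, so a single apply of this kustomization leaves the Service with no endpoints for that window unless the old and new pods share a label. Either apply the Deployment first and flip the selector once the rollout is complete, or keep a common label on both pod templates and select on that; this hunk only works together with the rename in website-deployment.yaml.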