chore(charts): use condition

duanhongyi · duanhongyi · commit 10e6854c92f1 · 2025-05-07T18:01:39.000+08:00
diff --git a/charts/controller/templates/_helpers.tpl b/charts/controller/templates/_helpers.tpl
@@ -11,9 +11,9 @@ env:
 - name: "K8S_API_VERIFY_TLS"
   value: "{{ .Values.k8sApiVerifyTls }}"
 - name: "DRYCC_REGISTRY_LOCATION"
-  value: "{{ .Values.global.registryLocation }}"
+  value: {{ ternary "on-cluster" "off-cluster" .Values.registry.enabled }}
 - name: "DRYCC_REGISTRY_SECRET_PREFIX"
-  value: "{{ .Values.global.registrySecretPrefix }}"
+  value: "{{ .Values.registrySecretPrefix }}"
 - name: "IMAGE_PULL_POLICY"
   value: "{{ .Values.appImagePullPolicy }}"
 - name: "DRYCC_FILER_IMAGE"
@@ -63,7 +63,7 @@ env:
     secretKeyRef:
       name: controller-creds
       key: valkey-url
-{{- else if eq .Values.global.valkeyLocation "on-cluster"  }}
+{{- else if .Values.valkey.enabled }}
 - name: VALKEY_PASSWORD
   valueFrom:
     secretKeyRef:
@@ -85,7 +85,7 @@ env:
     secretKeyRef:
       name: controller-creds
       key: database-url
-{{- else if eq .Values.global.databaseLocation "on-cluster"  }}
+{{- else if .Values.database.enabled }}
 - name: DRYCC_PG_USER
   valueFrom:
     secretKeyRef:
@@ -119,7 +119,7 @@ env:
     secretKeyRef:
       name: controller-creds
       key: prometheus-url
-{{- else if eq .Values.global.prometheusLocation "on-cluster" }}
+{{- else if .Values.prometheus.enabled }}
 - name: "DRYCC_PROMETHEUS_USERNAME"
   valueFrom:
     secretKeyRef:
@@ -133,7 +133,7 @@ env:
 - name: "DRYCC_PROMETHEUS_URL"
   value: "http://$(DRYCC_PROMETHEUS_USERNAME):$(DRYCC_PROMETHEUS_PASSWORD)@drycc-prometheus.{{$.Release.Namespace}}.svc.{{$.Values.global.clusterDomain}}:9090"
 {{- end }}
-{{- if eq .Values.global.passportLocation "on-cluster"}}
+{{- if .Values.passport.enabled }}
 - name: "DRYCC_PASSPORT_URL"
 {{- if .Values.global.certManagerEnabled }}
   value: https://drycc-passport.{{ .Values.global.platformDomain }}
diff --git a/charts/controller/templates/controller-clusterrole.yaml b/charts/controller/templates/controller-clusterrole.yaml
@@ -54,18 +54,9 @@ rules:
 - apiGroups: ["extensions", "autoscaling"]
   resources: ["horizontalpodautoscalers"]
   verbs: ["get", "list", "create", "update", "delete"]
-- apiGroups: ["extensions"]
-  resources: ["ingresses"]
-  verbs: ["get", "list", "watch", "create", "update", "delete"]
 - apiGroups: ["cert-manager.io"]
   resources: ["certificates", "certificaterequest", "issuers"]
   verbs: ["get", "list", "watch", "create", "update", "delete"]
-- apiGroups: ["networking.k8s.io"]
-  resources: ["ingresses"]
-  verbs: ["get", "list", "create", "delete", "deletecollection", "patch", "update"]
-- apiGroups: ["networking.k8s.io"]
-  resources: ["ingressclasses"]
-  verbs: ["get"]
 - apiGroups: ["apps"]
   resources: ["replicasets"]
   verbs: ["get", "list", "watch", "delete"]
diff --git a/charts/controller/templates/controller-secret-creds.yaml b/charts/controller/templates/controller-secret-creds.yaml
@@ -26,5 +26,10 @@ data:
   {{- if (.Values.passportSecret) }}
   passport-secret: {{ .Values.passportSecret | b64enc }}
   {{- end }}
+  {{- if (.Values.registryHost) }}
+  registry-host: {{ .Values.registryHost | b64enc }}
+  registry-username: {{ .Values.registryUsername | b64enc }}
+  registry-password: {{ .Values.registryPassword | b64enc }}
+  {{- end }}
   django-secret-key: {{ (include "common.secrets.lookup" (dict "secret" "controller-creds" "key" "django-secret-key" "defaultValue" (randAscii 64) "context" $)) }}
   deploy-hook-secret-key: {{ (include "common.secrets.lookup" (dict "secret" "controller-creds" "key" "deploy-hook-secret-key" "defaultValue" (randAscii 64) "context" $)) }}
diff --git a/charts/controller/values.yaml b/charts/controller/values.yaml
@@ -35,7 +35,7 @@ appImagePullPolicy: "Always"
 filerImage: "registry.drycc.cc/drycc/filer:canary"
 filerImagePullPolicy: "Always"
 # Set storageClassName. It is used for application.
-appStorageClass: "{{ .Values.storage.csi.storageClassName }}"
+appStorageClass: "longhorn"
 # Set runtimeClassName. It is used for application.
 appRuntimeClass: ""
 # Set appDNSPolicy. It is used for application.
@@ -63,10 +63,14 @@ databaseReplicaUrl: ""
 passportUrl: ""
 passportKey: ""
 passportSecret: ""
+# prometheusUrl is will no longer use the built-in prometheus component
+prometheusUrl: ""
 # Workflow-manager Configuration Options
 workflowManagerUrl: ""
 workflowManagerAccessKey: ""
 workflowManagerSecretKey: ""
+# Prefix for the imagepull secret created when using private registry
+registrySecretPrefix: "private-registry"
 
 # limit specs, plans config
 config:
@@ -133,41 +137,26 @@ mutate:
     extraMatchLabels:
       component: "drycc-controller-mutate"
 
-storage:
-  csi:
-    storageClassName: drycc-storage
+valkey:
+  enabled: true
+
+database:
+  enabled: true
+
+registry:
+  enabled: true
+
+passport:
+  enabled: true
+
+prometheus:
+  enabled: true
 
 global:
   # Admin email, used for each component to send email to administrator
   email: "drycc@drycc.cc"
-  # Set the storage backend
-  #
-  # Valid values are:
-  # - s3: Store persistent data in AWS S3 (configure in S3 section)
-  # - azure: Store persistent data in Azure's object storage
-  # - gcs: Store persistent data in Google Cloud Storage
-  # - minio: Store persistent data on in-cluster Minio server
-  storage: minio
-  # Set the location of Workflow's PostgreSQL database
-  #
-  # Valid values are:
-  # - on-cluster: Run PostgreSQL within the Kubernetes cluster (credentials are generated
-  #   automatically; backups are sent to object storage
-  #   configured above)
-  # - off-cluster: Run PostgreSQL outside the Kubernetes cluster (configure in database section)
-  databaseLocation: "on-cluster"
-  # Set the location of Workflow's Registry
-  #
-  # Valid values are:
-  # - on-cluster: Run registry within the Kubernetes cluster
-  # - off-cluster: Use registry outside the Kubernetes cluster (example: drycc registry,self-hosted)
-  registryLocation: "on-cluster"
-  # Prefix for the imagepull secret created when using private registry
-  registrySecretPrefix: "private-registry"
   # GatewayClass is cluster-scoped resource defined by the infrastructure provider.
   gatewayClass: ""
-  # Please check `kubernetes.io/ingress.class`
-  ingressClass: ""
   # A domain name consists of one or more parts.
   # Periods (.) are used to separate these parts.
   # Each part must be 1 to 63 characters in length and can contain lowercase letters, digits, and hyphens (-).
@@ -179,10 +168,3 @@ global:
   platformDomain: ""
   # Whether cert_manager is enabled to automatically generate controller certificates
   certManagerEnabled: true
-  passportLocation: "on-cluster"
-  # Set the location of Workflow's prometheus cluster
-  #
-  # Valid values are:
-  # - on-cluster: Run prometheus within the Kubernetes cluster
-  # - off-cluster: prometheus is running outside of the cluster and credentials and connection information will be provided.
-  prometheusLocation: "on-cluster"
diff --git a/rootfs/api/models/app.py b/rootfs/api/models/app.py
@@ -1149,12 +1149,12 @@ def _get_private_registry_config(self, ptype, image, registry=None):
             password = registry.get('password')
         elif settings.REGISTRY_LOCATION == 'off-cluster':
             secret = self.scheduler().secret.get(
-                settings.WORKFLOW_NAMESPACE, 'registry-secret').json()
-            username = secret['data']['username']
-            password = secret['data']['password']
-            hostname = secret['data']['hostname']
+                settings.WORKFLOW_NAMESPACE, 'controller-creds').json()
+            hostname = secret['data']['registry-host']
             if hostname == '':
                 hostname = docker_auth.INDEX_URL
+            username = secret['data']['registry-username']
+            password = secret['data']['registry-password']
             name = name + '-' + settings.REGISTRY_LOCATION
         else:
             return None, None, None
diff --git a/rootfs/api/tests/test_build.py b/rootfs/api/tests/test_build.py
@@ -510,13 +510,13 @@ def test_new_build_does_not_scale_up_automatically(self, mock_requests):
         self.assertEqual(response.status_code, 200, response.data)
         self.assertEqual(len(response.data['results']), 0)
 
-    def test_build_image_in_registry(self, mock_requests):
+    def test_build_image_in_registry_ok(self, mock_requests):
         """When the image is already in the drycc registry no pull/tag/push happens"""
         app_id = self.create_app()
 
         # post an image as a build using registry hostname
         url = f"/v2/apps/{app_id}/build"
-        image = '127.0.0.1:5000/autotest/example'
+        image = 'registry.drycc.cc:5000/autotest/example'
         body = {'image': image, 'stack': 'container'}
         response = self.client.post(url, body)
         self.assertEqual(response.status_code, 201, response.data)
@@ -527,7 +527,7 @@ def test_build_image_in_registry(self, mock_requests):
 
         # post an image as a build using registry hostname + port
         url = f"/v2/apps/{app_id}/build"
-        image = '127.0.0.1:5000/autotest/example'
+        image = 'registry.drycc.cc:5000/autotest/example'
         body = {'image': image, 'stack': 'container'}
         response = self.client.post(url, body)
         self.assertEqual(response.status_code, 201, response.data)
@@ -536,6 +536,18 @@ def test_build_image_in_registry(self, mock_requests):
         release = build.app.release_set.latest()
         self.assertEqual(release.get_deploy_image(PTYPE_WEB), image)
 
+    def test_build_image_in_registry_err(self, mock_requests):
+        """When the image is already in the drycc registry no pull/tag/push happens"""
+        app_id = self.create_app()
+
+        # post an image as a build using registry hostname
+        url = f"/v2/apps/{app_id}/build"
+        for host in ['127.0.0.1', 'localhost', 'localhost:5000', '127.0.0.1:5000']:
+            image = f'{host}/autotest/example'
+            body = {'image': image, 'stack': 'container'}
+            response = self.client.post(url, body)
+            self.assertEqual(response.status_code, 400, response.data)
+
     def test_build_image_in_registry_with_auth(self, mock_requests):
         """add authentication to the build"""
         app_id = self.create_app()
diff --git a/rootfs/api/tests/test_release.py b/rootfs/api/tests/test_release.py
@@ -138,7 +138,7 @@ def test_get_image(self, mock_requests):
         app_id = self.create_app()
         url = f"/v2/apps/{app_id}/build"
         body = {
-            'image': '127.0.0.1:5555/autotest/example:git-fadf1231',
+            'image': 'registry.drycc.cc:5555/autotest/example:git-fadf1231',
             'stack': 'heroku-18',
             'sha': 'a'*40,
             'dryccfile': {
@@ -206,15 +206,15 @@ def test_get_image(self, mock_requests):
                         "deploy": {
                             "command": ["bash", "-c"],
                             "args": ["bundle exec puma -C config/puma.rb"],
-                            "image": "127.0.0.1:7070/myapp/web:git-123fsa1",
+                            "image": "registry.drycc.cc:7070/myapp/web:git-123fsa1",
                         },
                     },
                 },
             },
         }
-        default_image = '127.0.0.1:5555/autotest/example:git-fadf1231'
-        worker_image = "127.0.0.1:5555/autotest/example:git-fadf1231-worker"
-        worker_4_image = "127.0.0.1:7070/myapp/web:git-123fsa1"
+        default_image = 'registry.drycc.cc:5555/autotest/example:git-fadf1231'
+        worker_image = "registry.drycc.cc:5555/autotest/example:git-fadf1231-worker"
+        worker_4_image = "registry.drycc.cc:7070/myapp/web:git-123fsa1"
 
         with mock.patch('scheduler.resources.pod.Pod.watch') as mock_kube:
             mock_kube.return_value = ['up', 'down']
diff --git a/rootfs/api/views.py b/rootfs/api/views.py
@@ -44,6 +44,7 @@
 
 User = get_user_model()
 logger = logging.getLogger(__name__)
+is_loopback = re.compile(r'^(localhost|127\.0\.0\.1)(:\d+)?/').match
 oauth_cache_manager = OauthCacheManager()
 NAMESPACE = getattr(settings, setting_name('URL_NAMESPACE'), None) or 'social'
 
@@ -352,6 +353,10 @@ class BuildViewSet(ReleasableViewSet):
     serializer_class = serializers.BuildSerializer
 
     def post_save(self, build):
+        for ptype in build.ptypes:
+            image = build.get_image(ptype)
+            if is_loopback(image):
+                raise DryccException("image must not use the loopback address")
         build.create_release(self.request.user)
         super(BuildViewSet, self).post_save(build)
 
diff --git a/rootfs/scheduler/mock.py b/rootfs/scheduler/mock.py
@@ -1093,14 +1093,14 @@ def __init__(self, url, k8s_api_verify_tls=True):
             self.secret.create('drycc', 'objectstorage-keyfile', secrets)
 
         try:
-            self.secret.get('drycc', 'registry-secret')
+            self.secret.get('drycc', 'controller-creds')
         except KubeHTTPException:
             secrets = {
-                'username': 'test',
-                'password': 'test',
-                'hostname': ''
+                'registry-host': '',
+                'registry-username': 'test',
+                'registry-password': 'test',
             }
-            self.secret.create('drycc', 'registry-secret', secrets)
+            self.secret.create('drycc', 'controller-creds', secrets)
 
         try:
             self.ns.get('duplicate')
