kubevela/charts/vela-core/README.md
Ayush Kumar 36f217e258 Feat: webhook reject unknown cr outputs (#6932)
* feat: implement output resource existence validation in component, trait, and policy definitions

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

feat: add validation tests for ComponentDefinition and TraitDefinition outputs

- Implement tests for ComponentDefinition with non-existent CRDs in outputs, ensuring they are rejected.
- Add tests for valid outputs in ComponentDefinition, confirming acceptance.
- Include tests for mixed valid and non-K8s outputs in ComponentDefinition, verifying they pass validation.
- Test handling of empty outputs in ComponentDefinition, ensuring they are accepted.
- Introduce tests for invalid apiVersion formats in ComponentDefinition, confirming rejection.
- Add tests for TraitDefinition with mixed valid and invalid outputs, ensuring proper rejection.
- Create YAML manifests for valid and invalid ComponentDefinitions and TraitDefinitions to support e2e tests.
- Ensure comprehensive coverage of edge cases in output validation logic.

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

fix: handle errors in resource validation for component, trait, and policy definitions

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

fix: improve error handling in Go module tidy and resource validation

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

feat: add webhook debugging setup and validation tests for ComponentDefinition and TraitDefinition

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

feat: add VS Code launch configuration for debugging webhook validation

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

refactor: streamline error handling in Go module tidy and remove obsolete test manifests

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

feat: add mock context support for CUE template compilation

Signed-off-by: Reetika Malhotra <malhotra.reetika25@gmail.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

feat: enhance validation for WorkflowStepDefinition resources and improve output resource checks

Signed-off-by: viskumar <viskumar@guidewire.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

feat: implement resource validation for CUE templates and add unit tests

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

feat: enhance logging and validation for component, policy, and trait definitions

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

feat: improve error handling and logging in validation handlers for component, policy, trait, and workflow step definitions

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

Remove testUnknownResource folder from repository

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

feat: implement structured logging for validation handlers and remove deprecated request_logger

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

feat: enhance structured logging and error handling in admission validation handlers

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

feat: improve logging messages in validating handlers for better clarity

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

feat: refactor logging field definitions for consistency and improve error handling in resource validation

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

chore: add license header to invalid_resource_check.go and invalid_resource_check_test.go

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

feat: enhance validation tests for WorkflowStepDefinition and improve error messages

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

feat: add e2e-test-local target for k3d cluster setup and webhook validation

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

feat: add webhook configuration for workflow step definitions with validation rules

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

feat: update e2e-test-local configuration and improve Ingress API version compatibility

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

feat: add installation of FluxCD CRDs in pre-hook to prevent webhook validation errors

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

feat: add ValidateResourcesExist feature gate and enhance resource validation in webhook handlers

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

feat: enhance resource validation in e2e tests and improve addon definition checks

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

feat: enhance addon definition detection by using owner references for validation

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

feat: add ValidateResourcesExist feature gate and implement webhook validation for resource existence

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

feat: update Ingress API version to v1 and adjust service references in tests

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

chore: remove webhook test commands and related YAML files from makefiles and tests

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

chore: remove architecture section from webhook debugging guide

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

feat: update webhook setup script with k3d host gateway IP note and improve cluster creation logic

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

* Fix: Correct path in Ingress resource definition in template tests

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>

* Chore: add empty line to re-trigger failing workflow

Signed-off-by: Vaibhav Agrawal <vaibhav.agrawal0096@gmail.com>

* Chore: remove space to re-trigger workflow

Signed-off-by: Chaitanya Reddy Onteddu <co@guidewire.com>

---------

Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
Signed-off-by: Vaibhav Agrawal <vaibhav.agrawal0096@gmail.com>
Signed-off-by: Chaitanya Reddy Onteddu <co@guidewire.com>
Co-authored-by: Chaitanya Reddy Onteddu <chaitanyareddy0702@gmail.com>
Co-authored-by: Amit Singh <amisingh@guidewire.com>
2025-09-30 09:30:53 -07:00


<div style="text-align: center">
<p align="center">
<img src="https://raw.githubusercontent.com/kubevela/kubevela.io/main/docs/resources/KubeVela-03.png">
<br><br>
<i>Make shipping applications more enjoyable.</i>
</p>
</div>
![Build status](https://github.com/kubevela/kubevela/workflows/E2E/badge.svg)
[![Go Report Card](https://goreportcard.com/badge/github.com/kubevela/kubevela)](https://goreportcard.com/report/github.com/kubevela/kubevela)
![Docker Pulls](https://img.shields.io/docker/pulls/oamdev/vela-core)
[![codecov](https://codecov.io/gh/kubevela/kubevela/branch/master/graph/badge.svg)](https://codecov.io/gh/kubevela/kubevela)
[![LICENSE](https://img.shields.io/github/license/kubevela/kubevela.svg?style=flat-square)](/LICENSE)
[![Releases](https://img.shields.io/github/release/kubevela/kubevela/all.svg?style=flat-square)](https://github.com/kubevela/kubevela/releases)
[![TODOs](https://img.shields.io/endpoint?url=https://api.tickgit.com/badge?repo=github.com/kubevela/kubevela)](https://www.tickgit.com/browse?repo=github.com/oam-dev/kubevela)
[![Twitter](https://img.shields.io/twitter/url?style=social&url=https%3A%2F%2Ftwitter.com%2Foam_dev)](https://twitter.com/oam_dev)
[![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/kubevela)](https://artifacthub.io/packages/search?repo=kubevela)
[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4602/badge)](https://bestpractices.coreinfrastructure.org/projects/4602)
# KubeVela helm chart
KubeVela is a modern application platform that makes it easier and faster to deliver and manage applications across hybrid,
multi-cloud environments. At the same time, it is highly extensible and programmable, so it can adapt to your needs as they grow.
## TL;DR
```bash
helm repo add kubevela https://kubevela.github.io/charts
helm repo update
helm install --create-namespace -n vela-system kubevela kubevela/vela-core --wait
```
## Prerequisites
- Kubernetes >= v1.19 && < v1.22
## Parameters
### KubeVela core parameters
| Name | Description | Value |
| ----------------------------- | --------------------------------------------------------------------------------------------- | ----- |
| `systemDefinitionNamespace` | System definition namespace, if unspecified, will use built-in variable `.Release.Namespace`. | `nil` |
| `applicationRevisionLimit` | Application revision limit | `2` |
| `definitionRevisionLimit` | Definition revision limit | `2` |
| `concurrentReconciles`        | Number of concurrent reconciles run by the controller                                         | `4`   |
| `controllerArgs.reSyncPeriod` | The period for resyncing the applications                                                     | `5m`  |
### KubeVela workflow parameters
| Name | Description | Value |
| ------------------------------------------------------- | ------------------------------------------------------- | ------- |
| `workflow.enableSuspendOnFailure` | Enable suspend on workflow failure | `false` |
| `workflow.enableExternalPackageForDefaultCompiler` | Enable external package for default cuex compiler | `true` |
| `workflow.enableExternalPackageWatchForDefaultCompiler` | Enable external package watch for default cuex compiler | `false` |
| `workflow.backoff.maxTime.waitState` | The max backoff time of workflow in a wait condition | `60` |
| `workflow.backoff.maxTime.failedState` | The max backoff time of workflow in a failed condition | `300` |
| `workflow.step.errorRetryTimes` | The max retry times of a failed workflow step | `10` |
### KubeVela controller parameters
| Name | Description | Value |
| --------------------------- | ------------------------------------ | ------------------ |
| `replicaCount` | KubeVela controller replica count | `1` |
| `imageRegistry` | Image registry | `""` |
| `image.repository` | Image repository | `oamdev/vela-core` |
| `image.tag` | Image tag | `latest` |
| `image.pullPolicy` | Image pull policy | `Always` |
| `resources.limits.cpu` | KubeVela controller's cpu limit | `500m` |
| `resources.limits.memory` | KubeVela controller's memory limit | `1Gi` |
| `resources.requests.cpu` | KubeVela controller's cpu request | `50m` |
| `resources.requests.memory` | KubeVela controller's memory request | `20Mi` |
| `webhookService.type` | KubeVela webhook service type | `ClusterIP` |
| `webhookService.port` | KubeVela webhook service port | `9443` |
| `healthCheck.port` | KubeVela health check port | `9440` |
### KubeVela controller optimization parameters
| Name | Description | Value |
| ------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| `optimize.cachedGvks` | Optimize types of resources to be cached. | `""` |
| `optimize.markWithProb`                                      | Optimize ResourceTracker GC by only running the mark phase with this probability. Side effect: outdated ResourceTrackers might not be removed immediately.                                                                       | `0.1`   |
| `optimize.disableComponentRevision` | Optimize componentRevision by disabling the creation and gc | `true` |
| `optimize.disableApplicationRevision` | Optimize ApplicationRevision by disabling the creation and gc. | `false` |
| `optimize.enableInMemoryWorkflowContext` | Optimize workflow by use in-memory context. | `false` |
| `optimize.disableResourceApplyDoubleCheck` | Optimize workflow by ignoring resource double check after apply. | `false` |
| `optimize.enableResourceTrackerDeleteOnlyTrigger` | Optimize resourcetracker by only trigger reconcile when resourcetracker is deleted. | `true` |
| `featureGates.gzipResourceTracker`                           | compress ResourceTracker using gzip (good) before it is stored. This reduces network throughput when dealing with huge ResourceTrackers.                                                                                        | `false` |
| `featureGates.zstdResourceTracker`                           | compress ResourceTracker using zstd (fast and good) before it is stored. This reduces network throughput when dealing with huge ResourceTrackers. Note that zstd is prioritized if you enable other compression options.        | `true`  |
| `featureGates.applyOnce`                                     | if enabled, the apply-once feature is applied to all applications: no state-keep and no resource data storage in ResourceTracker                                                                                               | `false` |
| `featureGates.multiStageComponentApply`                      | if enabled, the multiStageComponentApply feature is combined with the stage field in TraitDefinition to complete the multi-stage apply.                                                                                        | `true`  |
| `featureGates.gzipApplicationRevision`                       | compress ApplicationRevision using gzip (good) before it is stored. This reduces network throughput when dealing with huge ApplicationRevisions.                                                                                | `false` |
| `featureGates.zstdApplicationRevision`                       | compress ApplicationRevision using zstd (fast and good) before it is stored. This reduces network throughput when dealing with huge ApplicationRevisions. Note that zstd is prioritized if you enable other compression options. | `true`  |
| `featureGates.preDispatchDryRun`                             | enable dry-run before dispatching resources. Enabling this flag helps prevent unsuccessfully dispatched resources from entering the ResourceTracker and improves the gc user experience, at the cost of extra network requests.  | `true`  |
| `featureGates.validateComponentWhenSharding` | enable component validation in webhook when sharding mode enabled | `false` |
| `featureGates.disableWebhookAutoSchedule` | disable auto schedule for application mutating webhook when sharding enabled | `false` |
| `featureGates.disableBootstrapClusterInfo` | disable the cluster info bootstrap at the starting of the controller | `false` |
| `featureGates.informerCacheFilterUnnecessaryFields` | filter unnecessary fields for informer cache | `true` |
| `featureGates.sharedDefinitionStorageForApplicationRevision` | use definition cache to reduce duplicated definition storage for application revision, must be used with InformerCacheFilterUnnecessaryFields | `true` |
| `featureGates.disableWorkflowContextConfigMapCache` | disable the workflow context's configmap informer cache | `true` |
| `featureGates.enableCueValidation` | enable the strict cue validation for cue required parameter fields | `false` |
| `featureGates.enableApplicationStatusMetrics` | enable application status metrics and structured logging | `false` |
| `featureGates.validateResourcesExist` | enable webhook validation to check if resource types referenced in definition templates exist in the cluster | `false` |
### MultiCluster parameters
| Name | Description | Value |
| ------------------------------------------------------------- | ------------------------------------------------------------------------------------------- | -------------------------------- |
| `multicluster.enabled` | Whether to enable multi-cluster | `true` |
| `multicluster.metrics.enabled` | Whether to enable multi-cluster metrics collect | `false` |
| `multicluster.clusterGateway.direct` | controller will connect to ClusterGateway directly instead of going to Kubernetes APIServer | `true` |
| `multicluster.clusterGateway.replicaCount` | ClusterGateway replica count | `1` |
| `multicluster.clusterGateway.port` | ClusterGateway port | `9443` |
| `multicluster.clusterGateway.image.repository` | ClusterGateway image repository | `oamdev/cluster-gateway` |
| `multicluster.clusterGateway.image.tag` | ClusterGateway image tag | `v1.9.0-alpha.2` |
| `multicluster.clusterGateway.image.pullPolicy` | ClusterGateway image pull policy | `IfNotPresent` |
| `multicluster.clusterGateway.resources.requests.cpu` | ClusterGateway cpu request | `50m` |
| `multicluster.clusterGateway.resources.requests.memory` | ClusterGateway memory request | `20Mi` |
| `multicluster.clusterGateway.resources.limits.cpu` | ClusterGateway cpu limit | `500m` |
| `multicluster.clusterGateway.resources.limits.memory` | ClusterGateway memory limit | `200Mi` |
| `multicluster.clusterGateway.secureTLS.enabled` | Whether to enable secure TLS | `true` |
| `multicluster.clusterGateway.secureTLS.certPath` | Path to the certificate file | `/etc/k8s-cluster-gateway-certs` |
| `multicluster.clusterGateway.secureTLS.certManager.enabled` | Whether to enable cert-manager | `false` |
| `multicluster.clusterGateway.serviceMonitor.enabled` | Whether to enable service monitor | `false` |
| `multicluster.clusterGateway.serviceMonitor.additionalLabels` | Additional labels for service monitor | `{}` |
### Test parameters
| Name | Description | Value |
| --------------------- | ------------------- | -------------------- |
| `test.app.repository` | Test app repository | `oamdev/hello-world` |
| `test.app.tag` | Test app tag | `v1` |
| `test.k8s.repository` | Test k8s repository | `oamdev/alpine-k8s` |
| `test.k8s.tag` | Test k8s tag | `1.18.2` |
### Common parameters
| Name | Description | Value |
| ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------- |
| `imagePullSecrets` | Image pull secrets | `[]` |
| `nameOverride` | Override name | `""` |
| `fullnameOverride` | Fullname override | `""` |
| `serviceAccount.create` | Specifies whether a service account should be created | `true` |
| `serviceAccount.annotations` | Annotations to add to the service account | `{}` |
| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | `nil` |
| `nodeSelector` | Node selector | `{}` |
| `tolerations` | Tolerations | `[]` |
| `affinity` | Affinity | `{}` |
| `rbac.create`                                  | Specifies whether an RBAC role should be created                                                                                                                   | `true`               |
| `logDebug` | Enable debug logs for development purpose | `false` |
| `logFilePath` | If non-empty, write log files in this path | `""` |
| `logFileMaxSize` | Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. | `1024` |
| `kubeClient.qps` | The qps for reconcile clients | `400` |
| `kubeClient.burst` | The burst for reconcile clients | `600` |
| `authentication.enabled` | Enable authentication framework for applications | `false` |
| `authentication.withUser` | Application authentication will impersonate as the request User (must be true for security) | `true` |
| `authentication.defaultUser` | Application authentication will impersonate as the User if no user provided or withUser is false | `kubevela:vela-core` |
| `authentication.groupPattern` | Application authentication will impersonate as the request Group that matches the pattern | `kubevela:*` |
| `authorization.definitionValidationEnabled` | Enable definition permission validation for RBAC checks on definitions | `false` |
| `sharding.enabled` | When sharding enabled, the controller will run as master mode. Refer to https://github.com/kubevela/kubevela/blob/master/design/vela-core/sharding.md for details. | `false` |
| `sharding.schedulableShards` | The shards available for scheduling. If empty, dynamic discovery will be used. | `""` |
| `core.metrics.enabled` | Enable metrics for vela-core | `false` |
| `core.metrics.serviceMonitor.enabled` | Enable service monitor for metrics | `false` |
| `core.metrics.serviceMonitor.additionalLabels` | Additional labels for service monitor | `{}` |
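As an added example (not part of the chart's README or the chart itself), a values override that sets the security-relevant parameters from the tables above. The file name `values-hardened.yaml` and the image tag `vX.Y.Z` are placeholders; replace the tag with a pinned release.

```yaml
# Added example values override for the vela-core chart (not shipped with the chart).
# Apply with:
#   helm upgrade --install --create-namespace -n vela-system kubevela kubevela/vela-core -f values-hardened.yaml

image:
  repository: oamdev/vela-core
  tag: "vX.Y.Z"             # placeholder: pin a specific release instead of the default `latest`
  pullPolicy: IfNotPresent  # with a pinned tag there is no need to re-pull on every restart

authentication:
  enabled: true             # apply application resources as the requesting user, not as the controller
  withUser: true            # keep true: impersonation must follow the request user, not the shared default
  defaultUser: kubevela:vela-core
  groupPattern: "kubevela:*"

authorization:
  definitionValidationEnabled: true   # RBAC permission checks on definitions

featureGates:
  validateResourcesExist: true        # reject definitions whose templates reference resource types absent from the cluster
  enableCueValidation: true           # strict CUE validation of required parameter fields

logDebug: false             # debug logging is for development only
```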
## Uninstallation
### Vela CLI
To uninstall KubeVela, run the following command with the vela CLI:
```shell
vela uninstall --force
```
### Helm CLI
**Notice**: You must disable all the addons before uninstallation; the following script does this for convenience.
```shell
#!/bin/sh
# Collect the names of all enabled addons (first column of `vela addon list`).
addons=$(vela addon list | grep enabled | awk '{print $1}')
fluxcd=false
for var in $addons
do
  # Skip fluxcd in the loop so it is disabled last, after every other addon.
  if [ "$var" = "fluxcd" ]; then
    fluxcd=true
  else
    vela addon disable "$var"
  fi
done
if [ "$fluxcd" = true ]; then
  vela addon disable fluxcd
fi
```
Make sure all existing KubeVela resources are deleted before uninstallation:
```shell
kubectl delete applicationrevisions.core.oam.dev --all
kubectl delete applications.core.oam.dev --all
kubectl delete componentdefinitions.core.oam.dev --all
kubectl delete definitionrevisions.core.oam.dev --all
kubectl delete policies.core.oam.dev --all
kubectl delete policydefinitions.core.oam.dev --all
kubectl delete resourcetrackers.core.oam.dev --all
kubectl delete traitdefinitions.core.oam.dev --all
kubectl delete workflows.core.oam.dev --all
kubectl delete workflowstepdefinitions.core.oam.dev --all
kubectl delete workloaddefinitions.core.oam.dev --all
```
To uninstall the KubeVela helm release:
```shell
helm uninstall -n vela-system kubevela
```
Finally, this command removes all the Kubernetes resources associated with KubeVela and removes the chart release.