chore: fix license rbac, add heartbeat to cloud. (#4410)

* chore: fix license rbac.

Signed-off-by: yy <lingdie.yy@outlook.com>

* chore: add heartbeat to cloud.

Signed-off-by: yy <lingdie.yy@outlook.com>

---------

Signed-off-by: yy <lingdie.yy@outlook.com>

controllers/job/heartbeat/deploy/manifests/deploy.yaml

@@ -40,10 +40,9 @@ metadata:
   namespace: sealos
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+kind: ClusterRole
 metadata:
-  name: heartbeat-cronjob-role
-  namespace: sealos
+  name: heartbeat-cronjob-cluster-role
 rules:
   - apiGroups: [ "" ]
     resources: [ "nodes" ]
@@ -54,14 +53,13 @@ rules:
     verbs: [ "get" ]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
+kind: ClusterRoleBinding
 metadata:
-  name: heartbeat-cronjob-role-binding
-  namespace: sealos
+  name: heartbeat-cronjob-cluster-role-binding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: heartbeat-cronjob-role
+  kind: ClusterRole
+  name: heartbeat-cronjob-cluster-role
 subjects:
   - kind: ServiceAccount
     name: heartbeat-cronjob

controllers/license/deploy/manifests/rbac.yaml

@@ -0,0 +1,22 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kube-system-namespace-read-cluster-role
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "namespaces" ]
+    resourceNames: [ "kube-system" ]
+    verbs: [ "get" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: license-controller-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kube-system-namespace-read-cluster-role
+subjects:
+  - kind: ServiceAccount
+    name: license-controller-manager
+    namespace: license-system

deploy/cloud/init.sh

@@ -42,6 +42,7 @@ retryPullImage ghcr.io/labring/sealos-cloud-cronjob-frontend:latest
 
 retryPullImage ghcr.io/labring/sealos-cloud-database-service:latest
 retryPullImage ghcr.io/labring/sealos-cloud-job-init-controller:latest
+retryPullImage ghcr.io/labring/sealos-cloud-job-heartbeat-controller:latest
 
 sealos save -o tars/user.tar ghcr.io/labring/sealos-cloud-user-controller:latest
 sealos save -o tars/terminal.tar ghcr.io/labring/sealos-cloud-terminal-controller:latest
@@ -61,3 +62,4 @@ sealos save -o tars/frontend-cronjob.tar ghcr.io/labring/sealos-cloud-cronjob-fr
 
 sealos save -o tars/database-service.tar ghcr.io/labring/sealos-cloud-database-service:latest
 sealos save -o tars/job-init.tar ghcr.io/labring/sealos-cloud-job-init-controller:latest
+sealos save -o tars/job-heartbeat.tar ghcr.io/labring/sealos-cloud-job-heartbeat-controller:latest

deploy/cloud/scripts/init.sh

@@ -119,6 +119,7 @@ function sealos_run_controller {
 
 function sealos_authorize {
   sealos run tars/job-init.tar
+  sealos run tars/job-heartbeat.tar
 
   # wait for admin user create
   echo "Waiting for admin user create"

frontend/providers/license/deploy/manifests/deploy.yaml.tmpl

@@ -6,6 +6,25 @@ metadata:
   name: license-frontend
 ---
 apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: license-frontend
+  namespace: license-frontend
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: license-frontend-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kube-system-namespace-read-cluster-role
+subjects:
+  - kind: ServiceAccount
+    name: license-frontend
+    namespace: license-frontend
+---
+apiVersion: v1
 kind: ConfigMap
 metadata:
   name: license-frontend-config
@@ -34,6 +53,7 @@ spec:
       labels:
         app: license-frontend
     spec:
+      serviceAccountName: license-frontend
       containers:
         - name: license-frontend
           env: