From 05106829083345e996f3438e901fbdf2e34b0870 Mon Sep 17 00:00:00 2001
From: jessebot
Date: Tue, 21 Nov 2023 12:34:37 +0100
Subject: [PATCH] adding ability to use an existing Secret for s3

---
 k8s/charts/seaweedfs/Chart.yaml | 2 +-
 k8s/charts/seaweedfs/README.md | 73 ++++++++++++++++++-
 .../templates/filer-statefulset.yaml | 8 ++
 .../seaweedfs/templates/s3-deployment.yaml | 8 ++
 .../templates/seaweedfs-s3-secret.yaml | 4 +-
 k8s/charts/seaweedfs/values.yaml | 8 +-
 6 files changed, 95 insertions(+), 8 deletions(-)

diff --git a/k8s/charts/seaweedfs/Chart.yaml b/k8s/charts/seaweedfs/Chart.yaml
index b3616e362..b760fd5a9 100644
--- a/k8s/charts/seaweedfs/Chart.yaml
+++ b/k8s/charts/seaweedfs/Chart.yaml
@@ -2,4 +2,4 @@ apiVersion: v1
 description: SeaweedFS
 name: seaweedfs
 appVersion: "3.59"
-version: 3.59.1
+version: 3.59.3
diff --git a/k8s/charts/seaweedfs/README.md b/k8s/charts/seaweedfs/README.md
index ead85121e..a70274df9 100644
--- a/k8s/charts/seaweedfs/README.md
+++ b/k8s/charts/seaweedfs/README.md
@@ -4,15 +4,21 @@
 ### Add the helm repo
-`helm repo add seaweedfs https://seaweedfs.github.io/seaweedfs/helm`
+```bash
+helm repo add seaweedfs https://seaweedfs.github.io/seaweedfs/helm
+```
 ### Install the helm chart
-`helm install seaweedfs seaweedfs/seaweedfs`
+```bash
+helm install seaweedfs seaweedfs/seaweedfs
+```
 ### (Recommended) Provide `values.yaml`
-`helm install --values=values.yaml seaweedfs seaweedfs/seaweedfs`
+```bash
+helm install --values=values.yaml seaweedfs seaweedfs/seaweedfs
+```
 ## Info:
 * master/filer/volume are stateful sets with anti-affinity on the hostname,
@@ -78,4 +84,63 @@ for your deployment.
 You can update the replicas count for each node type in values.yaml, need to add more nodes with the corresponding labels if applicable.
-Most of the configuration are available through values.yaml any pull requests to expand functionality or usability are greatly appreciated. Any pull request must pass [chart-testing](https://github.com/helm/chart-testing).
\ No newline at end of file
+Most of the configuration are available through values.yaml any pull requests to expand functionality or usability are greatly appreciated. Any pull request must pass [chart-testing](https://github.com/helm/chart-testing).
+
+## S3 configuration
+
+To enable an s3 endpoint for your filer with a default install add the following to your values.yaml:
+
+```yaml
+filer:
+ s3:
+ enabled: true
+```
+
+### Enabling Authenticaion to S3
+
+To enable authentication for S3, you have two options:
+
+- let the helm chart create an admin user as well as a read only user
+- provide your own s3 config.json file via an existing Kubernetes Secret
+
+#### Use the default credentials for S3
+
+Example parameters for your values.yaml:
+
+```yaml
+filer:
+ s3:
+ enabled: true
+ enableAuth: true
+```
+
+#### Provide your own credentials for S3
+
+Example parameters for your values.yaml:
+
+```yaml
+filer:
+ s3:
+ enabled: true
+ enableAuth: true
+ existingConfigSecret: my-s3-secret
+```
+
+Example existing secret with your s3 config to create an admin user and readonly user, both with credentials:
+
+```yaml
+---
+# Source: seaweedfs/templates/seaweedfs-s3-secret.yaml
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: my-s3-secret
+ namespace: seaweedfs
+ labels:
+ app.kubernetes.io/name: seaweedfs
+ app.kubernetes.io/component: s3
+stringData:
+ # this key must be an inline json config file
+ seaweedfs_s3_config: 
'{"identities":[{"name":"anvAdmin","credentials":[{"accessKey":"snu8yoP6QAlY0ne4","secretKey":"PNzBcmeLNEdR0oviwm04NQAicOrDH1Km"}],"actions":["Admin","Read","Write"]},{"name":"anvReadOnly","credentials":[{"accessKey":"SCigFee6c5lbi04A","secretKey":"kgFhbT38R8WUYVtiFQ1OiSVOrYr3NKku"}],"actions":["Read"]}]}'
+```
diff --git a/k8s/charts/seaweedfs/templates/filer-statefulset.yaml b/k8s/charts/seaweedfs/templates/filer-statefulset.yaml
index d620a1a99..c4d5ef9df 100644
--- a/k8s/charts/seaweedfs/templates/filer-statefulset.yaml
+++ b/k8s/charts/seaweedfs/templates/filer-statefulset.yaml
@@ -195,9 +197,11 @@ spec:
 - name: seaweedfs-filer-log-volume
 mountPath: "/logs/"
 {{- end }}
+ {{- if .Values.filer.s3.enableAuth }}
 - mountPath: /etc/sw
 name: config-users
 readOnly: true
+ {{- end }}
 {{- if (or .Values.filer.enablePVC (or (eq .Values.filer.data.type "hostPath") (eq .Values.filer.data.type "persistentVolumeClaim"))) }}
 - name: data-filer
 mountPath: /data
@@ -285,10 +287,16 @@ spec:
 - name: db-schema-config-volume
 configMap:
 name: seaweedfs-db-init-config
+ {{- if .Values.filer.s3.enableAuth }}
 - name: config-users
 secret:
 defaultMode: 420
+ {{- if .Values.filer.s3.existingConfigSecret }}
+ secretName: {{ .Values.s3.existingConfigSecret }}
+ {{- else }}
 secretName: seaweedfs-s3-secret
+ {{- end }}
+ {{- end }}
 {{- if .Values.global.enableSecurity }}
 - name: security-config
 configMap:
diff --git a/k8s/charts/seaweedfs/templates/s3-deployment.yaml b/k8s/charts/seaweedfs/templates/s3-deployment.yaml
index 2a343b573..18da6b606 100644
--- a/k8s/charts/seaweedfs/templates/s3-deployment.yaml
+++ b/k8s/charts/seaweedfs/templates/s3-deployment.yaml
@@ -121,9 +121,11 @@ spec:
 - name: logs
 mountPath: "/logs/"
 {{- end }}
+ {{- if .Values.s3.enableAuth }}
 - mountPath: /etc/sw
 name: config-users
 readOnly: true
+ {{- end }}
 {{- if .Values.global.enableSecurity }}
 - name: security-config
 readOnly: true
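Review bot: In the volumes hunk of filer-statefulset.yaml the guard `{{- if .Values.filer.s3.existingConfigSecret }}` and the rendered value `secretName: {{ .Values.s3.existingConfigSecret }}` read two different settings, while every other reference in this template, including the new `enableAuth` guard in the same hunk, uses `.Values.filer.s3.*`; with only `filer.s3.existingConfigSecret` set (the form the README documents) `secretName` renders empty, and with only `s3.existingConfigSecret` set the filer keeps referencing the generated `seaweedfs-s3-secret`, which seaweedfs-s3-secret.yaml now skips creating. The value line should read `secretName: {{ .Values.filer.s3.existingConfigSecret | quote }}`. The volumes hunk of s3-deployment.yaml has the mirror-image mismatch — its guard tests `.Values.filer.s3.existingConfigSecret` although the rest of that template, including its new `{{- if .Values.s3.enableAuth }}`, reads `.Values.s3.*` — so that guard should become `{{- if .Values.s3.existingConfigSecret }}`. Both hunks sit inside `volumes:` lists that begin and end outside the hunk.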
@@ -182,10 +184,16 @@ spec:
 {{ tpl .Values.s3.resources . | nindent 12 | trim }}
 {{- end }}
 volumes:
+ {{- if .Values.s3.enableAuth }}
 - name: config-users
 secret:
 defaultMode: 420
+ {{- if .Values.filer.s3.existingConfigSecret }}
+ secretName: {{ .Values.s3.existingConfigSecret }}
+ {{- else }}
 secretName: seaweedfs-s3-secret
+ {{- end }}
+ {{- end }}
 {{- if eq .Values.s3.logs.type "hostPath" }}
 - name: logs
 hostPath:
diff --git a/k8s/charts/seaweedfs/templates/seaweedfs-s3-secret.yaml b/k8s/charts/seaweedfs/templates/seaweedfs-s3-secret.yaml
index 0f3674380..58e649c98 100644
--- a/k8s/charts/seaweedfs/templates/seaweedfs-s3-secret.yaml
+++ b/k8s/charts/seaweedfs/templates/seaweedfs-s3-secret.yaml
@@ -1,4 +1,4 @@
-{{- if not (or .Values.filer.s3.skipAuthSecretCreation .Values.s3.skipAuthSecretCreation) }}
+{{- if not (or .Values.filer.s3.skipAuthSecretCreation .Values.s3.skipAuthSecretCreation .Values.s3.existingConfigSecret ) }}
 {{- $access_key_admin := randAlphaNum 16 -}}
 {{- $secret_key_admin := randAlphaNum 32 -}}
 {{- $access_key_read := randAlphaNum 16 -}}
@@ -32,4 +32,4 @@ stringData:
 s3_auditLogConfig.json: |
 {{ toJson .Values.s3.auditLogConfig | nindent 4 }}
 {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/k8s/charts/seaweedfs/values.yaml b/k8s/charts/seaweedfs/values.yaml
index c2e85d996..7f09c1800 100644
--- a/k8s/charts/seaweedfs/values.yaml
+++ b/k8s/charts/seaweedfs/values.yaml
@@ -411,7 +411,7 @@ filer:
 # annotations:
 # "key": "value"
 #
-# You may also spacify an existing claim:
+# You may also specify an existing claim:
 # data:
 # type: "existingClaim"
 # claimName: "my-pvc"
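Review bot: The new skip condition in seaweedfs-s3-secret.yaml tests only `.Values.s3.existingConfigSecret`, whereas filer-statefulset.yaml selects the user's Secret on `.Values.filer.s3.existingConfigSecret` and the README documents only the `filer.s3` form, so a user following the README still gets a generated `seaweedfs-s3-secret` carrying fresh random credentials that is presumably never mounted. Test both values, `{{- if not (or .Values.filer.s3.skipAuthSecretCreation .Values.s3.skipAuthSecretCreation .Values.filer.s3.existingConfigSecret .Values.s3.existingConfigSecret) }}`, which also drops the stray space before the closing `)`. The guarded body of the template, from the random key generation down to the closing `{{- end }}` in the second hunk, lies outside this hunk.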
@@ -571,6 +571,9 @@ filer:
 # enable user & permission to s3 (need to inject to all services)
 enableAuth: false
 skipAuthSecretCreation: false
+ # set to the name of an existing kubernetes Secret with the s3 json config file
+ # should have a secret key called seaweedfs_s3_config with an inline json configure
+ existingConfigSecret: ""
 auditLogConfig: {}
 s3:
@@ -591,6 +594,9 @@ s3:
 # enable user & permission to s3 (need to inject to all services)
 enableAuth: false
 skipAuthSecretCreation: false
+ # set to the name of an existing kubernetes Secret with the s3 json config file
+ # should have a secret key called seaweedfs_s3_config with an inline json config
+ existingConfigSecret: ""
 auditLogConfig: {}
 # Suffix of the host name, {bucket}.{domainName}
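Review bot: The comment added under `filer.s3` ends with `an inline json configure` while its counterpart under `s3` says `an inline json config`; the two stanzas are otherwise word-for-word identical and should stay so. Both comments would also help users more if they stated what the templates require of the Secret: it is only mounted when `enableAuth` is true (the mount in filer-statefulset.yaml and s3-deployment.yaml sits inside that guard), the data key must be exactly `seaweedfs_s3_config`, and as written only `s3.existingConfigSecret` stops the chart from generating its own `seaweedfs-s3-secret`. For example: `# name of an existing Secret whose key seaweedfs_s3_config holds the inline json config; only used when enableAuth is true`. The `filer.s3` and `s3` stanzas continue outside these hunks.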