adding ability to use an existing Secret for s3
parent
322e783525
commit
0510682908
|
@ -2,4 +2,4 @@ apiVersion: v1
|
||||||
description: SeaweedFS
|
description: SeaweedFS
|
||||||
name: seaweedfs
|
name: seaweedfs
|
||||||
appVersion: "3.59"
|
appVersion: "3.59"
|
||||||
version: 3.59.1
|
version: 3.59.3
|
||||||
|
|
|
@ -4,15 +4,21 @@
|
||||||
|
|
||||||
### Add the helm repo
|
### Add the helm repo
|
||||||
|
|
||||||
`helm repo add seaweedfs https://seaweedfs.github.io/seaweedfs/helm`
|
```bash
|
||||||
|
helm repo add seaweedfs https://seaweedfs.github.io/seaweedfs/helm
|
||||||
|
```
|
||||||
|
|
||||||
### Install the helm chart
|
### Install the helm chart
|
||||||
|
|
||||||
`helm install seaweedfs seaweedfs/seaweedfs`
|
```bash
|
||||||
|
helm install seaweedfs seaweedfs/seaweedfs
|
||||||
|
```
|
||||||
|
|
||||||
### (Recommended) Provide `values.yaml`
|
### (Recommended) Provide `values.yaml`
|
||||||
|
|
||||||
`helm install --values=values.yaml seaweedfs seaweedfs/seaweedfs`
|
```bash
|
||||||
|
helm install --values=values.yaml seaweedfs seaweedfs/seaweedfs
|
||||||
|
```
|
||||||
|
|
||||||
## Info:
|
## Info:
|
||||||
* master/filer/volume are stateful sets with anti-affinity on the hostname,
|
* master/filer/volume are stateful sets with anti-affinity on the hostname,
|
||||||
|
@ -79,3 +85,62 @@ You can update the replicas count for each node type in values.yaml,
|
||||||
need to add more nodes with the corresponding labels if applicable.
|
need to add more nodes with the corresponding labels if applicable.
|
||||||
|
|
||||||
Most of the configuration are available through values.yaml any pull requests to expand functionality or usability are greatly appreciated. Any pull request must pass [chart-testing](https://github.com/helm/chart-testing).
|
Most of the configuration are available through values.yaml any pull requests to expand functionality or usability are greatly appreciated. Any pull request must pass [chart-testing](https://github.com/helm/chart-testing).
|
||||||
|
|
||||||
|
## S3 configuration
|
||||||
|
|
||||||
|
To enable an s3 endpoint for your filer with a default install add the following to your values.yaml:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
filer:
|
||||||
|
s3:
|
||||||
|
enabled: true
|
||||||
|
```
|
||||||
|
|
||||||
|
### Enabling Authenticaion to S3
|
||||||
|
|
||||||
|
To enable authentication for S3, you have two options:
|
||||||
|
|
||||||
|
- let the helm chart create an admin user as well as a read only user
|
||||||
|
- provide your own s3 config.json file via an existing Kubernetes Secret
|
||||||
|
|
||||||
|
#### Use the default credentials for S3
|
||||||
|
|
||||||
|
Example parameters for your values.yaml:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
filer:
|
||||||
|
s3:
|
||||||
|
enabled: true
|
||||||
|
enableAuth: true
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Provide your own credentials for S3
|
||||||
|
|
||||||
|
Example parameters for your values.yaml:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
filer:
|
||||||
|
s3:
|
||||||
|
enabled: true
|
||||||
|
enableAuth: true
|
||||||
|
existingConfigSecret: my-s3-secret
|
||||||
|
```
|
||||||
|
|
||||||
|
Example existing secret with your s3 config to create an admin user and readonly user, both with credentials:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
---
|
||||||
|
# Source: seaweedfs/templates/seaweedfs-s3-secret.yaml
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
type: Opaque
|
||||||
|
metadata:
|
||||||
|
name: my-s3-secret
|
||||||
|
namespace: seaweedfs
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: seaweedfs
|
||||||
|
app.kubernetes.io/component: s3
|
||||||
|
stringData:
|
||||||
|
# this key must be an inline json config file
|
||||||
|
seaweedfs_s3_config: '{"identities":[{"name":"anvAdmin","credentials":[{"accessKey":"snu8yoP6QAlY0ne4","secretKey":"PNzBcmeLNEdR0oviwm04NQAicOrDH1Km"}],"actions":["Admin","Read","Write"]},{"name":"anvReadOnly","credentials":[{"accessKey":"SCigFee6c5lbi04A","secretKey":"kgFhbT38R8WUYVtiFQ1OiSVOrYr3NKku"}],"actions":["Read"]}]}'
|
||||||
|
```
|
||||||
|
|
|
@ -195,9 +195,11 @@ spec:
|
||||||
- name: seaweedfs-filer-log-volume
|
- name: seaweedfs-filer-log-volume
|
||||||
mountPath: "/logs/"
|
mountPath: "/logs/"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- if .Values.filer.s3.enableAuth }}
|
||||||
- mountPath: /etc/sw
|
- mountPath: /etc/sw
|
||||||
name: config-users
|
name: config-users
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
{{- if (or .Values.filer.enablePVC (or (eq .Values.filer.data.type "hostPath") (eq .Values.filer.data.type "persistentVolumeClaim"))) }}
|
{{- if (or .Values.filer.enablePVC (or (eq .Values.filer.data.type "hostPath") (eq .Values.filer.data.type "persistentVolumeClaim"))) }}
|
||||||
- name: data-filer
|
- name: data-filer
|
||||||
mountPath: /data
|
mountPath: /data
|
||||||
|
@ -285,10 +287,16 @@ spec:
|
||||||
- name: db-schema-config-volume
|
- name: db-schema-config-volume
|
||||||
configMap:
|
configMap:
|
||||||
name: seaweedfs-db-init-config
|
name: seaweedfs-db-init-config
|
||||||
|
{{- if .Values.filer.s3.enableAuth }}
|
||||||
- name: config-users
|
- name: config-users
|
||||||
secret:
|
secret:
|
||||||
defaultMode: 420
|
defaultMode: 420
|
||||||
|
{{- if .Values.filer.s3.existingConfigSecret }}
|
||||||
|
secretName: {{ .Values.s3.existingConfigSecret }}
|
||||||
|
{{- else }}
|
||||||
secretName: seaweedfs-s3-secret
|
secretName: seaweedfs-s3-secret
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
{{- if .Values.global.enableSecurity }}
|
{{- if .Values.global.enableSecurity }}
|
||||||
- name: security-config
|
- name: security-config
|
||||||
configMap:
|
configMap:
|
||||||
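Review bot: The new `existingConfigSecret` branch tests one value and renders another: the condition is `{{- if .Values.filer.s3.existingConfigSecret }}` but the line under it is `secretName: {{ .Values.s3.existingConfigSecret }}`. This volume is gated on `.Values.filer.s3.enableAuth`, so a user who sets only `filer.s3.existingConfigSecret`, as the README in this commit documents, gets an empty `secretName` (the default for the `s3` key is `""`) and the credentials volume cannot be mounted; render `secretName: {{ .Values.filer.s3.existingConfigSecret | quote }}` here. The next file section, gated on `.Values.s3.enableAuth`, has the mirror-image problem: its condition should be `{{- if .Values.s3.existingConfigSecret }}`, otherwise setting only `s3.existingConfigSecret` falls through to `seaweedfs-s3-secret`, which the secret template in this commit no longer creates in that case. The `volumes:` list starts and continues outside the hunk.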
|
|
|
@ -121,9 +121,11 @@ spec:
|
||||||
- name: logs
|
- name: logs
|
||||||
mountPath: "/logs/"
|
mountPath: "/logs/"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- if .Values.s3.enableAuth }}
|
||||||
- mountPath: /etc/sw
|
- mountPath: /etc/sw
|
||||||
name: config-users
|
name: config-users
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
{{- if .Values.global.enableSecurity }}
|
{{- if .Values.global.enableSecurity }}
|
||||||
- name: security-config
|
- name: security-config
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
@ -182,10 +184,16 @@ spec:
|
||||||
{{ tpl .Values.s3.resources . | nindent 12 | trim }}
|
{{ tpl .Values.s3.resources . | nindent 12 | trim }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
volumes:
|
volumes:
|
||||||
|
{{- if .Values.s3.enableAuth }}
|
||||||
- name: config-users
|
- name: config-users
|
||||||
secret:
|
secret:
|
||||||
defaultMode: 420
|
defaultMode: 420
|
||||||
|
{{- if .Values.filer.s3.existingConfigSecret }}
|
||||||
|
secretName: {{ .Values.s3.existingConfigSecret }}
|
||||||
|
{{- else }}
|
||||||
secretName: seaweedfs-s3-secret
|
secretName: seaweedfs-s3-secret
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
{{- if eq .Values.s3.logs.type "hostPath" }}
|
{{- if eq .Values.s3.logs.type "hostPath" }}
|
||||||
- name: logs
|
- name: logs
|
||||||
hostPath:
|
hostPath:
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{{- if not (or .Values.filer.s3.skipAuthSecretCreation .Values.s3.skipAuthSecretCreation) }}
|
{{- if not (or .Values.filer.s3.skipAuthSecretCreation .Values.s3.skipAuthSecretCreation .Values.s3.existingConfigSecret ) }}
|
||||||
{{- $access_key_admin := randAlphaNum 16 -}}
|
{{- $access_key_admin := randAlphaNum 16 -}}
|
||||||
{{- $secret_key_admin := randAlphaNum 32 -}}
|
{{- $secret_key_admin := randAlphaNum 32 -}}
|
||||||
{{- $access_key_read := randAlphaNum 16 -}}
|
{{- $access_key_read := randAlphaNum 16 -}}
|
||||||
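Review bot: The skip condition on the first line adds `.Values.s3.existingConfigSecret` but not `.Values.filer.s3.existingConfigSecret`, so with the filer-embedded S3 option the template still generates the random admin and read-only keys, presumably into a Secret that nothing is meant to consume. Unused credentials that remain valid in the cluster are worth avoiding; add the filer key to the `or`: `{{- if not (or .Values.filer.s3.skipAuthSecretCreation .Values.s3.skipAuthSecretCreation .Values.filer.s3.existingConfigSecret .Values.s3.existingConfigSecret) }}`. The `if` block closes outside the hunk.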
|
|
|
@ -411,7 +411,7 @@ filer:
|
||||||
# annotations:
|
# annotations:
|
||||||
# "key": "value"
|
# "key": "value"
|
||||||
#
|
#
|
||||||
# You may also spacify an existing claim:
|
# You may also specify an existing claim:
|
||||||
# data:
|
# data:
|
||||||
# type: "existingClaim"
|
# type: "existingClaim"
|
||||||
# claimName: "my-pvc"
|
# claimName: "my-pvc"
|
||||||
|
@ -571,6 +571,9 @@ filer:
|
||||||
# enable user & permission to s3 (need to inject to all services)
|
# enable user & permission to s3 (need to inject to all services)
|
||||||
enableAuth: false
|
enableAuth: false
|
||||||
skipAuthSecretCreation: false
|
skipAuthSecretCreation: false
|
||||||
|
# set to the name of an existing kubernetes Secret with the s3 json config file
|
||||||
|
# should have a secret key called seaweedfs_s3_config with an inline json configure
|
||||||
|
existingConfigSecret: ""
|
||||||
auditLogConfig: {}
|
auditLogConfig: {}
|
||||||
|
|
||||||
s3:
|
s3:
|
||||||
|
@ -591,6 +594,9 @@ s3:
|
||||||
# enable user & permission to s3 (need to inject to all services)
|
# enable user & permission to s3 (need to inject to all services)
|
||||||
enableAuth: false
|
enableAuth: false
|
||||||
skipAuthSecretCreation: false
|
skipAuthSecretCreation: false
|
||||||
|
# set to the name of an existing kubernetes Secret with the s3 json config file
|
||||||
|
# should have a secret key called seaweedfs_s3_config with an inline json config
|
||||||
|
existingConfigSecret: ""
|
||||||
auditLogConfig: {}
|
auditLogConfig: {}
|
||||||
|
|
||||||
# Suffix of the host name, {bucket}.{domainName}
|
# Suffix of the host name, {bucket}.{domainName}
|
||||||
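Review bot: The comments on the two new `existingConfigSecret` keys do not say that the value is only read when `enableAuth` is `true`, which is how the templates in this commit gate the `config-users` volume. As far as those templates show, a Secret name set here with `enableAuth: false` has no effect and produces no error, so the operator may believe authentication is configured when it is not. I would add `# only used when enableAuth is true; the Secret must exist in the release namespace` above each key, and make the two comments read the same (`inline json configure` under `filer.s3` versus `inline json config` under `s3`).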
|
|