adding ability to use an existing Secret for s3

This commit is contained in:
jessebot 2023-11-21 12:34:37 +01:00 committed by Chris Lu
parent 322e783525
commit 0510682908
6 changed files with 95 additions and 8 deletions


@ -2,4 +2,4 @@ apiVersion: v1
description: SeaweedFS description: SeaweedFS
name: seaweedfs name: seaweedfs
appVersion: "3.59" appVersion: "3.59"
version: 3.59.1 version: 3.59.3


@ -4,15 +4,21 @@
### Add the helm repo ### Add the helm repo
`helm repo add seaweedfs https://seaweedfs.github.io/seaweedfs/helm` ```bash
helm repo add seaweedfs https://seaweedfs.github.io/seaweedfs/helm
```
### Install the helm chart ### Install the helm chart
`helm install seaweedfs seaweedfs/seaweedfs` ```bash
helm install seaweedfs seaweedfs/seaweedfs
```
### (Recommended) Provide `values.yaml` ### (Recommended) Provide `values.yaml`
`helm install --values=values.yaml seaweedfs seaweedfs/seaweedfs` ```bash
helm install --values=values.yaml seaweedfs seaweedfs/seaweedfs
```
## Info: ## Info:
* master/filer/volume are stateful sets with anti-affinity on the hostname, * master/filer/volume are stateful sets with anti-affinity on the hostname,
@ -79,3 +85,62 @@ You can update the replicas count for each node type in values.yaml,
need to add more nodes with the corresponding labels if applicable. need to add more nodes with the corresponding labels if applicable.
Most of the configuration are available through values.yaml any pull requests to expand functionality or usability are greatly appreciated. Any pull request must pass [chart-testing](https://github.com/helm/chart-testing). Most of the configuration are available through values.yaml any pull requests to expand functionality or usability are greatly appreciated. Any pull request must pass [chart-testing](https://github.com/helm/chart-testing).
## S3 configuration
To enable an s3 endpoint for your filer with a default install add the following to your values.yaml:
```yaml
filer:
s3:
enabled: true
```
### Enabling Authenticaion to S3
To enable authentication for S3, you have two options:
- let the helm chart create an admin user as well as a read only user
- provide your own s3 config.json file via an existing Kubernetes Secret
#### Use the default credentials for S3
Example parameters for your values.yaml:
```yaml
filer:
s3:
enabled: true
enableAuth: true
```
#### Provide your own credentials for S3
Example parameters for your values.yaml:
```yaml
filer:
s3:
enabled: true
enableAuth: true
existingConfigSecret: my-s3-secret
```
Example existing secret with your s3 config to create an admin user and readonly user, both with credentials:
```yaml
---
# Source: seaweedfs/templates/seaweedfs-s3-secret.yaml
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: my-s3-secret
namespace: seaweedfs
labels:
app.kubernetes.io/name: seaweedfs
app.kubernetes.io/component: s3
stringData:
# this key must be an inline json config file
seaweedfs_s3_config: '{"identities":[{"name":"anvAdmin","credentials":[{"accessKey":"snu8yoP6QAlY0ne4","secretKey":"PNzBcmeLNEdR0oviwm04NQAicOrDH1Km"}],"actions":["Admin","Read","Write"]},{"name":"anvReadOnly","credentials":[{"accessKey":"SCigFee6c5lbi04A","secretKey":"kgFhbT38R8WUYVtiFQ1OiSVOrYr3NKku"}],"actions":["Read"]}]}'
```


@ -195,9 +195,11 @@ spec:
- name: seaweedfs-filer-log-volume - name: seaweedfs-filer-log-volume
mountPath: "/logs/" mountPath: "/logs/"
{{- end }} {{- end }}
{{- if .Values.filer.s3.enableAuth }}
- mountPath: /etc/sw - mountPath: /etc/sw
name: config-users name: config-users
readOnly: true readOnly: true
{{- end }}
{{- if (or .Values.filer.enablePVC (or (eq .Values.filer.data.type "hostPath") (eq .Values.filer.data.type "persistentVolumeClaim"))) }} {{- if (or .Values.filer.enablePVC (or (eq .Values.filer.data.type "hostPath") (eq .Values.filer.data.type "persistentVolumeClaim"))) }}
- name: data-filer - name: data-filer
mountPath: /data mountPath: /data
@ -285,10 +287,16 @@ spec:
- name: db-schema-config-volume - name: db-schema-config-volume
configMap: configMap:
name: seaweedfs-db-init-config name: seaweedfs-db-init-config
{{- if .Values.filer.s3.enableAuth }}
- name: config-users - name: config-users
secret: secret:
defaultMode: 420 defaultMode: 420
{{- if .Values.filer.s3.existingConfigSecret }}
secretName: {{ .Values.s3.existingConfigSecret }}
{{- else }}
secretName: seaweedfs-s3-secret secretName: seaweedfs-s3-secret
{{- end }}
{{- end }}
{{- if .Values.global.enableSecurity }} {{- if .Values.global.enableSecurity }}
- name: security-config - name: security-config
configMap: configMap:
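Review bot: In the filer statefulset volumes hunk the guard `{{- if .Values.filer.s3.existingConfigSecret }}` reads the filer value, but the `secretName:` line under it renders `.Values.s3.existingConfigSecret`, so a user who follows the README and sets only `filer.s3.existingConfigSecret` gets an empty `secretName:` (the values.yaml default is `""`, which renders as a null scalar) and the pod cannot mount its credentials. The rest of this template reads `.Values.filer.s3.*` (see the `enableAuth` guards in both hunks), so the line should be `secretName: {{ .Values.filer.s3.existingConfigSecret | quote }}`; `quote` also keeps a numeric-looking Secret name from being retyped. The s3 deployment's volumes hunk has the mirror-image mismatch — its guard reads `.Values.filer.s3.existingConfigSecret` while that template otherwise reads `.Values.s3.*` — and should use `{{- if .Values.s3.existingConfigSecret }}` with `secretName: {{ .Values.s3.existingConfigSecret | quote }}`. The enclosing volumes list continues outside the hunk.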


@ -121,9 +121,11 @@ spec:
- name: logs - name: logs
mountPath: "/logs/" mountPath: "/logs/"
{{- end }} {{- end }}
{{- if .Values.s3.enableAuth }}
- mountPath: /etc/sw - mountPath: /etc/sw
name: config-users name: config-users
readOnly: true readOnly: true
{{- end }}
{{- if .Values.global.enableSecurity }} {{- if .Values.global.enableSecurity }}
- name: security-config - name: security-config
readOnly: true readOnly: true
@ -182,10 +184,16 @@ spec:
{{ tpl .Values.s3.resources . | nindent 12 | trim }} {{ tpl .Values.s3.resources . | nindent 12 | trim }}
{{- end }} {{- end }}
volumes: volumes:
{{- if .Values.s3.enableAuth }}
- name: config-users - name: config-users
secret: secret:
defaultMode: 420 defaultMode: 420
{{- if .Values.filer.s3.existingConfigSecret }}
secretName: {{ .Values.s3.existingConfigSecret }}
{{- else }}
secretName: seaweedfs-s3-secret secretName: seaweedfs-s3-secret
{{- end }}
{{- end }}
{{- if eq .Values.s3.logs.type "hostPath" }} {{- if eq .Values.s3.logs.type "hostPath" }}
- name: logs - name: logs
hostPath: hostPath:


@ -1,4 +1,4 @@
{{- if not (or .Values.filer.s3.skipAuthSecretCreation .Values.s3.skipAuthSecretCreation) }} {{- if not (or .Values.filer.s3.skipAuthSecretCreation .Values.s3.skipAuthSecretCreation .Values.s3.existingConfigSecret ) }}
{{- $access_key_admin := randAlphaNum 16 -}} {{- $access_key_admin := randAlphaNum 16 -}}
{{- $secret_key_admin := randAlphaNum 32 -}} {{- $secret_key_admin := randAlphaNum 32 -}}
{{- $access_key_read := randAlphaNum 16 -}} {{- $access_key_read := randAlphaNum 16 -}}
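Review bot: The widened guard on the first line consults only `.Values.s3.existingConfigSecret`, so a user who sets `filer.s3.existingConfigSecret` as the README example does still gets a chart-generated `seaweedfs-s3-secret` with random credentials rendered alongside their own Secret. The existing `skipAuthSecretCreation` check already looks at both the filer and the top-level s3 values, and the new term should do the same: `{{- if not (or .Values.filer.s3.skipAuthSecretCreation .Values.s3.skipAuthSecretCreation .Values.filer.s3.existingConfigSecret .Values.s3.existingConfigSecret) }}`. That also avoids leaving an unused credential-bearing Secret in the namespace. The template body continues outside the hunk.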


@ -411,7 +411,7 @@ filer:
# annotations: # annotations:
# "key": "value" # "key": "value"
# #
# You may also spacify an existing claim: # You may also specify an existing claim:
# data: # data:
# type: "existingClaim" # type: "existingClaim"
# claimName: "my-pvc" # claimName: "my-pvc"
@ -571,6 +571,9 @@ filer:
# enable user & permission to s3 (need to inject to all services) # enable user & permission to s3 (need to inject to all services)
enableAuth: false enableAuth: false
skipAuthSecretCreation: false skipAuthSecretCreation: false
# set to the name of an existing kubernetes Secret with the s3 json config file
# should have a secret key called seaweedfs_s3_config with an inline json configure
existingConfigSecret: ""
auditLogConfig: {} auditLogConfig: {}
s3: s3:
@ -591,6 +594,9 @@ s3:
# enable user & permission to s3 (need to inject to all services) # enable user & permission to s3 (need to inject to all services)
enableAuth: false enableAuth: false
skipAuthSecretCreation: false skipAuthSecretCreation: false
# set to the name of an existing kubernetes Secret with the s3 json config file
# should have a secret key called seaweedfs_s3_config with an inline json config
existingConfigSecret: ""
auditLogConfig: {} auditLogConfig: {}
# Suffix of the host name, {bucket}.{domainName} # Suffix of the host name, {bucket}.{domainName}
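Review bot: The two new comment blocks describe the same contract but differ in wording: the filer one ends `with an inline json configure` while the s3 one ends `with an inline json config`, so the filer line should read `# should have a secret key called seaweedfs_s3_config with an inline json config`. It would also help both comments to state that the Secret is mounted read-only at `/etc/sw`, as the statefulset and deployment hunks show, so users know where the file lands.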