adding ability to use an existing Secret for s3

This commit is contained in:
jessebot 2023-11-21 12:34:37 +01:00 committed by Chris Lu
parent 322e783525
commit 0510682908
6 changed files with 95 additions and 8 deletions

View file

@ -2,4 +2,4 @@ apiVersion: v1
description: SeaweedFS
name: seaweedfs
appVersion: "3.59"
version: 3.59.1
version: 3.59.3

View file

@ -4,15 +4,21 @@
### Add the helm repo
`helm repo add seaweedfs https://seaweedfs.github.io/seaweedfs/helm`
```bash
helm repo add seaweedfs https://seaweedfs.github.io/seaweedfs/helm
```
### Install the helm chart
`helm install seaweedfs seaweedfs/seaweedfs`
```bash
helm install seaweedfs seaweedfs/seaweedfs
```
### (Recommended) Provide `values.yaml`
`helm install --values=values.yaml seaweedfs seaweedfs/seaweedfs`
```bash
helm install --values=values.yaml seaweedfs seaweedfs/seaweedfs
```
## Info:
* master/filer/volume are stateful sets with anti-affinity on the hostname,
@ -79,3 +85,62 @@ You can update the replicas count for each node type in values.yaml,
need to add more nodes with the corresponding labels if applicable.
Most of the configuration are available through values.yaml any pull requests to expand functionality or usability are greatly appreciated. Any pull request must pass [chart-testing](https://github.com/helm/chart-testing).
## S3 configuration
To enable an s3 endpoint for your filer with a default install add the following to your values.yaml:
```yaml
filer:
s3:
enabled: true
```
### Enabling Authenticaion to S3
To enable authentication for S3, you have two options:
- let the helm chart create an admin user as well as a read only user
- provide your own s3 config.json file via an existing Kubernetes Secret
#### Use the default credentials for S3
Example parameters for your values.yaml:
```yaml
filer:
s3:
enabled: true
enableAuth: true
```
#### Provide your own credentials for S3
Example parameters for your values.yaml:
```yaml
filer:
s3:
enabled: true
enableAuth: true
existingConfigSecret: my-s3-secret
```
Example existing secret with your s3 config to create an admin user and readonly user, both with credentials:
```yaml
---
# Source: seaweedfs/templates/seaweedfs-s3-secret.yaml
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: my-s3-secret
namespace: seaweedfs
labels:
app.kubernetes.io/name: seaweedfs
app.kubernetes.io/component: s3
stringData:
# this key must be an inline json config file
seaweedfs_s3_config: '{"identities":[{"name":"anvAdmin","credentials":[{"accessKey":"snu8yoP6QAlY0ne4","secretKey":"PNzBcmeLNEdR0oviwm04NQAicOrDH1Km"}],"actions":["Admin","Read","Write"]},{"name":"anvReadOnly","credentials":[{"accessKey":"SCigFee6c5lbi04A","secretKey":"kgFhbT38R8WUYVtiFQ1OiSVOrYr3NKku"}],"actions":["Read"]}]}'
```

View file

@ -195,9 +195,11 @@ spec:
- name: seaweedfs-filer-log-volume
mountPath: "/logs/"
{{- end }}
{{- if .Values.filer.s3.enableAuth }}
- mountPath: /etc/sw
name: config-users
readOnly: true
{{- end }}
{{- if (or .Values.filer.enablePVC (or (eq .Values.filer.data.type "hostPath") (eq .Values.filer.data.type "persistentVolumeClaim"))) }}
- name: data-filer
mountPath: /data
@ -285,10 +287,16 @@ spec:
- name: db-schema-config-volume
configMap:
name: seaweedfs-db-init-config
{{- if .Values.filer.s3.enableAuth }}
- name: config-users
secret:
defaultMode: 420
{{- if .Values.filer.s3.existingConfigSecret }}
secretName: {{ .Values.s3.existingConfigSecret }}
{{- else }}
secretName: seaweedfs-s3-secret
{{- end }}
{{- end }}
{{- if .Values.global.enableSecurity }}
- name: security-config
configMap:

View file

@ -121,9 +121,11 @@ spec:
- name: logs
mountPath: "/logs/"
{{- end }}
{{- if .Values.s3.enableAuth }}
- mountPath: /etc/sw
name: config-users
readOnly: true
{{- end }}
{{- if .Values.global.enableSecurity }}
- name: security-config
readOnly: true
@ -182,10 +184,16 @@ spec:
{{ tpl .Values.s3.resources . | nindent 12 | trim }}
{{- end }}
volumes:
{{- if .Values.s3.enableAuth }}
- name: config-users
secret:
defaultMode: 420
{{- if .Values.filer.s3.existingConfigSecret }}
secretName: {{ .Values.s3.existingConfigSecret }}
{{- else }}
secretName: seaweedfs-s3-secret
{{- end }}
{{- end }}
{{- if eq .Values.s3.logs.type "hostPath" }}
- name: logs
hostPath:

View file

@ -1,4 +1,4 @@
{{- if not (or .Values.filer.s3.skipAuthSecretCreation .Values.s3.skipAuthSecretCreation) }}
{{- if not (or .Values.filer.s3.skipAuthSecretCreation .Values.s3.skipAuthSecretCreation .Values.s3.existingConfigSecret ) }}
{{- $access_key_admin := randAlphaNum 16 -}}
{{- $secret_key_admin := randAlphaNum 32 -}}
{{- $access_key_read := randAlphaNum 16 -}}

View file

@ -411,7 +411,7 @@ filer:
# annotations:
# "key": "value"
#
# You may also spacify an existing claim:
# You may also specify an existing claim:
# data:
# type: "existingClaim"
# claimName: "my-pvc"
@ -571,6 +571,9 @@ filer:
# enable user & permission to s3 (need to inject to all services)
enableAuth: false
skipAuthSecretCreation: false
# set to the name of an existing kubernetes Secret with the s3 json config file
# should have a secret key called seaweedfs_s3_config with an inline json configure
existingConfigSecret: ""
auditLogConfig: {}
s3:
@ -591,6 +594,9 @@ s3:
# enable user & permission to s3 (need to inject to all services)
enableAuth: false
skipAuthSecretCreation: false
# set to the name of an existing kubernetes Secret with the s3 json config file
# should have a secret key called seaweedfs_s3_config with an inline json config
existingConfigSecret: ""
auditLogConfig: {}
# Suffix of the host name, {bucket}.{domainName}