fix(helm): trim whitespace before s3 TLS args to prevent command breakage (#8614)

* fix(helm): trim whitespace before s3 TLS args to prevent command breakage (#8613) When global.enableSecurity is enabled, the `{{ include }}` call for s3 TLS args lacked the leading dash (`{{-`), producing an extra blank line in the rendered shell command. This broke shell continuation and caused the filer (and s3/all-in-one) to crash because arguments after the blank line were silently dropped. * ci(helm): assert no blank lines in security+S3 command blocks Renders the chart with global.enableSecurity=true and S3 enabled for normal mode (filer + s3 deployments) and all-in-one mode, then parses every /bin/sh -ec command block and fails if any contains blank lines. This catches the whitespace regression from #8613 where a missing {{- dash on the seaweedfs.s3.tlsArgs include produced a blank line that broke shell continuation. * ci(helm): enable S3 in all-in-one security render test The s3.tlsArgs include is gated by allInOne.s3.enabled, so without this flag the all-in-one command block wasn't actually exercising the TLS args path.
1 day ago · 0443b66a75
4 changed files with 41 additions and 3 deletions
--- a/.github/workflows/helm_ci.yml
+++ b/.github/workflows/helm_ci.yml
@ -179,6 +179,44 @@ jobs:
          echo "✓ All-in-one mode: service names match DNS references with long release name"

          echo ""
+          echo "=== Testing security+S3: no blank lines in shell command blocks ==="
+          # Render the three manifests that include seaweedfs.s3.tlsArgs:
+          #   filer-statefulset, s3-deployment, all-in-one-deployment
+          helm template test $CHART_DIR \
+            --set global.enableSecurity=true \
+            --set filer.s3.enabled=true \
+            --set s3.enabled=true > /tmp/security-s3.yaml
+          helm template test $CHART_DIR \
+            --set global.enableSecurity=true \
+            --set allInOne.enabled=true \
+            --set allInOne.s3.enabled=true > /tmp/security-aio.yaml
+
+          pip install pyyaml -q
+          python3 - /tmp/security-s3.yaml /tmp/security-aio.yaml <<'PYEOF'
+          import yaml, sys
+          errors = []
+          for path in sys.argv[1:]:
+              with open(path) as f:
+                  docs = list(yaml.safe_load_all(f))
+              for doc in docs:
+                  if not doc or doc.get("kind") not in ("Deployment", "StatefulSet"):
+                      continue
+                  name = doc["metadata"]["name"]
+                  for c in doc["spec"]["template"]["spec"].get("containers", []):
+                      cmd = c.get("command", [])
+                      if len(cmd) >= 3 and cmd[0] == "/bin/sh" and cmd[1] == "-ec":
+                          script = cmd[2]
+                          for i, line in enumerate(script.splitlines(), 1):
+                              if line.strip() == "":
+                                  errors.append(f"{path}: {name}/{c['name']} has blank line at script line {i}")
+          if errors:
+              for e in errors:
+                  print(f"FAIL: {e}", file=sys.stderr)
+              print("Rendered with: global.enableSecurity=true, filer.s3.enabled=true, s3.enabled=true, allInOne.enabled=true", file=sys.stderr)
+              sys.exit(1)
+          print("✓ No blank lines in security+S3 command blocks")
+          PYEOF
+
          echo "✅ All template rendering tests passed!"

      - name: Create kind cluster
--- a/k8s/charts/seaweedfs/templates/all-in-one/all-in-one-deployment.yaml
+++ b/k8s/charts/seaweedfs/templates/all-in-one/all-in-one-deployment.yaml
@ -243,7 +243,7 @@ spec:
              {{- if $httpsPort }}
              -s3.port.https={{ $httpsPort }} \
              {{- end }}
-              {{ include "seaweedfs.s3.tlsArgs" (dict "root" . "prefix" "s3.") | nindent 14 }}
+              {{- include "seaweedfs.s3.tlsArgs" (dict "root" . "prefix" "s3.") | nindent 14 }}
              {{- end }}
              {{- if or .Values.allInOne.s3.enableAuth .Values.s3.enableAuth .Values.filer.s3.enableAuth }}
              -s3.config=/etc/sw/s3/seaweedfs_s3_config \
--- a/k8s/charts/seaweedfs/templates/filer/filer-statefulset.yaml
+++ b/k8s/charts/seaweedfs/templates/filer/filer-statefulset.yaml
@ -200,7 +200,7 @@ spec:
              {{- if .Values.filer.s3.httpsPort }}
              -s3.port.https={{ .Values.filer.s3.httpsPort }} \
              {{- end }}
-              {{ include "seaweedfs.s3.tlsArgs" (dict "root" . "prefix" "s3.") | nindent 14 }}
+              {{- include "seaweedfs.s3.tlsArgs" (dict "root" . "prefix" "s3.") | nindent 14 }}
              {{- end }}
              {{- if .Values.filer.s3.enableAuth }}
              -s3.config=/etc/sw/seaweedfs_s3_config \
--- a/k8s/charts/seaweedfs/templates/s3/s3-deployment.yaml
+++ b/k8s/charts/seaweedfs/templates/s3/s3-deployment.yaml
@ -127,7 +127,7 @@ spec:
              {{- if .Values.s3.httpsPort }}
              -port.https={{ .Values.s3.httpsPort }} \
              {{- end }}
-              {{ include "seaweedfs.s3.tlsArgs" (dict "root" . "prefix" "") | nindent 14 }}
+              {{- include "seaweedfs.s3.tlsArgs" (dict "root" . "prefix" "") | nindent 14 }}
              {{- end }}
              {{- if .Values.s3.domainName }}
              -domainName={{ .Values.s3.domainName }} \