From 0443b66a751612229bb0daf35c2a05daa41211a6 Mon Sep 17 00:00:00 2001 From: Chris Lu Date: Thu, 12 Mar 2026 15:35:22 -0700 Subject: [PATCH] fix(helm): trim whitespace before s3 TLS args to prevent command breakage (#8614) * fix(helm): trim whitespace before s3 TLS args to prevent command breakage (#8613) When global.enableSecurity is enabled, the `{{ include }}` call for s3 TLS args lacked the leading dash (`{{-`), producing an extra blank line in the rendered shell command. This broke shell continuation and caused the filer (and s3/all-in-one) to crash because arguments after the blank line were silently dropped. * ci(helm): assert no blank lines in security+S3 command blocks Renders the chart with global.enableSecurity=true and S3 enabled for normal mode (filer + s3 deployments) and all-in-one mode, then parses every /bin/sh -ec command block and fails if any contains blank lines. This catches the whitespace regression from #8613 where a missing {{- dash on the seaweedfs.s3.tlsArgs include produced a blank line that broke shell continuation. * ci(helm): enable S3 in all-in-one security render test The s3.tlsArgs include is gated by allInOne.s3.enabled, so without this flag the all-in-one command block wasn't actually exercising the TLS args path. --- .github/workflows/helm_ci.yml | 38 +++++++++++++++++++ .../all-in-one/all-in-one-deployment.yaml | 2 +- .../templates/filer/filer-statefulset.yaml | 2 +- .../seaweedfs/templates/s3/s3-deployment.yaml | 2 +- 4 files changed, 41 insertions(+), 3 deletions(-) diff --git a/.github/workflows/helm_ci.yml b/.github/workflows/helm_ci.yml index 0b12bc1a1..6eddf7825 100644 --- a/.github/workflows/helm_ci.yml +++ b/.github/workflows/helm_ci.yml 
@@ -179,6 +179,44 @@ jobs: echo "✓ All-in-one mode: service names match DNS references with long release name" echo "" + echo "=== Testing security+S3: no blank lines in shell command blocks ===" + # Render the three manifests that include seaweedfs.s3.tlsArgs: + # filer-statefulset, s3-deployment, all-in-one-deployment + helm template test $CHART_DIR \ + --set global.enableSecurity=true \ + --set filer.s3.enabled=true \ + --set s3.enabled=true > /tmp/security-s3.yaml + helm template test $CHART_DIR \ + --set global.enableSecurity=true \ + --set allInOne.enabled=true \ + --set allInOne.s3.enabled=true > /tmp/security-aio.yaml + + pip install pyyaml -q + python3 - /tmp/security-s3.yaml /tmp/security-aio.yaml <<'PYEOF' + import yaml, sys + errors = [] + for path in sys.argv[1:]: + with open(path) as f: + docs = list(yaml.safe_load_all(f)) + for doc in docs: + if not doc or doc.get("kind") not in ("Deployment", "StatefulSet"): + continue + name = doc["metadata"]["name"] + for c in doc["spec"]["template"]["spec"].get("containers", []): + cmd = c.get("command", []) + if len(cmd) >= 3 and cmd[0] == "/bin/sh" and cmd[1] == "-ec": + script = cmd[2] + for i, line in enumerate(script.splitlines(), 1): + if line.strip() == "": + errors.append(f"{path}: {name}/{c['name']} has blank line at script line {i}") + if errors: + for e in errors: + print(f"FAIL: {e}", file=sys.stderr) + print("Rendered with: global.enableSecurity=true, filer.s3.enabled=true, s3.enabled=true, allInOne.enabled=true", file=sys.stderr) + sys.exit(1) + print("✓ No blank lines in security+S3 command blocks") + PYEOF + echo "✅ All template rendering tests passed!" - name: Create kind cluster diff --git a/k8s/charts/seaweedfs/templates/all-in-one/all-in-one-deployment.yaml b/k8s/charts/seaweedfs/templates/all-in-one/all-in-one-deployment.yaml index b6857c403..187df65bd 100644 --- a/k8s/charts/seaweedfs/templates/all-in-one/all-in-one-deployment.yaml 
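Review bot: The blank-line guard can succeed without inspecting a single script, because the embedded Python only looks at `containers` whose command is exactly `/bin/sh` followed by `-ec`. If a template later moves the script into `args`, switches to `-c`, or a render yields no Deployment/StatefulSet, the step still prints the success line. Track how many scripts were examined per rendered file and fail on zero: `checked = 0` at the top of the `for path` loop, `checked += 1` next to `script = cmd[2]`, and `if not checked: errors.append(f"{path}: no /bin/sh -ec command blocks found")` after the `for doc` loop. Separately, `pip install pyyaml -q` pulls an unpinned package into the job on every run; pinning it (`pip install -q 'pyyaml==<PINNED_VERSION>'`, ideally with hashes) keeps the check reproducible and independent of whatever is newest on the index. The enclosing `run:` step starts above this hunk.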
+++ b/k8s/charts/seaweedfs/templates/all-in-one/all-in-one-deployment.yaml @@ -243,7 +243,7 @@ spec: {{- if $httpsPort }} -s3.port.https={{ $httpsPort }} \ {{- end }} - {{ include "seaweedfs.s3.tlsArgs" (dict "root" . "prefix" "s3.") | nindent 14 }} + {{- include "seaweedfs.s3.tlsArgs" (dict "root" . "prefix" "s3.") | nindent 14 }} {{- end }} {{- if or .Values.allInOne.s3.enableAuth .Values.s3.enableAuth .Values.filer.s3.enableAuth }} -s3.config=/etc/sw/s3/seaweedfs_s3_config \ diff --git a/k8s/charts/seaweedfs/templates/filer/filer-statefulset.yaml b/k8s/charts/seaweedfs/templates/filer/filer-statefulset.yaml index 2aca004b1..9b36f5cd4 100644 --- a/k8s/charts/seaweedfs/templates/filer/filer-statefulset.yaml +++ b/k8s/charts/seaweedfs/templates/filer/filer-statefulset.yaml @@ -200,7 +200,7 @@ spec: {{- if .Values.filer.s3.httpsPort }} -s3.port.https={{ .Values.filer.s3.httpsPort }} \ {{- end }} - {{ include "seaweedfs.s3.tlsArgs" (dict "root" . "prefix" "s3.") | nindent 14 }} + {{- include "seaweedfs.s3.tlsArgs" (dict "root" . "prefix" "s3.") | nindent 14 }} {{- end }} {{- if .Values.filer.s3.enableAuth }} -s3.config=/etc/sw/seaweedfs_s3_config \ diff --git a/k8s/charts/seaweedfs/templates/s3/s3-deployment.yaml b/k8s/charts/seaweedfs/templates/s3/s3-deployment.yaml index 537419543..8164c6abe 100644 --- a/k8s/charts/seaweedfs/templates/s3/s3-deployment.yaml +++ b/k8s/charts/seaweedfs/templates/s3/s3-deployment.yaml @@ -127,7 +127,7 @@ spec: {{- if .Values.s3.httpsPort }} -port.https={{ .Values.s3.httpsPort }} \ {{- end }} - {{ include "seaweedfs.s3.tlsArgs" (dict "root" . "prefix" "") | nindent 14 }} + {{- include "seaweedfs.s3.tlsArgs" (dict "root" . "prefix" "") | nindent 14 }} {{- end }} {{- if .Values.s3.domainName }} -domainName={{ .Values.s3.domainName }} \
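Review bot: The new `{{- include "seaweedfs.s3.tlsArgs" ... | nindent 14 }}` only trims the template whitespace in front of the action, while `nindent` itself still emits a newline plus 14 spaces. If the helper (not part of this patch) can ever render an empty string inside this branch, a whitespace-only line would remain after the preceding `\` continuation. The same applies to the identical change in filer-statefulset.yaml and s3-deployment.yaml. In the all-in-one and filer hunks the next flag after the include is `-s3.config=...`, so a broken continuation would drop the auth configuration along with the TLS args. Either confirm the helper is never empty here or guard the call, for example `{{- with include "seaweedfs.s3.tlsArgs" (dict "root" . "prefix" "s3.") }}{{ . | nindent 14 }}{{- end }}`. The surrounding `command:` block starts and ends outside these hunks.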