adding ability to use an existing Secret for s3

1 year ago · 0510682908
6 changed files with 95 additions and 8 deletions
--- a/k8s/charts/seaweedfs/Chart.yaml
+++ b/k8s/charts/seaweedfs/Chart.yaml
@ -2,4 +2,4 @@ apiVersion: v1
 description: SeaweedFS
 name: seaweedfs
 appVersion: "3.59"
-version: 3.59.1
+version: 3.59.3
--- a/k8s/charts/seaweedfs/README.md
+++ b/k8s/charts/seaweedfs/README.md
@ -4,15 +4,21 @@

 ### Add the helm repo

-`helm repo add seaweedfs https://seaweedfs.github.io/seaweedfs/helm`
+```bash
+helm repo add seaweedfs https://seaweedfs.github.io/seaweedfs/helm
+```

 ### Install the helm chart

-`helm install seaweedfs seaweedfs/seaweedfs`
+```bash
+helm install seaweedfs seaweedfs/seaweedfs
+```

 ### (Recommended) Provide `values.yaml`

-`helm install --values=values.yaml seaweedfs seaweedfs/seaweedfs`
+```bash
+helm install --values=values.yaml seaweedfs seaweedfs/seaweedfs
+```

 ## Info:
 * master/filer/volume are stateful sets with anti-affinity on the hostname,
@ -78,4 +84,63 @@ for your deployment.
 You can update the replicas count for each node type in values.yaml,
 need to add more nodes with the corresponding labels if applicable.

-Most of the configuration are available through values.yaml any pull requests to expand functionality or usability are greatly appreciated. Any pull request must pass [chart-testing](https://github.com/helm/chart-testing).
+Most of the configuration are available through values.yaml any pull requests to expand functionality or usability are greatly appreciated. Any pull request must pass [chart-testing](https://github.com/helm/chart-testing).
+
+## S3 configuration
+
+To enable an s3 endpoint for your filer with a default install add the following to your values.yaml:
+
+```yaml
+filer:
+  s3:
+    enabled: true
+```
+
+### Enabling Authenticaion to S3
+
+To enable authentication for S3, you have two options:
+
+- let the helm chart create an admin user as well as a read only user
+- provide your own s3 config.json file via an existing Kubernetes Secret
+
+#### Use the default credentials for S3
+
+Example parameters for your values.yaml:
+
+```yaml
+filer:
+  s3:
+    enabled: true
+    enableAuth: true
+```
+
+#### Provide your own credentials for S3
+
+Example parameters for your values.yaml:
+
+```yaml
+filer:
+  s3:
+    enabled: true
+    enableAuth: true
+    existingConfigSecret: my-s3-secret
+```
+
+Example existing secret with your s3 config to create an admin user and readonly user, both with credentials:
+
+```yaml
+---
+# Source: seaweedfs/templates/seaweedfs-s3-secret.yaml
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: my-s3-secret
+  namespace: seaweedfs
+  labels:
+    app.kubernetes.io/name: seaweedfs
+    app.kubernetes.io/component: s3
+stringData:
+  # this key must be an inline json config file
+  seaweedfs_s3_config: '{"identities":[{"name":"anvAdmin","credentials":[{"accessKey":"snu8yoP6QAlY0ne4","secretKey":"PNzBcmeLNEdR0oviwm04NQAicOrDH1Km"}],"actions":["Admin","Read","Write"]},{"name":"anvReadOnly","credentials":[{"accessKey":"SCigFee6c5lbi04A","secretKey":"kgFhbT38R8WUYVtiFQ1OiSVOrYr3NKku"}],"actions":["Read"]}]}'
+```
--- a/k8s/charts/seaweedfs/templates/filer-statefulset.yaml
+++ b/k8s/charts/seaweedfs/templates/filer-statefulset.yaml
@ -195,9 +195,11 @@ spec:
            - name: seaweedfs-filer-log-volume
              mountPath: "/logs/"
            {{- end }}
+            {{- if .Values.filer.s3.enableAuth }}
            - mountPath: /etc/sw
              name: config-users
              readOnly: true
+            {{- end }}
            {{- if (or .Values.filer.enablePVC (or (eq .Values.filer.data.type "hostPath") (eq .Values.filer.data.type "persistentVolumeClaim"))) }}
            - name: data-filer
              mountPath: /data
@ -285,10 +287,16 @@ spec:
        - name: db-schema-config-volume
          configMap:
            name: seaweedfs-db-init-config
+        {{- if .Values.filer.s3.enableAuth }}
        - name: config-users
          secret:
            defaultMode: 420
+            {{- if .Values.filer.s3.existingConfigSecret }}
+            secretName: {{ .Values.s3.existingConfigSecret }}
+            {{- else }}
            secretName: seaweedfs-s3-secret
+            {{- end }}
+        {{- end }}
        {{- if .Values.global.enableSecurity }}
        - name: security-config
          configMap:
--- a/k8s/charts/seaweedfs/templates/s3-deployment.yaml
+++ b/k8s/charts/seaweedfs/templates/s3-deployment.yaml
@ -121,9 +121,11 @@ spec:
            - name: logs
              mountPath: "/logs/"
            {{- end }}
+            {{- if .Values.s3.enableAuth }}
            - mountPath: /etc/sw
              name: config-users
              readOnly: true
+            {{- end }}
            {{- if .Values.global.enableSecurity }}
            - name: security-config
              readOnly: true
@ -182,10 +184,16 @@ spec:
            {{ tpl .Values.s3.resources . | nindent 12 | trim }}
          {{- end }}
      volumes:
+        {{- if .Values.s3.enableAuth }}
        - name: config-users
          secret:
            defaultMode: 420
+            {{- if .Values.filer.s3.existingConfigSecret }}
+            secretName: {{ .Values.s3.existingConfigSecret }}
+            {{- else }}
            secretName: seaweedfs-s3-secret
+            {{- end }}
+        {{- end }}
        {{- if eq .Values.s3.logs.type "hostPath" }}
        - name: logs
          hostPath:
--- a/k8s/charts/seaweedfs/templates/seaweedfs-s3-secret.yaml
+++ b/k8s/charts/seaweedfs/templates/seaweedfs-s3-secret.yaml
@ -1,4 +1,4 @@
-{{- if not (or .Values.filer.s3.skipAuthSecretCreation .Values.s3.skipAuthSecretCreation) }}
+{{- if not (or .Values.filer.s3.skipAuthSecretCreation .Values.s3.skipAuthSecretCreation .Values.s3.existingConfigSecret ) }}
 {{- $access_key_admin := randAlphaNum 16 -}}
 {{- $secret_key_admin := randAlphaNum 32 -}}
 {{- $access_key_read := randAlphaNum 16 -}}
@ -32,4 +32,4 @@ stringData:
  s3_auditLogConfig.json: |
    {{ toJson .Values.s3.auditLogConfig | nindent 4 }}
  {{- end }}
-{{- end }}
+{{- end }}
--- a/k8s/charts/seaweedfs/values.yaml
+++ b/k8s/charts/seaweedfs/values.yaml
@ -411,7 +411,7 @@ filer:
  #    annotations:
  #      "key": "value"
  #
-  # You may also spacify an existing claim:
+  # You may also specify an existing claim:
  #  data:
  #    type: "existingClaim"
  #    claimName: "my-pvc"
@ -571,6 +571,9 @@ filer:
    # enable user & permission to s3 (need to inject to all services)
    enableAuth: false
    skipAuthSecretCreation: false
+    # set to the name of an existing kubernetes Secret with the s3 json config file
+    # should have a secret key called seaweedfs_s3_config with an inline json configure
+    existingConfigSecret: ""
    auditLogConfig: {}

 s3:
@ -591,6 +594,9 @@ s3:
  # enable user & permission to s3 (need to inject to all services)
  enableAuth: false
  skipAuthSecretCreation: false
+  # set to the name of an existing kubernetes Secret with the s3 json config file
+  # should have a secret key called seaweedfs_s3_config with an inline json config
+  existingConfigSecret: ""
  auditLogConfig: {}

  # Suffix of the host name, {bucket}.{domainName}