From 629d9479a190b70a97675ec49f6753b2bb7e4de6 Mon Sep 17 00:00:00 2001 From: MorezMartin Date: Sun, 4 Jan 2026 21:05:31 +0100 Subject: [PATCH] Fix jwt error in Filer pod (k8s) (#7960) * Avoid JWT error on liveprobeness * fix jwt error * address comments * lint --------- Co-authored-by: Chris Lu --- .../templates/filer/filer-statefulset.yaml | 13 +++++- k8s/charts/seaweedfs/values.yaml | 44 +++++++++---------- 2 files changed, 33 insertions(+), 24 deletions(-) diff --git a/k8s/charts/seaweedfs/templates/filer/filer-statefulset.yaml b/k8s/charts/seaweedfs/templates/filer/filer-statefulset.yaml index e29239c32..29665caae 100644 --- a/k8s/charts/seaweedfs/templates/filer/filer-statefulset.yaml +++ b/k8s/charts/seaweedfs/templates/filer/filer-statefulset.yaml @@ -263,7 +263,7 @@ spec: mountPath: /usr/local/share/ca-certificates/filer/ - name: client-cert readOnly: true - mountPath: /usr/local/share/ca-certificates/client/ + mountPath: /usr/local/share/ca-certificates/client {{- end }} {{ tpl .Values.filer.extraVolumeMounts . | nindent 12 | trim }} ports: @@ -281,12 +281,18 @@ spec: name: swfs-s3-tls {{- end }} {{- end }} + {{- $isJwtEnabled := or .Values.global.securityConfig.jwtSigning.filerWrite .Values.global.securityConfig.jwtSigning.filerRead }} {{- if .Values.filer.readinessProbe.enabled }} readinessProbe: + {{- if or $isJwtEnabled .Values.filer.readinessProbe.tcpSocket }} + tcpSocket: + port: {{ if $isJwtEnabled }}{{ .Values.filer.port }}{{ else }}{{ .Values.filer.readinessProbe.tcpSocket.port }}{{ end }} + {{- else }} httpGet: path: {{ .Values.filer.readinessProbe.httpGet.path }} port: {{ .Values.filer.port }} scheme: {{ .Values.filer.readinessProbe.httpGet.scheme }} + {{- end }} initialDelaySeconds: {{ .Values.filer.readinessProbe.initialDelaySeconds }} periodSeconds: {{ .Values.filer.readinessProbe.periodSeconds }} successThreshold: {{ .Values.filer.readinessProbe.successThreshold }} 
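Review bot: With JWT signing enabled, the readinessProbe in the `@@ -281,12 +281,18 @@` hunk falls back to `tcpSocket` on `.Values.filer.port`, and nothing in the template says why. A TCP check only shows that the port accepts connections, not that the filer can serve requests, so the pod can be marked ready earlier than with the `httpGet` probe. I would add a template comment above the `$isJwtEnabled` line, for example `{{- /* HTTP probes fail with a JWT error when filer JWT signing is on (#7960); fall back to a TCP check on the filer port */}}`, so the weaker check reads as a deliberate trade-off. The same comment should mention that a user-supplied `readinessProbe.tcpSocket.port` is ignored whenever JWT is on, because the port is forced to `.Values.filer.port`. The livenessProbe hunk at `@@ -295,10 +301,15 @@` follows the same pattern, and the StatefulSet spec continues outside both hunks.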
@@ -295,10 +301,15 @@ spec: {{- end }} {{- if .Values.filer.livenessProbe.enabled }} livenessProbe: + {{- if or $isJwtEnabled .Values.filer.livenessProbe.tcpSocket }} + tcpSocket: + port: {{ if $isJwtEnabled }}{{ .Values.filer.port }}{{ else }}{{ .Values.filer.livenessProbe.tcpSocket.port }}{{ end }} + {{- else }} httpGet: path: {{ .Values.filer.livenessProbe.httpGet.path }} port: {{ .Values.filer.port }} scheme: {{ .Values.filer.livenessProbe.httpGet.scheme }} + {{- end }} initialDelaySeconds: {{ .Values.filer.livenessProbe.initialDelaySeconds }} periodSeconds: {{ .Values.filer.livenessProbe.periodSeconds }} successThreshold: {{ .Values.filer.livenessProbe.successThreshold }} diff --git a/k8s/charts/seaweedfs/values.yaml b/k8s/charts/seaweedfs/values.yaml index e40327200..7bad4e2d9 100644 --- a/k8s/charts/seaweedfs/values.yaml +++ b/k8s/charts/seaweedfs/values.yaml @@ -261,10 +261,10 @@ master: tls: [] extraEnvironmentVars: - WEED_MASTER_VOLUME_GROWTH_COPY_1: '7' - WEED_MASTER_VOLUME_GROWTH_COPY_2: '6' - WEED_MASTER_VOLUME_GROWTH_COPY_3: '3' - WEED_MASTER_VOLUME_GROWTH_COPY_OTHER: '1' + WEED_MASTER_VOLUME_GROWTH_COPY_1: "7" + WEED_MASTER_VOLUME_GROWTH_COPY_2: "6" + WEED_MASTER_VOLUME_GROWTH_COPY_3: "3" + WEED_MASTER_VOLUME_GROWTH_COPY_OTHER: "1" # used to configure livenessProbe on master-server containers # 
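Review bot: In the livenessProbe branch, `{{ .Values.filer.livenessProbe.tcpSocket.port }}` renders an empty `port:` when `tcpSocket` is set without a `port` key, which would give a manifest the API server is likely to reject. A fallback keeps the probe valid: `{{ .Values.filer.livenessProbe.tcpSocket.port | default .Values.filer.port }}` in the `else` arm. The readinessProbe hunk above uses the same expression and needs the same change. The values.yaml hunks visible in this patch only change quoting and indentation, so the new `tcpSocket` key appears to be undocumented there; a commented example under `filer.livenessProbe` and `filer.readinessProbe` would help.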
@@ -348,16 +348,16 @@ volume: # maxVolumes: 0 # If set to zero on non-windows OS, the limit will be auto configured. (default "7") dataDirs: - - name: data1 - type: "hostPath" - hostPathPrefix: /ssd - maxVolumes: 0 + - name: data1 + type: "hostPath" + hostPathPrefix: /ssd + maxVolumes: 0 - # - name: data2 - # type: "persistentVolumeClaim" - # storageClass: "yourClassNameOfChoice" - # size: "800Gi" - # maxVolumes: 0 + # - name: data2 + # type: "persistentVolumeClaim" + # storageClass: "yourClassNameOfChoice" + # size: "800Gi" + # maxVolumes: 0 # This will automatically create a job for patching Kubernetes resources if the dataDirs type is 'persistentVolumeClaim' and the size has changed. resizeHook: @@ -397,7 +397,6 @@ volume: # limit background compaction or copying speed in mega bytes per second compactionMBps: "50" - # Volume server's rack name rack: null @@ -846,14 +845,14 @@ filer: # secret env variables secretExtraEnvironmentVars: {} - # WEED_POSTGRES_USERNAME: - # secretKeyRef: - # name: postgres-credentials - # key: username - # WEED_POSTGRES_PASSWORD: - # secretKeyRef: - # name: postgres-credentials - # key: password + # WEED_POSTGRES_USERNAME: + # secretKeyRef: + # name: postgres-credentials + # key: username + # WEED_POSTGRES_PASSWORD: + # secretKeyRef: + # name: postgres-credentials + # key: password s3: enabled: false @@ -1232,7 +1231,6 @@ worker: # Admin server to connect to adminServer: "" - # Worker capabilities - comma-separated list # Available: vacuum, balance, erasure_coding # Default: "vacuum,balance,erasure_coding" (all capabilities)