From 964a8f5fdec6615a0f5b97cb966ccf5ef8eebe8e Mon Sep 17 00:00:00 2001
From: Richard Chen Zheng <58443436+rchenzheng@users.noreply.github.com>
Date: Fri, 20 Feb 2026 03:37:54 -0500
Subject: [PATCH] Allow user to define access and secret key via values (#8389)
* Allow user to define admin access and secret key via values
* Add comments to values.yaml
* Add support for read for consistency
* Simplify templating
* Add checksum to s3 config
* Update comments
* Revert "Add checksum to s3 config"
This reverts commit d21a7038a86ae2adf547730b2cb6f455dcd4ce70.
---
 .../seaweedfs/templates/s3/s3-secret.yaml | 21 ++++++++++++++-----
 k8s/charts/seaweedfs/values.yaml | 18 ++++++++++++++++
 2 files changed, 34 insertions(+), 5 deletions(-)
diff --git a/k8s/charts/seaweedfs/templates/s3/s3-secret.yaml b/k8s/charts/seaweedfs/templates/s3/s3-secret.yaml
index 13aec8430..f41bce606 100644
--- a/k8s/charts/seaweedfs/templates/s3/s3-secret.yaml
+++ b/k8s/charts/seaweedfs/templates/s3/s3-secret.yaml
@@ -10,10 +10,21 @@
 {{- if and .Values.s3.reuseLegacySecret $existingSecret }}
 {{- $reuse = true }}
 {{- end }}
-{{- $access_key_admin := include "getOrGeneratePassword" (dict "namespace" .Release.Namespace "secretName" $secretName "key" "admin_access_key_id" "length" 20 "existingSecret" (ternary $existingSecret nil $reuse)) -}}
-{{- $secret_key_admin := include "getOrGeneratePassword" (dict "namespace" .Release.Namespace "secretName" $secretName "key" "admin_secret_access_key" "length" 40 "existingSecret" (ternary $existingSecret nil $reuse)) -}}
-{{- $access_key_read := include "getOrGeneratePassword" (dict "namespace" .Release.Namespace "secretName" $secretName "key" "read_access_key_id" "length" 20 "existingSecret" (ternary $existingSecret nil $reuse)) -}}
-{{- $secret_key_read := include "getOrGeneratePassword" (dict "namespace" .Release.Namespace "secretName" $secretName "key" "read_secret_access_key" "length" 40 "existingSecret" (ternary $existingSecret nil $reuse)) -}}
+{{- $creds := .Values.s3.credentials | default dict -}}
+{{- $adminCreds := $creds.admin | default dict -}}
+{{- $access_key_admin := $adminCreds.accessKey -}}
+{{- $secret_key_admin := $adminCreds.secretKey -}}
+{{- if not (and $access_key_admin $secret_key_admin) -}}
+ {{- $access_key_admin = include "getOrGeneratePassword" (dict "namespace" .Release.Namespace "secretName" $secretName "key" "admin_access_key_id" "length" 20 "existingSecret" (ternary $existingSecret nil $reuse)) -}}
+ {{- $secret_key_admin = include "getOrGeneratePassword" (dict "namespace" .Release.Namespace "secretName" $secretName "key" "admin_secret_access_key" "length" 40 "existingSecret" (ternary $existingSecret nil $reuse)) -}}
+{{- end -}}
+{{- $readCreds := $creds.read | default dict -}}
+{{- $access_key_read := $readCreds.accessKey -}}
+{{- $secret_key_read := $readCreds.secretKey -}}
+{{- if not (and $access_key_read $secret_key_read) -}}
+ {{- $access_key_read = include "getOrGeneratePassword" (dict "namespace" .Release.Namespace "secretName" $secretName "key" "read_access_key_id" "length" 20 "existingSecret" (ternary $existingSecret nil $reuse)) -}}
+ {{- $secret_key_read = include "getOrGeneratePassword" (dict "namespace" .Release.Namespace "secretName" $secretName "key" "read_secret_access_key" "length" 40 "existingSecret" (ternary $existingSecret nil $reuse)) -}}
+{{- end -}}
 apiVersion: v1
 kind: Secret
 type: Opaque
@@ -43,4 +54,4 @@ stringData:
 s3_auditLogConfig.json: |
 {{ toJson .Values.s3.auditLogConfig | nindent 4 }}
 {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/k8s/charts/seaweedfs/values.yaml b/k8s/charts/seaweedfs/values.yaml
index 8ce556b13..2eecf23dd 100644
--- a/k8s/charts/seaweedfs/values.yaml
+++ b/k8s/charts/seaweedfs/values.yaml
@@ -890,6 +890,10 @@ filer:
 # set to the name of an existing kubernetes Secret with the s3 json config file
 # should have a secret key called seaweedfs_s3_config with an inline json configure
 existingConfigSecret: null
+ # To provide explicit credentials for the S3 gateway, set them under
+ # the top-level s3.credentials key (not filer.s3.credentials).
+ # The s3-secret.yaml template only reads from .Values.s3.credentials.
+ # See: s3.credentials.admin.accessKey, s3.credentials.read.accessKey
 auditLogConfig: {}
 # You may specify buckets to be created during the install or upgrade process.
 # Buckets may be exposed publicly by setting `anonymousRead` to `true`
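Review bot: In the first s3-secret.yaml hunk, `if not (and $access_key_admin $secret_key_admin)` silently replaces both values with generated ones when only one of `accessKey`/`secretKey` is set, so an operator who supplies half a pair ends up with credentials they did not choose and gets no error. Rejecting the half-set case makes the misconfiguration visible at render time: `{{- if and (or $access_key_admin $secret_key_admin) (not (and $access_key_admin $secret_key_admin)) -}}{{- fail "s3.credentials.admin: set both accessKey and secretKey" -}}{{- end -}}`, with the same guard for the read pair. Generated keys are fixed at 20 and 40 characters, whereas supplied ones are accepted at any length, so a minimum-length check on `secretKey` would keep a weak value from being installed. The part of the template that renders these variables into the Secret is outside the hunk; if they are interpolated into JSON text there, supplied values containing quotes would need escaping.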
@@ -918,6 +922,16 @@ s3:
 # set to the name of an existing kubernetes Secret with the s3 json config file
 # should have a secret key called seaweedfs_s3_config with an inline json config
 existingConfigSecret: null
+ # Optionally provide explicit credentials for the S3 gateway.
+ # When set, these are used in the generated s3 secret instead of
+ # auto-generating random credentials.
+ # credentials:
+ # admin:
+ # accessKey: ""
+ # secretKey: ""
+ # read:
+ # accessKey: ""
+ # secretKey: ""
 auditLogConfig: {}
 # You may specify buckets to be created during the install or upgrade process.
 # Buckets may be exposed publicly by setting `anonymousRead` to `true`
@@ -1421,6 +1435,10 @@ allInOne:
 # Set to the name of an existing kubernetes Secret with the s3 json config file
 # should have a secret key called seaweedfs_s3_config with an inline json config
 existingConfigSecret: null
+ # To provide explicit credentials for the S3 gateway, set them under
+ # the top-level s3.credentials key (not allInOne.s3.credentials).
+ # The s3-secret.yaml template only reads from .Values.s3.credentials.
+ # See: s3.credentials.admin.accessKey, s3.credentials.read.accessKey
 auditLogConfig: null # S3 audit log configuration (null inherits from s3.auditLogConfig)
 # You may specify buckets to be created during the install process.
 # Buckets may be exposed publicly by setting `anonymousRead` to `true`
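Review bot: The `s3.credentials` comment block added in the `@@ -918` hunk does not say where these values end up: anything set in values is kept unencrypted in the Helm release data and in whatever values file carries it. I would add `# NOTE: values set here are stored in the Helm release data and in your values file; keep that file out of version control.` above the example. A second line, `# Both accessKey and secretKey must be set for a pair; otherwise random credentials are generated.`, would document the fallback in s3-secret.yaml, which discards a half-set pair. The example's `""` placeholders are treated as unset by that template, which is worth stating so nobody expects an empty key to be installed.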