From a9e1f006739d397087ba8e7c632de223be40707d Mon Sep 17 00:00:00 2001
From: Andrei Kvapil
Date: Fri, 11 Jul 2025 17:50:12 +0200
Subject: [PATCH] Fix drift for security config (#6967)
---
 .github/workflows/helm_ci.yml | 2 +-
 k8s/charts/seaweedfs/templates/security-configmap.yaml | 10 ++++++----
 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/helm_ci.yml b/.github/workflows/helm_ci.yml
index bc43c9b14..25a3de545 100644
--- a/.github/workflows/helm_ci.yml
+++ b/.github/workflows/helm_ci.yml
@@ -23,7 +23,7 @@ jobs:
 - name: Set up Helm
 uses: azure/setup-helm@v4
 with:
- version: v3.10.0
+ version: v3.18.4
 - uses: actions/setup-python@v5
 with:
diff --git a/k8s/charts/seaweedfs/templates/security-configmap.yaml b/k8s/charts/seaweedfs/templates/security-configmap.yaml
index 884fe6bb4..6f229c595 100644
--- a/k8s/charts/seaweedfs/templates/security-configmap.yaml
+++ b/k8s/charts/seaweedfs/templates/security-configmap.yaml
@@ -10,6 +10,8 @@ metadata:
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 data:
+ {{- $existing := (lookup "v1" "ConfigMap" .Release.Namespace (printf "%s-security-config" (include "seaweedfs.name" .))) }}
+ {{- $securityConfig := fromToml (dig "data" "security.toml" "" $existing) }}
 security.toml: |-
 # this file is read by master, volume server, and filer
@@ -17,7 +19,7 @@ data:
 # the jwt signing key is read by master and volume server
 # a jwt expires in 10 seconds
 [jwt.signing]
- key = "{{ randAlphaNum 10 | b64enc }}"
+ key = "{{ dig "jwt" "signing" "key" (randAlphaNum 10 | b64enc) $securityConfig }}"
 {{- end }}
 {{- if .Values.global.securityConfig.jwtSigning.volumeRead }}
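Review bot: The `fromToml` call on the second added line of the `@@ -10,6 +10,8 @@` hunk does not fail when the existing `security.toml` is not valid TOML; Helm's `fromToml` reports a parse error by returning a map whose only key is `Error`, so every later `dig ... $securityConfig` falls back to a fresh `randAlphaNum` value and all JWT signing keys silently rotate on that upgrade — the very drift this patch is meant to stop. Adding `{{- if hasKey $securityConfig "Error" }}{{- fail (printf "existing security.toml is not valid TOML: %s" (get $securityConfig "Error")) }}{{- end }}` directly after the assignment turns a silent key rotation into a visible upgrade failure. The same silent regeneration also occurs whenever `lookup` returns nothing — `helm template`, `--dry-run`, a GitOps renderer without cluster access, or a Helm identity lacking `get` on ConfigMaps in the release namespace — so a comment above the `$existing` line such as `# keys are carried over from the live ConfigMap; without cluster access (helm template, dry-run) new keys are generated` would spare operators a surprise.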
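Review bot: With the new `dig "jwt" "signing" "key" (randAlphaNum 10 | b64enc) $securityConfig` fallback on the added `key =` line of the `@@ -17,7 +19,7 @@` hunk, the generated signing key is created once and carried forward on every upgrade, so the pre-existing `randAlphaNum 10` default — ten alphanumeric characters, roughly 60 bits of entropy, and `b64enc` adds none — now becomes the permanent HMAC key for the lifetime of the release. Since this line is being rewritten anyway, widening the fallback to at least `randAlphaNum 32` costs nothing, and the base64 wrapping can stay for compatibility with existing deployments. The same applies to the `[jwt.signing.read]`, `[jwt.filer_signing]` and `[jwt.filer_signing.read]` key lines in the following hunks. There is also no longer any rotation path short of deleting the ConfigMap by hand; a comment such as `# signing keys are reused from the existing ConfigMap on upgrade; delete it to force new keys` above `security.toml:` documents that, and a values toggle to force regeneration would be the cleaner follow-up. The `{{- if ... }}` block enclosing this key starts before the hunk.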
@@ -25,7 +27,7 @@ data:
 # - the Master server generates the JWT, which can be used to read a certain file on a volume server
 # - the Volume server validates the JWT on reading
 [jwt.signing.read]
- key = "{{ randAlphaNum 10 | b64enc }}"
+ key = "{{ dig "jwt" "signing" "read" "key" (randAlphaNum 10 | b64enc) $securityConfig }}"
 {{- end }}
 {{- if .Values.global.securityConfig.jwtSigning.filerWrite }}
@@ -34,7 +36,7 @@ data:
 # - the Filer server validates the JWT on writing
 # the jwt defaults to expire after 10 seconds.
 [jwt.filer_signing]
- key = "{{ randAlphaNum 10 | b64enc }}"
+ key = "{{ dig "jwt" "filer_signing" "key" (randAlphaNum 10 | b64enc) $securityConfig }}"
 {{- end }}
 {{- if .Values.global.securityConfig.jwtSigning.filerRead }}
@@ -43,7 +45,7 @@ data:
 # - the Filer server validates the JWT on writing
 # the jwt defaults to expire after 10 seconds.
 [jwt.filer_signing.read]
- key = "{{ randAlphaNum 10 | b64enc }}"
+ key = "{{ dig "jwt" "filer_signing" "read" "key" (randAlphaNum 10 | b64enc) $securityConfig }}"
 {{- end }}
 # all grpc tls authentications are mutual