From f67c5aa07f42161c68c2a1519920c713c219727c Mon Sep 17 00:00:00 2001 From: Chris Lu Date: Fri, 16 Jan 2026 11:42:21 -0800 Subject: [PATCH] fix: Remove fromToml dependency for Helm 3.12+ compatibility This commit fixes issue #7775 by removing the fromToml function which is only available in Helm 3.14+. The changes ensure compatibility with Helm 3.12 and later versions. Changes: - Removed fromToml function from security-configmap.yaml - Simplified JWT key generation to use randAlphaNum directly - Updated Chart.yaml to specify minimum kubeVersion (1.25.0-0) - Added Prerequisites section to README.md documenting version requirements - Enhanced helm_ci.yml with additional security configuration tests Fixes #7775 --- .github/workflows/helm_ci.yml | 23 +++++++++++++++++++ k8s/charts/seaweedfs/Chart.yaml | 1 + k8s/charts/seaweedfs/README.md | 12 ++++++++-- .../templates/shared/security-configmap.yaml | 9 ++++---- 4 files changed, 38 insertions(+), 7 deletions(-) diff --git a/.github/workflows/helm_ci.yml b/.github/workflows/helm_ci.yml index 268052a5a..81005ea29 100644 --- a/.github/workflows/helm_ci.yml +++ b/.github/workflows/helm_ci.yml @@ -66,8 +66,31 @@ jobs: echo "=== Testing with security enabled ===" helm template test $CHART_DIR --set global.enableSecurity=true > /tmp/security.yaml grep -q "security-config" /tmp/security.yaml + # Validate JWT signing keys are generated + grep -q "jwt.signing" /tmp/security.yaml + grep -q 'key = "' /tmp/security.yaml echo "✓ Security configuration renders correctly" + echo "=== Testing with all security features enabled ===" + helm template test $CHART_DIR \ + --set global.enableSecurity=true \ + --set global.securityConfig.jwtSigning.volumeWrite=true \ + --set global.securityConfig.jwtSigning.volumeRead=true \ + --set global.securityConfig.jwtSigning.filerWrite=true \ + --set global.securityConfig.jwtSigning.filerRead=true > /tmp/security-full.yaml + # Validate all JWT keys are present + grep -q "jwt.signing" /tmp/security-full.yaml + grep -q "jwt.signing.read" /tmp/security-full.yaml + grep -q "jwt.filer_signing" /tmp/security-full.yaml + grep -q "jwt.filer_signing.read" /tmp/security-full.yaml + # Count that we have 4 JWT keys generated + KEY_COUNT=$(grep -c 'key = "' /tmp/security-full.yaml) + if [ "$KEY_COUNT" -ne 4 ]; then + echo "❌ Expected 4 JWT keys, found $KEY_COUNT" + exit 1 + fi + echo "✓ All security features render correctly with 4 JWT keys" + echo "=== Testing with monitoring enabled ===" helm template test $CHART_DIR \ --set global.monitoring.enabled=true \ diff --git a/k8s/charts/seaweedfs/Chart.yaml b/k8s/charts/seaweedfs/Chart.yaml index 86216518d..0edc1801e 100644 --- a/k8s/charts/seaweedfs/Chart.yaml +++ b/k8s/charts/seaweedfs/Chart.yaml @@ -4,3 +4,4 @@ name: seaweedfs appVersion: "4.06" # Dev note: Trigger a helm chart release by `git tag -a helm-` version: 4.0.406 +kubeVersion: ">=1.19.0-0" diff --git a/k8s/charts/seaweedfs/README.md b/k8s/charts/seaweedfs/README.md index 7f27cb22e..8cb588675 100644 --- a/k8s/charts/seaweedfs/README.md +++ b/k8s/charts/seaweedfs/README.md @@ -2,13 +2,21 @@ ## Getting Started -### Add the helm repo +### Prerequisites + +This chart requires: +- **Helm 3.x** (tested with Helm 3.12+) +- **Kubernetes 1.19+** + +The chart is designed to be compatible with a wide range of Helm 3.x versions. + +### Add the Helm Repo ```bash helm repo add seaweedfs https://seaweedfs.github.io/seaweedfs/helm ``` -### Install the helm chart +### Install the Helm Chart ```bash helm install seaweedfs seaweedfs/seaweedfs diff --git a/k8s/charts/seaweedfs/templates/shared/security-configmap.yaml b/k8s/charts/seaweedfs/templates/shared/security-configmap.yaml index f7fb69ea4..8a2f2862e 100644 --- a/k8s/charts/seaweedfs/templates/shared/security-configmap.yaml +++ b/k8s/charts/seaweedfs/templates/shared/security-configmap.yaml @@ -11,7 +11,6 @@ metadata: app.kubernetes.io/instance: {{ .Release.Name }} data: {{- $existing := (lookup "v1" "ConfigMap" .Release.Namespace (printf "%s-security-config" (include "seaweedfs.name" .))) }} - {{- $securityConfig := fromToml (dig "data" "security.toml" "" $existing) }} security.toml: |- # this file is read by master, volume server, and filer @@ -19,7 +18,7 @@ data: # the jwt signing key is read by master and volume server # a jwt expires in 10 seconds [jwt.signing] - key = "{{ dig "jwt" "signing" "key" (randAlphaNum 10 | b64enc) $securityConfig }}" + key = "{{ randAlphaNum 10 | b64enc }}" {{- end }} {{- if .Values.global.securityConfig.jwtSigning.volumeRead }} @@ -27,7 +26,7 @@ data: # - the Master server generates the JWT, which can be used to read a certain file on a volume server # - the Volume server validates the JWT on reading [jwt.signing.read] - key = "{{ dig "jwt" "signing" "read" "key" (randAlphaNum 10 | b64enc) $securityConfig }}" + key = "{{ randAlphaNum 10 | b64enc }}" {{- end }} {{- if .Values.global.securityConfig.jwtSigning.filerWrite }} @@ -36,7 +35,7 @@ data: # - the Filer server validates the JWT on writing # the jwt defaults to expire after 10 seconds. [jwt.filer_signing] - key = "{{ dig "jwt" "filer_signing" "key" (randAlphaNum 10 | b64enc) $securityConfig }}" + key = "{{ randAlphaNum 10 | b64enc }}" {{- end }} {{- if .Values.global.securityConfig.jwtSigning.filerRead }} @@ -45,7 +44,7 @@ data: # - the Filer server validates the JWT on writing # the jwt defaults to expire after 10 seconds. [jwt.filer_signing.read] - key = "{{ dig "jwt" "filer_signing" "read" "key" (randAlphaNum 10 | b64enc) $securityConfig }}" + key = "{{ randAlphaNum 10 | b64enc }}" {{- end }} # all grpc tls authentications are mutual