helm: fix admin secret template paths and remove duplicate (#7690)

* add admin and worker to helm charts * workers are stateless, admin is stateful * removed the duplicate admin-deployment.yaml * address comments * address comments * purge * Update README.md * Update k8s/charts/seaweedfs/templates/admin/admin-ingress.yaml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * address comments * address comments * supports Kubernetes versions from v1.14 to v1.30+, ensuring broad compatibility * add probe for workers * address comments * add a todo * chore: trigger CI * use port name for probes in admin statefulset * add secrets to admin helm chart * fix error .Values.admin.secret.existingSecret * helm: fix admin secret template paths and remove duplicate - Fix value paths to use .Values.admin.secret.existingSecret instead of .Values.existingSecret - Use templated secret name {{ template "seaweedfs.name" . }}-admin-secret - Add .Values.admin.enabled check to admin-secret.yaml - Remove duplicate admin-secret.yaml from templates/ root * helm: address PR review feedback - Only pass adminUser/adminPassword args when auth is enabled (fixes regression) - Use $adminSecretName variable to reduce duplication (DRY) - Only create admin-secret when adminPassword is set - Add documentation comments for existingSecret, userKey, pwKey fields - Clarify that empty adminPassword disables authentication * helm: quote admin credentials to handle spaces * helm: fix yaml lint errors (comment spacing, trailing blank line) * helm: add validation for existingSecret requiring userKey and pwKey --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Ubuntu <morez.martin@gmail.com>
2025-12-09 16:57:11 -08:00
parent 80c7de8d76
commit 4f382b77c8
3 changed files with 55 additions and 10 deletions
--- a/k8s/charts/seaweedfs/templates/admin/admin-secret.yaml
+++ b/k8s/charts/seaweedfs/templates/admin/admin-secret.yaml
@@ -0,0 +1,20 @@
+{{- if and .Values.admin.enabled .Values.admin.secret.adminPassword (not .Values.admin.secret.existingSecret) }}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: {{ template "seaweedfs.name" . }}-admin-secret
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/resource-policy": keep
+    "helm.sh/hook": "pre-install,pre-upgrade"
+  labels:
+    app.kubernetes.io/name: {{ template "seaweedfs.name" . }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: admin
+data:
+  adminUser: {{ .Values.admin.secret.adminUser | b64enc }}
+  adminPassword: {{ .Values.admin.secret.adminPassword | b64enc }}
+{{- end}}
--- a/k8s/charts/seaweedfs/templates/admin/admin-statefulset.yaml
+++ b/k8s/charts/seaweedfs/templates/admin/admin-statefulset.yaml
@@ -80,7 +80,27 @@ spec:
        - name: seaweedfs
          image: {{ template "admin.image" . }}
          imagePullPolicy: {{ default "IfNotPresent" .Values.global.imagePullPolicy }}
+          {{- $adminAuthEnabled := or .Values.admin.secret.existingSecret .Values.admin.secret.adminPassword }}
+          {{- if and .Values.admin.secret.existingSecret (not .Values.admin.secret.userKey) -}}
+          {{-   fail "admin.secret.userKey must be set when admin.secret.existingSecret is provided" -}}
+          {{- end -}}
+          {{- if and .Values.admin.secret.existingSecret (not .Values.admin.secret.pwKey) -}}
+          {{-   fail "admin.secret.pwKey must be set when admin.secret.existingSecret is provided" -}}
+          {{- end -}}
+          {{- $adminSecretName := .Values.admin.secret.existingSecret | default (printf "%s-admin-secret" (include "seaweedfs.name" .)) }}
          env:
+            {{- if $adminAuthEnabled }}
+            - name: SEAWEEDFS_ADMIN_USER
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $adminSecretName }}
+                  key: {{ if .Values.admin.secret.existingSecret }}{{ .Values.admin.secret.userKey }}{{ else }}adminUser{{ end }}
+            - name: SEAWEEDFS_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $adminSecretName }}
+                  key: {{ if .Values.admin.secret.existingSecret }}{{ .Values.admin.secret.pwKey }}{{ else }}adminPassword{{ end }}
+            {{- end }}
            - name: POD_IP
              valueFrom:
                fieldRef:
@@ -140,9 +160,9 @@ spec:
              {{- else if .Values.admin.dataDir }}
              -dataDir={{ .Values.admin.dataDir }} \
              {{- end }}
-              {{- if .Values.admin.adminPassword }}
-              -adminUser='{{ .Values.admin.adminUser }}' \
-              -adminPassword='{{ .Values.admin.adminPassword }}' \
+              {{- if $adminAuthEnabled }}
+              -adminUser="${SEAWEEDFS_ADMIN_USER}" \
+              -adminPassword="${SEAWEEDFS_ADMIN_PASSWORD}" \
              {{- end }}
              {{- if .Values.admin.masters }}
              -masters={{ .Values.admin.masters }}{{- if .Values.admin.extraArgs }} \{{ end }}
--- a/k8s/charts/seaweedfs/values.yaml
+++ b/k8s/charts/seaweedfs/values.yaml
@@ -1099,10 +1099,15 @@ admin:
  loggingOverrideLevel: null

  # Admin authentication
-  # Note: Avoid special shell characters in password ($ \ " ' ( ) [ ] { } ; | & < >)
-  # For production, consider using Kubernetes Secrets (future enhancement)
-  adminUser: "admin"
-  adminPassword: ""  # If empty, auth is disabled
+  secret:
+    # Name of an existing secret containing admin credentials. If set, adminUser and adminPassword below are ignored.
+    existingSecret: ""
+    # Key in the existing secret for the admin username. Required if existingSecret is set.
+    userKey: ""
+    # Key in the existing secret for the admin password. Required if existingSecret is set.
+    pwKey: ""
+    adminUser: "admin"
+    adminPassword: ""  # If empty, authentication is disabled.

  # Data directory for admin configuration and maintenance data
  dataDir: ""  # If empty, configuration is kept in memory only
@@ -1226,9 +1231,9 @@ worker:
  adminServer: ""

  # Worker capabilities - comma-separated list
-  # Available: vacuum, balance, ec (erasure_coding)
-  # Default: "vacuum,ec,balance"
-  capabilities: "vacuum,ec,balance"
+  # Available: vacuum, balance, erasure_coding
+  # Default: "vacuum,balance,erasure_coding" (all capabilities)
+  capabilities: "vacuum,balance,erasure_coding"

  # Maximum number of concurrent tasks
  maxConcurrent: 3