fix(helm): namespace app-specific global values under global.seaweedfs (#8700)

* fix(helm): namespace app-specific values under global.seaweedfs

Move all app-specific values from the global namespace to
global.seaweedfs.* to avoid polluting the shared .Values.global
namespace when the chart is used as a subchart.

Standard Helm conventions (global.imageRegistry, global.imagePullSecrets)
remain at the global level as they are designed to be shared across
subcharts.

Fixes seaweedfs/seaweedfs#8699

BREAKING CHANGE: global values have been restructured. Users must update
their values files to use the new paths:
- global.registry → global.imageRegistry
- global.repository → global.seaweedfs.image.repository
- global.imageName → global.seaweedfs.image.name
- global.<key> → global.seaweedfs.<key> (for all other app-specific values)

* fix(ci): update helm CI tests to use new global.seaweedfs.* value paths

Update all --set flags in helm_ci.yml to use the new namespaced
global.seaweedfs.* paths matching the values.yaml restructuring.

* fix(ci): install Claude Code via npm to avoid install.sh 403

The claude-code-action's built-in installer uses
`curl https://claude.ai/install.sh | bash` which can fail with 403.
Due to the pipe, bash exits 0 on empty input, masking the curl failure
and leaving the `claude` binary missing.

Work around this by installing Claude Code via npm before invoking the
action, and passing the executable path via path_to_claude_code_executable.

* revert: remove claude-code-review.yml changes from this PR

The claude-code-action OIDC token exchange validates that the workflow
file matches the version on the default branch. Modifying it in a PR
causes the review job to fail with "Workflow validation failed".

The Claude Code install fix will need to be applied directly to master
or in a separate PR.

* fix: update stale references to old global.* value paths

- admin-statefulset.yaml: fix fail message to reference
  global.seaweedfs.masterServer
- values.yaml: fix comment to reference image.name instead of imageName
- helm_ci.yml: fix diagnostic message to reference
  global.seaweedfs.enableSecurity

* feat(helm): add backward-compat shim for old global.* value paths

Add _compat.tpl with a seaweedfs.compat helper that detects old-style
global.* keys (e.g. global.enableSecurity, global.registry) and merges
them into the new global.seaweedfs.* namespace.

Since the old keys no longer have defaults in values.yaml, their
presence means the user explicitly provided them. The helper uses
in-place mutation via `set` so all templates see the merged values.

This ensures existing deployments using old value paths continue to
work without changes after upgrading.

* fix: update stale comment references in values.yaml

Update comments referencing global.enableSecurity and global.masterServer
to the new global.seaweedfs.* paths.

---------

Co-authored-by: Copilot <copilot@github.com>
This commit is contained in:
Chris Lu
2026-03-19 13:00:48 -07:00
committed by GitHub
parent 55bc363228
commit 5e76f55077
37 changed files with 288 additions and 190 deletions

@@ -1,51 +1,57 @@
# Available parameters and their default values for the SeaweedFS chart.
global:
createClusterRole: true
registry: ""
# if repository is set, it overrides the namespace part of imageName
repository: ""
imageName: chrislusf/seaweedfs
imagePullPolicy: IfNotPresent
# global.imageRegistry and global.imagePullSecrets are standard Helm conventions
# shared across subcharts. See https://helm.sh/docs/chart_template_guide/subcharts_and_globals/
imageRegistry: ""
imagePullSecrets: ""
restartPolicy: Always
loggingLevel: 1
enableSecurity: false
masterServer: null
securityConfig:
jwtSigning:
volumeWrite: true
volumeRead: false
filerWrite: false
filerRead: false
# we will use this serviceAccountName for all ClusterRoles/ClusterRoleBindings
serviceAccountName: "seaweedfs"
serviceAccountAnnotations: {}
automountServiceAccountToken: true
certificates:
duration: 87600h
renewBefore: 720h
alphacrds: false
monitoring:
enabled: false
gatewayHost: null
gatewayPort: null
additionalLabels: {}
# if enabled will use global.replicationPlacement and override master & filer defaultReplicaPlacement config
enableReplication: false
# replication type is XYZ:
# X number of replica in other data centers
# Y number of replica in other racks in the same data center
# Z number of replica in other servers in the same rack
replicationPlacement: "001"
extraEnvironmentVars:
WEED_CLUSTER_DEFAULT: "sw"
WEED_CLUSTER_SW_MASTER: "{{ include \"seaweedfs.cluster.masterAddress\" . }}"
WEED_CLUSTER_SW_FILER: "{{ include \"seaweedfs.cluster.filerAddress\" . }}"
# WEED_JWT_SIGNING_KEY:
# secretKeyRef:
# name: seaweedfs-signing-key
# key: signingKey
# All app-specific global values are namespaced under global.seaweedfs
# to avoid polluting the shared global namespace when used as a subchart.
seaweedfs:
createClusterRole: true
image:
# if repository is set, it overrides the namespace part of image.name
repository: ""
name: chrislusf/seaweedfs
imagePullPolicy: IfNotPresent
restartPolicy: Always
loggingLevel: 1
enableSecurity: false
masterServer: null
securityConfig:
jwtSigning:
volumeWrite: true
volumeRead: false
filerWrite: false
filerRead: false
# we will use this serviceAccountName for all ClusterRoles/ClusterRoleBindings
serviceAccountName: "seaweedfs"
serviceAccountAnnotations: {}
automountServiceAccountToken: true
certificates:
duration: 87600h
renewBefore: 720h
alphacrds: false
monitoring:
enabled: false
gatewayHost: null
gatewayPort: null
additionalLabels: {}
# if enabled will use global.seaweedfs.replicationPlacement and override master & filer defaultReplicaPlacement config
enableReplication: false
# replication type is XYZ:
# X number of replica in other data centers
# Y number of replica in other racks in the same data center
# Z number of replica in other servers in the same rack
replicationPlacement: "001"
extraEnvironmentVars:
WEED_CLUSTER_DEFAULT: "sw"
WEED_CLUSTER_SW_MASTER: "{{ include \"seaweedfs.cluster.masterAddress\" . }}"
WEED_CLUSTER_SW_FILER: "{{ include \"seaweedfs.cluster.filerAddress\" . }}"
# WEED_JWT_SIGNING_KEY:
# secretKeyRef:
# name: seaweedfs-signing-key
# key: signingKey
image:
registry: ""
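Review bot: The header comment on the new `seaweedfs:` block does not say that the former top-level keys are deprecated, which matters most for `enableSecurity` and `securityConfig.jwtSigning`. Both move from `global` to `global.seaweedfs`, and the new `global.seaweedfs.enableSecurity` defaults to `false`, so a values file that still sets `global.enableSecurity: true` depends entirely on the compat helper described in the commit message to keep security enabled after an upgrade. Suggest listing the old paths as deprecated in this comment (`global.enableSecurity`, `global.securityConfig`, `global.registry`, `global.imageName`) and adding a CI render that sets only the old `global.enableSecurity=true` and checks that the output still has security turned on.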
@@ -932,7 +938,7 @@ s3:
# instead of the internal self-signed client certificate generated by cert-manager.
# This allows using a publicly trusted certificate (e.g., from Let's Encrypt)
# so that S3 clients don't need to trust the internal CA.
# Requires global.enableSecurity to be true.
# Requires global.seaweedfs.enableSecurity to be true.
tlsSecret: null
metricsPort: 9327
# Iceberg catalog REST port (Apache Iceberg REST Catalog API)
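Review bot: The `tlsSecret` comment states the requirement ("Requires global.seaweedfs.enableSecurity to be true.") but not what happens when `tlsSecret` is set and the flag is false. Suggest either documenting the behaviour in this comment or having the template `fail` with a message that names `global.seaweedfs.enableSecurity`, so a values file still using the old key path is rejected at render time and a publicly trusted certificate is not silently left unused.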
@@ -1203,7 +1209,7 @@ admin:
dataDir: "" # If empty, configuration is kept in memory only
# Master servers to connect to
# If empty, uses global.masterServer or auto-discovers from master statefulset
# If empty, uses global.seaweedfs.masterServer or auto-discovers from master statefulset
masters: ""
# URL path prefix when running behind a reverse proxy under a subdirectory