[seaweedfs] Update SeaweedFS v3.99 and deploy S3 as stacked service (#1562)

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

<!-- Thank you for making a contribution! Here are some tips for you:
- Start the PR title with the [label] of Cozystack component:
- For system components: [platform], [system], [linstor], [cilium],
[kube-ovn], [dashboard], [cluster-api], etc.
- For managed apps: [apps], [tenant], [kubernetes], [postgres],
[virtual-machine] etc.
- For development and maintenance: [tests], [ci], [docs], [maintenance].
- If it's a work in progress, consider creating this PR as a draft.
- Don't hesitate to ask for opinion and review in the community chats,
even if it's still a draft.
- Add the label `backport` if it's a bugfix that needs to be backported
to a previous version.
-->

## What this PR does


### Release note

<!--  Write a release note:
- Explain what has changed internally and for users.
- Start with the same [label] as in the PR title
- Follow the guidelines at
https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md.
-->

```release-note
[]
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Helm values now control ingress paths; computed cluster endpoint env
vars are injected.
  * Optional container securityContext for volume init containers added.
  * Node architecture-specific targeting disabled by default.

* **Refactor**
* Image configuration reorganized with separate registry field;
container image build simplified.

* **Bug Fixes / Behavior**
* S3-related authorization and signature handling changed; S3 gateway
toggled.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
This commit is contained in:
Andrei Kvapil
2025-10-31 20:13:09 +05:00
committed by GitHub
15 changed files with 83 additions and 162 deletions


@@ -12,7 +12,6 @@ update:
sed -i.bak "/ARG VERSION/ s|=.*|=$${version}|g" images/seaweedfs/Dockerfile && \
rm -f images/seaweedfs/Dockerfile.bak
patch --no-backup-if-mismatch -p4 < patches/resize-api-server-annotation.diff
patch --no-backup-if-mismatch -p4 < patches/fix-volume-servicemonitor.patch
#patch --no-backup-if-mismatch -p4 < patches/retention-policy-delete.yaml
image:


@@ -1,6 +1,6 @@
apiVersion: v1
description: SeaweedFS
name: seaweedfs
appVersion: "3.97"
appVersion: "3.99"
# Dev note: Trigger a helm chart release by `git tag -a helm-<version>`
version: 4.0.397
version: 4.0.399


@@ -79,6 +79,12 @@ spec:
image: {{ template "master.image" . }}
imagePullPolicy: {{ default "IfNotPresent" .Values.global.imagePullPolicy }}
env:
{{- /* Determine default cluster alias and the corresponding env var keys to avoid conflicts */}}
{{- $envMerged := merge (.Values.global.extraEnvironmentVars | default dict) (.Values.allInOne.extraEnvironmentVars | default dict) }}
{{- $clusterDefault := default "sw" (index $envMerged "WEED_CLUSTER_DEFAULT") }}
{{- $clusterUpper := upper $clusterDefault }}
{{- $clusterMasterKey := printf "WEED_CLUSTER_%s_MASTER" $clusterUpper }}
{{- $clusterFilerKey := printf "WEED_CLUSTER_%s_FILER" $clusterUpper }}
- name: POD_IP
valueFrom:
fieldRef:
@@ -95,6 +101,7 @@ spec:
value: "{{ template "seaweedfs.name" . }}"
{{- if .Values.allInOne.extraEnvironmentVars }}
{{- range $key, $value := .Values.allInOne.extraEnvironmentVars }}
{{- if and (ne $key $clusterMasterKey) (ne $key $clusterFilerKey) }}
- name: {{ $key }}
{{- if kindIs "string" $value }}
value: {{ $value | quote }}
@@ -104,8 +111,10 @@ spec:
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.global.extraEnvironmentVars }}
{{- range $key, $value := .Values.global.extraEnvironmentVars }}
{{- if and (ne $key $clusterMasterKey) (ne $key $clusterFilerKey) }}
- name: {{ $key }}
{{- if kindIs "string" $value }}
value: {{ $value | quote }}
@@ -115,6 +124,12 @@ spec:
{{- end }}
{{- end }}
{{- end }}
{{- end }}
# Inject computed cluster endpoints for the default cluster
- name: {{ $clusterMasterKey }}
value: {{ include "seaweedfs.cluster.masterAddress" . | quote }}
- name: {{ $clusterFilerKey }}
value: {{ include "seaweedfs.cluster.filerAddress" . | quote }}
command:
- "/bin/sh"
- "-ec"
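Review bot: The env merge at the top of the hunk, `merge (.Values.global.extraEnvironmentVars | default dict) (.Values.allInOne.extraEnvironmentVars | default dict)`, writes into its first argument as far as I recall sprig's `merge` semantics, so allInOne-only variables would leak into `.Values.global.extraEnvironmentVars` for every template rendered after this one, and on a conflict the global value wins over the component value, which is the reverse of the usual override order. Merging into a fresh map fixes both at once: `{{- $envMerged := merge (dict) (.Values.allInOne.extraEnvironmentVars | default dict) (.Values.global.extraEnvironmentVars | default dict) }}`. Separately, the two `ne $key $clusterMasterKey` / `ne $key $clusterFilerKey` guards silently drop a user-supplied `WEED_CLUSTER_<X>_MASTER`/`_FILER` (the cozystack values in this same PR still set `WEED_CLUSTER_SW_MASTER`), so a deliberate override such as an external or TLS-fronted master can no longer be expressed; either honour the user value when present or add a comment next to the guard stating that these two keys are always computed for the all-in-one pod. The container spec continues past the end of the hunk.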


@@ -15,7 +15,6 @@ spec:
selector:
matchLabels:
app.kubernetes.io/name: {{ template "seaweedfs.name" . }}
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: objectstorage-provisioner
template:
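Review bot: If I read the `-15,7 +15,6` header right, this drops `helm.sh/chart` from `spec.selector.matchLabels`, which is the correct fix because a chart-version-bearing selector would otherwise change on every chart bump, but a workload selector is immutable, so `helm upgrade` on an existing release will be rejected with a "field is immutable" error until the old objectstorage-provisioner Deployment is deleted or the release is reinstalled. That deserves a line in the (currently empty) release note and a pre-upgrade hint in the chart, e.g. `# NOTE: selector labels changed in 4.0.399 — delete the existing objectstorage-provisioner Deployment before upgrading`. Please also check that the pod template labels below the hunk still carry the three remaining selector labels.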


@@ -28,8 +28,8 @@ spec:
rules:
- http:
paths:
- path: /sw-filer/?(.*)
pathType: ImplementationSpecific
- path: {{ .Values.filer.ingress.path | quote }}
pathType: {{ .Values.filer.ingress.pathType | quote }}
backend:
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion }}
service:
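Review bot: `{{ .Values.filer.ingress.path | quote }}` renders `""` when a user overrides the `filer.ingress` block without a `path` (or `pathType`), which the API server rejects, so older values files that only set `host`/`annotations` would stop rendering; a default in the template keeps them working: `- path: {{ .Values.filer.ingress.path | default "/sw-filer/?(.*)" | quote }}` and `pathType: {{ .Values.filer.ingress.pathType | default "ImplementationSpecific" | quote }}`. The default `/sw-filer/?(.*)` is an nginx regex that only works with `ImplementationSpecific` plus the nginx rewrite annotations, so if someone switches `pathType` to `Prefix` or `Exact` the regex characters are taken literally; a comment beside the values.yaml default saying so would prevent that. The rule's backend continues below the hunk.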


@@ -28,8 +28,8 @@ spec:
rules:
- http:
paths:
- path: /sw-master/?(.*)
pathType: ImplementationSpecific
- path: {{ .Values.master.ingress.path | quote }}
pathType: {{ .Values.master.ingress.pathType | quote }}
backend:
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion }}
service:


@@ -27,8 +27,8 @@ spec:
rules:
- http:
paths:
- path: /
pathType: ImplementationSpecific
- path: {{ .Values.s3.ingress.path | quote }}
pathType: {{ .Values.s3.ingress.pathType | quote }}
backend:
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion }}
service:
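Review bot: Unlike the master and filer ingresses, whose values carry basic-auth annotations, the S3 ingress here is driven by a values block that defaults to `path: "/"`, `pathType: Prefix` and `annotations: {}`, so with the S3 gateway now enabled by default whether anything protects this endpoint depends entirely on `s3.enableAuth` and the credential secret, neither of which is visible in this hunk. I would add the same nil guard as the other ingresses, `- path: {{ .Values.s3.ingress.path | default "/" | quote }}`, and a comment in the s3 ingress values: `# the ingress adds no authentication; S3 auth is enforced by the gateway (s3.enableAuth)`. The backend stanza continues outside the hunk.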


@@ -96,13 +96,16 @@ Inject extra environment vars in the format key:value, if populated
{{/* Computes the container image name for all components (if they are not overridden) */}}
{{- define "common.image" -}}
{{- $registryName := default .Values.image.registry .Values.global.registry | toString -}}
{{- $repositoryName := .Values.image.repository | toString -}}
{{- $repositoryName := default .Values.image.repository .Values.global.repository | toString -}}
{{- $name := .Values.global.imageName | toString -}}
{{- $tag := default .Chart.AppVersion .Values.image.tag | toString -}}
{{- if $repositoryName -}}
{{- $name = printf "%s/%s" (trimSuffix "/" $repositoryName) (base $name) -}}
{{- end -}}
{{- if $registryName -}}
{{- printf "%s/%s%s:%s" $registryName $repositoryName $name $tag -}}
{{- printf "%s/%s:%s" $registryName $name $tag -}}
{{- else -}}
{{- printf "%s%s:%s" $repositoryName $name $tag -}}
{{- printf "%s:%s" $name $tag -}}
{{- end -}}
{{- end -}}
@@ -219,3 +222,27 @@ or generate a new random password if it doesn't exist.
{{- randAlphaNum $length -}}
{{- end -}}
{{- end -}}
{{/*
Compute the master service address to be used in cluster env vars.
If allInOne is enabled, point to the all-in-one service; otherwise, point to the master service.
*/}}
{{- define "seaweedfs.cluster.masterAddress" -}}
{{- $serviceNameSuffix := "-master" -}}
{{- if .Values.allInOne.enabled -}}
{{- $serviceNameSuffix = "-all-in-one" -}}
{{- end -}}
{{- printf "%s%s.%s:%d" (include "seaweedfs.name" .) $serviceNameSuffix .Release.Namespace (int .Values.master.port) -}}
{{- end -}}
{{/*
Compute the filer service address to be used in cluster env vars.
If allInOne is enabled, point to the all-in-one service; otherwise, point to the filer-client service.
*/}}
{{- define "seaweedfs.cluster.filerAddress" -}}
{{- $serviceNameSuffix := "-filer-client" -}}
{{- if .Values.allInOne.enabled -}}
{{- $serviceNameSuffix = "-all-in-one" -}}
{{- end -}}
{{- printf "%s%s.%s:%d" (include "seaweedfs.name" .) $serviceNameSuffix .Release.Namespace (int .Values.filer.port) -}}
{{- end -}}
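Review bot: `common.image` still joins with `%s:%s` in `printf "%s/%s:%s" $registryName $name $tag`, so a digest-only `image.tag` such as `@sha256:…` renders `seaweedfs:@sha256:…`, which the container runtime rejects; the cozystack values work around it with `latest@sha256:…`, but the helper should accept a bare digest, e.g. `{{- $sep := ternary "" ":" (hasPrefix "@" $tag) -}}` followed by `printf "%s/%s%s%s" $registryName $name $sep $tag` (and the same in the no-registry branch). The new `seaweedfs.cluster.masterAddress`/`filerAddress` helpers render `:0` when `master.port` or `filer.port` is unset and always emit a plain `host:port` with no scheme, so they presumably rely on the chart defaults for both ports and on plain-text gRPC/HTTP regardless of `global.enableSecurity`; a note in the helper comment, `assumes master.port/filer.port are set (chart defaults) and that TLS is configured out of band`, would record that.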


@@ -21,9 +21,9 @@ metadata:
{{- with $.Values.global.monitoring.additionalLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- if $.Values.volume.annotations }}
{{- with $volume.annotations }}
annotations:
{{- toYaml $.Values.volume.annotations | nindent 4 }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
endpoints:


@@ -88,6 +88,9 @@ spec:
- name: {{ $dir.name }}
mountPath: /{{ $dir.name }}
{{- end }}
{{- if $volume.containerSecurityContext.enabled }}
securityContext: {{- omit $volume.containerSecurityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
{{- end }}
{{- if $volume.initContainers }}
{{ tpl (printf "{{ $volumeName := \"%s\" }}%s" $volumeName $volume.initContainers) $ | indent 8 | trim }}
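Review bot: `{{- if $volume.containerSecurityContext.enabled }}` dereferences `enabled` on a nil map when a volume entry omits `containerSecurityContext`, which aborts rendering with a nil-pointer template error instead of skipping the block; guard the map first, `{{- if and $volume.containerSecurityContext $volume.containerSecurityContext.enabled }}`, or use `{{- if dig "containerSecurityContext" "enabled" false $volume }}`. The `omit … "enabled" | toYaml` pattern on the next line is fine, but since this sits inside the init-container loop (the enclosing range starts before the hunk) the values.yaml key should say so, e.g. `# containerSecurityContext applies to the volume init containers only`, so users do not expect it to harden the main volume container.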


@@ -3,6 +3,7 @@
global:
createClusterRole: true
registry: ""
# if repository is set, it overrides the namespace part of imageName
repository: ""
imageName: chrislusf/seaweedfs
imagePullPolicy: IfNotPresent
@@ -201,8 +202,7 @@ master:
# nodeSelector labels for master pod assignment, formatted as a muli-line string.
# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
# Example:
nodeSelector: |
kubernetes.io/arch: amd64
nodeSelector: ""
# nodeSelector: |
# sw-backend: "true"
@@ -238,6 +238,8 @@ master:
className: "nginx"
# host: false for "*" hostname
host: "master.seaweedfs.local"
path: "/sw-master/?(.*)"
pathType: ImplementationSpecific
annotations:
nginx.ingress.kubernetes.io/auth-type: "basic"
nginx.ingress.kubernetes.io/auth-secret: "default/ingress-basic-auth-secret"
@@ -478,8 +480,7 @@ volume:
# nodeSelector labels for server pod assignment, formatted as a muli-line string.
# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
# Example:
nodeSelector: |
kubernetes.io/arch: amd64
nodeSelector: ""
# nodeSelector: |
# sw-volume: "true"
@@ -735,8 +736,7 @@ filer:
# nodeSelector labels for server pod assignment, formatted as a muli-line string.
# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
# Example:
nodeSelector: |
kubernetes.io/arch: amd64
nodeSelector: ""
# nodeSelector: |
# sw-backend: "true"
@@ -772,6 +772,8 @@ filer:
className: "nginx"
# host: false for "*" hostname
host: "seaweedfs.cluster.local"
path: "/sw-filer/?(.*)"
pathType: ImplementationSpecific
annotations:
nginx.ingress.kubernetes.io/backend-protocol: GRPC
nginx.ingress.kubernetes.io/auth-type: "basic"
@@ -871,7 +873,7 @@ filer:
# anonymousRead: false
s3:
enabled: false
enabled: true
imageOverride: null
restartPolicy: null
replicas: 1
@@ -932,8 +934,7 @@ s3:
# nodeSelector labels for server pod assignment, formatted as a muli-line string.
# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
# Example:
nodeSelector: |
kubernetes.io/arch: amd64
nodeSelector: ""
# nodeSelector: |
# sw-backend: "true"
@@ -975,6 +976,11 @@ s3:
extraEnvironmentVars:
# Custom command line arguments to add to the s3 command
# Example to fix connection idle seconds:
extraArgs: ["-idleTimeout=30"]
# extraArgs: []
# used to configure livenessProbe on s3 containers
#
livenessProbe:
@@ -1006,6 +1012,8 @@ s3:
className: "nginx"
# host: false for "*" hostname
host: "seaweedfs.cluster.local"
path: "/"
pathType: Prefix
# additional ingress annotations for the s3 endpoint
annotations: {}
tls: []
@@ -1051,8 +1059,7 @@ sftp:
annotations: {}
resources: {}
tolerations: ""
nodeSelector: |
kubernetes.io/arch: amd64
nodeSelector: ""
priorityClassName: ""
serviceAccountName: ""
podSecurityContext: {}
@@ -1179,8 +1186,7 @@ allInOne:
# nodeSelector labels for master pod assignment, formatted as a muli-line string.
# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
nodeSelector: |
kubernetes.io/arch: amd64
nodeSelector: ""
# Used to assign priority to master pods
# ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
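Review bot: `s3.enabled` flips to `true`, so a fresh install now runs the S3 gateway by default, while the s3 ingress defaults added further down (`path: "/"`, `pathType: Prefix`, `annotations: {}`) carry none of the basic-auth annotations that the master and filer ingresses get; whether the gateway is reachable anonymously then depends on `s3.enableAuth`, which this section does not show. A comment next to `enabled: true` such as `# enabled by default; access control is governed by enableAuth and the s3 credential secret below` makes the exposure explicit, and the empty `[]` release note should call out the new default. The `nodeSelector: ""` replacements are fine, but the `# Example:` line above each of them now introduces an empty value, so it belongs above the commented `# nodeSelector: |` example that follows instead. The new `repository` comment matches the `base $name` logic in `common.image`.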


@@ -1,58 +1,2 @@
FROM golang:1.24-alpine as builder
ARG VERSION=3.97
ARG TARGETOS
ARG TARGETARCH
RUN apk add --no-cache git g++ fuse
WORKDIR /workspace
RUN git clone --depth 1 --branch ${VERSION} https://github.com/seaweedfs/seaweedfs.git .
COPY patches /patches
RUN git apply /patches/*.diff
RUN cd weed && \
export LDFLAGS="-X github.com/seaweedfs/seaweedfs/weed/util/version.COMMIT=$(git rev-parse --short HEAD)" && \
GOOS=$TARGETOS GOARCH=$TARGETARCH CGO_ENABLED=0 go build \
-tags "full" \
-ldflags "-extldflags -static ${LDFLAGS}" \
-o /usr/bin/weed
FROM alpine AS final
LABEL author="Chris Lu"
COPY --from=builder /usr/bin/weed /usr/bin/
RUN mkdir -p /etc/seaweedfs
COPY --from=builder /workspace/docker/filer.toml /etc/seaweedfs/filer.toml
COPY --from=builder /workspace/docker/entrypoint.sh /entrypoint.sh
RUN apk add --no-cache fuse
# volume server gprc port
EXPOSE 18080
# volume server http port
EXPOSE 8080
# filer server gprc port
EXPOSE 18888
# filer server http port
EXPOSE 8888
# master server shared gprc port
EXPOSE 19333
# master server shared http port
EXPOSE 9333
# s3 server http port
EXPOSE 8333
# webdav server http port
EXPOSE 7333
RUN mkdir -p /data/filerldb2
VOLUME /data
WORKDIR /data
RUN chmod +x /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
ARG VERSION=3.99
FROM chrislusf/seaweedfs:${VERSION}
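Review bot: `FROM chrislusf/seaweedfs:${VERSION}` pulls the upstream Docker Hub image by a mutable tag, so the ghcr image is no longer reproducible from source and any re-push of that tag upstream silently changes what Cozystack ships; pin the base by digest, `FROM chrislusf/seaweedfs:${VERSION}@sha256:<digest>`, and have the `make update` target refresh the digest together with `VERSION`. This also drops the `COPY patches` / `git apply` step, so the s3 authorization patch deleted in this PR (the one removing the `identity.canDo` checks from the signature handlers) is no longer applied; if that behaviour is expected to be in upstream 3.99, a one-line comment recording it, `# 3.99 carries the s3 auth fix upstream; local patches removed`, would explain why the build went from source to a plain re-tag. The old build also used `CGO_ENABLED=0` with `-tags full`; confirm the upstream image is built with the same tags (fuse/webdav support) before relying on it.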


@@ -1,58 +0,0 @@
diff --git a/weed/s3api/auth_signature_v2.go b/weed/s3api/auth_signature_v2.go
index 4cdc07df0..b31c37a27 100644
--- a/weed/s3api/auth_signature_v2.go
+++ b/weed/s3api/auth_signature_v2.go
@@ -116,11 +116,6 @@ func (iam *IdentityAccessManagement) doesSignV2Match(r *http.Request) (*Identity
return nil, s3err.ErrInvalidAccessKeyID
}
- bucket, object := s3_constants.GetBucketAndObject(r)
- if !identity.canDo(s3_constants.ACTION_WRITE, bucket, object) {
- return nil, s3err.ErrAccessDenied
- }
-
expectedAuth := signatureV2(cred, r.Method, r.URL.Path, r.URL.Query().Encode(), r.Header)
if !compareSignatureV2(v2Auth, expectedAuth) {
return nil, s3err.ErrSignatureDoesNotMatch
@@ -163,11 +158,6 @@ func (iam *IdentityAccessManagement) doesPresignV2SignatureMatch(r *http.Request
return nil, s3err.ErrInvalidAccessKeyID
}
- bucket, object := s3_constants.GetBucketAndObject(r)
- if !identity.canDo(s3_constants.ACTION_READ, bucket, object) {
- return nil, s3err.ErrAccessDenied
- }
-
expectedSignature := preSignatureV2(cred, r.Method, r.URL.Path, r.URL.Query().Encode(), r.Header, expires)
if !compareSignatureV2(signature, expectedSignature) {
return nil, s3err.ErrSignatureDoesNotMatch
diff --git a/weed/s3api/auth_signature_v4.go b/weed/s3api/auth_signature_v4.go
index a0417a922..c512f70cc 100644
--- a/weed/s3api/auth_signature_v4.go
+++ b/weed/s3api/auth_signature_v4.go
@@ -190,12 +190,6 @@ func (iam *IdentityAccessManagement) doesSignatureMatch(hashedPayload string, r
return nil, s3err.ErrInvalidAccessKeyID
}
- bucket, object := s3_constants.GetBucketAndObject(r)
- canDoResult := identity.canDo(s3_constants.ACTION_WRITE, bucket, object)
- if !canDoResult {
- return nil, s3err.ErrAccessDenied
- }
-
// Extract date, if not present throw error.
var dateStr string
if dateStr = req.Header.Get("x-amz-date"); dateStr == "" {
@@ -318,12 +312,6 @@ func (iam *IdentityAccessManagement) doesPresignedSignatureMatch(hashedPayload s
return nil, s3err.ErrInvalidAccessKeyID
}
- // Check permissions
- bucket, object := s3_constants.GetBucketAndObject(r)
- if !identity.canDo(s3_constants.ACTION_READ, bucket, object) {
- return nil, s3err.ErrAccessDenied
- }
-
// Parse date
t, e := time.Parse(iso8601Format, dateStr)
if e != nil {


@@ -1,15 +0,0 @@
diff --git a/packages/system/seaweedfs/charts/seaweedfs/templates/volume/volume-servicemonitor.yaml b/packages/system/seaweedfs/charts/seaweedfs/templates/volume/volume-servicemonitor.yaml
--- a/packages/system/seaweedfs/charts/seaweedfs/templates/volume/volume-servicemonitor.yaml (revision 8951bc13d7d02b5e6982a239570ed58ed7cb025a)
+++ b/packages/system/seaweedfs/charts/seaweedfs/templates/volume/volume-servicemonitor.yaml (revision fa4fff2292c4b79a92db5cd654a3c6bf590252a6)
@@ -21,9 +21,9 @@
{{- with $.Values.global.monitoring.additionalLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
-{{- if .Values.volume.annotations }}
+{{- if $.Values.volume.annotations }}
annotations:
- {{- toYaml .Values.volume.annotations | nindent 4 }}
+ {{- toYaml $.Values.volume.annotations | nindent 4 }}
{{- end }}
spec:
endpoints:


@@ -1,7 +1,7 @@
global:
enableSecurity: true
serviceAccountName: "tenant-foo-seaweedfs"
imageName: "ghcr.io/cozystack/cozystack/seaweedfs"
imageName: "seaweedfs"
extraEnvironmentVars:
WEED_CLUSTER_SW_MASTER: "seaweedfs-master:9333"
WEED_CLUSTER_SW_FILER: "seaweedfs-filer-client:8888"
@@ -9,7 +9,8 @@ global:
enabled: true
seaweedfs:
image:
tag: "latest@sha256:5ab64da9a0bc33c555f18d86a9664fe63617d48e5ea5192ef34822c24dcc5771"
tag: "latest@sha256:944e9bff98b088773847270238b63ce57dc5291054814d08e0226a139b3affb2"
registry: ghcr.io/cozystack/cozystack
master:
volumeSizeLimitMB: 30000
replicas: 3
@@ -86,7 +87,7 @@ seaweedfs:
existingConfigSecret: null
auditLogConfig: {}
s3:
enabled: true
enabled: false
extraArgs:
- -idleTimeout=60
enableAuth: false
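Review bot: `enableAuth: false` is kept on the s3 block while the standalone gateway is switched off, so nothing visible here shows where the now "stacked" S3 endpoint gets its authentication from; if the filer-embedded S3 also runs with auth disabled, the object store is open to anyone who can reach the filer port. Please confirm and document it in this file, e.g. `# S3 auth: enforced via <secret> on the stacked S3; enableAuth here only concerns the disabled standalone gateway`. Note also that `global.extraEnvironmentVars.WEED_CLUSTER_SW_MASTER`/`_FILER` are still set, but the all-in-one template in this PR now drops these two keys and substitutes computed addresses, so they only take effect for the non-all-in-one components. The digest-pinned `tag` together with the explicit `registry` field is the right shape for a supply-chain pin.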