diff --git a/packages/system/seaweedfs/Makefile b/packages/system/seaweedfs/Makefile
index c9fd7b74..a349ba82 100644
--- a/packages/system/seaweedfs/Makefile
+++ b/packages/system/seaweedfs/Makefile
@@ -1,12 +1,30 @@
-NAME=seaweedfs-system
+export NAME=seaweedfs-system
+include ../../../scripts/common-envs.mk
 include ../../../scripts/package.mk
 update:
 rm -rf charts
 mkdir -p charts
- curl -sSL https://github.com/seaweedfs/seaweedfs/archive/refs/heads/master.tar.gz | \
- tar xzvf - --strip 3 -C charts seaweedfs-master/k8s/charts/seaweedfs
+ version=$$(git ls-remote --tags --sort="v:refname" https://github.com/seaweedfs/seaweedfs | grep -v '\^{}' | grep 'refs/tags/[0-9]' | awk -F'/' 'END{print $$3}') && \
+ curl -sSL https://github.com/seaweedfs/seaweedfs/archive/refs/tags/$${version}.tar.gz | \
+ tar xzvf - --strip 3 -C charts seaweedfs-$${version}/k8s/charts/seaweedfs && \
+ sed -i.bak "/ARG VERSION/ s|=.*|=$${version}|g" images/seaweedfs/Dockerfile && \
+ rm -f images/seaweedfs/Dockerfile.bak
 patch --no-backup-if-mismatch -p4 < patches/resize-api-server-annotation.diff
 patch --no-backup-if-mismatch -p4 < patches/fix-volume-servicemonitor.patch
 #patch --no-backup-if-mismatch -p4 < patches/retention-policy-delete.yaml
+
+image:
+ docker buildx build images/seaweedfs \
+ --tag $(REGISTRY)/seaweedfs:$(call settag,$(TAG)) \
+ --cache-from type=registry,ref=$(REGISTRY)/seaweedfs:latest \
+ --cache-to type=inline \
+ --metadata-file images/seaweedfs.json \
+ $(BUILDX_ARGS)
+ REGISTRY="$(REGISTRY)" \
+ yq -i '.seaweedfs.image.registry = strenv(REGISTRY)' values.yaml
+ TAG=$(TAG)@$$(yq e '."containerimage.digest"' images/seaweedfs.json -o json -r) \
+ yq -i '.seaweedfs.image.tag = strenv(TAG)' values.yaml
+ yq -i '.global.imageName = "seaweedfs"' values.yaml
+ rm -f images/seaweedfs.json
diff --git a/packages/system/seaweedfs/images/seaweedfs/Dockerfile b/packages/system/seaweedfs/images/seaweedfs/Dockerfile
new file mode 100644
index 00000000..43bf41cb
--- /dev/null
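Review bot: The `curl -sSL .../refs/tags/$${version}.tar.gz | tar ...` line in the new `update` recipe has no `-f`, so an HTTP error (for example a 404 when the tag-discovery pipeline yields an unexpected `version`) is piped into `tar` as an HTML body and surfaces only as a gzip error rather than as the HTTP status; `curl -fsSL https://github.com/seaweedfs/seaweedfs/archive/refs/tags/$${version}.tar.gz | \` makes the failure explicit. The `version=$$(git ls-remote ...)` result is also never checked for emptiness before it is substituted into the URL and into the `sed` that rewrites `ARG VERSION` in the Dockerfile, so a guard such as `test -n "$${version}" && \` in the `&&` chain would stop the recipe before it edits anything. Both the tarball here and the Dockerfile's `git clone --branch` resolve a mutable tag with no checksum or commit pin; if reproducible builds matter for this package, recording the tag's commit hash next to the version is worth considering.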
+++ b/packages/system/seaweedfs/images/seaweedfs/Dockerfile
@@ -0,0 +1,58 @@
+FROM golang:1.24-alpine as builder
+
+ARG VERSION=3.97
+ARG TARGETOS
+ARG TARGETARCH
+
+RUN apk add --no-cache git g++ fuse
+
+WORKDIR /workspace
+
+RUN git clone --depth 1 --branch ${VERSION} https://github.com/seaweedfs/seaweedfs.git .
+
+COPY patches /patches
+RUN git apply /patches/*.diff
+
+RUN cd weed && \
+ export LDFLAGS="-X github.com/seaweedfs/seaweedfs/weed/util/version.COMMIT=$(git rev-parse --short HEAD)" && \
+ GOOS=$TARGETOS GOARCH=$TARGETARCH CGO_ENABLED=0 go build \
+ -tags "full" \
+ -ldflags "-extldflags -static ${LDFLAGS}" \
+ -o /usr/bin/weed
+
+FROM alpine AS final
+
+LABEL author="Chris Lu"
+
+COPY --from=builder /usr/bin/weed /usr/bin/
+RUN mkdir -p /etc/seaweedfs
+COPY --from=builder /workspace/docker/filer.toml /etc/seaweedfs/filer.toml
+COPY --from=builder /workspace/docker/entrypoint.sh /entrypoint.sh
+RUN apk add --no-cache fuse
+
+# volume server gprc port
+EXPOSE 18080
+# volume server http port
+EXPOSE 8080
+# filer server gprc port
+EXPOSE 18888
+# filer server http port
+EXPOSE 8888
+# master server shared gprc port
+EXPOSE 19333
+# master server shared http port
+EXPOSE 9333
+# s3 server http port
+EXPOSE 8333
+# webdav server http port
+EXPOSE 7333
+
+RUN mkdir -p /data/filerldb2
+
+VOLUME /data
+WORKDIR /data
+
+RUN chmod +x /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]
+
diff --git a/packages/system/seaweedfs/images/seaweedfs/patches/fix-signature-permission-check.diff b/packages/system/seaweedfs/images/seaweedfs/patches/fix-signature-permission-check.diff
new file mode 100644
index 00000000..df30b0dc
--- /dev/null
+++ b/packages/system/seaweedfs/images/seaweedfs/patches/fix-signature-permission-check.diff
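Review bot: `FROM alpine AS final` pins no tag, so the runtime stage tracks whatever `alpine:latest` resolves to at build time while the builder stage is pinned to `golang:1.24-alpine`; pinning the final stage as well (`FROM alpine:<RELEASE_TAG> AS final`, tag or digest to be chosen) keeps rebuilds reproducible and the runtime base auditable. `RUN git apply /patches/*.diff` applies the whole patch directory unconditionally and says nothing about what it changes; a `RUN git apply --check /patches/*.diff && git apply /patches/*.diff` plus a one-line comment above `COPY patches /patches` naming the purpose (here, the S3 signature permission checks) would make a failed or stale patch visible at build time and the build self-documenting. The `gprc` spelling in the `EXPOSE` comments is presumably inherited from upstream and could read `grpc`.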
@@ -0,0 +1,58 @@
+diff --git a/weed/s3api/auth_signature_v2.go b/weed/s3api/auth_signature_v2.go
+index 4cdc07df0..b31c37a27 100644
+--- a/weed/s3api/auth_signature_v2.go
++++ b/weed/s3api/auth_signature_v2.go
+@@ -116,11 +116,6 @@ func (iam *IdentityAccessManagement) doesSignV2Match(r *http.Request) (*Identity
+ return nil, s3err.ErrInvalidAccessKeyID
+ }
+
+- bucket, object := s3_constants.GetBucketAndObject(r)
+- if !identity.canDo(s3_constants.ACTION_WRITE, bucket, object) {
+- return nil, s3err.ErrAccessDenied
+- }
+-
+ expectedAuth := signatureV2(cred, r.Method, r.URL.Path, r.URL.Query().Encode(), r.Header)
+ if !compareSignatureV2(v2Auth, expectedAuth) {
+ return nil, s3err.ErrSignatureDoesNotMatch
+@@ -163,11 +158,6 @@ func (iam *IdentityAccessManagement) doesPresignV2SignatureMatch(r *http.Request
+ return nil, s3err.ErrInvalidAccessKeyID
+ }
+
+- bucket, object := s3_constants.GetBucketAndObject(r)
+- if !identity.canDo(s3_constants.ACTION_READ, bucket, object) {
+- return nil, s3err.ErrAccessDenied
+- }
+-
+ expectedSignature := preSignatureV2(cred, r.Method, r.URL.Path, r.URL.Query().Encode(), r.Header, expires)
+ if !compareSignatureV2(signature, expectedSignature) {
+ return nil, s3err.ErrSignatureDoesNotMatch
+diff --git a/weed/s3api/auth_signature_v4.go b/weed/s3api/auth_signature_v4.go
+index a0417a922..c512f70cc 100644
+--- a/weed/s3api/auth_signature_v4.go
++++ b/weed/s3api/auth_signature_v4.go
+@@ -190,12 +190,6 @@ func (iam *IdentityAccessManagement) doesSignatureMatch(hashedPayload string, r
+ return nil, s3err.ErrInvalidAccessKeyID
+ }
+
+- bucket, object := s3_constants.GetBucketAndObject(r)
+- canDoResult := identity.canDo(s3_constants.ACTION_WRITE, bucket, object)
+- if !canDoResult {
+- return nil, s3err.ErrAccessDenied
+- }
+-
+ // Extract date, if not present throw error.
+ var dateStr string
+ if dateStr = req.Header.Get("x-amz-date"); dateStr == "" {
+@@ -318,12 +312,6 @@ func (iam *IdentityAccessManagement) doesPresignedSignatureMatch(hashedPayload s
+ return nil, s3err.ErrInvalidAccessKeyID
+ }
+
+- // Check permissions
+- bucket, object := s3_constants.GetBucketAndObject(r)
+- if !identity.canDo(s3_constants.ACTION_READ, bucket, object) {
+- return nil, s3err.ErrAccessDenied
+- }
+-
+ // Parse date
+ t, e := time.Parse(iso8601Format, dateStr)
+ if e != nil {
diff --git a/packages/system/seaweedfs/values.yaml b/packages/system/seaweedfs/values.yaml
index 05792a48..df17d857 100644
--- a/packages/system/seaweedfs/values.yaml
+++ b/packages/system/seaweedfs/values.yaml
@@ -1,12 +1,15 @@
 global:
 enableSecurity: true
 serviceAccountName: "tenant-foo-seaweedfs"
+ imageName: "ghcr.io/cozystack/cozystack/seaweedfs"
 extraEnvironmentVars:
 WEED_CLUSTER_SW_MASTER: "seaweedfs-master:9333"
 WEED_CLUSTER_SW_FILER: "seaweedfs-filer-client:8888"
 monitoring:
 enabled: true
 seaweedfs:
+ image:
+ tag: "latest@sha256:5ab64da9a0bc33c555f18d86a9664fe63617d48e5ea5192ef34822c24dcc5771"
 master:
 volumeSizeLimitMB: 30000
 replicas: 3
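Review bot: The four hunks in this patch delete the only authorization checks visible in the signature-verification functions — `identity.canDo(s3_constants.ACTION_WRITE, ...)` in `doesSignV2Match` and `doesSignatureMatch`, `ACTION_READ` in the two presigned variants — and the file carries no description of why, so anyone auditing `patches/fix-signature-permission-check.diff` cannot tell whether authorization now happens elsewhere or was simply removed. The removed checks hard-code the action without consulting `r.Method`, which is presumably the defect being fixed (a read-only identity would be refused on a signed GET), but that reasoning and the location of the remaining per-action `canDo` check belong in the patch itself. `git apply` ignores text before the first `diff --git` line, so a header such as `Drops the fixed ACTION_WRITE/ACTION_READ canDo checks from signature verification; authorization is enforced per request by <CALLER, to be named> once the signature is validated.` costs nothing and makes the change reviewable. Each modified function starts and ends outside its hunk.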
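Review bot: The committed `values.yaml` does not match what the Makefile's `image` target writes: that target sets `.seaweedfs.image.registry`, `.seaweedfs.image.tag` and `.global.imageName = "seaweedfs"`, whereas this hunk adds `global.imageName: "ghcr.io/cozystack/cozystack/seaweedfs"` (a full repository path) and a `seaweedfs.image.tag` with no `registry` key. Running `make image` would therefore rewrite `imageName` to the bare name and introduce a `registry` key, so at least one of the two forms is likely wrong for the chart templates; worth confirming which the chart expects and aligning either the `yq` lines or this file. The digest-pinned `tag` is good practice, but the `latest@sha256:...` form makes the digest authoritative and the tag informational, which deserves a one-line comment above `image:` such as `# digest-pinned; regenerated by make image`.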