[seaweedfs] Client mode refactoring and fix issues

- update cosi-driver
- add support exporting via nginx-ingress
- add support for whitelist

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

packages/extra/seaweedfs/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.5.0
+version: 0.6.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/extra/seaweedfs/README.md

@@ -4,14 +4,15 @@
 
 ### Common parameters
 
-| Name                | Description                                                                                                              | Value           |
-| ------------------- | ------------------------------------------------------------------------------------------------------------------------ | --------------- |
-| `host`              | The hostname used to access the SeaweedFS externally (defaults to 's3' subdomain for the tenant host).                   | `""`            |
-| `topology`          | The topology of the SeaweedFS cluster. (allowed values: Simple, MultiZone, Client)                                       | `Simple`        |
-| `replicationFactor` | The number of replicas for each volume in the SeaweedFS cluster.                                                         | `2`             |
-| `replicas`          | Persistent Volume size for SeaweedFS                                                                                     | `2`             |
-| `size`              | Persistent Volume size                                                                                                   | `10Gi`          |
-| `storageClass`      | StorageClass used to store the data                                                                                      | `""`            |
-| `zones`             | A map of zones for MultiZone topology. Each zone can have its own number of replicas and size.                           | `{}`            |
-| `filer.external`    | Enable external access to the SeaweedFS filer from outside the cluster. Use this when `topology` is not set to `Client`. | `false`         |
-| `remoteEndpoint`    | The endpoint of the remote filer GRPC service. Used when `topology` is set to `Client`.                                  | `1.2.3.4:18888` |
+| Name                | Description                                                                                            | Value    |
+| ------------------- | ------------------------------------------------------------------------------------------------------ | -------- |
+| `host`              | The hostname used to access the SeaweedFS externally (defaults to 's3' subdomain for the tenant host). | `""`     |
+| `topology`          | The topology of the SeaweedFS cluster. (allowed values: Simple, MultiZone, Client)                     | `Simple` |
+| `replicationFactor` | The number of replicas for each volume in the SeaweedFS cluster.                                       | `2`      |
+| `replicas`          | Persistent Volume size for SeaweedFS                                                                   | `2`      |
+| `size`              | Persistent Volume size                                                                                 | `10Gi`   |
+| `storageClass`      | StorageClass used to store the data                                                                    | `""`     |
+| `zones`             | A map of zones for MultiZone topology. Each zone can have its own number of replicas and size.         | `{}`     |
+| `filer.grpcHost`    | The hostname used to expose or access the filer service externally.                                    | `""`     |
+| `filer.grpcPort`    | The port used to access the filer service externally.                                                  | `443`    |
+| `filer.whitelist`   | A list of IP addresses or CIDR ranges that are allowed to access the filer service.                    | `[]`     |

packages/extra/seaweedfs/images/objectstorage-sidecar.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/objectstorage-sidecar
+ghcr.io/cozystack/cozystack/objectstorage-sidecar:v0.35.0-alpha.1@sha256:e4f9a7302285ea9febeb28fc2fa97cb7c01bb91e602f975c31aad1fe46f778f7

packages/extra/seaweedfs/images/seaweedfs-cosi-driver.tag

@@ -0,0 +1 @@
+ghcr.io/seaweedfs/seaweedfs-cosi-driver:v0.2.0

packages/extra/seaweedfs/templates/client/cosi-deployment.yaml

@@ -35,7 +35,7 @@ spec:
     spec:
       containers:
       - name: seaweedfs-cosi-driver
-        image: ghcr.io/seaweedfs/seaweedfs-cosi-driver:v0.1.2
+        image: "{{ $.Files.Get "images/seaweedfs-cosi-driver.tag" | trim }}"
         imagePullPolicy: IfNotPresent
         env:
         - name: DRIVERNAME
@@ -43,7 +43,7 @@ spec:
         - name: ENDPOINT
           value: https://{{ .Values.host | default (printf "s3.%s" $host) }}
         - name: SEAWEEDFS_FILER
-          value: {{ .Values.remoteEndpoint }}
+          value: "{{ .Values.filer.grpcHost }}:{{ .Values.filer.grpcPort }}"
         - name: WEED_GRPC_CLIENT_KEY
           value: /usr/local/share/ca-certificates/client/tls.key
         - name: WEED_GRPC_CLIENT_CERT

packages/extra/seaweedfs/templates/ingress.yaml

@@ -0,0 +1,44 @@
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }}
+
+{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+{{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }}
+{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
+{{- if and (not (eq .Values.topology "Client")) (.Values.filer.grpcHost) }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/backend-protocol: GRPCS
+    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+    nginx.ingress.kubernetes.io/whitelist-source-range: "{{ join "," (.Values.filer.whitelist | default "0.0.0.0/32") }}"
+  name: seaweedfs-filer-external
+spec:
+  ingressClassName: tenant-root
+  rules:
+  - host: {{ .Values.filer.grpcHost | default (printf "filer.%s" $host) }}
+    http:
+      paths:
+      - backend:
+          service:
+            name: {{ $.Release.Name }}-filer-external
+            port:
+              number: 18888
+        path: /
+        pathType: ImplementationSpecific
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ $.Release.Name }}-filer-external
+spec:
+  ports:
+  - name: swfs-filer-grpc
+    port: 18888
+    protocol: TCP
+    targetPort: 18888
+  selector:
+    app.kubernetes.io/component: filer
+    app.kubernetes.io/name: {{ $.Release.Name }}
+{{- end }}

packages/extra/seaweedfs/templates/seaweedfs.yaml

@@ -2,8 +2,8 @@
 {{- if not (has .Values.topology (list "Simple" "MultiZone" "Client")) }}
 {{-   fail "Invalid value for .Values.topology. Must be one of 'Simple', 'MultiZone' or 'Client'." }}
 {{- end }}
-{{- if and (eq .Values.topology "Client") (not .Values.remoteEndpoint) }}
-{{-   fail "When topology is 'Client', .Values.remoteEndpoint must be set to a valid remote filer GRPC service endpoint." }}
+{{- if and (eq .Values.topology "Client") (not .Values.filer.grpcHost) }}
+{{-   fail "When topology is 'Client', .Values.filer.grpcHost must be set to a valid remote filer GRPC service endpoint." }}
 {{- end }}
 {{- if lt (int .Values.replicationFactor) 1 }}
 {{-   fail "Invalid value for .Values.replicationFactor. Must be at least 1." }}

packages/extra/seaweedfs/templates/svc-external.yaml

@@ -1,18 +0,0 @@
-{{- if and (not (eq .Values.topology "Client")) (.Values.filer.external) }}
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ $.Release.Name }}-filer-external
-spec:
-  type: LoadBalancer
-  externalTrafficPolicy: Local
-  ports:
-  - name: swfs-filer-grpc
-    port: 18888
-    protocol: TCP
-    targetPort: 18888
-  selector:
-    app.kubernetes.io/component: filer
-    app.kubernetes.io/name: {{ $.Release.Name }}
-{{- end }}

packages/extra/seaweedfs/values.schema.json

@@ -2,10 +2,21 @@
   "properties": {
     "filer": {
       "properties": {
-        "external": {
-          "default": false,
-          "description": "Enable external access to the SeaweedFS filer from outside the cluster. Use this when `topology` is not set to `Client`.",
-          "type": "boolean"
+        "grpcHost": {
+          "default": "",
+          "description": "The hostname used to expose or access the filer service externally.",
+          "type": "string"
+        },
+        "grpcPort": {
+          "default": 443,
+          "description": "The port used to access the filer service externally.",
+          "type": "number"
+        },
+        "whitelist": {
+          "default": [],
+          "description": "A list of IP addresses or CIDR ranges that are allowed to access the filer service.",
+          "items": {},
+          "type": "array"
         }
       },
       "type": "object"
@@ -15,11 +26,6 @@
       "description": "The hostname used to access the SeaweedFS externally (defaults to 's3' subdomain for the tenant host).",
       "type": "string"
     },
-    "remoteEndpoint": {
-      "default": "1.2.3.4:18888",
-      "description": "The endpoint of the remote filer GRPC service. Used when `topology` is set to `Client`.",
-      "type": "string"
-    },
     "replicas": {
       "default": 2,
       "description": "Persistent Volume size for SeaweedFS",

packages/extra/seaweedfs/values.yaml

@@ -32,9 +32,10 @@ storageClass: ""
 ##     size: 10Gi
 zones: {}
 
-## @param filer.external Enable external access to the SeaweedFS filer from outside the cluster. Use this when `topology` is not set to `Client`.
+## @param filer.grpcHost The hostname used to expose or access the filer service externally.
+## @param filer.grpcPort The port used to access the filer service externally.
+## @param filer.whitelist A list of IP addresses or CIDR ranges that are allowed to access the filer service.
 filer:
-  external: false
-
-## @param remoteEndpoint The endpoint of the remote filer GRPC service. Used when `topology` is set to `Client`.
-remoteEndpoint: "1.2.3.4:18888"
+  grpcHost: ""
+  grpcPort: 443
+  whitelist: []

packages/extra/versions_map

@@ -54,4 +54,5 @@ seaweedfs 0.2.1 fde4bcfa
 seaweedfs 0.3.0 45a7416c
 seaweedfs 0.4.0 632224a3
 seaweedfs 0.4.1 8c86905b
-seaweedfs 0.5.0 HEAD
+seaweedfs 0.5.0 9584e5f5
+seaweedfs 0.6.0 HEAD