lsm/seaweedfs
1
0
Fork 0
mirror of https://github.com/seaweedfs/seaweedfs.git synced 2025-08-20 09:53:01 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Fix drift for security config (#6967)

Browse Source
This commit is contained in:
Andrei Kvapil 2025-07-11 17:50:12 +02:00 committed by GitHub
parent 93bbaa1fb4
commit a9e1f00673
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 7 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/helm_ci.yml vendored
View File

@ -23,7 +23,7 @@ jobs:
- name: Set up Helm
uses: azure/setup-helm@v4
with:
version: v3.10.0
version: v3.18.4
- uses: actions/setup-python@v5
with:

10
k8s/charts/seaweedfs/templates/security-configmap.yaml
View File

@ -10,6 +10,8 @@ metadata:
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/instance: {{ .Release.Name }}
data:
{{- $existing := (lookup "v1" "ConfigMap" .Release.Namespace (printf "%s-security-config" (include "seaweedfs.name" .))) }}
{{- $securityConfig := fromToml (dig "data" "security.toml" "" $existing) }}
security.toml: |-
# this file is read by master, volume server, and filer
@ -17,7 +19,7 @@ data:
# the jwt signing key is read by master and volume server
# a jwt expires in 10 seconds
[jwt.signing]
key = "{{ randAlphaNum 10 | b64enc }}"
key = "{{ dig "jwt" "signing" "key" (randAlphaNum 10 | b64enc) $securityConfig }}"
{{- end }}
{{- if .Values.global.securityConfig.jwtSigning.volumeRead }}
@ -25,7 +27,7 @@ data:
# - the Master server generates the JWT, which can be used to read a certain file on a volume server
# - the Volume server validates the JWT on reading
[jwt.signing.read]
key = "{{ randAlphaNum 10 | b64enc }}"
key = "{{ dig "jwt" "signing" "read" "key" (randAlphaNum 10 | b64enc) $securityConfig }}"
{{- end }}
{{- if .Values.global.securityConfig.jwtSigning.filerWrite }}
@ -34,7 +36,7 @@ data:
# - the Filer server validates the JWT on writing
# the jwt defaults to expire after 10 seconds.
[jwt.filer_signing]
key = "{{ randAlphaNum 10 | b64enc }}"
key = "{{ dig "jwt" "filer_signing" "key" (randAlphaNum 10 | b64enc) $securityConfig }}"
{{- end }}
{{- if .Values.global.securityConfig.jwtSigning.filerRead }}
@ -43,7 +45,7 @@ data:
# - the Filer server validates the JWT on writing
# the jwt defaults to expire after 10 seconds.
[jwt.filer_signing.read]
key = "{{ randAlphaNum 10 | b64enc }}"
key = "{{ dig "jwt" "filer_signing" "read" "key" (randAlphaNum 10 | b64enc) $securityConfig }}"
{{- end }}
# all grpc tls authentications are mutual