| author | Chris Lu <chrislusf@users.noreply.github.com> | 2025-12-09 16:57:11 -0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-12-09 16:57:11 -0800 |
| commit | 4f382b77c898b9685e16a49048681bb73d07ee54 (patch) | |
| tree | d09ac9718577ddb0f18a84536f5a34f5f530c13c | |
| parent | 80c7de8d76a781ea6837d9f599566d6ca89280ab (diff) | |
helm: fix admin secret template paths and remove duplicate (#7690)
* add admin and worker to helm charts
* workers are stateless, admin is stateful
* removed the duplicate admin-deployment.yaml
* address comments
* address comments
* purge
* Update README.md
* Update k8s/charts/seaweedfs/templates/admin/admin-ingress.yaml
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* address comments
* address comments
* supports Kubernetes versions from v1.14 to v1.30+, ensuring broad compatibility
* add probe for workers
* address comments
* add a todo
* chore: trigger CI
* use port name for probes in admin statefulset
* add secrets to admin helm chart
* fix error .Values.admin.secret.existingSecret
* helm: fix admin secret template paths and remove duplicate
- Fix value paths to use .Values.admin.secret.existingSecret instead of .Values.existingSecret
- Use templated secret name {{ template "seaweedfs.name" . }}-admin-secret
- Add .Values.admin.enabled check to admin-secret.yaml
- Remove duplicate admin-secret.yaml from templates/ root
* helm: address PR review feedback
- Only pass adminUser/adminPassword args when auth is enabled (fixes regression)
- Use $adminSecretName variable to reduce duplication (DRY)
- Only create admin-secret when adminPassword is set
- Add documentation comments for existingSecret, userKey, pwKey fields
- Clarify that empty adminPassword disables authentication
* helm: quote admin credentials to handle spaces
* helm: fix yaml lint errors (comment spacing, trailing blank line)
* helm: add validation for existingSecret requiring userKey and pwKey
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Ubuntu <morez.martin@gmail.com>
| -rw-r--r-- | k8s/charts/seaweedfs/templates/admin/admin-secret.yaml | 20 | ||||
| -rw-r--r-- | k8s/charts/seaweedfs/templates/admin/admin-statefulset.yaml | 26 | ||||
| -rw-r--r-- | k8s/charts/seaweedfs/values.yaml | 19 |
3 files changed, 55 insertions, 10 deletions
diff --git a/k8s/charts/seaweedfs/templates/admin/admin-secret.yaml b/k8s/charts/seaweedfs/templates/admin/admin-secret.yaml new file mode 100644 index 000000000..bc1044565 --- /dev/null +++ b/k8s/charts/seaweedfs/templates/admin/admin-secret.yaml @@ -0,0 +1,20 @@ +{{- if and .Values.admin.enabled .Values.admin.secret.adminPassword (not .Values.admin.secret.existingSecret) }} +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: {{ template "seaweedfs.name" . }}-admin-secret + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/resource-policy": keep + "helm.sh/hook": "pre-install,pre-upgrade" + labels: + app.kubernetes.io/name: {{ template "seaweedfs.name" . }} + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: admin +data: + adminUser: {{ .Values.admin.secret.adminUser | b64enc }} + adminPassword: {{ .Values.admin.secret.adminPassword | b64enc }} +{{- end}} diff --git a/k8s/charts/seaweedfs/templates/admin/admin-statefulset.yaml b/k8s/charts/seaweedfs/templates/admin/admin-statefulset.yaml index 9076d9e62..68a2d157d 100644 --- a/k8s/charts/seaweedfs/templates/admin/admin-statefulset.yaml +++ b/k8s/charts/seaweedfs/templates/admin/admin-statefulset.yaml 
@@ -80,7 +80,27 @@ spec: - name: seaweedfs image: {{ template "admin.image" . }} imagePullPolicy: {{ default "IfNotPresent" .Values.global.imagePullPolicy }} + {{- $adminAuthEnabled := or .Values.admin.secret.existingSecret .Values.admin.secret.adminPassword }} + {{- if and .Values.admin.secret.existingSecret (not .Values.admin.secret.userKey) -}} + {{- fail "admin.secret.userKey must be set when admin.secret.existingSecret is provided" -}} + {{- end -}} + {{- if and .Values.admin.secret.existingSecret (not .Values.admin.secret.pwKey) -}} + {{- fail "admin.secret.pwKey must be set when admin.secret.existingSecret is provided" -}} + {{- end -}} + {{- $adminSecretName := .Values.admin.secret.existingSecret | default (printf "%s-admin-secret" (include "seaweedfs.name" .)) }} env: + {{- if $adminAuthEnabled }} + - name: SEAWEEDFS_ADMIN_USER + valueFrom: + secretKeyRef: + name: {{ $adminSecretName }} + key: {{ if .Values.admin.secret.existingSecret }}{{ .Values.admin.secret.userKey }}{{ else }}adminUser{{ end }} + - name: SEAWEEDFS_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ $adminSecretName }} + key: {{ if .Values.admin.secret.existingSecret }}{{ .Values.admin.secret.pwKey }}{{ else }}adminPassword{{ end }} + {{- end }} - name: POD_IP valueFrom: fieldRef: @@ -140,9 +160,9 @@ spec: {{- else if .Values.admin.dataDir }} -dataDir={{ .Values.admin.dataDir }} \ {{- end }} - {{- if .Values.admin.adminPassword }} - -adminUser='{{ .Values.admin.adminUser }}' \ - -adminPassword='{{ .Values.admin.adminPassword }}' \ + {{- if $adminAuthEnabled }} + -adminUser="${SEAWEEDFS_ADMIN_USER}" \ + -adminPassword="${SEAWEEDFS_ADMIN_PASSWORD}" \ {{- end }} {{- if .Values.admin.masters }} -masters={{ .Values.admin.masters }}{{- if .Values.admin.extraArgs }} \{{ end }} diff --git a/k8s/charts/seaweedfs/values.yaml b/k8s/charts/seaweedfs/values.yaml index 84688e73a..b03e66c40 100644 --- a/k8s/charts/seaweedfs/values.yaml +++ b/k8s/charts/seaweedfs/values.yaml 
@@ -1099,10 +1099,15 @@ admin: loggingOverrideLevel: null # Admin authentication - # Note: Avoid special shell characters in password ($ \ " ' ( ) [ ] { } ; | & < >) - # For production, consider using Kubernetes Secrets (future enhancement) - adminUser: "admin" - adminPassword: "" # If empty, auth is disabled + secret: + # Name of an existing secret containing admin credentials. If set, adminUser and adminPassword below are ignored. + existingSecret: "" + # Key in the existing secret for the admin username. Required if existingSecret is set. + userKey: "" + # Key in the existing secret for the admin password. Required if existingSecret is set. + pwKey: "" + adminUser: "admin" + adminPassword: "" # If empty, authentication is disabled. # Data directory for admin configuration and maintenance data dataDir: "" # If empty, configuration is kept in memory only @@ -1226,9 +1231,9 @@ worker: adminServer: "" # Worker capabilities - comma-separated list - # Available: vacuum, balance, ec (erasure_coding) - # Default: "vacuum,ec,balance" - capabilities: "vacuum,ec,balance" + # Available: vacuum, balance, erasure_coding + # Default: "vacuum,balance,erasure_coding" (all capabilities) + capabilities: "vacuum,balance,erasure_coding" # Maximum number of concurrent tasks maxConcurrent: 3 |
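Review bot: In the new admin-secret.yaml, the `data:` block encodes `.Values.admin.secret.adminUser` without checking that it is set, while the guard on the first line only tests `adminPassword`. With a password and an empty user, the chart renders a Secret with an empty `adminUser`, and the statefulset then passes `-adminUser=""`. A `fail` or `required` check here would match the `userKey`/`pwKey` validation added in the statefulset. It is also worth documenting that, because of `"helm.sh/resource-policy": keep` on a hook resource, this Secret stays in the namespace after the release is uninstalled and the credential has to be removed by hand.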
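Review bot: In the first admin-statefulset.yaml hunk (`@@ -80,7 +80,27 @@`), `name: {{ $adminSecretName }}` and both `key:` values under `secretKeyRef` are rendered unquoted from user-supplied values (`existingSecret`, `userKey`, `pwKey`). Pipe them through `quote` so that a value YAML would read as a non-string, such as an all-digit key, still renders as a string. The two `fail` checks also sit inside the container spec; moving them to the top of the template or into a named helper would keep validation separate from rendering.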
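Review bot: In the second admin-statefulset.yaml hunk (`@@ -140,9 +160,9 @@`), the credentials leave the rendered manifest but are still expanded into the command line by `-adminPassword="${SEAWEEDFS_ADMIN_PASSWORD}"`, so the password remains visible in the process arguments inside the container. If the admin command can read `SEAWEEDFS_ADMIN_USER` and `SEAWEEDFS_ADMIN_PASSWORD` from the environment directly, drop the two flags; if it cannot, a short comment stating that the flags are required would explain why the values are passed twice.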
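Review bot: In the first values.yaml hunk (`@@ -1099,10 +1099,15 @@`), moving `adminUser` and `adminPassword` under `admin.secret` means an existing values file that still sets `admin.adminPassword` no longer enables authentication: `$adminAuthEnabled` only reads `.Values.admin.secret.*`, so the upgrade succeeds and the admin UI comes up without auth. Add a `fail` when `.Values.admin.adminPassword` is set, or fall back to the old path, and mention the rename in the upgrade notes. The removed comment also carried the only hint to use Kubernetes Secrets in production; the new comments could say that `existingSecret` is the preferred option and that `adminPassword` set here is stored in plain text in the values.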
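Review bot: The second values.yaml hunk (`@@ -1226,9 +1231,9 @@`) changes the worker `capabilities` default from `"vacuum,ec,balance"` to `"vacuum,balance,erasure_coding"` and drops the `ec` spelling from the comment, but nothing in the commit message covers it. Please state whether `ec` is still accepted so that users who copied the old default know if their values need changing, and consider splitting this out of a change that is otherwise about admin secrets.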
