| author | Andrei Kvapil <kvapss@gmail.com> | 2025-07-11 17:50:12 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-07-11 08:50:12 -0700 |
| commit | a9e1f006739d397087ba8e7c632de223be40707d (patch) | |
| tree | 50a17972e6f72260af68b479889c36c43d4a20f6 /k8s/charts | |
| parent | 93bbaa1fb486f95ff40f5891057f8415bdf3fc27 (diff) | |
Fix drift for security config (#6967)
Diffstat (limited to 'k8s/charts')
| -rw-r--r-- | k8s/charts/seaweedfs/templates/security-configmap.yaml | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/k8s/charts/seaweedfs/templates/security-configmap.yaml b/k8s/charts/seaweedfs/templates/security-configmap.yaml
index 884fe6bb4..6f229c595 100644
--- a/k8s/charts/seaweedfs/templates/security-configmap.yaml
+++ b/k8s/charts/seaweedfs/templates/security-configmap.yaml
@@ -10,6 +10,8 @@ metadata:
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 data:
+ {{- $existing := (lookup "v1" "ConfigMap" .Release.Namespace (printf "%s-security-config" (include "seaweedfs.name" .))) }}
+ {{- $securityConfig := fromToml (dig "data" "security.toml" "" $existing) }}
 security.toml: |-
 # this file is read by master, volume server, and filer
@@ -17,7 +19,7 @@ data:
 # the jwt signing key is read by master and volume server
 # a jwt expires in 10 seconds
 [jwt.signing]
- key = "{{ randAlphaNum 10 | b64enc }}"
+ key = "{{ dig "jwt" "signing" "key" (randAlphaNum 10 | b64enc) $securityConfig }}"
 {{- end }}
 {{- if .Values.global.securityConfig.jwtSigning.volumeRead }}
@@ -25,7 +27,7 @@ data:
 # - the Master server generates the JWT, which can be used to read a certain file on a volume server
 # - the Volume server validates the JWT on reading
 [jwt.signing.read]
- key = "{{ randAlphaNum 10 | b64enc }}"
+ key = "{{ dig "jwt" "signing" "read" "key" (randAlphaNum 10 | b64enc) $securityConfig }}"
 {{- end }}
 {{- if .Values.global.securityConfig.jwtSigning.filerWrite }}
@@ -34,7 +36,7 @@ data:
 # - the Filer server validates the JWT on writing
 # the jwt defaults to expire after 10 seconds.
 [jwt.filer_signing]
- key = "{{ randAlphaNum 10 | b64enc }}"
+ key = "{{ dig "jwt" "filer_signing" "key" (randAlphaNum 10 | b64enc) $securityConfig }}"
 {{- end }}
 {{- if .Values.global.securityConfig.jwtSigning.filerRead }}
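Review bot: The `lookup` on the first added line returns an empty result whenever the chart is rendered without cluster access (`helm template`, client-side dry runs, and tools that render that way), so in those flows `$securityConfig` is empty and every `dig` below still falls back to a fresh random key; the drift this commit targets persists there. A stored `security.toml` that `fromToml` cannot parse also appears to fall through to the defaults silently, which would replace all four JWT keys on the next upgrade without any error. I would document this above the lookup, e.g. `{{- /* lookup returns nothing under helm template / dry-run, so keys are regenerated there */}}`, and confirm that the name built by `printf "%s-security-config"` matches `metadata.name`, which is outside this hunk.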
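Review bot: The fallback `randAlphaNum 10 | b64enc` under `[jwt.signing]` yields a key of only ten alphanumeric characters (roughly 60 bits), and because the value is now read back and kept across upgrades it becomes a long-lived signing secret rather than one replaced on every render. The same fallback is used for `[jwt.signing.read]`, `[jwt.filer_signing]` and `[jwt.filer_signing.read]` in the following hunks. I would raise the length in all four, e.g. `(randAlphaNum 32 | b64enc)`, and state in the chart docs that an existing key is never replaced, so rotation means editing or deleting the ConfigMap. The keys are also held in a ConfigMap, so anyone who can read ConfigMaps in the namespace can read them; moving them to a Secret would be a separate change.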
@@ -43,7 +45,7 @@ data:
 # - the Filer server validates the JWT on writing
 # the jwt defaults to expire after 10 seconds.
 [jwt.filer_signing.read]
- key = "{{ randAlphaNum 10 | b64enc }}"
+ key = "{{ dig "jwt" "filer_signing" "read" "key" (randAlphaNum 10 | b64enc) $securityConfig }}"
 {{- end }}
 # all grpc tls authentications are mutual |
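Review bot: The comment above `[jwt.filer_signing.read]` says the Filer validates the JWT "on writing", which looks carried over from the `[jwt.filer_signing]` block; for the read key it should presumably be `# - the Filer server validates the JWT on reading`. Now that the rendered `security.toml` is persisted and read back, operators are more likely to inspect it to see which key guards which path, so the comment is worth correcting in the same change. The start of that comment block is outside this hunk.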
