-rw-r--r--.github/workflows/helm_ci.yml2
-rw-r--r--k8s/charts/seaweedfs/templates/security-configmap.yaml10
2 files changed, 7 insertions, 5 deletions
diff --git a/.github/workflows/helm_ci.yml b/.github/workflows/helm_ci.yml
index bc43c9b14..25a3de545 100644
--- a/.github/workflows/helm_ci.yml
+++ b/.github/workflows/helm_ci.yml
@@ -23,7 +23,7 @@ jobs:
- name: Set up Helm
uses: azure/setup-helm@v4
with:
- version: v3.10.0
+ version: v3.18.4
- uses: actions/setup-python@v5
with:
diff --git a/k8s/charts/seaweedfs/templates/security-configmap.yaml b/k8s/charts/seaweedfs/templates/security-configmap.yaml
index 884fe6bb4..6f229c595 100644
--- a/k8s/charts/seaweedfs/templates/security-configmap.yaml
+++ b/k8s/charts/seaweedfs/templates/security-configmap.yaml
@@ -10,6 +10,8 @@ metadata:
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/instance: {{ .Release.Name }}
data:
+ {{- $existing := (lookup "v1" "ConfigMap" .Release.Namespace (printf "%s-security-config" (include "seaweedfs.name" .))) }}
+ {{- $securityConfig := fromToml (dig "data" "security.toml" "" $existing) }}
security.toml: |-
# this file is read by master, volume server, and filer
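Review bot: `lookup` returns an empty map whenever the chart is rendered without cluster access (`helm template`, client-side `--dry-run`), so on those paths `$securityConfig` is empty and every `dig` further down falls back to a freshly generated key; the key churn this change is meant to stop still happens there. The name built by `printf "%s-security-config" (include "seaweedfs.name" .)` must also stay identical to this ConfigMap's `metadata.name`, which is set above the hunk; a mismatch would silently take the same fallback. I would add a template comment above the lookup, e.g. `{{- /* lookup is empty under helm template / --dry-run: keys are regenerated on those render paths */}}`. Because the signing keys are now read back from a ConfigMap as well as written to it, moving them to a Secret may be worth considering, though that goes beyond this change.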
@@ -17,7 +19,7 @@ data:
# the jwt signing key is read by master and volume server
# a jwt expires in 10 seconds
[jwt.signing]
- key = "{{ randAlphaNum 10 | b64enc }}"
+ key = "{{ dig "jwt" "signing" "key" (randAlphaNum 10 | b64enc) $securityConfig }}"
{{- end }}
{{- if .Values.global.securityConfig.jwtSigning.volumeRead }}
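Review bot: The fallback `randAlphaNum 10 | b64enc` carries only about 60 bits of entropy (10 characters from a 62-symbol alphabet; base64 adds none), which is short for a JWT signing key, and with this change the generated value is kept across upgrades instead of being replaced. A longer default such as `(randAlphaNum 32 | b64enc)` would fit better. `dig` also returns a stored value even when it is an empty string, so an existing `key = ""` would be carried forward; `{{ dig "jwt" "signing" "key" "" $securityConfig | default (randAlphaNum 32 | b64enc) }}` covers that case. The same applies to the `[jwt.signing.read]`, `[jwt.filer_signing]` and `[jwt.filer_signing.read]` hunks below. The enclosing `if` block opens above this hunk.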
@@ -25,7 +27,7 @@ data:
# - the Master server generates the JWT, which can be used to read a certain file on a volume server
# - the Volume server validates the JWT on reading
[jwt.signing.read]
- key = "{{ randAlphaNum 10 | b64enc }}"
+ key = "{{ dig "jwt" "signing" "read" "key" (randAlphaNum 10 | b64enc) $securityConfig }}"
{{- end }}
{{- if .Values.global.securityConfig.jwtSigning.filerWrite }}
@@ -34,7 +36,7 @@ data:
# - the Filer server validates the JWT on writing
# the jwt defaults to expire after 10 seconds.
[jwt.filer_signing]
- key = "{{ randAlphaNum 10 | b64enc }}"
+ key = "{{ dig "jwt" "filer_signing" "key" (randAlphaNum 10 | b64enc) $securityConfig }}"
{{- end }}
{{- if .Values.global.securityConfig.jwtSigning.filerRead }}
@@ -43,7 +45,7 @@ data:
# - the Filer server validates the JWT on writing
# the jwt defaults to expire after 10 seconds.
[jwt.filer_signing.read]
- key = "{{ randAlphaNum 10 | b64enc }}"
+ key = "{{ dig "jwt" "filer_signing" "read" "key" (randAlphaNum 10 | b64enc) $securityConfig }}"
{{- end }}
# all grpc tls authentications are mutual