From 580eb3983ee06f5c7efd8879ae981b67f15e87c3 Mon Sep 17 00:00:00 2001
From: Sienna Meridian Satterwhite
Date: Mon, 2 Mar 2026 18:32:16 +0000
Subject: [PATCH] feat(storage): migrate SeaweedFS S3 credentials to VSO; mount s3.json from Secret

Previously s3.json was embedded in the seaweedfs-filer-config ConfigMap with hardcoded minioadmin credentials, and the config volume was mounted at /etc/seaweedfs/ (overwriting filer.toml with its own directory mount).

- Remove s3.json from ConfigMap; fix the config volume to mount only filer.toml via subPath so both files coexist under /etc/seaweedfs/.
- Add vault-secrets.yaml with VaultStaticSecrets that VSO syncs from OpenBao secret/seaweedfs: seaweedfs-s3-credentials (S3_ACCESS_KEY / S3_SECRET_KEY) and seaweedfs-s3-json (s3.json as a JSON template).
- Mount seaweedfs-s3-json Secret at /etc/seaweedfs/s3.json via subPath.
---
 base/storage/kustomization.yaml | 1 +
 base/storage/seaweedfs-config.yaml | 16 ---------
 base/storage/seaweedfs-filer.yaml | 10 +++++-
 base/storage/vault-secrets.yaml | 56 ++++++++++++++++++++++++++++++
 4 files changed, 66 insertions(+), 17 deletions(-)
 create mode 100644 base/storage/vault-secrets.yaml

diff --git a/base/storage/kustomization.yaml b/base/storage/kustomization.yaml
index 32ba298..fa97b3c 100644
--- a/base/storage/kustomization.yaml
+++ b/base/storage/kustomization.yaml
@@ -9,3 +9,4 @@ resources:
 - seaweedfs-master.yaml
 - seaweedfs-volume.yaml
 - seaweedfs-filer.yaml
+ - vault-secrets.yaml
diff --git a/base/storage/seaweedfs-config.yaml b/base/storage/seaweedfs-config.yaml
index f922e80..b5e8883 100644
--- a/base/storage/seaweedfs-config.yaml
+++ b/base/storage/seaweedfs-config.yaml
@@ -16,22 +16,6 @@ data:
 enabled = true
 port = 8333
- s3.json: |
- {
- "identities": [
- {
- "name": "minioadmin",
- "credentials": [
- {
- "accessKey": "minioadmin",
- "secretKey": "minioadmin"
- }
- ],
- "actions": ["Admin", "Read", "Write", "List", "Tagging"]
- }
- ]
- }
-
 master.toml: |
 [master.maintenance]
 sleep_minutes = 17
diff --git a/base/storage/seaweedfs-filer.yaml b/base/storage/seaweedfs-filer.yaml
index 812a095..51f515e 100644
--- a/base/storage/seaweedfs-filer.yaml
+++ b/base/storage/seaweedfs-filer.yaml
@@ -38,7 +38,12 @@ spec:
 name: seaweedfs-s3-credentials
 volumeMounts:
 - name: config
- mountPath: /etc/seaweedfs
+ mountPath: /etc/seaweedfs/filer.toml
+ subPath: filer.toml
+ readOnly: true
+ - name: s3-json-secret
+ mountPath: /etc/seaweedfs/s3.json
+ subPath: s3.json
 readOnly: true
 - name: filer-data
 mountPath: /data/filer
@@ -52,6 +57,9 @@ spec:
 - name: config
 configMap:
 name: seaweedfs-filer-config
+ - name: s3-json-secret
+ secret:
+ secretName: seaweedfs-s3-json
 - name: filer-data
 emptyDir: {}
 ---
diff --git a/base/storage/vault-secrets.yaml b/base/storage/vault-secrets.yaml
new file mode 100644
index 0000000..dfb3858
--- /dev/null
+++ b/base/storage/vault-secrets.yaml
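Review bot: The new `subPath: s3.json` mount (and likewise `subPath: filer.toml`) freezes the file at pod start: the kubelet does not refresh subPath-mounted Secret or ConfigMap files, so a key rotated in OpenBao and re-synced by VSO into `seaweedfs-s3-json` every `refreshAfter` never reaches the running filer, and the superseded key keeps being accepted until the pod is restarted. Pair the mount with a restart trigger on the `seaweedfs-s3-json` VaultStaticSecret in vault-secrets.yaml, e.g. `rolloutRestartTargets:` / `  - kind: <filer-workload-kind>` / `    name: <filer-workload-name>` (the workload's kind and name are outside this hunk), or mount the Secret as a directory so the projected file updates in place. Either way, confirm whether the filer re-reads s3.json at runtime or only at startup; if only at startup, a restart is also the only way a revoked identity is dropped. The enclosing container spec starts and ends outside the hunk.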
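Review bot: The `s3-json-secret` volume is declared without `defaultMode`, so s3.json is projected with the Secret volume default of 0644 and the live access/secret key pair is readable by any UID inside the container. Add `defaultMode: 0400` under `secret:` (octal, i.e. decimal 256 in JSON form), or 0440 if the filer process runs under a group-based `securityContext`, which is outside this hunk and should be checked. `readOnly: true` on the mount in the previous hunk prevents writes but does not narrow the read permission bits.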
@@ -0,0 +1,56 @@
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+ name: vso-auth
+ namespace: storage
+spec:
+ method: kubernetes
+ mount: kubernetes
+ kubernetes:
+ role: vso
+ serviceAccount: default
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: seaweedfs-s3-credentials
+ namespace: storage
+spec:
+ vaultAuthRef: vso-auth
+ mount: secret
+ type: kv-v2
+ path: seaweedfs
+ refreshAfter: 30s
+ destination:
+ name: seaweedfs-s3-credentials
+ create: true
+ overwrite: true
+ transformation:
+ excludeRaw: true
+ templates:
+ S3_ACCESS_KEY:
+ text: "{{ index .Secrets \"access-key\" }}"
+ S3_SECRET_KEY:
+ text: "{{ index .Secrets \"secret-key\" }}"
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: seaweedfs-s3-json
+ namespace: storage
+spec:
+ vaultAuthRef: vso-auth
+ mount: secret
+ type: kv-v2
+ path: seaweedfs
+ refreshAfter: 30s
+ destination:
+ name: seaweedfs-s3-json
+ create: true
+ overwrite: true
+ transformation:
+ excludeRaw: true
+ templates:
+ "s3.json":
+ text: '{"identities":[{"name":"seaweed","credentials":[{"accessKey":"{{ index .Secrets "access-key" }}","secretKey":"{{ index .Secrets "secret-key" }}"}],"actions":["Admin","Read","Write","List","Tagging"]}]}'
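Review bot: `VaultAuth/vso-auth` authenticates with `serviceAccount: default`, so every pod in the `storage` namespace that is left on the default ServiceAccount holds a token that the `vso` Kubernetes-auth role accepts, and can therefore read `secret/seaweedfs` straight from OpenBao — which gives the credentials a wider audience than the ConfigMap they were just removed from. Give VSO a dedicated account and bind the `vso` role to that account alone, e.g. `serviceAccount: <dedicated-vso-sa>` plus a matching `ServiceAccount` manifest in this file. Separately, the `s3.json` template splices `access-key` and `secret-key` into JSON as raw text, so a value containing `"` or `\` produces a file the filer cannot parse (or, for an embedded `"`, a different document); either constrain how those KV values are generated or JSON-encode them in the template, for instance `"accessKey":{{ index .Secrets "access-key" | toJson }}` if the Sprig `toJson` helper is available in this VSO version (it emits the surrounding quotes, so the literal ones are dropped). `refreshAfter: 30s` polls OpenBao twice a minute per VaultStaticSecret for values that change only on rotation; a longer interval combined with a rollout-restart target on the filer workload is what actually lands a rotation, given the subPath mount in seaweedfs-filer.yaml.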