feat(storage): sccache S3 build cache with scoped SeaweedFS identity

Add sunbeam-sccache bucket and a dedicated sccache S3 identity scoped to Read/Write/List/Tagging on that bucket only. Bump volume server max from 50 to 100 (was full, blocking all new writes).
2026-04-05 21:50:46 +01:00
parent 1206cd0fe4
commit efe574f48e
4 changed files with 8 additions and 5 deletions
--- a/base/lasuite/seaweedfs-buckets.yaml
+++ b/base/lasuite/seaweedfs-buckets.yaml
@@ -30,7 +30,8 @@ spec:
                sunbeam-git-lfs \
                sunbeam-game-assets \
                sunbeam-ml-models \
-                sunbeam-stalwart; do
+                sunbeam-stalwart \
+                sunbeam-sccache; do
                mc mb --ignore-existing "weed/$bucket"
                echo "Ensured bucket: $bucket"
              done
--- a/base/storage/seaweedfs-volume.yaml
+++ b/base/storage/seaweedfs-volume.yaml
@@ -17,13 +17,13 @@ spec:
      terminationGracePeriodSeconds: 60
      containers:
        - name: volume
-          image: chrislusf/seaweedfs:latest
+          image: chrislusf/seaweedfs:4.18
          args:
            - volume
            - -port=8080
            - -mserver=seaweedfs-master.storage.svc.cluster.local:9333
            - -dir=/data
-            - -max=50
+            - -max=100
            - -metricsPort=9091
          ports:
            - name: http
--- a/base/storage/vault-secrets.yaml
+++ b/base/storage/vault-secrets.yaml
@@ -84,4 +84,4 @@ spec:
      excludeRaw: true
      templates:
        "s3.json":
-          text: '{"identities":[{"name":"seaweed","credentials":[{"accessKey":"{{ index .Secrets "access-key" }}","secretKey":"{{ index .Secrets "secret-key" }}"}],"actions":["Admin","Read","Write","List","Tagging"]}]}'
+          text: '{"identities":[{"name":"seaweed","credentials":[{"accessKey":"{{ index .Secrets "access-key" }}","secretKey":"{{ index .Secrets "secret-key" }}"}],"actions":["Admin","Read","Write","List","Tagging"]},{"name":"sccache","credentials":[{"accessKey":"{{ index .Secrets "sccache-access-key" }}","secretKey":"{{ index .Secrets "sccache-secret-key" }}"}],"actions":["Read:sunbeam-sccache","Write:sunbeam-sccache","List:sunbeam-sccache","Tagging:sunbeam-sccache"]}]}'
--- a/scripts/local-seed-secrets.sh
+++ b/scripts/local-seed-secrets.sh
@@ -15,6 +15,8 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 DB_PASSWORD="localdev"
 S3_ACCESS_KEY="minioadmin"
 S3_SECRET_KEY="minioadmin"
+SCCACHE_ACCESS_KEY="sccache-local"
+SCCACHE_SECRET_KEY="sccache-local-secret"
 HYDRA_SYSTEM_SECRET="local-hydra-system-secret-at-least-16"
 HYDRA_COOKIE_SECRET="local-hydra-cookie-secret-at-least-16"
 HYDRA_PAIRWISE_SALT="local-hydra-pairwise-salt-value-1"
@@ -201,7 +203,7 @@ else
      bao kv put secret/hydra db-password='$DB_PASSWORD' system-secret='$HYDRA_SYSTEM_SECRET' cookie-secret='$HYDRA_COOKIE_SECRET' pairwise-salt='$HYDRA_PAIRWISE_SALT'
      bao kv put secret/kratos db-password='$DB_PASSWORD'
      bao kv put secret/gitea db-password='$DB_PASSWORD' s3-access-key='$S3_ACCESS_KEY' s3-secret-key='$S3_SECRET_KEY'
-      bao kv put secret/seaweedfs access-key='$S3_ACCESS_KEY' secret-key='$S3_SECRET_KEY'
+      bao kv put secret/seaweedfs access-key='$S3_ACCESS_KEY' secret-key='$S3_SECRET_KEY' sccache-access-key='$SCCACHE_ACCESS_KEY' sccache-secret-key='$SCCACHE_SECRET_KEY'
      bao kv put secret/hive db-url='postgresql://hive:${DB_PASSWORD}@postgres-rw.data.svc.cluster.local:5432/hive_db' oidc-client-id='hive-local' oidc-client-secret='hive-local-secret'
      bao kv put secret/people db-password='$DB_PASSWORD' django-secret-key='local-dev-people-django-secret-key-not-for-production'
      bao kv put secret/penpot db-password='$DB_PASSWORD' secret-key='penpot-local-secret-key-not-for-production'