Fix jwt error in Filer pod (k8s) (#7960)

* Avoid JWT error on liveprobeness * fix jwt error * address comments * lint --------- Co-authored-by: Chris Lu <chris.lu@gmail.com>
2026-01-09 06:11:42 +08:00 · 2026-01-04 21:05:31 +01:00 · 2026-01-04 21:05:31 +01:00 · 629d9479a1
commit 629d9479a1
parent 21a871f3ad
2 changed files with 33 additions and 24 deletions
--- a/k8s/charts/seaweedfs/templates/filer/filer-statefulset.yaml
+++ b/k8s/charts/seaweedfs/templates/filer/filer-statefulset.yaml
@ -263,7 +263,7 @@ spec:
              mountPath: /usr/local/share/ca-certificates/filer/
            - name: client-cert
              readOnly: true
-              mountPath: /usr/local/share/ca-certificates/client/
+              mountPath: /usr/local/share/ca-certificates/client
            {{- end }}
            {{ tpl .Values.filer.extraVolumeMounts . | nindent 12 | trim }}
          ports:
@ -281,12 +281,18 @@ spec:
              name: swfs-s3-tls
            {{- end }}
            {{- end }}
+          {{- $isJwtEnabled := or .Values.global.securityConfig.jwtSigning.filerWrite .Values.global.securityConfig.jwtSigning.filerRead }}
          {{- if .Values.filer.readinessProbe.enabled }}
          readinessProbe:
+          {{- if or $isJwtEnabled .Values.filer.readinessProbe.tcpSocket }}
+            tcpSocket:
+              port: {{ if $isJwtEnabled }}{{ .Values.filer.port }}{{ else }}{{ .Values.filer.readinessProbe.tcpSocket.port }}{{ end }}
+          {{- else }}
            httpGet:
              path: {{ .Values.filer.readinessProbe.httpGet.path }}
              port: {{ .Values.filer.port }}
              scheme: {{ .Values.filer.readinessProbe.httpGet.scheme }}
+          {{- end }}
            initialDelaySeconds: {{ .Values.filer.readinessProbe.initialDelaySeconds }}
            periodSeconds: {{ .Values.filer.readinessProbe.periodSeconds }}
            successThreshold: {{ .Values.filer.readinessProbe.successThreshold }}
@ -295,10 +301,15 @@ spec:
          {{- end }}
          {{- if .Values.filer.livenessProbe.enabled }}
          livenessProbe:
+          {{- if or $isJwtEnabled .Values.filer.livenessProbe.tcpSocket }}
+            tcpSocket:
+              port: {{ if $isJwtEnabled }}{{ .Values.filer.port }}{{ else }}{{ .Values.filer.livenessProbe.tcpSocket.port }}{{ end }}
+          {{- else }}
            httpGet:
              path: {{ .Values.filer.livenessProbe.httpGet.path }}
              port: {{ .Values.filer.port }}
              scheme: {{ .Values.filer.livenessProbe.httpGet.scheme }}
+          {{- end }}
            initialDelaySeconds: {{ .Values.filer.livenessProbe.initialDelaySeconds }}
            periodSeconds: {{ .Values.filer.livenessProbe.periodSeconds }}
            successThreshold: {{ .Values.filer.livenessProbe.successThreshold }}
--- a/k8s/charts/seaweedfs/values.yaml
+++ b/k8s/charts/seaweedfs/values.yaml
@ -261,10 +261,10 @@ master:
    tls: []

  extraEnvironmentVars:
-    WEED_MASTER_VOLUME_GROWTH_COPY_1: '7'
-    WEED_MASTER_VOLUME_GROWTH_COPY_2: '6'
-    WEED_MASTER_VOLUME_GROWTH_COPY_3: '3'
-    WEED_MASTER_VOLUME_GROWTH_COPY_OTHER: '1'
+    WEED_MASTER_VOLUME_GROWTH_COPY_1: "7"
+    WEED_MASTER_VOLUME_GROWTH_COPY_2: "6"
+    WEED_MASTER_VOLUME_GROWTH_COPY_3: "3"
+    WEED_MASTER_VOLUME_GROWTH_COPY_OTHER: "1"

  # used to configure livenessProbe on master-server containers
  #
@ -348,16 +348,16 @@ volume:
  #     maxVolumes: 0  # If set to zero on non-windows OS, the limit will be auto configured. (default "7")

  dataDirs:
-  - name: data1
-    type: "hostPath"
-    hostPathPrefix: /ssd
-    maxVolumes: 0
+    - name: data1
+      type: "hostPath"
+      hostPathPrefix: /ssd
+      maxVolumes: 0

-   # - name: data2
-   #   type: "persistentVolumeClaim"
-   #   storageClass: "yourClassNameOfChoice"
-   #   size: "800Gi"
-   #   maxVolumes: 0
+      # - name: data2
+      #   type: "persistentVolumeClaim"
+      #   storageClass: "yourClassNameOfChoice"
+      #   size: "800Gi"
+      #   maxVolumes: 0

  # This will automatically create a job for patching Kubernetes resources if the dataDirs type is 'persistentVolumeClaim' and the size has changed.
  resizeHook:
@ -397,7 +397,6 @@ volume:
  # limit background compaction or copying speed in mega bytes per second
  compactionMBps: "50"

-
  # Volume server's rack name
  rack: null

@ -846,14 +845,14 @@ filer:

  # secret env variables
  secretExtraEnvironmentVars: {}
-      # WEED_POSTGRES_USERNAME:
-      #   secretKeyRef:
-      #     name: postgres-credentials
-      #     key: username
-      # WEED_POSTGRES_PASSWORD:
-      #   secretKeyRef:
-      #     name: postgres-credentials
-      #     key: password
+    # WEED_POSTGRES_USERNAME:
+    #   secretKeyRef:
+    #     name: postgres-credentials
+    #     key: username
+    # WEED_POSTGRES_PASSWORD:
+    #   secretKeyRef:
+    #     name: postgres-credentials
+    #     key: password

  s3:
    enabled: false
@ -1232,7 +1231,6 @@ worker:
  # Admin server to connect to
  adminServer: ""

-
  # Worker capabilities - comma-separated list
  # Available: vacuum, balance, erasure_coding
  # Default: "vacuum,balance,erasure_coding" (all capabilities)