mobs75 opened a new pull request, #167:
URL: https://github.com/apache/openserverless-task/pull/167

   # Fix: Add default value for SeaweedFS password in whisk.yaml template
   
   ## 🐛 Bug Description
   
   Similar to the issue fixed in PR #166, the `seaweedfs.nuvolaris.password` field in `setup/kubernetes/whisk.yaml` lacks a default value. This causes deployment failures when users enable the SeaweedFS component (`OPERATOR_COMPONENT_SEAWEEDFS=true`) without explicitly setting the `SECRET_SEAWEEDFS_NUVOLARIS` environment variable.
   
   ## 🔍 How to Reproduce the Bug
   
   ### Prerequisites
   - MicroK8s or any Kubernetes cluster
   - Apache OpenServerless repository cloned
   - `ops` CLI installed
   
   ### Steps to Reproduce
   
   1. **Enable SeaweedFS component:**
      ```bash
      export OPERATOR_COMPONENT_SEAWEEDFS=true
      ```
   
   2. **Ensure the password variable is NOT set:**
      ```bash
      unset SECRET_SEAWEEDFS_NUVOLARIS
      ```
   
   3. **Attempt deployment:**
      ```bash
      export KUBECONFIG=$HOME/.kube/microk8s-config
      ops setup cluster
      ```
   
   ### Expected Error
   
   ```
   The Whisk "controller" is invalid: spec.seaweedfs.nuvolaris.password: Required value
   ops: Failed to run task "create": exit status 1
   ```
   
   **Root cause:** The template uses `$SECRET_SEAWEEDFS_NUVOLARIS` without a default value, and when the variable is unset, `envsubst` produces an empty string, causing Kubernetes validation to fail.
   
   ## 🔧 The Fix
   
   ### Code Change
   
   **File:** `setup/kubernetes/whisk.yaml`  
   **Line:** 261
   
   **Before:**
   ```yaml
   password: $SECRET_SEAWEEDFS_NUVOLARIS
   ```
   
   **After:**
   ```yaml
   password: ${SECRET_SEAWEEDFS_NUVOLARIS:-changeme-seaweedfs}
   ```
   
   ### Technical Details
   
   This change uses **Bash parameter expansion** syntax `${VAR:-default}`:
   - If `SECRET_SEAWEEDFS_NUVOLARIS` is set and non-empty → uses that value
   - If `SECRET_SEAWEEDFS_NUVOLARIS` is unset or empty → uses `changeme-seaweedfs`
   
   This ensures that:
   1. ✅ SeaweedFS can be deployed without manual environment variable configuration
   2. ✅ Users can still override with secure passwords: `export SECRET_SEAWEEDFS_NUVOLARIS="my-secure-pass"`
   3. ✅ Maintains consistency with the registry password fix from PR #166
   4. ✅ Follows the same pattern used by other optional components in the template
   
   ## ✅ Testing
   
   ### Test 1: Deployment with SeaweedFS enabled (no variable set)
   
   ```bash
   # Clean environment
   unset SECRET_SEAWEEDFS_NUVOLARIS
   export OPERATOR_COMPONENT_SEAWEEDFS=true
   export KUBECONFIG=$HOME/.kube/microk8s-config
   
   # Deploy
   ops setup cluster
   ```
   
   **Expected result:** ✅ Deployment succeeds, SeaweedFS uses `changeme-seaweedfs` as password
   
   ### Test 2: Deployment with custom password
   
   ```bash
   # Set custom password
   export SECRET_SEAWEEDFS_NUVOLARIS="my-custom-secure-password"
   export OPERATOR_COMPONENT_SEAWEEDFS=true
   export KUBECONFIG=$HOME/.kube/microk8s-config
   
   # Deploy
   ops setup cluster
   ```
   
   **Expected result:** ✅ Deployment succeeds, SeaweedFS uses custom password
   
   ### Test 3: Verify the password in deployed Whisk CR
   
   ```bash
   kubectl get whisk controller -n nuvolaris -o yaml | grep -A3 "seaweedfs:"
   ```
   
   **Expected output:**
   ```yaml
   seaweedfs:
     nuvolaris:
       user: nuvolaris
       password: changeme-seaweedfs  # or custom value if set
   ```
   
   ## 📊 Impact Analysis
   
   ### Components Affected
   - **SeaweedFS component** (optional, disabled by default via `OPERATOR_COMPONENT_SEAWEEDFS=false`)
   - Only affects deployments where users explicitly enable SeaweedFS
   
   ### Backward Compatibility
   - ✅ **No breaking changes:** Users who already set `SECRET_SEAWEEDFS_NUVOLARIS` will continue to work
   - ✅ **Improved UX:** New users can enable SeaweedFS without manual secret configuration
   - ✅ **Consistent behavior:** Aligns with registry password default from PR #166
   
   ### Related Components with Similar Pattern
   
   This fix continues the pattern established in PR #166. Other components in `whisk.yaml` already use default values:
   
   ```yaml
   # Line 73 - SeaweedFS component (disabled by default)
   seaweedfs: ${OPERATOR_COMPONENT_SEAWEEDFS:-false}
   
   # Line 253 - Registry password (fixed in PR #166)
   password: ${REGISTRY_CONFIG_SECRET_PUSH_PULL:-changeme-registry}
   
   # Line 261 - SeaweedFS password (THIS PR)
   password: ${SECRET_SEAWEEDFS_NUVOLARIS:-changeme-seaweedfs}
   ```
   
   ## 🔐 Security Considerations
   
   1. **Default password is intentionally simple:** The value `changeme-seaweedfs` is meant to be changed in production environments
   
   2. **Production recommendation:** Users should always set custom passwords:
      ```bash
      export SECRET_SEAWEEDFS_NUVOLARIS="$(openssl rand -base64 32)"
      ```
   
   3. **Component is optional:** SeaweedFS is disabled by default (`OPERATOR_COMPONENT_SEAWEEDFS=false`), so this default password is only used when explicitly enabled
   
   4. **Consistent with project patterns:** Uses the same security approach as other components (registry, minio, etc.)
   
   ## 📝 Additional Context
   
   ### Why SeaweedFS Needs Authentication
   
   SeaweedFS is a distributed object storage system that provides:
   - S3-compatible API
   - Fast blob storage
   - Distributed file system capabilities
   
   Authentication is required to:
   - Secure access to stored objects
   - Prevent unauthorized data access
   - Comply with security best practices
   
   ### Component Status
   
   According to line 73 in `whisk.yaml`:
   ```yaml
   seaweedfs: ${OPERATOR_COMPONENT_SEAWEEDFS:-false}
   ```
   
   SeaweedFS is **optional and disabled by default**, so this bug only manifests when users explicitly enable it.
   
   ## 🎯 Summary
   
   This PR fixes a deployment blocker for users who want to enable the SeaweedFS component. The fix:
   
   - ✅ Adds a default password value following bash parameter expansion syntax
   - ✅ Maintains backward compatibility with existing deployments
   - ✅ Improves user experience by removing manual configuration requirement
   - ✅ Follows the same pattern as PR #166 (registry password fix)
   - ✅ Ensures consistency across all optional components
   
   ## 🔗 Related Issues
   
   - PR #166: Fix for registry password default value (merged)
   - Issue pattern: Required fields without defaults in optional components
   
   ---
   
   **Tested on:** Ubuntu 24.04 with MicroK8s  
   **Test date:** October 26, 2025  
   **Contributor:** @mobs75
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
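
The pull request above recommends overriding the `changeme-` defaults in production. The following is an added example, not part of the pull request or the project's code, of a pre-deploy guard that enforces that recommendation. The function names are hypothetical, the sample manifest is constructed from the output shown in the description, and the check assumes every placeholder value starts with `changeme-`.

```shell
#!/bin/sh
# Added example (not from the PR): guard against shipping the placeholder secrets.
# Assumption: placeholder values in the rendered manifest start with "changeme-".

# Pre-render check: warn for each secret variable that would fall back to its default.
check_secret_env() {
  rc=0
  for name in SECRET_SEAWEEDFS_NUVOLARIS REGISTRY_CONFIG_SECRET_PUSH_PULL; do
    eval "val=\${$name:-}"
    [ -n "$val" ] || { echo "$name unset or empty: placeholder default applies"; rc=1; }
  done
  return "$rc"
}

# Post-render check: read a manifest on stdin, report weak "password:" values.
# Returns 0 when clean, 1 when any password is empty or a placeholder.
find_placeholder_passwords() {
  awk '
    /^[ \t]*password:/ {
      val = $0
      sub(/^[ \t]*password:[ \t]*/, "", val)
      sub(/[ \t]+#.*$/, "", val)   # drop a trailing YAML comment
      gsub(/^"|"$/, "", val)       # drop surrounding double quotes
      if (val == "")               { printf "line %d: empty password\n", NR; bad = 1 }
      else if (val ~ /^changeme-/) { printf "line %d: placeholder %s\n", NR, val; bad = 1 }
    }
    END { exit bad + 0 }
  '
}

# Constructed sample: the SeaweedFS block as rendered with the variable unset.
sample_default_render() {
  cat <<'EOF'
seaweedfs:
  nuvolaris:
    user: nuvolaris
    password: changeme-seaweedfs
EOF
}

sample_default_render | find_placeholder_passwords || echo "refusing to deploy: placeholder secret present"
```

The same post-render function can be fed the output of the `kubectl get whisk controller -n nuvolaris -o yaml` command from Test 3 to check a cluster that is already deployed.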
