@mobs75 mobs75 commented Oct 26, 2025

Fix: Add default value for SeaweedFS password in whisk.yaml template

🐛 Bug Description

Similar to the issue fixed in PR #166, the seaweedfs.nuvolaris.password field in setup/kubernetes/whisk.yaml lacks a default value. This causes deployment failures when users enable the SeaweedFS component (OPERATOR_COMPONENT_SEAWEEDFS=true) without explicitly setting the SECRET_SEAWEEDFS_NUVOLARIS environment variable.

🔍 How to Reproduce the Bug

Prerequisites

  • MicroK8s or any Kubernetes cluster
  • Apache OpenServerless repository cloned
  • ops CLI installed

Steps to Reproduce

  1. Enable SeaweedFS component:

    export OPERATOR_COMPONENT_SEAWEEDFS=true

  2. Ensure the password variable is NOT set:

    unset SECRET_SEAWEEDFS_NUVOLARIS

  3. Attempt deployment:

    export KUBECONFIG=$HOME/.kube/microk8s-config
    ops setup cluster

Expected Error

The Whisk "controller" is invalid: spec.seaweedfs.nuvolaris.password: Required value
ops: Failed to run task "create": exit status 1

Root cause: The template uses $SECRET_SEAWEEDFS_NUVOLARIS without a default value, and when the variable is unset, envsubst produces an empty string, causing Kubernetes validation to fail.

🔧 The Fix

Code Change

File: setup/kubernetes/whisk.yaml
Line: 261

Before:

password: $SECRET_SEAWEEDFS_NUVOLARIS

After:

password: ${SECRET_SEAWEEDFS_NUVOLARIS:-changeme-seaweedfs}

Technical Details

This change uses Bash parameter expansion syntax ${VAR:-default}:

  • If SECRET_SEAWEEDFS_NUVOLARIS is set and non-empty → uses that value
  • If SECRET_SEAWEEDFS_NUVOLARIS is unset or empty → uses changeme-seaweedfs

This ensures that:

  1. ✅ SeaweedFS can be deployed without manual environment variable configuration
  2. ✅ Users can still override with secure passwords: export SECRET_SEAWEEDFS_NUVOLARIS="my-secure-pass"
  3. ✅ Maintains consistency with the registry password fix from PR #166
  4. ✅ Follows the same pattern used by other optional components in the template

✅ Testing

Test 1: Deployment with SeaweedFS enabled (no variable set)

# Clean environment
unset SECRET_SEAWEEDFS_NUVOLARIS
export OPERATOR_COMPONENT_SEAWEEDFS=true
export KUBECONFIG=$HOME/.kube/microk8s-config

# Deploy
ops setup cluster

Expected result: ✅ Deployment succeeds, SeaweedFS uses changeme-seaweedfs as password

Test 2: Deployment with custom password

# Set custom password
export SECRET_SEAWEEDFS_NUVOLARIS="my-custom-secure-password"
export OPERATOR_COMPONENT_SEAWEEDFS=true
export KUBECONFIG=$HOME/.kube/microk8s-config

# Deploy
ops setup cluster

Expected result: ✅ Deployment succeeds, SeaweedFS uses custom password

Test 3: Verify the password in deployed Whisk CR

kubectl get whisk controller -n nuvolaris -o yaml | grep -A3 "seaweedfs:"

Expected output:

seaweedfs:
  nuvolaris:
    user: nuvolaris
    password: changeme-seaweedfs  # or custom value if set

📊 Impact Analysis

Components Affected

  • SeaweedFS component (optional, disabled by default via OPERATOR_COMPONENT_SEAWEEDFS=false)
  • Only affects deployments where users explicitly enable SeaweedFS

Backward Compatibility

Related Components with Similar Pattern

This fix continues the pattern established in PR #166. Other components in whisk.yaml already use default values:

# Line 73 - SeaweedFS component (disabled by default)
seaweedfs: ${OPERATOR_COMPONENT_SEAWEEDFS:-false}

# Line 253 - Registry password (fixed in PR #166)
password: ${REGISTRY_CONFIG_SECRET_PUSH_PULL:-changeme-registry}

# Line 261 - SeaweedFS password (THIS PR)
password: ${SECRET_SEAWEEDFS_NUVOLARIS:-changeme-seaweedfs}

🔐 Security Considerations

  1. Default password is intentionally simple: The value changeme-seaweedfs is meant to be changed in production environments

  2. Production recommendation: Users should always set custom passwords:

    export SECRET_SEAWEEDFS_NUVOLARIS="$(openssl rand -base64 32)"

  3. Component is optional: SeaweedFS is disabled by default (OPERATOR_COMPONENT_SEAWEEDFS=false), so this default password is only used when explicitly enabled

  4. Consistent with project patterns: Uses the same security approach as other components (registry, minio, etc.)

📝 Additional Context

Why SeaweedFS Needs Authentication

SeaweedFS is a distributed object storage system that provides:

  • S3-compatible API
  • Fast blob storage
  • Distributed file system capabilities

Authentication is required to:

  • Secure access to stored objects
  • Prevent unauthorized data access
  • Comply with security best practices

Component Status

According to line 73 in whisk.yaml:

seaweedfs: ${OPERATOR_COMPONENT_SEAWEEDFS:-false}

SeaweedFS is optional and disabled by default, so this bug only manifests when users explicitly enable it.

🎯 Summary

This PR fixes a deployment blocker for users who want to enable the SeaweedFS component. The fix:

  • ✅ Adds a default password value following bash parameter expansion syntax
  • ✅ Maintains backward compatibility with existing deployments
  • ✅ Improves user experience by removing manual configuration requirement
  • ✅ Follows the same pattern as PR #166 (registry password fix)
  • ✅ Ensures consistency across all optional components

🔗 Related Issues


Tested on: Ubuntu 24.04 with MicroK8s
Test date: October 26, 2025
Contributor: @mobs75

This fix addresses a similar issue to PR apache#166, where the SeaweedFS
password field lacks a default value, causing deployment failures
when SeaweedFS component is enabled but SECRET_SEAWEEDFS_NUVOLARIS
environment variable is not set.

Changes:
- Added default value 'changeme-seaweedfs' to seaweedfs.nuvolaris.password
- Changed from $SECRET_SEAWEEDFS_NUVOLARIS to ${SECRET_SEAWEEDFS_NUVOLARIS:-changeme-seaweedfs}
- Maintains consistency with registry password fix from PR apache#166

This ensures SeaweedFS can be deployed without requiring manual
environment variable configuration, while still allowing users to
override the default with their own secure password.
d4rkstar commented Nov 1, 2025

Thank you @mobs75

@d4rkstar d4rkstar merged commit d96ec2e into apache:main Nov 1, 2025
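
A preflight check a deployer could run against the rendered Whisk CR, so that the `changeme-` fallbacks described in this PR do not reach a production cluster unnoticed. This is an added example, not code from the PR or the OpenServerless project; the function names and sample YAML are constructed, and only the `changeme-` prefix and the `spec.seaweedfs.nuvolaris.password` path come from the page.

```shell
# Added example (not project code): flag placeholder passwords in a rendered
# Whisk CR read from stdin, e.g. `kubectl get whisk controller -n nuvolaris -o yaml`.

# Print "LINE: key.path" for each password whose value starts with
# "changeme-", the prefix of the template fallbacks shown on this page.
find_placeholder_passwords() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    {
        depth = match($0, /[^ ]/) - 1           # indentation in spaces
        line = substr($0, depth + 1)
        sub(/[ \t]+#.*$/, "", line)             # drop trailing comment
        split(line, kv, ":")
        key = kv[1]
        val = substr(line, length(key) + 2)
        gsub(/^[ \t]+|[ \t]+$/, "", val)        # trim whitespace
        gsub(/^"|"$/, "", val)                  # strip double quotes
        # forget keys at the same or deeper indentation, then record this one
        for (d = depth; d <= maxd; d++) delete path[d]
        if (depth > maxd) maxd = depth
        path[depth] = key
        if (key == "password" && val ~ /^changeme-/) {
            p = ""
            for (d = 0; d <= depth; d++)
                if (d in path) p = p (p == "" ? "" : ".") path[d]
            print NR ": " p
        }
    }'
}

# Return 1 and report on stderr when any placeholder password is present.
check_whisk_cr() {
    findings=$(find_placeholder_passwords)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" | sed 's/^/placeholder password at line /' >&2
    return 1
}

# Constructed samples: the seaweedfs part of a CR rendered without and with
# SECRET_SEAWEEDFS_NUVOLARIS set.
SAMPLE_DEFAULT='spec:
  seaweedfs:
    nuvolaris:
      user: nuvolaris
      password: changeme-seaweedfs  # or custom value if set'
SAMPLE_CUSTOM=$(printf '%s\n' "$SAMPLE_DEFAULT" | sed 's/changeme-seaweedfs/constructed-custom-value/')

printf '%s\n' "$SAMPLE_DEFAULT" | find_placeholder_passwords
```

Piping the live CR into `check_whisk_cr` gives a non-zero exit status that a CI job or deploy wrapper can gate on.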