Update operator for embedded IAM in S3 server

[chrislusf]

Summary

This PR updates the SeaweedFS operator to support the new embedded IAM architecture introduced in seaweedfs/seaweedfs#7740.

Background

IAM API is now embedded in the S3 server by default (on the same port as S3), following the pattern used by MinIO and Ceph RGW. This simplifies deployment by running both S3 and IAM on a single port.

Changes

API Types (api/v1/seaweed_types.go)

• Updated FilerSpec.IAM to control embedded IAM (default: true when S3 enabled)
• Added deprecation notice to IAMSpec (standalone IAM is deprecated)

Controller (internal/controller/)

• Removed incorrect -iam and -iam.port flags from filer startup script
  • These flags don't exist on the filer command
• Added -iam=false flag when embedded IAM is explicitly disabled
• Added deprecation warning log when standalone IAM is configured

Sample Manifests (config/samples/)

• Updated seaweed_v1_seaweed_with_iam_embedded.yaml for new architecture
• Updated seaweed_v1_seaweed_with_iam_standalone.yaml with deprecation notice

Documentation (IAM_SUPPORT.md)

• Rewrote documentation to reflect embedded IAM as the recommended approach
• Added migration guide from standalone to embedded IAM

Migration Guide

Before (deprecated):

filer:
  s3:
    enabled: true
iam:
  replicas: 1
  port: 8111

After (recommended):

filer:
  s3:
    enabled: true
  # iam: true  # Default when S3 is enabled
  # IAM API available on same port as S3 (8333)

Related PRs

• seaweedfs/seaweedfs#7740 - Embed IAM API into S3 server

Summary by CodeRabbit

• Documentation

  • Updated IAM documentation to reflect embedded IAM as the default configuration with S3
  • Added migration guidance from standalone to embedded IAM approach

• Configuration Changes

  • IAM now embedded with S3 by default, sharing port 8333
  • Standalone IAM remains backward-compatible but deprecated
  • Option added to explicitly disable embedded IAM when needed

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Warning

Rate limit exceeded

@chrislusf has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 16 minutes and 8 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between feeaefd and 11c4dd2.

📒 Files selected for processing (15)

• IAM_SUPPORT.md (3 hunks)
• api/v1/component_accessor.go (0 hunks)
• api/v1/seaweed_iam_test.go (0 hunks)
• api/v1/seaweed_types.go (3 hunks)
• api/v1/zz_generated.deepcopy.go (0 hunks)
• config/samples/seaweed_v1_seaweed_with_iam_standalone.yaml (0 hunks)
• internal/controller/controller_filer_iam_test.go (0 hunks)
• internal/controller/controller_filer_service.go (2 hunks)
• internal/controller/controller_iam.go (0 hunks)
• internal/controller/controller_iam_service.go (0 hunks)
• internal/controller/controller_iam_statefulset.go (0 hunks)
• internal/controller/controller_iam_test.go (0 hunks)
• internal/controller/helper.go (1 hunks)
• internal/controller/iam_integration_test.go (0 hunks)
• internal/controller/seaweed_controller.go (1 hunks)

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

This pull request consolidates IAM support architecture by promoting embedded IAM as the default when S3 is enabled, deprecating standalone IAM, and updating configuration, type definitions, and controller logic to reflect this shift. Documentation, sample configurations, and startup logic are aligned accordingly.

Changes

Cohort / File(s)	Change Summary
Documentation IAM_SUPPORT.md	Updated to reflect embedded IAM as default with S3; deprecated standalone IAM; reworked deployment scenarios to migration guidance; consolidated examples around single 8333 port for S3 and IAM.
Type Definitions api/v1/seaweed_types.go	Added kubebuilder:default:=true annotation to FilerSpec.IAM; marked IAMSpec.Replicas and IAMSpec.Port as deprecated via inline documentation.
Configuration Samples config/samples/seaweed_v1_seaweed_with_iam_embedded.yaml	Removed standalone IAM configuration block; removed explicit IAM port; updated comments noting IAM embedded by default on S3 port (8333).
Configuration Samples config/samples/seaweed_v1_seaweed_with_iam_standalone.yaml	Added spec.filer.iam: false to disable embedded IAM; preserved standalone IAM section with deprecation notes.
Controller Implementation internal/controller/controller_filer_statefulset.go	Replaced explicit -iam and -iam.port flags in startup script with conditional -iam=false for disabled state; removed separate IAM container port; IAM now shares S3 port (8333).
Controller Implementation internal/controller/controller_iam.go	Added deprecation warning log when standalone IAM is configured, informing users that IAM is embedded in S3 by default.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Areas requiring attention:

• Verify the default behavior change in controller_filer_statefulset.go — ensure backward compatibility when IAM is not explicitly specified in existing configurations
• Confirm deprecation warnings in controller_iam.go do not spam logs for valid use cases
• Review sample configurations to ensure both embedded and standalone paths are clearly documented and functional

Poem

🐰 IAM hops into S3's embrace so tight,
Embedded now, default, sharing one port bright,
No more standalone wandering alone,
One home at 8333 they call their own,
Deprecated paths fade to legacy light! ✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Update operator for embedded IAM in S3 server' accurately summarizes the main change: updating the operator to support embedded IAM in S3, which is the core objective of this PR.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @chrislusf, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly refactors how Identity and Access Management (IAM) is handled within the SeaweedFS Operator. It transitions from a standalone IAM service to an embedded model where the IAM API runs directly within the S3 server. This change streamlines deployments, reduces resource overhead, and aligns the operator with common industry patterns seen in systems like MinIO and Ceph RGW. The update includes necessary API changes, controller adjustments, and comprehensive documentation to guide users through the new recommended architecture and the deprecation of the standalone IAM service.

Highlights

• Embedded IAM as Default: The IAM API is now embedded directly within the S3 server by default, simplifying deployment by running both services on a single port (8333).
• Standalone IAM Deprecation: The separate standalone IAM service is now deprecated, with clear guidance provided for migration to the embedded model.
• API Type Updates: The FilerSpec now includes a boolean IAM field to control embedded IAM (defaulting to true when S3 is enabled), and the IAMSpec has been marked as deprecated.
• Controller Logic Refinement: The operator's controller logic has been updated to correctly manage embedded IAM, removing obsolete flags and adding explicit disabling options for embedded IAM.
• Documentation and Examples: All relevant documentation (IAM_SUPPORT.md) and sample Kubernetes manifests have been updated to reflect the new embedded IAM architecture and deprecation of standalone IAM.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This is a great pull request that significantly simplifies IAM deployment by embedding it into the S3 server, following the pattern of other object storage systems like MinIO. The changes are comprehensive, consistently applied across API definitions, controller logic, sample manifests, and documentation.

The deprecation of the standalone IAM service is handled very well, with clear notices in the API types, sample files, and a helpful warning log for users who are still using the old configuration. The updated documentation, including the new architecture diagrams and migration guide, is excellent and will be very valuable for users.

I have one minor suggestion for the documentation to replace a version placeholder.

I also noticed that the test files were not updated as part of this PR. The changes to the controller logic, especially in buildFilerStartupScript, are not covered by new or updated tests. Additionally, existing tests for IAM configuration might now be outdated due to the new default behavior of filer.iam. I strongly recommend adding tests for the new embedded IAM logic and updating existing tests to reflect these changes to ensure correctness and prevent future regressions.

Overall, the changes look solid and well-implemented, but would be strengthened by accompanying tests.

[gemini-code-assist]

The documentation refers to a placeholder version X.X.X. Please update this to the actual SeaweedFS version where this change was introduced, or use a more generic phrasing like 'a recent version of SeaweedFS'. This will help users understand the version requirements.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

IAM_SUPPORT.md (1)

179-191: Consider adding language specifiers to diagram code blocks.

The ASCII diagram code blocks should include a language specifier to satisfy markdown linting rules. Consider adding text as the language:

-```
+```text
 ┌─────────────────────────────────────────────┐
 │                Filer Pod                     │
 ...

Apply the same change to the standalone IAM diagram at lines 195-203.


Also applies to: 195-203

</blockquote></details>

</blockquote></details>

<details>
<summary>📜 Review details</summary>

**Configuration used**: CodeRabbit UI

**Review profile**: CHILL

**Plan**: Pro

<details>
<summary>📥 Commits</summary>

Reviewing files that changed from the base of the PR and between 01017805956d6e64da158ca51feae7d63e84d9f8 and feeaefddf6bf70f97d2acab0c7c3af306b6518aa.

</details>

<details>
<summary>📒 Files selected for processing (6)</summary>

* `IAM_SUPPORT.md` (4 hunks)
* `api/v1/seaweed_types.go` (2 hunks)
* `config/samples/seaweed_v1_seaweed_with_iam_embedded.yaml` (2 hunks)
* `config/samples/seaweed_v1_seaweed_with_iam_standalone.yaml` (2 hunks)
* `internal/controller/controller_filer_statefulset.go` (2 hunks)
* `internal/controller/controller_iam.go` (1 hunks)

</details>

<details>
<summary>🧰 Additional context used</summary>

<details>
<summary>🪛 markdownlint-cli2 (0.18.1)</summary>

<details>
<summary>IAM_SUPPORT.md</summary>

179-179: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

195-195: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

</details>

</details>

</details>

<details>
<summary>⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)</summary>

* GitHub Check: test on k8s latest version
* GitHub Check: test on k8s previous version
* GitHub Check: test on k8s penultimate version
* GitHub Check: Resource Validation Test
* GitHub Check: test-e2e on k8s latest version
* GitHub Check: test-e2e on k8s previous version
* GitHub Check: Build Check
* GitHub Check: pre-commit

</details>

<details>
<summary>🔇 Additional comments (8)</summary><blockquote>

<details>
<summary>internal/controller/controller_iam.go (1)</summary><blockquote>

`23-27`: **LGTM! Clear and actionable deprecation warning.**

The deprecation warning effectively communicates the architectural shift to embedded IAM and provides clear guidance for users to migrate their configurations.

</blockquote></details>
<details>
<summary>config/samples/seaweed_v1_seaweed_with_iam_embedded.yaml (1)</summary><blockquote>

`23-42`: **LGTM! Sample configuration correctly demonstrates embedded IAM.**

The updated sample clearly shows that IAM is enabled by default when S3 is enabled, and the comments provide helpful context about the port consolidation and optional nature of the `iam` field.

</blockquote></details>
<details>
<summary>api/v1/seaweed_types.go (2)</summary><blockquote>

`239-264`: **LGTM! Clear and comprehensive deprecation notices.**

The deprecation notes on `IAMSpec` and its fields are well-documented and provide clear guidance on the recommended alternative (embedded IAM). This will help users understand the transition path.

---

`231-236`: **The backward compatibility concern is documented in IAM_SUPPORT.md.**

The `+kubebuilder:default:=true` annotation will enable IAM by default for new deployments, which is intentional and explicitly documented in the migration guide. The documentation provides clear before/after examples showing how to migrate from standalone IAM to embedded IAM, and advises users to explicitly set `filer.iam: false` if they need to disable embedded IAM when upgrading. No additional documentation changes are needed.

</blockquote></details>
<details>
<summary>internal/controller/controller_filer_statefulset.go (2)</summary><blockquote>

`25-31`: **LGTM! Startup script correctly implements embedded IAM.**

The logic properly handles the default-enabled embedded IAM by only adding the `-iam=false` flag when explicitly disabled. The comments clearly explain the behavior.

---

`52-59`: **LGTM! Port consolidation correctly implemented.**

The removal of the separate IAM port and the addition of explanatory comments correctly reflect that IAM now uses the same port as S3 (8333) when embedded.

</blockquote></details>
<details>
<summary>config/samples/seaweed_v1_seaweed_with_iam_standalone.yaml (1)</summary><blockquote>

`1-50`: **LGTM! Deprecated standalone IAM sample is well-documented.**

The sample configuration correctly demonstrates backward-compatible standalone IAM usage while prominently displaying deprecation notices. The explicit `iam: false` on line 36 correctly disables embedded IAM when using standalone mode.

</blockquote></details>
<details>
<summary>IAM_SUPPORT.md (1)</summary><blockquote>

`1-237`: **LGTM! Comprehensive and well-structured documentation.**

The documentation effectively covers:
- The architectural shift to embedded IAM
- Clear configuration examples for both embedded and standalone modes
- Migration guidance from standalone to embedded IAM
- Service discovery information
- Troubleshooting tips

This will help users understand and adopt the new embedded IAM approach.

</blockquote></details>

</blockquote></details>

</details>

<!-- This is an auto-generated comment by CodeRabbit for review status -->