bitforge/orchard
3
0
Fork 0
Code Projects Wiki Activity

Add MinIO ingress support in Helm chart for presigned URLs (#48)

Browse Source 
- Add minio.ingress config to values.yaml for exposing MinIO externally
- Create minio-ingress.yaml template for MinIO ingress resource
- Update helpers to use external MinIO URL when ingress is enabled
- Add orchard.download.mode and presignedUrlExpiry to deployment env vars
This commit is contained in:
Mondo Diaz
2025-12-15 15:34:50 -06:00
parent 753c2fd35a
commit 04c9bb7d4c
5 changed files with 75 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
CHANGELOG.md
View File

@@ -13,6 +13,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Added `?mode=` query parameter to override download mode per-request (#48) - Added `?mode=` query parameter to override download mode per-request (#48)
- Added `/api/v1/project/{project}/{package}/+/{ref}/url` endpoint for getting presigned URLs (#48) - Added `/api/v1/project/{project}/{package}/+/{ref}/url` endpoint for getting presigned URLs (#48)
- Added `PresignedUrlResponse` schema with URL, expiry, checksums, and artifact metadata (#48) - Added `PresignedUrlResponse` schema with URL, expiry, checksums, and artifact metadata (#48)
- Added MinIO ingress support in Helm chart for presigned URL access (#48)
- Added `orchard.download.mode` and `orchard.download.presignedUrlExpiry` Helm values (#48)
- Added integrity verification workflow design document (#24) - Added integrity verification workflow design document (#24)
- Added `sha256` field to API responses for clarity (alias of `id`) (#25) - Added `sha256` field to API responses for clarity (alias of `id`) (#25)
- Added `checksum_sha1` field to artifacts table for compatibility (#25) - Added `checksum_sha1` field to artifacts table for compatibility (#25)

21
helm/orchard/templates/_helpers.tpl
View File

@@ -97,10 +97,27 @@ password
{{- end }} {{- end }}
{{/* {{/*
MinIO host MinIO internal host (for server-side operations)
*/}}
{{- define "orchard.minio.internalHost" -}}
{{- if .Values.minio.enabled }}
{{- printf "http://%s-minio:9000" .Release.Name }}
{{- else }}
{{- .Values.orchard.s3.endpoint }}
{{- end }}
{{- end }}
{{/*
MinIO host (uses external URL if ingress enabled, for presigned URLs)
*/}} */}}
{{- define "orchard.minio.host" -}} {{- define "orchard.minio.host" -}}
{{- if .Values.minio.enabled }} {{- if and .Values.minio.enabled .Values.minio.ingress.enabled .Values.minio.ingress.host }}
{{- if .Values.minio.ingress.tls.enabled }}
{{- printf "https://%s" .Values.minio.ingress.host }}
{{- else }}
{{- printf "http://%s" .Values.minio.ingress.host }}
{{- end }}
{{- else if .Values.minio.enabled }}
{{- printf "http://%s-minio:9000" .Release.Name }} {{- printf "http://%s-minio:9000" .Release.Name }}
{{- else }} {{- else }}
{{- .Values.orchard.s3.endpoint }} {{- .Values.orchard.s3.endpoint }}

4
helm/orchard/templates/deployment.yaml
View File

@@ -92,6 +92,10 @@ spec:
secretKeyRef: secretKeyRef:
name: {{ include "orchard.minio.secretName" . }} name: {{ include "orchard.minio.secretName" . }}
key: {{ if .Values.minio.enabled }}root-password{{ else }}{{ .Values.orchard.s3.existingSecretSecretKeyKey }}{{ end }} key: {{ if .Values.minio.enabled }}root-password{{ else }}{{ .Values.orchard.s3.existingSecretSecretKeyKey }}{{ end }}
- name: ORCHARD_DOWNLOAD_MODE
value: {{ .Values.orchard.download.mode | quote }}
- name: ORCHARD_PRESIGNED_URL_EXPIRY
value: {{ .Values.orchard.download.presignedUrlExpiry | quote }}
livenessProbe: livenessProbe:
{{- toYaml .Values.livenessProbe | nindent 12 }} {{- toYaml .Values.livenessProbe | nindent 12 }}
readinessProbe: readinessProbe:

34
helm/orchard/templates/minio-ingress.yaml Normal file
View File

@@ -0,0 +1,34 @@
{{- if and .Values.minio.enabled .Values.minio.ingress.enabled -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ include "orchard.fullname" . }}-minio
labels:
{{- include "orchard.labels" . | nindent 4 }}
app.kubernetes.io/component: minio
{{- with .Values.minio.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if .Values.minio.ingress.className }}
ingressClassName: {{ .Values.minio.ingress.className }}
{{- end }}
{{- if .Values.minio.ingress.tls.enabled }}
tls:
- hosts:
- {{ .Values.minio.ingress.host | quote }}
secretName: {{ .Values.minio.ingress.tls.secretName }}
{{- end }}
rules:
- host: {{ .Values.minio.ingress.host | quote }}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: {{ .Release.Name }}-minio
port:
number: 9000
{{- end }}

16
helm/orchard/values.yaml
View File

@@ -115,6 +115,11 @@ orchard:
existingSecretAccessKeyKey: "access-key-id" existingSecretAccessKeyKey: "access-key-id"
existingSecretSecretKeyKey: "secret-access-key" existingSecretSecretKeyKey: "secret-access-key"
# Download configuration
download:
mode: "presigned" # presigned, redirect, or proxy
presignedUrlExpiry: 3600 # Presigned URL expiry in seconds
# PostgreSQL subchart configuration # PostgreSQL subchart configuration
postgresql: postgresql:
enabled: true enabled: true
@@ -147,6 +152,17 @@ minio:
persistence: persistence:
enabled: false enabled: false
size: 50Gi size: 50Gi
# MinIO ingress for presigned URL access
ingress:
enabled: false
className: "nginx"
annotations:
cert-manager.io/cluster-issuer: "letsencrypt"
nginx.ingress.kubernetes.io/proxy-body-size: "0" # Disable body size limit for uploads
host: "" # e.g., minio.your-domain.com
tls:
enabled: true
secretName: minio-tls
# Redis subchart configuration (for future caching) # Redis subchart configuration (for future caching)
redis: redis: