release new image with presigned URL support for direct s3 downloads as default download mode

Add presigned URL support for direct S3 downloads (#48)

Closes #48

See merge request esv/bsf/bsf-integration/orchard/orchard-mvp!17

CHANGELOG.md

@@ -6,6 +6,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+
+## [0.3.0] - 2025-12-15
+### Changed
+- Changed default download mode from `proxy` to `presigned` for better performance (#48)
 ### Added
 - Added presigned URL support for direct S3 downloads (#48)
 - Added `ORCHARD_DOWNLOAD_MODE` config option (`presigned`, `redirect`, `proxy`) (#48)
@@ -13,7 +17,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added `?mode=` query parameter to override download mode per-request (#48)
 - Added `/api/v1/project/{project}/{package}/+/{ref}/url` endpoint for getting presigned URLs (#48)
 - Added `PresignedUrlResponse` schema with URL, expiry, checksums, and artifact metadata (#48)
-- Added `minioIngress` config in Helm chart for exposing MinIO for presigned URL access (#48)
+- Added MinIO ingress support in Helm chart for presigned URL access (#48)
 - Added `orchard.download.mode` and `orchard.download.presignedUrlExpiry` Helm values (#48)
 - Added integrity verification workflow design document (#24)
 - Added `sha256` field to API responses for clarity (alias of `id`) (#25)
@@ -22,8 +26,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Compute and store MD5, SHA1, and S3 ETag alongside SHA256 during upload (#25)
 - Added `Dockerfile.local` and `docker-compose.local.yml` for local development (#25)
 - Added migration script `003_checksum_fields.sql` for existing databases (#25)
-### Changed
+
-- Changed default download mode from `proxy` to `presigned` for better performance (#48)
 
 ## [0.2.0] - 2025-12-15
 ### Changed

README.md

@@ -553,7 +553,8 @@ orchard:
     presignedUrlExpiry: 3600
 
 # MinIO ingress (required for presigned URL downloads)
-minioIngress:
+minio:
+  ingress:
     enabled: true
     className: "nginx"
     annotations:
@@ -564,7 +565,7 @@ minioIngress:
       secretName: minio-tls
 ```
 
-When `minioIngress.enabled` is `true`, the S3 endpoint automatically uses the external URL (`https://minio.your-domain.com`), making presigned URLs accessible to external clients.
+When `minio.ingress.enabled` is `true`, the S3 endpoint automatically uses the external URL (`https://minio.your-domain.com`), making presigned URLs accessible to external clients.
 
 See `helm/orchard/values.yaml` for all configuration options.
 

helm/orchard/templates/_helpers.tpl

@@ -111,11 +111,11 @@ MinIO internal host (for server-side operations)
 MinIO host (uses external URL if ingress enabled, for presigned URLs)
 */}}
 {{- define "orchard.minio.host" -}}
-{{- if and .Values.minio.enabled .Values.minioIngress.enabled .Values.minioIngress.host }}
+{{- if and .Values.minio.enabled .Values.minio.ingress.enabled .Values.minio.ingress.host }}
-{{- if .Values.minioIngress.tls.enabled }}
+{{- if .Values.minio.ingress.tls.enabled }}
-{{- printf "https://%s" .Values.minioIngress.host }}
+{{- printf "https://%s" .Values.minio.ingress.host }}
 {{- else }}
-{{- printf "http://%s" .Values.minioIngress.host }}
+{{- printf "http://%s" .Values.minio.ingress.host }}
 {{- end }}
 {{- else if .Values.minio.enabled }}
 {{- printf "http://%s-minio:9000" .Release.Name }}

helm/orchard/templates/minio-ingress.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.minio.enabled .Values.minioIngress.enabled -}}
+{{- if and .Values.minio.enabled .Values.minio.ingress.enabled -}}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -6,22 +6,22 @@ metadata:
   labels:
     {{- include "orchard.labels" . | nindent 4 }}
     app.kubernetes.io/component: minio
-  {{- with .Values.minioIngress.annotations }}
+  {{- with .Values.minio.ingress.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
-  {{- if .Values.minioIngress.className }}
+  {{- if .Values.minio.ingress.className }}
-  ingressClassName: {{ .Values.minioIngress.className }}
+  ingressClassName: {{ .Values.minio.ingress.className }}
   {{- end }}
-  {{- if .Values.minioIngress.tls.enabled }}
+  {{- if .Values.minio.ingress.tls.enabled }}
   tls:
     - hosts:
-        - {{ .Values.minioIngress.host | quote }}
+        - {{ .Values.minio.ingress.host | quote }}
-      secretName: {{ .Values.minioIngress.tls.secretName }}
+      secretName: {{ .Values.minio.ingress.tls.secretName }}
   {{- end }}
   rules:
-    - host: {{ .Values.minioIngress.host | quote }}
+    - host: {{ .Values.minio.ingress.host | quote }}
       http:
         paths:
           - path: /

helm/orchard/values.yaml

@@ -152,9 +152,8 @@ minio:
   persistence:
     enabled: false
     size: 50Gi
-
+  # MinIO ingress for presigned URL access
-# MinIO external ingress for presigned URL access (separate from subchart ingress)
+  ingress:
-minioIngress:
     enabled: false
     className: "nginx"
     annotations: