From b3b6ab5a61dc5bca13c8b1f4e6b716bbcad64e8c Mon Sep 17 00:00:00 2001
From: Dominik Kaminski
Date: Thu, 14 Nov 2024 16:54:21 +0100
Subject: [PATCH] fix(nubus): Add nginx s3 proxy when minio disabled
---
 .../apps/nubus/helmfile-child.yaml.gotmpl | 18 +++++++++
 .../nubus/values-nginx-s3-gateway.yaml.gotmpl | 39 +++++++++++++++++++
 helmfile/apps/nubus/values-nubus.yaml.gotmpl | 8 +++-
 helmfile/environments/default/charts.yaml | 10 +++++
 .../environments/default/customization.yaml | 1 +
 helmfile/environments/default/images.yaml | 8 ++++
 helmfile/environments/default/replicas.yaml | 2 +
 helmfile/environments/default/resources.yaml | 7 ++++
 8 files changed, 91 insertions(+), 2 deletions(-)
 create mode 100644 helmfile/apps/nubus/values-nginx-s3-gateway.yaml.gotmpl
diff --git a/helmfile/apps/nubus/helmfile-child.yaml.gotmpl b/helmfile/apps/nubus/helmfile-child.yaml.gotmpl
index ef9f061c..56540c4d 100644
--- a/helmfile/apps/nubus/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/nubus/helmfile-child.yaml.gotmpl
@@ -28,6 +28,14 @@ repositories:
 password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
 oci: true
 url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskKeycloakBootstrap.registry }}/{{ .Values.charts.opendeskKeycloakBootstrap.repository }}"
+ # NGINX S3 Gateway Chart
+ - name: "nginx-s3-gateway-repo"
+ keyring: "../../files/gpg-pubkeys/opencode.gpg"
+ verify: {{ .Values.charts.nginxS3Gateway.verify }}
+ username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+ password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+ oci: true
+ url: "{{ .Values.global.helmRegistry | default .Values.charts.nginxS3Gateway.registry }}/{{ .Values.charts.nginxS3Gateway.repository }}"
 releases:
 # Univention Management Stack Umbrella Chart
@@ -62,6 +70,16 @@ releases:
 installed: {{ .Values.nubus.enabled }}
 timeout: 900
+ # NGINX S3 Gateway (when cluster minio is not used)
+ - name: "nubus"
+ chart: "nginx-s3-gateway-repo/{{ .Values.charts.nginxS3Gateway.name }}"
+ version: "{{ .Values.charts.nginxS3Gateway.version }}"
+ values:
+ - "values-nginx-s3-gateway.yaml.gotmpl"
+ - {{ .Values.customization.release.nginxS3Gateway | default "additionalValues: false" }}
+ installed: {{ not .Values.minio.enabled }}
+ timeout: 900
+
 commonLabels:
 deploy-stage: "component-1"
 component: "nubus"
diff --git a/helmfile/apps/nubus/values-nginx-s3-gateway.yaml.gotmpl b/helmfile/apps/nubus/values-nginx-s3-gateway.yaml.gotmpl
new file mode 100644
index 00000000..af8a4af3
--- /dev/null
+++ b/helmfile/apps/nubus/values-nginx-s3-gateway.yaml.gotmpl
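Review bot: In helmfile-child.yaml.gotmpl the new gateway release is gated only by `installed: {{ not .Values.minio.enabled }}`, so it would also be installed when Nubus itself is disabled, unlike the release just above it, which checks `.Values.nubus.enabled`. I would gate on both: `installed: {{ and .Values.nubus.enabled (not .Values.minio.enabled) }}`. The release is also named `"nubus"`, which says nothing about the gateway and may collide with a release name defined outside this hunk; a name such as `"nginx-s3-gateway"` would be clearer, provided nothing depends on the current one.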
@@ -0,0 +1,39 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+image:
+ registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nginxS3Gateway.registry | quote }}
+ repository: {{ .Values.images.nginxS3Gateway.repository | quote }}
+ imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ tag: {{ .Values.images.nginxS3Gateway.tag | quote }}
+
+ingress:
+ enabled: {{ .Values.ingress.enabled }}
+ ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
+ host: "{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: "/portal-assets/icons/$2/$3"
+ nginx.ingress.kubernetes.io/use-regex: "true"
+ path: "/univention/(portal|selfservice)/icons/(logos|entries)/(.*)$"
+ tls:
+ secretName: {{ .Values.ingress.tls.secretName | quote }}
+
+configuration:
+ bucket: {{ .Values.objectstores.nubus.bucket | quote }}
+ endpoint: {{ .Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
+ port: 443
+ region: {{ .Values.objectstores.nubus.region | quote }}
+ style: "path"
+ credentials:
+ accessKey:
+ value: {{ .Values.objectstores.nubus.username | quote }}
+ secretKey:
+ value: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
+
+resources:
+ {{ .Values.resources.nginxS3Gateway | toYaml | nindent 2 }}
+
+replicaCount: {{ .Values.replicas.nginxS3Gateway }}
+...
diff --git a/helmfile/apps/nubus/values-nubus.yaml.gotmpl b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
index 2d1a07dc..ff6ef3f8 100644
--- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
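Review bot: In values-nginx-s3-gateway.yaml.gotmpl, `configuration.endpoint` and `credentials.secretKey.value` fall back to the MinIO host name and `.Values.secrets.minio.umsUser`, but the helmfile installs this release only when `minio.enabled` is false, so those defaults can never be the right values. A deployment that forgets to set `objectstores.nubus.endpoint` or `objectstores.nubus.secretKey` would silently render a gateway aimed at a host that is not deployed, signing with an unrelated secret; failing the render is safer, e.g. `value: {{ .Values.objectstores.nubus.secretKey | required "objectstores.nubus.secretKey must be set when minio is disabled" | quote }}`, and likewise for `endpoint`. The access and secret keys are also passed as plain `value:` entries; if the chart can reference an existing Secret instead (not visible here), that would keep them out of the rendered values.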
@@ -144,6 +144,10 @@ global:
 groups: __DELETE_KEY__
 ingress:
+ # temporary fix
+ {{- if not .Values.minio.enabled }}
+ enabled: false
+ {{- end }}
 certManager:
 enabled: false
 tls:
@@ -333,7 +337,7 @@ nubusPortalConsumer:
 enabled: true
 portalConsumer:
 logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
- objectStorageEndpoint: {{ .Values.objectstores.nubus.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
+ objectStorageEndpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
 objectStorageBucket: {{ .Values.objectstores.nubus.bucket | quote }}
 provisioningApi:
 auth:
@@ -341,7 +345,7 @@ nubusPortalConsumer:
 nubusPortalServer:
 portalServer:
- objectStorageEndpoint: {{ .Values.objectstores.nubus.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
+ objectStorageEndpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
 objectStorageBucket: {{ .Values.objectstores.nubus.bucket | quote }}
 objectStorageCredentialSecret:
 name: "ums-portal-server-minio-opendesk-credentials"
diff --git a/helmfile/environments/default/charts.yaml b/helmfile/environments/default/charts.yaml
index d4adc1c0..16255a69 100644
--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
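Review bot: The comment `# temporary fix` above the conditional `enabled: false` in values-nubus.yaml.gotmpl does not say what is being worked around or when the block can be removed. From the hunk it looks as if the ingress under this key is switched off whenever MinIO is disabled, presumably because the new gateway release serves the icon paths instead; that should be confirmed and written down. A comment along the lines of `# MinIO disabled: icons are served through the nginx-s3-gateway ingress; remove once <tracking issue> is resolved` would make the intent and the exit condition explicit. The parent of `ingress:` is outside the hunk, so which ingress is affected cannot be told from here.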
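Review bot: On the new `objectStorageEndpoint` line for `nubusPortalConsumer` (and the identical line for `nubusPortalServer` in the following hunk), `https://` is now prepended to `.Values.objectstores.nubus.endpoint` as well, whereas before the scheme was part of the default only. An environment that already sets the endpoint with a scheme would render `https://https://…`, and the same value is used without a scheme as `configuration.endpoint` of the gateway. The expected format (bare host name, TLS implied) should be documented where `objectstores.nubus.endpoint` is defined, for instance `# host name only, without scheme; https is always used`, or the template should reject a value containing `://`.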
@@ -254,6 +254,16 @@ charts:
 name: "nginx"
 version: "15.9.3"
 verify: true
+ nginxS3Gateway:
+ # providerCategory: "Platform"
+ # providerResponsible: "openDesk"
+ # upstreamRegistry: "https://registry.opencode.de"
+ # packageName=bmi/opendesk/components/platform-development/charts/nginx-s3-gateway/nginx-s3-gateway
+ registry: "registry.opencode.de"
+ repository: "bmi/opendesk/components/platform-development/charts/nginx-s3-gateway"
+ name: "nginx-s3-gateway"
+ version: "1.0.1"
+ verify: true
 nubus:
 # providerCategory: "Supplier"
 # providerResponsible: "Univention"
diff --git a/helmfile/environments/default/customization.yaml b/helmfile/environments/default/customization.yaml
index 9ab2a294..d04aca81 100644
--- a/helmfile/environments/default/customization.yaml
+++ b/helmfile/environments/default/customization.yaml
@@ -30,6 +30,7 @@ customization:
 ums: ~
 intercomService: ~
 opendeskKeycloakBootstrap: ~
+ nginxS3Gateway: ~
 # open-xchange
 dovecot: ~
 openXchange: ~
diff --git a/helmfile/environments/default/images.yaml b/helmfile/environments/default/images.yaml
index a5ea376d..46894e47 100644
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -244,6 +244,14 @@ images:
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-exporter"
 tag: "1.0.1@sha256:63e63c7420e37d3989fa0ffdbcf18a07b2a603ab9b2a849c2e7e44342dd82af0"
+ nginxS3Gateway:
+ # providerCategory: "Community"
+ # providerResponsible: "openDesk"
+ # upstreamRegistry: "https://registry-1.docker.io"
+ # upstreamRepository: "nginxinc/nginx-s3-gateway"
+ registry: "registry-1.docker.io"
+ repository: "nginxinc/nginx-s3-gateway"
+ tag: "unprivileged-oss-20241111@sha256:20d6b6ec5fc987b18c3e345de33674374a8335c593d6d0841ac64eb49ae2dea4"
 nubusDataLoader:
 # providerCategory: "Supplier"
 # providerResponsible: "Univention"
diff --git a/helmfile/environments/default/replicas.yaml b/helmfile/environments/default/replicas.yaml
index 04c6e05e..499d5c4a 100644
--- a/helmfile/environments/default/replicas.yaml
+++ b/helmfile/environments/default/replicas.yaml
@@ -122,6 +122,8 @@ replicas:
 umsUmcServer: 1
 # -- scalable: tbd
 umsUmcServerProxy: 1
+ # -- scalable: true
+ nginxS3Gateway: 1
 # -- component: Video conference (Jitsi)
 # -- scalable: tbd
diff --git a/helmfile/environments/default/resources.yaml b/helmfile/environments/default/resources.yaml
index cc36b8b1..49cb1a62 100644
--- a/helmfile/environments/default/resources.yaml
+++ b/helmfile/environments/default/resources.yaml
@@ -218,6 +218,13 @@ resources:
 requests:
 cpu: 0.1
 memory: "32Mi"
+ nginxS3Gateway:
+ limits:
+ cpu: 99
+ memory: "64Mi"
+ requests:
+ cpu: "100m"
+ memory: "16Mi"
 openproject:
 limits:
 cpu: 99