fix(nubus): Add nginx s3 proxy when minio disabled

2025-12-06 15:31:38 +01:00 · 2024-11-14 16:54:21 +01:00
parent 7f1f6cdcd4
commit b3b6ab5a61
8 changed files with 91 additions and 2 deletions
--- a/helmfile/apps/nubus/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/nubus/helmfile-child.yaml.gotmpl
@@ -28,6 +28,14 @@ repositories:
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskKeycloakBootstrap.registry }}/{{ .Values.charts.opendeskKeycloakBootstrap.repository }}"
+  # NGINX S3 Gateway Chart
+  - name: "nginx-s3-gateway-repo"
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
+    verify: {{ .Values.charts.nginxS3Gateway.verify }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.nginxS3Gateway.registry }}/{{ .Values.charts.nginxS3Gateway.repository }}"

 releases:
  # Univention Management Stack Umbrella Chart
@@ -62,6 +70,16 @@ releases:
    installed: {{ .Values.nubus.enabled }}
    timeout: 900

+  # NGINX S3 Gateway (when cluster minio is not used)
+  - name: "nubus"
+    chart: "nginx-s3-gateway-repo/{{ .Values.charts.nginxS3Gateway.name }}"
+    version: "{{ .Values.charts.nginxS3Gateway.version }}"
+    values:
+      - "values-nginx-s3-gateway.yaml.gotmpl"
+      - {{ .Values.customization.release.nginxS3Gateway | default "additionalValues: false" }}
+    installed: {{ not .Values.minio.enabled }}
+    timeout: 900
+
 commonLabels:
  deploy-stage: "component-1"
  component: "nubus"
--- a/helmfile/apps/nubus/values-nginx-s3-gateway.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nginx-s3-gateway.yaml.gotmpl
@@ -0,0 +1,39 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+image:
+  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nginxS3Gateway.registry | quote }}
+  repository: {{ .Values.images.nginxS3Gateway.repository | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  tag: {{ .Values.images.nginxS3Gateway.tag | quote }}
+
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
+  host: "{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: "/portal-assets/icons/$2/$3"
+    nginx.ingress.kubernetes.io/use-regex: "true"
+  path: "/univention/(portal|selfservice)/icons/(logos|entries)/(.*)$"
+  tls:
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
+
+configuration:
+  bucket: {{ .Values.objectstores.nubus.bucket | quote }}
+  endpoint: {{ .Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
+  port: 443
+  region: {{ .Values.objectstores.nubus.region | quote }}
+  style: "path"
+  credentials:
+    accessKey:
+      value: {{ .Values.objectstores.nubus.username | quote }}
+    secretKey:
+      value: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
+
+resources:
+  {{ .Values.resources.nginxS3Gateway | toYaml | nindent 2 }}
+
+replicaCount: {{ .Values.replicas.nginxS3Gateway }}
+...
--- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
@@ -144,6 +144,10 @@ global:
            groups: __DELETE_KEY__

 ingress:
+  # temporary fix
+  {{- if not .Values.minio.enabled }}
+  enabled: false
+  {{- end }}
  certManager:
    enabled: false
  tls:
@@ -333,7 +337,7 @@ nubusPortalConsumer:
  enabled: true
  portalConsumer:
    logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
-    objectStorageEndpoint: {{ .Values.objectstores.nubus.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
+    objectStorageEndpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
    objectStorageBucket: {{ .Values.objectstores.nubus.bucket | quote }}
  provisioningApi:
    auth:
@@ -341,7 +345,7 @@ nubusPortalConsumer:

 nubusPortalServer:
  portalServer:
-    objectStorageEndpoint: {{ .Values.objectstores.nubus.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
+    objectStorageEndpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
    objectStorageBucket: {{ .Values.objectstores.nubus.bucket | quote }}
    objectStorageCredentialSecret:
      name: "ums-portal-server-minio-opendesk-credentials"
--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
@@ -254,6 +254,16 @@ charts:
    name: "nginx"
    version: "15.9.3"
    verify: true
+  nginxS3Gateway:
+    # providerCategory: "Platform"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry.opencode.de"
+    # packageName=bmi/opendesk/components/platform-development/charts/nginx-s3-gateway/nginx-s3-gateway
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/charts/nginx-s3-gateway"
+    name: "nginx-s3-gateway"
+    version: "1.0.1"
+    verify: true
  nubus:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
--- a/helmfile/environments/default/customization.yaml
+++ b/helmfile/environments/default/customization.yaml
@@ -30,6 +30,7 @@ customization:
    ums: ~
    intercomService: ~
    opendeskKeycloakBootstrap: ~
+    nginxS3Gateway: ~
    # open-xchange
    dovecot: ~
    openXchange: ~
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -244,6 +244,14 @@ images:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-exporter"
    tag: "1.0.1@sha256:63e63c7420e37d3989fa0ffdbcf18a07b2a603ab9b2a849c2e7e44342dd82af0"
+  nginxS3Gateway:
+    # providerCategory: "Community"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry-1.docker.io"
+    # upstreamRepository: "nginxinc/nginx-s3-gateway"
+    registry: "registry-1.docker.io"
+    repository: "nginxinc/nginx-s3-gateway"
+    tag: "unprivileged-oss-20241111@sha256:20d6b6ec5fc987b18c3e345de33674374a8335c593d6d0841ac64eb49ae2dea4"
  nubusDataLoader:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
--- a/helmfile/environments/default/replicas.yaml
+++ b/helmfile/environments/default/replicas.yaml
@@ -122,6 +122,8 @@ replicas:
  umsUmcServer: 1
  # -- scalable: tbd
  umsUmcServerProxy: 1
+  # -- scalable: true
+  nginxS3Gateway: 1

  # -- component: Video conference (Jitsi)
  # -- scalable: tbd
--- a/helmfile/environments/default/resources.yaml
+++ b/helmfile/environments/default/resources.yaml
@@ -218,6 +218,13 @@ resources:
    requests:
      cpu: 0.1
      memory: "32Mi"
+  nginxS3Gateway:
+    limits:
+      cpu: 99
+      memory: "64Mi"
+    requests:
+      cpu: "100m"
+      memory: "16Mi"
  openproject:
    limits:
      cpu: 99